Media Protection

Purpose

The purpose of this policy is to establish information security standards for the Media Protection processes relevant to University of Maryland Global Campus (“UMGC” or “University”) Information Technology Resources.

Scope and Applicability

Definitions

Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

1. Authorized User: A User who has been granted authorization to access electronic Information Resources and is current in their privileges.
2. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
3. Controlled Unclassified Information (CUI): US Federal Government or Contractor created information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
4. Digital Media: A form of electronic media where data are stored in digital (as opposed to analog) form.
5. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
6. Federal Contract Information (FCI): Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
7. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.
8. Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
9. Media: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an Information System.
10. Removable Media: Portable data storage medium that can be added to or removed from a computing device or network. Note: Examples include but are not limited to: optical discs (CD, DVD, Blu-ray); external / removable hard drives; external / removable Solid State Disk (SSD) drives; magnetic / optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external / removable disks (floppy, Zip, Jaz, Bernoulli, UMD).
11. User:  A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.

Media Protection

All Users of University Information Systems should comply with the University's Media Protection Policy to ensure that the information security requirements for device and media protection are maintained during the storage, transport, and disposal of Information Technology Resources.

1. University Information Systems must be sanitized or Information System Media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must be destroyed before disposal or release for reuse. The University must use methods that are in accordance with the NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization. This requirement applies to the permanent disposal or reuse of all storage media and equipment containing storage media regardless of the identity of the recipient commensurate with the risk associated with the data stored on that Media. It also applies to equipment sent for maintenance or repair.
2. The procedures performed to sanitize electronic media must be documented and data destruction records retained whether performed in-house or by a University Contractor.
3. All Users of University Information Systems must protect (i.e., physically control and securely store) Information System Media containing Controlled Unclassified Information (CUI), both paper and digital.
4. Access to CUI on Information System Media must be limited to Authorized Users.
5. Media must be identified with necessary CUI markings and distribution limitations.
6. The use of non-UMGC managed Removable Media must be prohibited when such devices have no identifiable owner.
7. All users of University Information Systems must control access to Media containing CUI and maintain accountability for media during transport outside of controlled areas.
8. All Users of University Information Systems must implement cryptographic mechanisms to protect the confidentiality of CUI stored on Digital Media during transport unless otherwise protected by alternative physical safeguards.

Exceptions

Exceptions to this policy should be submitted to the Sr. Director, Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Sr. Director, Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021

1. UMGC Policy X-1.02 Data Classification
2. UMGC Policy X-1.04 Information Security
3. UMGC Policy X-1.05 Information Security Awareness and Training
4. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
5. UMGC Policy X-1.19B Account Management (UMGC Workforce)