UMGC Policy X-1.14

Media Protection

Policy Category Policy No. & Title Policy Owner Effective Date Revision Number Revision Eff. Date Review Cycle

X
Information Governance, Security & Technology

X-1.14
Media Protection

VP of Information Security

July 1, 2021

N/A

N/A

Annual

  1. Purpose

    The purpose of this policy is to establish information security standards for the Media Protection processes relevant to University of Maryland Global Campus (“UMGC” or “University”) Information Technology Resources.

  2. Scope and Applicability

    This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

  3. Definitions

    Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

    1. Authorized User: A User who has been granted authorization to access electronic Information Resources and is current in their privileges.

    2. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.

    3. Controlled Unclassified Information (CUI): A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.

    4. Digital Media: A form of electronic media where data are stored in digital (as opposed to analog) form.

    5. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.

    6. Federal Contract Information (FCI): Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

    7. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.

    8. Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

    9. Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.

    10. Media: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.

    11. Removable Media: Portable data storage medium that can be added to or removed from a computing device or network. Note: Examples include but are not limited to: optical discs (CD, DVD, Blu-ray); external / removable hard drives; external / removable Solid State Disk (SSD) drives; magnetic / optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external / removable disks (floppy, Zip, Jaz, Bernoulli, UMD).

    12. User: A University community member, including but not limited to, staff, faculty, students, alumni, and individuals working on behalf of the University, including third party vendors, Contractors, consultants, volunteers, and other individuals who may have a need to access, use or control University Data.

  4. Media Protection

    All Users of University Information Systems should comply with the University's Media Protection Policy to ensure that the information security requirements for device and media protection are maintained during the storage, transport, and disposal of Information Technology Resources.

    1. University Information Systems must be sanitized or Information System Media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must be destroyed before disposal or release for reuse. The University must use methods that are in accordance with the NIST SP800-88rev1 Guidelines for Media Sanitization. This requirement applies to the permanent disposal or reuse of all storage media and equipment containing storage media regardless of the identity of the recipient commensurate with the risk associated with the data stored on that Media. It also applies to equipment sent for maintenance or repair.

    2. The procedures performed to sanitize electronic media must be documented and data destruction records retained whether performed in-house or by a University Contractor.

    3. All Users of University Information Systems must protect (i.e., physically control and securely store) Information System Media containing Controlled Unclassified Information (CUI), both paper and digital.

    4. Access to CUI on Information System Media must be limited to Authorized Users.

    5. Media must be identified with necessary CUI markings and distribution limitations.

    6. The use of non-UMGC managed Removable Media must be prohibited when such devices have no identifiable owner.

    7. All users of University Information Systems must control access to Media containing CUI and maintain accountability for media during transport outside of controlled areas.

    8. All Users of University Information Systems must implement cryptographic mechanisms to protect the confidentiality of CUI stored on Digital Media during transport unless otherwise protected by alternative physical safeguards.

  5. Exceptions

    Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

  6. Enforcement

    1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.

    2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

  7. Related Policies

    1. Account Management

    2. Data Classification

    3. Information Security

    4. Information Security Awareness & Training

  8. Effective Date: This policy is effective as of the Effective Date set forth above.