Guidelines for Media Handling

May 22, 2012

As part of most business processes, information is generated and stored on many different types of media including paper documents, computer media (e.g., tapes, compact discs, flash drives / memory) and others. Much of the information being stored on paper and electronically is critical and can include (among others):

  • Mission-critical data
  • Financial information
  • Operational data
  • Sensitive information
  • Personnel files

Other questionnaires have covered different aspects of security as it relates to the examples listed above in areas such as backup and recovery and physical security. One aspect of securing this information that has not been covered in any detail is the protection of the media where the information is stored, which is the content of this questionnaire.

The questions below are primarily based on the International Standards Organization (ISO) 2700x information security standard for media handling. The key areas addressed in media handling include:

  • Media management
  • Media disposal
  • Media in transit

The questions below are a starting point in discussing security related to media handling. Other questions should be added based on the client’s specific business.

General

Is there a documented policy for media handling?

Guidance: A security policy to communicate management’s position on media handling should exist. The policy should outline high-level roles and responsibilities and the requirements as they relate to media handling.

The policy should be easily accessible to employees so they can refer to it as necessary. The policy also helps in enforcing good media handling practices.