UMGC Policy X-1.14 UMGC Policy on Media Protection

Purpose

The purpose of this Policy is to establish Information Security standards for the media protection processes relevant to University of Maryland Global Campus Information Technology Resources.

Scope and Applicability

This Policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this Policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

Media Protection

All Users of University Information Systems should comply with the University's Media Protection Policy to ensure that the Information Security requirements for device and media protection are maintained during the storage, transport, and disposal of Information Technology Resources.

1. Users must follow University Information Security policies at all times including the UMGC X-1.12 Acceptable Use Policy.
2. University Information Systems must be sanitized or Information System Media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must be destroyed before disposal or release for reuse. The University must use methods that are in accordance with the NIST SP800-88rev1 Guidelines for Media Sanitization. This requirement applies to the permanent disposal or reuse of all storage Media and equipment containing storage Media regardless of the identity of the recipient commensurate with the risk associated with the data stored on that Media. It also applies to equipment sent for maintenance or repair.
3. The procedures performed to sanitize electronic Media must be documented and data destruction records retained whether performed in-house or by a University Contractor.
4. All Users of University Information Systems must protect (i.e., physically control and securely store) Information System Media containing Controlled Unclassified Information (CUI), both paper and digital.
5. Access to CUI on Information System Media must be limited to Authorized Users.
6. Media must be identified with necessary CUI markings and distribution limitations.
7. The use of non-UMGC managed Removable Media must be prohibited when such devices have no identifiable owner.
8. All Users of University Information Systems must control access to Media containing CUI and maintain accountability for Media during transport outside of controlled areas.
9. All Users of University Information Systems must implement cryptographic mechanisms to protect the confidentiality of CUI stored on Digital Media during transport unless otherwise protected by alternative physical safeguards.

Exceptions

Exceptions to this Policy should be submitted to the Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. Most recent versions:
   1. USM IT Security Standards
   2. NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
   3. Cybersecurity Maturity Model Certification (CMMC)

1. UMGC Policy X-1.02 Data Classification 
2. UMGC Policy X-1.04 Information Security
3. UMGC Policy X-1.05 Information Security Awareness and Training
4. UMGC Policy X-1.12 Acceptable Use Policy
5. UMGC Policy X-1.19A Account Management (UMGC Learner Community) 
6. UMGC Policy X-1.19B Account Management (UMGC Workforce)