Media is properly classified, labelled and registered in order to clearly indicate the required handling instructions and degree of protection to be applied.

]]> This section covers information relating to classifying, labelling and registering media. Information relating to classifying and labelling IT equipment can be found in Section 12.3 - Product Classifying and Labelling.

]]> Labels are not needed for internally mounted fixed media if the IT equipment containing the media is labelled. Likewise fixed media does not need to be registered if the IT equipment containing the media is registered.

]]> Additional information relating to media handling is contained in:

Reference Title Publisher Source

ISO/IEC 27001:2013

 10.7, Media Handling

ISO

https://www.iso.org/standard/54534.html

 
]]> Relevant PSR requirements can be found at:

Reference Title Source

PSR Mandatory Requirements

 GOV3, INFOSEC1, INFOSEC2, INFOSEC3, INFOSEC4, PHYSEC1 and PHYSEC2

Home | Protective Security Requirements

Security governance (GOV) | Protective Security Requirements

Information security (INFOSEC) | Protective Security Requirements

Physical security (PHYSEC) | Protective Security Requirements
]]> When reclassifying or declassifying media the process is based on an assessment of risk, including:

  • the classification of the media and associated handling instructions;
  • the effectiveness of any sanitisation or destruction procedure used; 
  • the planned redeployment; and
  • the intended destination of the media.
]]> Agencies MUST document procedures for the reclassification and declassification of media.

]]> Media that is not classified or not correctly classified may be stored, identified and handled inappropriately.

]]> Incorrect or no classification may result in access by a person or persons without the appropriate security clearance.

]]> Agencies MUST classify media to the highest classification of data stored on the media.

]]> Unless connected through a data diode or similar infrastructure, there is no guarantee that classified information was not copied to the media while it was connected to a system of higher classification than the classification level of the media itself.

]]> Agencies MUST classify any media connected to a system of a higher classification at the higher system classification until confirmed not to be the case.

]]> When sufficient assurance exists that information cannot be written to media that is used with a system, then the media can be treated in accordance with the handling instructions of the classification of the information it stores rather than the classification of the system it is connected to or used with.

]]> Agencies intending to classify media below the classification of the system to which it is connected to MUST ensure that:

  • the media is read-only;
  • the media is inserted into a read-only device; or
  • the system has a mechanism through which read-only access can be assured such as approved data diodes, write-blockers or similar infrastructure.
]]> Agencies must follow the reclassification process as illustrated in Section 13.6 – Media Disposal.

]]> Agencies wishing to reclassify media to a lower classification MUST ensure that:

  • a formal decision is made to reclassify, or redeploy the media; and
  • the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised or destroyed.
]]> The media will always need to be protected in accordance with the classification of the information it stores. As such, if the classification of the information on the media changes, then so will the classification of the media.

]]> Agencies MUST reclassify media if:

  • information copied onto the media is of a higher classification; or
  • information contained on the media is subjected to a classification upgrade.
]]> Labelling helps all personnel to identify the classification of media and ensure that they afford the media the correct protection measures.

]]> Agencies MUST label media with a marking that indicates the maximum classification and any endorsements applicable to the information stored.

]]> Agencies MUST ensure that the classification of all media is easily visually identifiable.

]]> When using non-textual (colour, symbol) protective markings for operational security reasons, agencies MUST document the labelling scheme and train personnel appropriately.

]]> Agencies SHOULD label media with a marking that indicates the maximum classification and any endorsements applicable to the information stored.

]]> It is not possible to effectively sanitise and subsequently reclassify SECRET or TOP SECRET non-volatile media to a classification lower than SECRET. Media of other classifications may be reclassified (See Section 13.6 – Media Disposal).

]]> Agencies MUST label non-volatile media that has been sanitised and reclassified for redeployment with a notice similar to:

Warning: media has been sanitised and reclassified from [classification] to [classification]. Further lowering of classification only via destruction.

]]> If agencies fail to register media with an appropriate identifier they will not be able to effectively keep track of their classified media and there will be a greater likelihood of unauthorised disclosure of classified information.

]]> Agencies MUST register all media with a unique identifier in an appropriate register.

]]> Agencies SHOULD register all media with a unique identifier in an appropriate register.

]]>