
Control 7.10 : Storage Media


Summary

Storage media should be managed throughout their lifecycle of acquisition, use, transportation, and disposal in accordance with the organization's classification scheme. This includes USB drives, external hard drives, and tapes.


Applicability

In-Scope: Essential for preventing data leaks from physically portable storage, ensuring data remains protected even if the physical media is lost.

Out-of-Scope: The control can only be excluded, or reduced in scope, if the organization has a strict no-removable-media policy that is technically enforced (for example, removable storage blocked on every endpoint), not merely written down.


Implementation Guidance

Microsoft 365 / Entra ID

  • Device Control: Use Microsoft Defender for Endpoint to block the use of unauthorized USB storage devices or enforce read-only mode.

  • Encryption: Enforce BitLocker to Go via Intune for any authorized removable media, requiring a password before the data can be accessed.

  • Inventory: Log the issuance of any encrypted portable drives in a SharePoint List to maintain a chain of custody.
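The three bullets above describe policy applied from Intune or Group Policy; an auditor will want proof that the policy actually landed on endpoints. The following PowerShell script is an added evidence-collection example written for this page, not code from CYBERINFO or Microsoft. It assumes it runs elevated on a Windows 10/11 endpoint with the BitLocker and Storage modules present, that device control and BitLocker To Go policy are delivered through the standard Windows policy registry paths shown, and that the output path under ProgramData is the local evidence drop (an assumption; adjust to your repository). It checks the Windows removable-storage and BitLocker policy layer plus the live state of any mounted removable volume, then writes a CSV row per check for the "Technical Policy Logs" evidence item.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the CYBERINFO page or Microsoft): collect evidence that
# removable-media controls for Control 7.10 are enforced on this endpoint.

$evidence = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $evidence.Add([pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Computer  = $env:COMPUTERNAME
        Check     = $Check
        Result    = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail    = $Detail
    })
}

# 1. Device control at the Windows policy layer.
#    Deny_All under the parent key blocks every removable storage class;
#    Deny_Write under the "Removable Disks" class GUID enforces read-only mode.
$rsdKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$diskKey = Join-Path $rsdKey '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$denyAll   = (Get-ItemProperty -Path $rsdKey  -Name Deny_All   -ErrorAction SilentlyContinue).Deny_All
$denyWrite = (Get-ItemProperty -Path $diskKey -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
Add-Finding -Check 'Removable storage blocked or read-only' `
            -Pass ($denyAll -eq 1 -or $denyWrite -eq 1) `
            -Detail "Deny_All=$denyAll Deny_Write=$denyWrite"

# 2. BitLocker To Go policy: writes to removable drives that are not
#    BitLocker-protected must be denied, so an unencrypted stick cannot carry data out.
$fveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$rdvDeny = (Get-ItemProperty -Path $fveKey -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
Add-Finding -Check 'Unencrypted removable drives are write-denied' `
            -Pass ($rdvDeny -eq 1) `
            -Detail "RDVDenyWriteAccess=$rdvDeny"

# 3. Live state: every mounted removable volume must have BitLocker protection On
#    and a Password key protector (the data must not be readable without a password).
$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
if (-not $removable) {
    Add-Finding -Check 'Mounted removable volumes encrypted' -Pass $true `
                -Detail 'No removable volume mounted at time of check'
}
foreach ($vol in $removable) {
    $mount = "$($vol.DriveLetter):"
    $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    $hasPassword = $bl.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Password' }
    $ok = $bl -and ($bl.ProtectionStatus -eq 'On') -and $hasPassword
    Add-Finding -Check "Mounted removable volume $mount encrypted" -Pass ([bool]$ok) `
                -Detail ("ProtectionStatus={0} Method={1} PasswordProtector={2}" -f `
                         $bl.ProtectionStatus, $bl.EncryptionMethod, [bool]$hasPassword)
}

# 4. Append the rows to the evidence file (path is an assumption for this example)
#    and show a summary on screen.
$out = Join-Path $env:ProgramData 'Audit\Control-7.10-StorageMedia.csv'
New-Item -ItemType Directory -Path (Split-Path $out) -Force | Out-Null
$evidence | Export-Csv -Path $out -NoTypeInformation -Append
$evidence | Format-Table Check, Result, Detail -AutoSize
```

Run it from an elevated PowerShell on a sample of managed devices (or push it as an Intune script) and keep the CSV with the Defender block/allow rule export. The script checks the Windows policy and BitLocker layers only; Defender for Endpoint's own device-control rule set is delivered separately and should be exported from the Defender portal as its own evidence item. A FAIL on check 3 while check 2 passes is worth chasing: it usually means a drive was encrypted with a non-password protector or was mounted before the policy applied.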


Evidence Checklist

  • Media Handling Policy: Procedures for the labeling, storage, and secure transport of removable media.

  • Disposal Certificates: Records from a certified destruction vendor for retired hard drives or tapes.

  • Technical Policy Logs: Evidence from Microsoft Defender showing the block/allow rules for removable storage.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How are sensitive storage media protected while they are being physically moved between locations?

  • What is the process for ensuring that all data is irretrievably destroyed before a piece of media is recycled or discarded?

  • How do you identify and track which employees have been issued encrypted USB drives?

  • Can you provide evidence of a recent media disposal record showing the secure destruction of a hard drive?