The media protection policy is responsible for defining how media will be handled within the organization. This includes secure handling, what media is allowed, how media should be protected, and how media should be destroyed.

What the media protection policy should address:

• Protecting information system media, both paper and digital
• Limiting access to information on information system media to authorized users
• Sanitizing or destroying information system media before disposal or release for reuse
• Marking media with necessary markings and distribution limitations
• Controlling access to media and maintaining accountability for media during transport outside of controlled areas
• Implementing cryptographic mechanisms to protect the confidentiality of information stored on digital media during transport, unless otherwise protected by alternative physical safeguards
• Controlling the use of removable media on information system components
• Prohibiting the use of portable storage devices when such devices have no identifiable owner
• Protecting the confidentiality of backup information at storage locations