last sync: 2024-Apr-24 17:46:58 UTC

Control use of portable storage devices | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Control use of portable storage devices
Id 36b74844-4a99-4c80-1800-b18a516d1585
Version 1.1.0
Category Regulatory Compliance
Description CMA_0083 - Control use of portable storage devices
Additional metadata Name/Id: CMA_0083 / CMA_0083
Category: Operational
Title: Control use of portable storage devices
Ownership: Customer
Description: Microsoft recommends that your organization limit or prohibit the use of organization-controlled portable storage devices. It is recommended to limit or prohibit the use of portable storage devices on external systems and the use of such devices if they have no identifiable owner. It is recommended that your organization ensure systems are configured to prevent the writing of data to external removable storage devices and media. Microsoft recommends that your organization create and maintain Access Control policies and procedures that affirm that portable storage devices are not allowed within the information system boundary, except by authorized individuals and only in compliance with your organization's policies. This includes prohibiting contractors from storing confidential information on portable storage devices, except as provided for in the agreement and including approved alternate security measures. It is recommended that your organization apply sanitization techniques that are non-destructive to portable storage devices prior to connecting such devices to the information system under organization-defined circumstances.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual; Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 28 compliance controls are associated with this Policy definition 'Control use of portable storage devices' (36b74844-4a99-4c80-1800-b18a516d1585)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AC-20(2) FedRAMP_High_R4_AC-20(2) FedRAMP High AC-20 (2) Access Control Portable Storage Devices Shared n/a The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. link 3
FedRAMP_High_R4 MP-7 FedRAMP_High_R4_MP-7 FedRAMP High MP-7 Media Protection Media Use Shared n/a The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. References: None. link 4
FedRAMP_High_R4 MP-7(1) FedRAMP_High_R4_MP-7(1) FedRAMP High MP-7 (1) Media Protection Prohibit Use Without Owner Shared n/a The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. link 4
FedRAMP_Moderate_R4 AC-20(2) FedRAMP_Moderate_R4_AC-20(2) FedRAMP Moderate AC-20 (2) Access Control Portable Storage Devices Shared n/a The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. link 3
FedRAMP_Moderate_R4 MP-7 FedRAMP_Moderate_R4_MP-7 FedRAMP Moderate MP-7 Media Protection Media Use Shared n/a The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. References: None. link 4
FedRAMP_Moderate_R4 MP-7(1) FedRAMP_Moderate_R4_MP-7(1) FedRAMP Moderate MP-7 (1) Media Protection Prohibit Use Without Owner Shared n/a The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. link 4
hipaa 0301.09o1Organizational.123-09.o hipaa-0301.09o1Organizational.123-09.o 0301.09o1Organizational.123-09.o 03 Portable Media Security 0301.09o1Organizational.123-09.o 09.07 Media Handling Shared n/a The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. 14
hipaa 0302.09o2Organizational.1-09.o hipaa-0302.09o2Organizational.1-09.o 0302.09o2Organizational.1-09.o 03 Portable Media Security 0302.09o2Organizational.1-09.o 09.07 Media Handling Shared n/a The organization protects and controls media containing sensitive information during transport outside of controlled areas. 7
hipaa 0303.09o2Organizational.2-09.o hipaa-0303.09o2Organizational.2-09.o 0303.09o2Organizational.2-09.o 03 Portable Media Security 0303.09o2Organizational.2-09.o 09.07 Media Handling Shared n/a Digital and non-digital media requiring restricted use, and the specific safeguards used to restrict their use are identified. 6
hipaa 0304.09o3Organizational.1-09.o hipaa-0304.09o3Organizational.1-09.o 0304.09o3Organizational.1-09.o 03 Portable Media Security 0304.09o3Organizational.1-09.o 09.07 Media Handling Shared n/a The organization restricts the use of writable removable media and personally-owned removable media in organizational systems. 8
hipaa 0305.09q1Organizational.12-09.q hipaa-0305.09q1Organizational.12-09.q 0305.09q1Organizational.12-09.q 03 Portable Media Security 0305.09q1Organizational.12-09.q 09.07 Media Handling Shared n/a Media is labeled, encrypted, and handled according to its classification. 7
hipaa 0429.01x1System.14-01.x hipaa-0429.01x1System.14-01.x 0429.01x1System.14-01.x 04 Mobile Device Security 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting). 7
hipaa 0915.09s2Organizational.2-09.s hipaa-0915.09s2Organizational.2-09.s 0915.09s2Organizational.2-09.s 09 Transmission Protection 0915.09s2Organizational.2-09.s 09.08 Exchange of Information Shared n/a The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems. 4
hipaa 0916.09s2Organizational.4-09.s hipaa-0916.09s2Organizational.4-09.s 0916.09s2Organizational.4-09.s 09 Transmission Protection 0916.09s2Organizational.4-09.s 09.08 Exchange of Information Shared n/a The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices. 7
hipaa 1022.01d1System.15-01.d hipaa-1022.01d1System.15-01.d 1022.01d1System.15-01.d 10 Password Management 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems Shared n/a Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements. 8
hipaa 1423.05j2Organizational.4-05.j hipaa-1423.05j2Organizational.4-05.j 1423.05j2Organizational.4-05.j 14 Third Party Assurance 1423.05j2Organizational.4-05.j 05.02 External Parties Shared n/a For all system connections that allow customers to access the organization's computing assets such as websites, kiosks, and public access terminals, the organization provides appropriate text or a link to the organization's privacy policy for data use and protection as well as the customer's responsibilities when accessing the data. 9
hipaa 19142.06c1Organizational.8-06.c hipaa-19142.06c1Organizational.8-06.c 19142.06c1Organizational.8-06.c 19 Data Protection & Privacy 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements Shared n/a Guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information. 9
ISO27001-2013 A.8.1.2 ISO27001-2013_A.8.1.2 ISO 27001:2013 A.8.1.2 Asset Management Ownership of assets Shared n/a Assets maintained in the inventory shall be owned. link 7
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
ISO27001-2013 A.8.3.1 ISO27001-2013_A.8.3.1 ISO 27001:2013 A.8.3.1 Asset Management Management of removable media Shared n/a Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. link 6
NIST_SP_800-171_R2 3.1.21 NIST_SP_800-171_R2_3.1.21 NIST SP 800-171 R2 3.1.21 Access Control Limit use of portable storage devices on external systems. Shared Microsoft is responsible for implementing this requirement. Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while "external" typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered "external" to that system. link 3
NIST_SP_800-171_R2 3.8.7 NIST_SP_800-171_R2_3.8.7 NIST SP 800-171 R2 3.8.7 Media Protection Control the use of removable media on system components. Shared Microsoft is responsible for implementing this requirement. In contrast to requirement 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices. link 4
NIST_SP_800-171_R2 3.8.8 NIST_SP_800-171_R2_3.8.8 NIST SP 800-171 R2 3.8.8 Media Protection Prohibit the use of portable storage devices when such devices have no identifiable owner. Shared Microsoft is responsible for implementing this requirement. Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code). link 4
NIST_SP_800-53_R4 AC-20(2) NIST_SP_800-53_R4_AC-20(2) NIST SP 800-53 Rev. 4 AC-20 (2) Access Control Portable Storage Devices Shared n/a The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. link 3
NIST_SP_800-53_R4 MP-7 NIST_SP_800-53_R4_MP-7 NIST SP 800-53 Rev. 4 MP-7 Media Protection Media Use Shared n/a The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. References: None. link 4
NIST_SP_800-53_R4 MP-7(1) NIST_SP_800-53_R4_MP-7(1) NIST SP 800-53 Rev. 4 MP-7 (1) Media Protection Prohibit Use Without Owner Shared n/a The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. link 4
NIST_SP_800-53_R5 AC-20(2) NIST_SP_800-53_R5_AC-20(2) NIST SP 800-53 Rev. 5 AC-20 (2) Access Control Portable Storage Devices - Restricted Use Shared n/a Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. link 3
NIST_SP_800-53_R5 MP-7 NIST_SP_800-53_R5_MP-7 NIST SP 800-53 Rev. 5 MP-7 Media Protection Media Use Shared n/a a. [Selection: Restrict;Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. link 4
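The policy above has a Manual effect: assigning it in Azure only records compliance through an attestation on the assignment, it configures nothing on the endpoints where portable storage is actually plugged in. The description (CMA_0083) and the MP-7 / 3.8.7 rows both name the technical safeguard the customer is expected to implement, disabling the ability to write to removable media, and MP-7(1) / 3.8.8 require an identifiable owner for every device. The following PowerShell is an added example of one way to do that on a Windows host; it is not code from the policy definition, from Microsoft's guidance text, or from any of the mapped frameworks. It assumes an elevated session on a Windows machine and uses the machine-wide Removable Storage Access policy registry location (the same values the Group Policy setting "Removable Disks: Deny write access" writes). The function names, the ownership-inventory report and the assumption that the device history under USBSTOR is sufficient for owner attribution are the example's own.

```powershell
# Added example, not part of the Azure Policy definition or Microsoft's guidance.
# Run elevated on a Windows host. Enforces "deny write to removable disks" and
# produces an inventory of removable disks that have ever been attached, so each
# serial can be matched against the organization's owner register (MP-7(1)).

# Machine-wide Removable Storage Access policy root. The GUID is the device
# setup class for "Removable Disks" (USB flash drives, external HDD/SSD).
$PolicyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableKey = Join-Path $PolicyRoot '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskWriteDeny {
    # Deny_Write = 1 blocks writes to removable disks for all users of this host.
    # Reads stay allowed so approved media can still be ingested read-only.
    # -DenyExecute additionally blocks running executables from such media.
    param([switch]$DenyExecute)

    if (-not (Test-Path $RemovableKey)) {
        New-Item -Path $RemovableKey -Force | Out-Null
    }
    New-ItemProperty -Path $RemovableKey -Name 'Deny_Write' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    if ($DenyExecute) {
        New-ItemProperty -Path $RemovableKey -Name 'Deny_Execute' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-RemovableDiskWriteDeny {
    # Compliance check: $true only when the key exists and Deny_Write is exactly 1.
    # A missing key, a missing value, or a value of 0 all mean writes are allowed.
    if (-not (Test-Path $RemovableKey)) { return $false }
    $p = Get-ItemProperty -Path $RemovableKey -Name 'Deny_Write' -ErrorAction SilentlyContinue
    return ($null -ne $p -and [int]$p.Deny_Write -eq 1)
}

function Get-RemovableDiskHistory {
    # Every USB mass-storage device Windows has enumerated leaves a subkey under
    # USBSTOR: <Disk&Ven_..&Prod_..&Rev_..>\<serial&instance>. Emitting model and
    # serial lets the owner register be reconciled against what was really plugged in.
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $usbstor)) { return @() }

    Get-ChildItem -Path $usbstor | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Model        = $model
                Serial       = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Usage: enforce, verify, then list attached-device history for owner reconciliation.
Set-RemovableDiskWriteDeny -DenyExecute
if (-not (Test-RemovableDiskWriteDeny)) {
    throw 'Deny_Write policy was not applied; check elevation and registry permissions.'
}
Get-RemovableDiskHistory | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The machine-wide key applies to every user on the host; devices already mounted when the value is written may keep their current access until they are reconnected, so verify with a fresh insertion rather than trusting the registry value alone. And the USBSTOR history is an enumeration record, not an allow-list: it tells you which serials to look up in the owner register, it does not by itself prevent an unowned device from being used, which is why the deny-write setting above is the enforcing control and the inventory is the evidence for the attestation.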
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 36b74844-4a99-4c80-1800-b18a516d1585