NIST 800-53 REV 5 • MEDIA PROTECTION

MP-2 Media Access

Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].

Supplemental Guidance

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.

Practitioner Notes

Access to media containing organizational data — both digital and physical — must be restricted to authorized individuals only. Not everyone in your office needs access to backup tapes, external drives, or printed reports.

Example 1: Store backup tapes, external hard drives, and removable media in a locked cabinet or safe in your server room. Limit key or combination access to your system administrator and backup operator. Maintain a sign-out log for any media removed from storage.

Example 2: Use a GPO to control USB storage device access on workstations. Configure the policy at Computer Configuration → Administrative Templates → System → Removable Storage Access to deny read/write access to removable storage devices for all users except those in an approved security group.
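To confirm that the policy in Example 2 has actually been applied on a workstation, the following added example (not part of NIST 800-53 or the original notes) reads the machine-level registry values that the Removable Storage Access template writes. The function names are hypothetical; it assumes the policy was set under Computer Configuration and covers the Removable Disks and CD and DVD classes only.

```powershell
# Added example: audit check for the Removable Storage Access policy.
# Reads HKLM policy values only; it changes nothing on the host.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device classes checked here, keyed by the label used in the GPO editor.
$classes = [ordered]@{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Test-PolicyValue {          # hypothetical helper name
    param([string]$Path, [string]$Name)
    # A missing key or value means the setting is "Not Configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$Name -eq 1)
}

function Get-RemovableStoragePolicy { # hypothetical function name
    # "All Removable Storage classes: Deny all access" overrides per-class settings.
    $denyAll = Test-PolicyValue -Path $base -Name 'Deny_All'
    foreach ($label in $classes.Keys) {
        $key   = Join-Path $base $classes[$label]
        $read  = Test-PolicyValue -Path $key -Name 'Deny_Read'
        $write = Test-PolicyValue -Path $key -Name 'Deny_Write'
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Class     = $label
            DenyAll   = $denyAll
            DenyRead  = $read
            DenyWrite = $write
            # Compliant when both read and write are denied for the class.
            Compliant = $denyAll -or ($read -and $write)
        }
    }
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
```

Hosts that are intentionally exempt from the policy will report `Compliant = False`, so compare the results against your list of approved exceptions.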