MP-03 Media Labeling

Control: The organization: (i) affixes external labels to removable information system media and information system output indicating the distribution limitations, handling caveats and applicable security markings (if any) of the information; and (ii) exempts [Assignment: organization-defined list of media types or hardware components] from labeling so long as they remain within [Assignment: organization-defined protected environment].

Supplemental Guidance: An organizational assessment of risk guides the selection of media requiring labeling. Organizations document, in policy and procedures, the media requiring labeling and the specific measures taken to afford such protection. The rigor with which this control is applied is commensurate with the FIPS 199 security categorization of the information contained on the media. For example, labeling is not required for media containing information determined by the organization to be in the public domain or to be publicly releasable.

Control Enhancements: (0) None.

Baseline: LOW: Not Selected; MOD: Not Selected; HIGH: MP-3

Family: Media Protection

Class: Operational

ISO 17799 mapping: 7.2.2, 10.7.3, 10.8.2, 15.1.3

COBIT 4.1 mapping: DS11.6

PCI-DSS v2 mapping: 9.7, 12.3.4