Policy Maintenance: The Office of the Chief Information Security Officer shall be responsible for the maintenance of this policy.
Agencies may choose to add to this policy in order to enforce more restrictive internal policies as appropriate and necessary. Therefore, staff members are to refer to their agency's related policy, which may have additional information or clarification of this enterprise policy.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies that support and promote the effective application of information technology within the executive branch of state government, as well as information technology directions, standards, and necessary management processes to assure full compliance with those policies.
to be adhered to by all staff, including employees, contractors, consultants, temporaries, volunteers, vendors and other workers within the Executive Branch of state government.
Responsibility for Compliance: Each agency shall be responsible for assuring that appropriate staff members within their organizational authority are aware of the provisions of this policy, and that compliance by staff members is expected.
It shall be each Executive Cabinet’s responsibility to enforce this policy.
develop and enforce additional, more restrictive procedures; however, the minimum standards identified by this policy are required.
This policy will be reviewed at least every two
• Digital Media: Portable, removable storage media or device used to store information. (ex. magnetic tapes, desktops, laptops, hard drives, read-only memory, compact disks, network equipment)
• Non-digital Media: Hard copy or physical representation of information. (ex. paper copies, printouts, printer ribbons, drums,
Policy: The controls outlined in the following sections detail the measures that should be implemented to protect information that is stored on media, based on the classification of the information and regulatory requirements State, and Agency. See Enterprise Standard 4080: Data Classification Standard for more information.
Marking: Media shall be marked in accordance with regulatory requirements.
Transporting: During transport, media shall be protected and controlled outside of secured areas, and activities associated with the transport of such media shall be restricted to authorized personnel. Tracking methods shall be developed and deployed to ensure media reaches its intended destination.
is transmitted via e-mail or other electronic means, it must be sent
mechanisms. Please see
Information Technology Standard, for information concerning these requirements.
Storage: Media shall be physically controlled and securely stored in a manner that ensures that the media cannot be accessed by unauthorized individuals. This may require storing media in locked containers such as cabinets, drawers, rooms, or similar locations if unauthorized individuals have unescorted access to areas where sensitive information is stored.
Access Control: Only authorized individuals are permitted access to media containing State information. In addition to controlling physical access, user authentication will provide audit access
access must also comply with any applicable regulatory
requirements. Non-digital media should be hidden from the view of individuals who do not have authorization to access the information contained on or within
Media must be sanitized in accordance with the requirements defined in NIST Special Publication (SP) 800-88 Rev 1, Guidelines for Media Sanitization (or its successor), which defines the Clear, Purge, and Destroy sanitization methods; the method selected must be appropriate to the classification of the information the media holds, and sanitization must be verified and documented. Additionally, to ensure that only approved sanitization and destruction devices are used, Agencies shall also consult the National Security Agency/Central Security Service (NSA/CSS) Media Destruction Guidance.
Sanitization of Portable, Removable Storage Devices Prior to First Use: Portable, removable storage devices (e.g., thumb drives, flash drives, external storage devices) can be the source of malicious code insertions into information systems. These devices are obtained from numerous sources and can contain malicious code that can be readily transferred to an information system through USB ports or other ports of entry. For these reasons, sanitization of these devices is required prior to their initial use.
develop procedures to support
Logging and Accountability: Media must be logged throughout the media lifecycle, including creation, movement, and destruction, in accordance with applicable regulatory requirements. This media must be physically inventoried and accounted for or on a predetermined interval as defined within applicable regulatory requirements.