II.C.13(d)     Transit of Physical Media

Management should implement policies for maintaining the security of physical media (including backup tapes) containing sensitive information while in transit, including to off-site storage, or when shared with third parties. Policies should include the following:

  • Contractual requirements that incorporate necessary risk-based controls.
  • Restrictions on the carriers used.
  • Procedures to verify the identity of couriers.
  • Requirements for appropriate packaging to protect the media from damage.
  • Use of adequate encryption of sensitive information recorded on media that is being physically transported.
  • Tracking of shipments to provide early indications of loss or damage.
  • Security reviews or independent security reports of receiving companies.
  • Use of nondisclosure agreements for couriers and third parties.

