II.C.13(d) Transit of Physical Media
Management should implement policies for maintaining the security of physical media (including backup tapes) containing sensitive information while in transit, including to off-site storage, or when shared with third parties. Policies should include the following:
- Contractual requirements that incorporate necessary risk-based controls.
- Restrictions on the carriers used.
- Procedures to verify the identity of couriers.
- Requirements for appropriate packaging to protect the media from damage.
- Use of adequate encryption of sensitive information recorded on media that is being physically transported.
- Tracking of shipments to provide early indications of loss or damage.
- Security reviews or independent security reports of receiving companies.
- Use of nondisclosure agreements for couriers and third parties.
II.C.13(c) Disposal of Information
II.C.13(e) Rogue or Shadow IT