BACKGROUND
Digital information storage media use by public sector employees has grown significantly in recent years, e.g. through the availability of personal information storage and mobility devices such as USB flash drives, laptops/notebooks, tablets and smartphones, and the increasing popularity of bring-your-own-device arrangements.
Attributes such as ease of use, low cost and portability are accompanied by a number of information security concerns related to the lifecycle management of these devices. Consequently, agencies must be aware of the risks associated with the use of these devices in order to ensure adequate cyber security considerations are made.
This guideline assists agencies in appropriately protecting these assets when used by their employees and suppliers. This guideline supports implementation of ISMF Policy Statement 21.
GUIDANCE
Agencies are responsible for developing and implementing procedures and practices to maintain adequate protection of information contained on devices with embedded storage, as well as on dedicated portable storage devices such as USB keys, flash drives and the like. These procedures and practices will need to consider the classification (or value and sensitivity) of the information to be stored on the device(s), as determined by the organisation. ‘Acceptable Use’ policies and procedures implemented in an agency are the direct outcome of the findings of a business impact assessment against identified risks.
Agencies are responsible for developing and implementing procedures in accordance with the requirements of the:
Protective Security Management Framework [PSMF]
Information Security Management Framework [ISMF]
The predominant ISMF standards relating to equipment with information storage capabilities are ISMF Standards 59, 60, 101 and 131.
This guideline encompasses the development of practices and procedures for undertaking secure information management, recovery, sanitisation and/or disposal activities for storage devices and media.
ISMF Guideline 21
PRE-REQUISITE DOCUMENTS
The ISMF should be read in conjunction with this guideline. Implementing the guidance in this document may assist in meeting the requirements contained in the following ISMF Policy Statements:
ISMF Policy Statement 21 (Media handling and security)
ISMF Policy Statement 11 (Cessation or change of employment)
ISMF Policy Statement 30 (Mobility)
MEDIA MANAGEMENT AND HANDLING
Office equipment often contains media which can store information for an indeterminate period (e.g. electronic whiteboards, multi-function printers and USB flash drives). This convergence of technology makes security-related aspects of storage media handling increasingly complex.
This section provides guidance on important considerations for management of information storage media, especially when the media is used in conjunction with equipment that is kept or used away from a secured office environment.
Table 1 – Media management and handling

Applicability: All classifications

Guidance: Responsible Parties should define, document and implement formal processes and procedures, including approval authorities, for any activities related to the handling of digital storage media.
References: ISMF Standard 59

Guidance: Responsible Parties should classify media to the level that is commensurate with the highest sensitivity or classification of the data that is or will be stored on the media. Responsible Parties should consider the effect of aggregation of information at a lower sensitivity or classification (for example by storing it on a single type of media such as a portable hard drive or flash drive), which may result in an elevation of classification for that media.
References: ISMF Standard 11; ISMF Standard 56

Guidance: Responsible Parties should define and follow formal procedures for the identification of media that is or has the potential to be used to store sensitive or above information. A register of such media should be maintained and made available for review and auditing purposes.

Applicability: Sensitive and above

Guidance: Responsible Parties should label Portable Storage Devices with a marking corresponding to the sensitivity or classification applicable to the information on the media. Non-textual protective markings that conform to a documented labelling scheme may be used if operational security reasons are not conducive to the use of textual labels.
References: ISMF Standard 9; ISMF Standard 20

Guidance: Responsible Parties should classify any media that is connected to a system at the same level as the system, unless the media connection or use is otherwise restricted to read-only mode.

Guidance: Responsible Parties should protect information received from another Agency or other Australian jurisdiction according to the protective markings applied by the originating Agency or jurisdiction, regardless of media.
References: Media Handling section of the Australian Government ISM; ISMF Standard 19

Government guideline on cyber security
Media handling: Portable storage and electronic media v1.0
Page 2 of 5
SANITISATION OF MEDIA
When storage media is re-purposed or disused, consideration must be given to the process of removing any sensitive or classified information from the media (e.g. to reduce its classification level).
Residual digital data can remain intact, accessible or restorable even after a ‘format’ or ‘wipe’ of magnetic and optical media. This may lead to inadvertent disclosure of sensitive information should the storage media be used or released into an uncontrolled environment. The same is true of assets flagged for auction or general sale outside of government.
Table 2 – Sanitisation and disposal

Applicability: All classifications

Guidance: Responsible Parties should define, document and implement formal processes and procedures, including approval authorities, for any activities to sanitise any reused digital information storage media, or to destroy and dispose of any disused media, commensurate with the sensitivity of the information contained on the media.
References: ISMF Standard 60

Guidance: Responsible Parties should ensure that specified processes and procedures for sanitisation activities observe the requirements for the disposal of Official Records in accordance with section 23(1) of the State Records Act 1997.
References: ISMF Standard 45; ISMF Standard 60

Guidance: Responsible Parties should only undertake sanitisation and disposal activities using approved equipment, techniques and procedures, in alignment with the requirements described in the Media Security section (pages 135 to 151 of the Australian Government ISM).
References: Media Handling section of the Australian Government ISM

Guidance: Responsible Parties should track and document media sanitisation actions, and periodically review and verify sanitisation equipment/procedures for correct operation and performance.
References: Media Handling section of the Australian Government ISM

Applicability: Sensitive and above

Guidance: Responsible Parties should consider adhering to the guidance provided in the Australian Government ISM with respect to sanitisation and/or disposal of assets prior to reallocating returned equipment to other personnel or for other functions.
References: Media Handling section of the Australian Government ISM

Guidance: Responsible Parties should consider destroying digital media if sanitisation attempts fail, cannot be verified, are not cost effective, or if the media type is not suited to sanitisation.
References: ISMF Standard 45

Guidance: Third party suppliers engaged in sanitisation or disposal activities should be bound to the provisions of the ISMS by means of contractual conditions with respect to handling sensitive or security classified information.
References: ISMF Standard 14; ISMF Standard 23

Guidance: Responsible Parties should ensure that all personnel, including third-party providers, involved in digital media sanitisation and destruction hold security clearances commensurate with the sensitivity and classification of the information contained on the media.
References: ISMF Standard 14

Guidance: Responsible Parties should keep and manage logs and records pertaining to the sanitisation and disposal of information assets for review and audit purposes.
References: ISMF Standard 60
ADDITIONAL CONSIDERATIONS
The ‘need-to-know’ principle must be maintained. Personnel accessing or using official information and other information assets away from the office must treat those resources with the same level of care and discretion as if working in their usual environment. Particular care should be taken when communicating in public locations (see ISMF Standard 68).
Portable storage devices and mobility devices should not be connected to any official networks without approval. If approval for connection is given, then network authentication credentials should not be cached locally on the device.
Further information on this topic is available from the US National Institute of Standards and Technology (NIST) and the Australian Government Australian Signals Directorate (ASD).
This guideline does not aim to provide the reader with all of the responsibilities and obligations associated with media handling and security of storage devices. It is merely an overview of the information provided in applicable government cyber security policy, applicable governance frameworks and the resources and utilities available at the time of publication. It is highly recommended that agencies review these documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).
REFERENCES, LINKS & ADDITIONAL INFORMATION
1. OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF], Government of South Australia, Adelaide.
2. PC030 Government of South Australia Protective Security Management Framework [PSMF], Department of the Premier and Cabinet, Government of South Australia, Adelaide.
3. Australian Government Protective Security Policy Framework [PSPF], Attorney-General’s Department, Australian Government, Canberra.
4. Australian Government Information Security Manual 2013, Australian Signals Directorate, Australian Government, Canberra.
5. Guidelines for Media Sanitisation, National Institute of Standards and Technology (NIST).
ID: OCIO_G4.21
Classification/DLM: PUBLIC-I1-A1
Issued: February 2014
Authority: State Chief Information Security Officer
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\v3.2\ISMFguidelines\ISMFguideline21(media handling).docx
Records management: File Folder: 2011/15123/01 - Document number: 8348773
Managed & maintained by: Office of the Chief Information Officer
Author(s): Christian Bertram (CEA, MSIT), Enterprise Architect; Jason Caley (CISM, MACS (CP), IP3P, CRISC, CEA), Principal Policy Adviser
Reviewer: Jason Caley (CISM, MACS (CP), IP3P, CRISC, CEA), Principal Policy Adviser
Compliance: Discretionary
Next review date: February 2016
To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 21.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Copyright © South Australian Government, 2014.
Disclaimer