Marking media in an organization’s environment makes it possible to identify which media belongs in the environment and which does not. Malicious actors can use USB drives and other types of media devices to deliver malware to the environment. Marking all media ensures that all users can recognize whether a device belongs to the organization, and that a device that does not belong should be reported as suspicious.
When referencing the NIST media marking requirement, media includes digital and physical media. Some examples are USB storage, tape media, mobile system hard drives, and physical records. It is up to the organization to define which media should be labeled as sensitive.
Here is what should be labeled on your organization’s media:
- Whom the media can be distributed to
- How it should be handled, stored and managed
- Any indications of sensitivity
Some media may be exempt from media marking. Media might be exempt if it is stored in a locked data center or heavily controlled area. Keep in mind that if the media leaves the controlled area, it must be marked before it leaves. Any exemptions must be formally documented.