Media Protection

Overview

This updated standard is intended to align existing practices within the Office of Information Technology (OIT) around Media Protection controls with the requirements in NIST 800-171 (MP | 3.8.X) and with industry best practices. This document does not fully cover the 3.8.x controls within 800-171 due to existing limitations and other requirements that are specific to CUI.

This document covers:

  • Acceptable media handling methods
  • Encryption requirements
  • Prohibition on storing high-risk data on personal devices
  • Marking requirements

This document does not cover:

  • Procedures for handling media
  • Encryption deployment details or processes
  • Marking procedures

Policy Reference

APM 10.41 Surplus Property Inventory and Disposal Procedures

APM 20.13 University Communication Devices and Services

APM 30.11 University Data Classification and Standards

APM 30.12 Acceptable Use of Technology Resources

APM 30.14 Cyber Incident Reporting and Response

APM 30.16 Technology Hardware Lifecycle Management

Purpose

This Media Protection Standard supports APM 30.11 University Data Classification and Standards and other related university policies.

Scope

These Standards are the minimum baseline for all managed and unmanaged systems that access, store, or process University of Idaho data (see APM 30.14 C-6) or use University of Idaho technology resources (see APM 30.12 C-1) at the low, moderate, and high risk levels (see APM 30.11) and that are not covered by an approved System Security Plan.

Standards

Sanitize or destroy information system media before disposal or release for reuse as per APM 30.16 Section D-8.

  1. Any media must be sanitized prior to reuse or destroyed prior to disposal using an approved method.

    Applies to: Low/Moderate/High risk data.

    1. Hard Drives
      1. If the device cannot be reused, the device must be destroyed via the OIT drive crusher.
      2. Overwrite the data on the drive with a minimum of one pass of all zeros or per NIST 800-88.
      3. If supported, use one of the ATA Sanitize Device feature set commands.
      4. If supported, use the ATA Security feature set "SECURITY ERASE UNIT" command.
    2. Solid State Drives (SSDs)
      1. If the device cannot be reused, the device must be destroyed by Shred, Disintegrate, Pulverize, or Incinerate (burning the device in a licensed incinerator) as per NIST SP 800-88.
      2. If supported, use the ATA Security feature set "SECURITY ERASE UNIT" command.
      3. Use the ATA Sanitize command, if supported (block erase, cryptographic erase).
        1. High-risk and regulated data must use a FIPS 140 validated cryptographic module.
      4. For NVMe SSDs, if supported, use the NVM Express Format command.
      5. ActiveKill software is approved for disk erasure.
      6. Cryptographic Erase by issuing commands as necessary to cause all MEKs to be changed.
    3. Removable Media
      1. If the device cannot be reused, the device must be destroyed by Shred, Disintegrate, Pulverize, or Incinerate (burning the device in a licensed incinerator) as per NIST SP 800-88.
      2. Overwrite the data on the drive with two passes. (Non-solid-state media only)
        1. The first pass should use a fixed value, and the second pass its complement.
      3. Cryptographic Erase by issuing commands as necessary to cause all MEKs to be changed.
        1. High-risk and regulated data must use a FIPS 140 validated cryptographic module.
    4. Optical Media
      1. The device must be shredded via a shredder, or destroyed through a NIST SP 800-88 approved destruction service.
    5. Mobile devices
      1. If the device cannot be reused, does not support encryption, or has no factory wipe/erase function, the device must be destroyed by Shred, Disintegrate, Pulverize, or Incinerate (burning the device in a licensed incinerator) as per NIST SP 800-88.
      2. Manufacturer method of media sanitization such as, but not limited to, a factory reset or erase data function.
        1. The device must be encrypted prior to sanitization.
      3. For unmanaged personal devices, Microsoft app protection is considered sufficient.
        1. If an unmanaged application on a personal device is used to handle U of I data, the data or the device may be wiped by the university per APM 20.13.
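The overwrite rules above for magnetic media (one pass of zeros for hard drives in item 1.2; a fixed value followed by its complement for non-solid-state removable media in item 3.2) carried through as working code, with the read-back verification and the attestation record that the sanitization must later be evidenced by. This is an added example, not OIT's tooling: `passes_for`, `overwrite_media` and `make_sample_image` are names chosen here, and it runs against a constructed file-backed image rather than a real device.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per write/read

def passes_for(media, fixed=0x55):
    """Hard drives: one pass of zeros. Removable magnetic media: a fixed value, then its complement."""
    return [0x00] if media == "hdd" else [fixed & 0xFF, ~fixed & 0xFF]

def _fill(fd, size, value):
    """Overwrite every byte of the target with `value`, then flush to stable storage."""
    os.lseek(fd, 0, os.SEEK_SET)
    block = bytes([value]) * CHUNK
    remaining = size
    while remaining > 0:
        remaining -= os.write(fd, block[:min(CHUNK, remaining)])
    os.fsync(fd)

def _verify(fd, size, value):
    """Read the whole target back and confirm every byte equals `value`."""
    os.lseek(fd, 0, os.SEEK_SET)
    expected = bytes([value]) * CHUNK
    remaining = size
    while remaining > 0:
        chunk = os.read(fd, min(CHUNK, remaining))
        if not chunk or chunk != expected[:len(chunk)]:
            return False
        remaining -= len(chunk)
    return True

def overwrite_media(path, passes):
    """Run the passes in order, verify the last one, and return an attestation record."""
    fd = os.open(path, os.O_RDWR)  # regular file (safe to test) or block device (root; destroys it)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # valid for files and block devices alike
        for value in passes:
            _fill(fd, size, value)
        verified = _verify(fd, size, passes[-1])
    finally:
        os.close(fd)
    return {"target": path, "bytes": size,
            "passes": [f"0x{v:02x}" for v in passes], "verified": verified}

def make_sample_image(nbytes):
    """Constructed sample: a random-filled file standing in for a USB stick or small disk."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(nbytes))
    return path
```

Software overwrite is only what the standard prescribes for magnetic media; SSDs and NVMe devices use the firmware-level commands listed above, since an overwrite cannot reach remapped or over-provisioned flash blocks.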

  2. An appropriate attestation of either disposal or sanitization must be provided and updated within the IT asset management system.

    Applies to: Low/Moderate/High risk data.

    1. Certificate of destruction from an authorized application or vendor such as, but not limited to, the ActiveKill Erase certificate or the Iron Mountain certificate of destruction.
    2. Verification from OIT personnel of successful destruction via the drive crusher, recorded in a ticket associated with the asset.
    3. Verification from OIT personnel of successful completion of mobile device sanitization.

To ensure data is protected while stored on systems the following standards must be met:

  1. Workstations and laptops will be encrypted by default using BitLocker on Windows and FileVault on macOS.
    1. Workstations and laptops explicitly categorized for only low-risk data may be exempted without a formal risk exception.
    2. Encryption will be AES-256 or stronger unless otherwise approved by OIT Security.
  2. University data on mobile devices must use apps that are encrypted via the OIT Managed Microsoft Application Protection Policy.
  3. High-risk applications require that a system is encrypted prior to access, including mobile devices.
  4. High-risk data must be encrypted using OIT-managed encryption when stored on media including, but not limited to:
    1. System drives, such as hard disks and solid state drives.
    2. Removable media, such as USB drives or external drives.
  5. Systems that are housed within approved university data centers are exempt from this encryption requirement.

To ensure the confidentiality of data across networks the following standards must be met:

  1. Encryption is required for moderate- and high-risk application data.
    1. Authentication secrets such as passwords, API keys, or PSKs are considered high-risk.
  2. Regulated data must meet the encryption requirements of the applicable regulation.

Personal devices or devices otherwise not managed or approved by OIT must not be used to access, store, transmit, or process high-risk data.

Backups containing moderate- and high-risk data must be protected by current encryption standards or other approved safeguards.

To ensure data is handled appropriately, data and assets containing data must be marked appropriately.

  1. Regulated data, such as CUI, must also be marked as the applicable regulation requires.

    Applies to: Moderate/High risk data.

Other References

1. NIST SP800-171r2 (February 2020)

Unless otherwise noted, all referenced controls are from NIST 800-171r2.

2. NIST SP800-53r5 (September 2020)

3. NIST SP800-88r1 (September 2014)

4. Device Decommissioning and Media Sanitization Guide

5. TSP Surplus Process and Local Support

Definitions

1. Licensed incinerator

Organization licensed in terms of section 19 and 50 of the Waste Act or which in terms of section 80 of the Waste Act may continue to operate under a license issued under the Environmental Conservation Act (Act 73 of 1989).

2. Cryptographic Erase

"A method of Sanitization in which the Media Encryption Key (MEK) for the encrypted Target Data (or the Key Encryption Key, KEK) is sanitized, making recovery of the decrypted Target Data infeasible." (NIST SP 800-88)

3. Advanced Technology Attachment (ATA)

"Magnetic media interface specification. Also known as 'IDE', Integrated Drive Electronics." (NIST SP 800-88)

4. Non-Volatile Memory Express (NVMe)

An interface for non-volatile storage media in a system.

5. Media Encryption Key (MEK)

The cryptographic key used to encrypt the media.

6. Disposal

A method of release of media that is not intended to be reused by the university. This includes, but is not limited to, releasing media to a waste management service or releasing media to Surplus Property for disposal (APM 10.41).

7. Reuse

A method of release of media that is intended to be used for a new purpose or user by the university as defined by APM 30.16 section D-8.

8. Media

"Materials on which data are or may be recorded, such as paper, punched cards, magnetic tape, magnetic disks, solid state devices, or optical discs." (NIST SP 800-88)

9. Hard Drives

"A rigid magnetic disk fixed permanently within a drive unit and used for storing data. It may also be a removable cartridge containing one or more disks." (NIST SP 800-88)

10. Solid state drive (SSD)

“A Solid State Drive (SSD) is a storage device that uses solid-state memory to store persistent data.” (NIST SP 800-88)

11. Removable Media

“Portable data storage medium that can be added to or removed from a computing device or network.” (CMMC Glossary)

12. Optical Media

"Plastic discs read using an optical laser device." (NIST SP 800-88)

  1. Examples: CD, DVD, or Blu-ray.

13. Mobile devices

“A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable/removable data storage; and includes a self-contained power source.” (NIST SP 800-171)

Standard Owner

OIT Security is responsible for the content and management of these standards.

Request an exception to this standard.

Contact: oit-security@mpeaffiliate.com

Revision History

3/1/2024 - Minor update

  • Minor formatting/wording/reference changes.

6/23/2023 - Original standard

  • Full rewrite to align with NIST 800-171r2
