The purpose of this policy is to define the cybersecurity requirements related to storage media used at the Islamic University and to define the process for their secure disposal, in order to reduce cyber risks by focusing on the fundamental protection objectives of information confidentiality, integrity, and availability.
This policy has been aligned with the controls and standards issued by the National Cybersecurity Authority and the relevant regulatory and legislative requirements.
This policy applies to all information and technical assets of the Islamic University and to all personnel (employees and contractors) of the Islamic University.
The Islamic University must ensure control over the use of storage media devices used by personnel to store and transfer information within the university.
The Islamic University must define which materials are considered removable media and which of those media may be connected to an information system, device, or data storage and provisioning network, such as:
Magnetic media (such as hard disk drives and tapes).
Optical media (such as optical drives including CD-R, DVD-R, and Blu-ray discs).
Semiconductor media (such as solid-state drives (SSDs), flash memory drives, and fixed memory units).
The Islamic University must prohibit the use of removable media devices unless there is a work-related need that requires their use.
The Islamic University must establish and implement formal procedures for approving the use of removable media.
The Islamic University must physically control storage media devices and store them securely within the university.
The Islamic University must protect storage media devices until they are destroyed or sanitized using approved equipment, technologies, and procedures, in alignment with the Islamic University’s applicable secure disposal policy.
The Islamic University must restrict the use of external storage media and provide secure handling mechanisms for their use.
Access to the following storage media must be restricted in accordance with the Islamic University’s Asset Management Policy:
First type of storage media, such as backup tapes.
Second type of storage media as defined by the entity, such as server-based storage media.
Third type of storage media, such as network storage.
Distribution restrictions, handling warnings, and applicable security labels must be applied to storage media.
Dedicated personnel must be assigned to physically monitor storage media devices and store them in designated, monitored locations.
Storage media must be protected until destruction or sanitization using approved equipment authorization procedures. Procedures for handling media must be defined, along with approved protection techniques.
Storage media must be protected and monitored while being transported outside controlled areas.
Storage media must be tracked during transport outside controlled areas.
Activities related to the transport of storage media must be documented and limited to authorized personnel only.
The Islamic University must prepare, document, approve, circulate, implement, evaluate, and update policies and procedures for the secure transport of physical media.
The Islamic University must review and update policies and procedures related to the secure transport of physical media at least once annually.
The Islamic University must sanitize storage media before disposal, release from institutional control, or reuse, in accordance with the storage security standard and applicable organizational and regulatory policies.
Filtering and sanitization mechanisms with appropriate strength and integrity must be applied based on the data and its classification.
The Islamic University must prohibit the use of specific types of storage media defined by the university on university-owned equipment, using approved security protection procedures.