Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021
1. Purpose
This policy establishes the enterprise Media Protection Policy for managing risks from media access, media storage, media transport, and media protection through the establishment of an effective Media Protection program.
2. Authority
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District Workforce members performing official functions on behalf of the District, or any District agency/District/entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
4. Policy
All District agencies that fall under the authority of the Mayor of the District must protect and control electronic and physical data while at rest and in transit. District agencies will take appropriate safeguards to protect the District’s data and limit potential mishandling or loss while it is being stored, accessed, or transported. The District must assess any inadvertent or inappropriate data disclosure and/or use, which must be reported to the concerned agency’s Information Security Officer (ISO), Security Operations Center (SOC), and OCTO. All District agencies must develop their own Procedures or adopt OCTO Procedures that define requirements for the secure handling, transporting, and storing of media. The following requirements must be defined in the procedure.
4.1. Media Access
District agencies must restrict access to digital and non-digital media to authorized personnel using physical access controls and safeguards.
4.2. Media Marking
District agencies must:
- Mark information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.
- Exempt District agencies' confidential and sensitive information from marking if the media remain within designated agency's workspaces (such as agency HQ and Data Centers).
4.3. Media Storage
District agencies must:
- Physically control and securely store District information systems and restoration media within securely controlled areas and/or in a protective container, overseen by authorized personnel.
- Protect information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
4.4. Media Sanitization
District agencies must:
- Sanitize all information system media (both digital and non-digital) using approved equipment, techniques, and procedures before disposal, release out of organizational control, or release for reuse.
- Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
4.5. Media Use
District agencies must:
- Restrict the use of removable media on information systems unless required for system maintenance or other procedure (i.e., backing up or preparing data for delivery to external users).
- Encrypt all removable media used to store all District sensitive information.
5. Exemption
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definitions of the terms used in this document can be found on the Policy Definitions website.