Northeastern University Media Protection Standard
Related Policy: NU Information Security Policy, NU Configuration Management Standard
Responsible Office: Office of Information Security (OIS)
Purpose and Scope
Northeastern University is committed to securing its data and providing clear and concise guidance on protecting the many information technology (IT) systems we use. Given the widespread use and diversity of the types of IT systems employed within Northeastern University (NU), it is paramount that a technology-agnostic set of standards are in place and uniformly applied across all IT systems.
This standard establishes the minimum media protection criteria to carry out and meet the intent of the directives within Northeastern University’s Information Security Policy. This standard applies to all organizations (e.g., academic entities, entities other than Colleges and Departments, legally separate but wholly owned entities) of NU.
IT systems are considered in the scope of this standard if they utilize any of the following: Northeastern’s Network, ITS troubleshooting or administration, OIS incident response or investigation, or a Northeastern Microsoft account (e.g., @northeastern.edu).
Media Protection Overview
The Media Protection (MP) standard focuses on managing the risks of accessing, storing, transporting, and protecting media owned by NU. MP also directs the proper sanitization and destruction of media containing sensitive and proprietary data.
Roles and Responsibilities
The following high-level functional roles support the media protection processes for IT systems. In some cases, there may be more than one functional role associated with a specific process or task; similarly, more than one person may perform some roles. The following describe the roles and responsibilities associated with media protection within the IT system environment.
Chief Information Security Officer (CISO): Individual responsible for the overall NU information security program.
System Administrator: An organization or individual responsible for setting up and maintaining an IT system, appliance, or specific IT system elements. This role revolves around hands on management of the IT system, usually more technical in nature than the System Owner. They are also responsible for implementing approved secure baseline configurations, incorporating secure configuration settings for IT products, and conducting/assisting with configuration monitoring activities as needed.
Depending on the size of the IT system, these responsibilities can be split across multiple skill-based domains listed below. These domains can be managed by separate teams across NU depending on the skills necessary to carry out the listed responsibilities.
- Infrastructure: manages any servers that are not aligned to a specific skill-based domain listed below.
- Network: manages all hardware and IT systems related to managing network communications.
- Security: manages all IT systems that ensure and confirm security of the IT system environment. Sentinel, Defender, Tenable, Azure, Intune, Windows Cloud PC, etc.
- Desktop: manages the physical workstations and the software installed on them.
- Identity: manages IT systems that control identity-based access, like Entra ID.
System Owner: An individual or organization responsible for the development, procurement, integration, modification, operation, and maintenance, and/or final disposition of an IT system.
Also responsible for establishing, tracking, and maintaining the inventory of IT products and IT systems which process, transmit, or store sensitive information; to include hardware, software, and firmware. Depending on the size of the IT system, these responsibilities can be assigned to someone with a role closely aligned to that of an Asset Manager.
Also responsible for maintaining the appropriate operational security posture for an IT system or enclave and for ensuring the information assurance of a program or organization. Depending on the size of the IT system, these responsibilities can be assigned to someone with a role closely aligned to that of an Information System Security Officer (ISSO).
Standard
This standard is scoped primarily around a subset of the National Institute of Standards and Technology (NIST) 800-171 controls to protect the confidentiality, integrity, and availability of information. The related NIST controls have been tagged (e.g., 3.8.1) in the text below to identify where each listed responsibility inherits its requirements from.
As the media protection capability matures over time, additional controls may be considered to augment confidentiality and address the availability and integrity of information. Additionally, when implementing the criterion of this document, organizations may choose to implement stricter criteria; however, the criterion cannot be lessened without formal exception by the NU Chief Information Security Officer (CISO) as described in the Compliance section of this standard.
Protect and Control Media
(3.8.7) The NU Information Security Policy prohibits storage of NU data on unencrypted portable storage devices (i.e., removable media). Users are responsible for submitting an exception request to OIS for the use of removable media to store NU data.
(3.8.8) Portable storage devices that are not managed or controlled by the organization and/or do not have a specific and identifiable owner are prohibited from use on any IT system and must be turned over to the System Owner or System Administrator upon discovery.
(3.8.7) The System Administrator is responsible for configuring malicious code protection mechanisms on organizational IT systems to perform real-time scans of removable media for malicious content immediately upon their connection to approved IT systems. Any malicious content discovered during the scan is prevented from executing.
Sanitize Media
(3.8.3) All media, digital and non-digital, containing NU data, subject to disposal or reuse must be sanitized according to NIST SP 800-88. Ensuring media sanitization is a shared responsibility between the System Owner and the System Administrator. The System Owner is responsible for defining the methods by which digital media (e.g., diskettes, magnetic tapes, hard disk drives, solid state drives, flash drives, USB drives, CDs, DVDs) containing NU data are sanitized (e.g., purged, cryptographically erased) prior to its release for reuse.
Digital Media Sanitization
(3.8.3) The System Administrator is responsible for ensuring digital IT system media containing NU data is sanitized utilizing the method(s) defined by the System Owner.
When effective sanitization methods cannot be applied such that data recovery is not possible when the device is retired from operational use, the System Owner is responsible for defining the method by which digital media containing NU are destroyed in accordance with NIST SP 800-88.
The System Administrator is then responsible for ensuring digital media containing NU data is destroyed utilizing the method(s) defined by NIST 800-88.
Physical Media Sanitization
(3.8.3) The System Owner is also responsible for defining the method by which NU data contained on non-digital media (e.g., paper, microfilm, photographs) is removed or redacted prior to its release or reuse defined by NIST 800-88.
The user is responsible for ensuring NU data contained on non-digital media is removed or redacted utilizing the method defined by NIST 800-88.
Similarly, the System Owner is responsible for adhering to NIST 800-88 and ensuring non-digital media containing NU data is destroyed (e.g., cross-shredded, pulverized, disintegrated) when effective data removal or redaction methods cannot be applied such that data recovery is not possible in accordance with the NU Configuration Management Standard. The user is responsible for ensuring non-digital media containing NU data is destroyed utilizing the methods defied by NIST 800-88.
Protect Media During Transport
(3.8.6) Cryptography is required to protect media containing NU data. The System Owner is responsible for identifying and approving cryptographic mechanisms to ensure all encryption requirements are met. If encryption is not feasible, the System Owner is responsible for identifying alternative physical safeguards and requesting approval from OIS prior to their use.
Manage Backups
(3.8.9) The System Owner is responsible for defining authorized onsite and offsite storage locations and approved storage media (e.g., magnetic media, Networked Attached Storage [NAS], cloud) for backups. The System Administrator is responsible for encrypting backups using approved encryption methods.
Definitions
The following definitions have been derived from industry standard definitions provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary[1] and, where appropriate, tailored for NU’s IT environment.
Cryptographic Mechanism: Application, process, module, or device that provides a cryptographic service, such as confidentiality, integrity, source authentication, and access control (e.g., encryption and decryption, and digital signature generation and verification).
Destroy: A method of sanitization that renders data recovery infeasible resulting in the subsequent inability to use the media for storage of data.
Encryption: Any procedure used to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data.
Information Technology (IT) System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
IT: Computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit, or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software.
Organization: An entity of any size, complexity, or positioning within an organizational structure (e.g., school, department, lab, operational elements).
Portable Storage Device: An IT system component that can be inserted into and removed from a IT system, and that is used to store data or information (e.g., text, video, audio, image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, flash memory cards/drives that contain nonvolatile memory). The use of an unencrypted Portable Storage Device for information is prohibited.
Media: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (not including display media) onto which information is recorded, stored, or printed within an IT system.
Sanitize: Process to remove information from media such that data recovery is not possible. It includes removing all data classification labels, markings, and activity logs.
Compliance
This standard complies with the directives defined in the NU Information Security Policy. The university recognizes that on rare occasions there might be compelling reasons to consider allowing an organization to operate outside of the criterion defined in this standard, as derived from the NU Information Security Policy. To facilitate this consideration the System Owner must submit a petition for a risk-based policy exception in writing, including supporting rationale, and forward it to the NU CISO for review and approval. All approved risk-based policy exceptions must be formally documented by the NU CISO and indicate the exception duration (e.g., temporary, long-term). The NU CISO is responsible for disseminating and communicating all risk-based exception approvals and rescissions to the relevant stakeholders in a timely manner.
Change and Review Log
| Date | Description | Version | Editor |
|---|---|---|---|
| 1/6/2025 | Initial draft for stakeholder review | 0.1 | David Niles |
| 1/24/2025 | Manager review before stakeholder review | 0.2 | Brad Wing |
| 9/3/2025 | Final draft approved by CISO | 1.0 | Brad Wing |
Appendix A. Information Media Protection Standard Summary
The table below summarizes the NU IT system environment minimum criteria for enabling media protection capabilities within the NU IT system environments.
- The first column “NU Practice ID” identifies the related NU practice ID as defined in the NIST 800-171.
- The “NU Practice Statement” column includes the NU practices required to be met for that control.
- The third column, “Derived Requirement”, provides a description of the requirement derived from the high-level NU practice statement. Derived requirements were developed from analysis of the intent of the practice and the logical components required to satisfy the practice. In some instances, an NU practice statement may be derived into several requirements to be addressed to satisfy the NU practice.
- The final column, “NU IT system environment Criteria”, defines the minimum criteria (e.g., configurations, actions, responsibilities, practices, etc.) which the university will implement to satisfy the related NU practice.
| Northeastern University Practice ID | Northeastern University Practice Statement | Derived Requirement | Northeastern University IT System Environment Criteria (NU Practice Implementation) |
|---|---|---|---|
| 3.8.3 | Sanitize or destroy IT system media containing Federal Contract Information before disposal or release for reuse. | Sanitize Digital Media | The System Owner is responsible for: – Defining the methods by which digital media (e.g., diskettes, magnetic tapes, hard disk drives, solid state drives, flash drives, USB drives, CDs, DVDs) containing NU data are sanitized (e.g., purged, cryptographically erased) prior to its release for reuse. The System Administrator is responsible for: Ensuring digital IT system media containing NU data is sanitized utilizing the method(s) defined by the System Owner. |
| Destroy Digital Media | The System Owner is responsible for: – Defining the method by which digital media containing NU are destroyed in accordance with NIST SP 800-88. The System Administrator is responsible for: Ensuring digital media containing NU data is destroyed utilizing the method(s) defined by NIST 800-88. | ||
| Destroy Non-Digital Media | The System Owner is responsible for: – Defining the method by which NU data contained on non-digital media (e.g., paper, microfilm, photographs) is removed or redacted prior to its release or reuse defined by NIST 800-88. – Adhering to NIST 800-88 and ensuring non-digital media containing NU data is destroyed (e.g., cross-shredded, pulverized, disintegrated) when effective data removal or redaction methods cannot be applied such that data recovery is not possible in accordance with the NU Configuration Management Standard. The User is responsible for: – Ensuring NU data contained on non-digital media is removed or redacted utilizing the method defined by NIST 800-88. Ensuring non-digital media containing – NU data is destroyed utilizing the methods defied by NIST 800-88. | ||
| 3.8.7 | Control the use of removable media on IT system components. | Define Use | The Security Administrator is responsible for: – Configuring malicious code protection mechanisms on organizational IT systems to perform real-time scans of removable media for malicious content immediately upon their connection to approved IT systems. Any malicious content discovered during the scan is prevented from executing. The User is responsible for: – Ensuring NU data contained on non-digital media is removed or redacted utilizing the method defined by NIST 800-88. – Ensuring non-digital media containing NU data is destroyed utilizing the methods defied by NIST 800-88. |
| 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Define Use | The System Owner is responsible for: -Identifying and approving cryptographic mechanisms to ensure all encryption requirements are met. – Identifying alternative physical safeguards and requesting approval from OIS prior to their use if encryption is not feasible. |
| 3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of data stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Encrypt Media | The System Owner is responsible for: – Identifying and approving cryptographic mechanisms to ensure all encryption requirements are met. – Identifying alternative physical safeguards and requesting approval from OIS prior to their use if encryption is not feasible. |
| 3.8.9 | Protect the confidentiality of backup information at storage locations. | Define Storage Location | The System Owner is responsible for: -Identifying and approving cryptographic mechanisms to ensure all encryption requirements are met. -Identifying alternative physical safeguards and requesting approval from OIS prior to their use if encryption is not feasible. |
Appendix B. Media Protection References
The following list of references are common industry standards used to carry out the media protection criterion defined within this standard.
- NIST SP 800-88 Rev.1, Guidelines for Media Sanitization. https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
- NU, Encryption Methods and Protecting Data. https://service.northeastern.edu/tech?id=kb_article&sys_id=2047e4b91b8fa010112420a6624bcbd8#_ga=2.268806578.2142073269.1621537096-712560934.1551803088