Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification.
Topic
Classifying media
Applicable to
all
History
Priority
must not
Dec 2021
Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification.
Miscellaneous changes were made to rationale and security controls throughout the publication. This included:
• A review from the Using the Information Security Manual chapter through to the Guidelines for Media chapter.
• Security controls suitable for all audiences have been identified with the ‘All’ applicability marking while additional security controls suitable for just government audiences have been identified with the O, P, S and TS applicability markings.
• Security controls suitable for specific classifications have been amended to include their classification(s) in the wording of the security controls to reduce the reliance on applicability markings to confer suitability.
• Tables in security controls have been converted into prose to allow for inclusion in the SSP annex template and the XML list of security controls.
• The use of ‘official’ and ‘highly classified’ terminology has been replaced with specific classifications to remove ambiguity.
• Security controls relating to high assurance ICT equipment have had their applicability narrowed to ‘S, TS’ reflecting that they are intended for the protection of SECRET and TOP SECRET systems and data.
Apr 2021
Media is only used with systems that are authorised to process, store or communicate the sensitivity or classification of the media.
Security control 0337 was amended to clarify that it’s not necessarily the sensitivity or classification of information on media that determines what systems it can be connected to but the sensitivity or classification of the media itself, which may be higher than that of the information stored on the media depending on what systems it has previously been connected toandin what manner (e.g. whether those systems had mechanisms to ensure read-only access).
Mar 2021
Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it.
2015
Agencies must not use media with a system that is not accredited to process, store orcommunicate the information on the media.
2010
Agencies must not use media with a system that has a lower classification than the media.
2008
Agencies must not insert classified media into a system, or connect classified media to a system, that is not classified to at least the classification level of the media.