#1
We have been advised by our QSA that we must physically mark as confidential our back-up media that contains card data. We have reluctantly placed sticky labels on our tape cartridges (hundreds of them). Those tapes are handled by an automated tape library, and it will be a big problem if those labels come off inside the ATL. I am told that the labels have now started to peel off!
Can anyone tell me if the requirement is to classify the media physically, or will a classification on the system satisfy 9.7.1? Thanks.
#2
Have your data classification standard specify that all media (i.e., hard drives, tapes, CDs, DVDs, etc.) are classified, or whatever you have specified as your category for these items. If they are all considered classified and they are treated accordingly, then IMHO you have met the requirements in 9.7.1.
I have a serious problem with labeling things as "classified" or whatever, as that makes them an even bigger target than if they were not labeled. Besides, with today's tape library systems, there is no way an organization could know which tapes are to be considered classified and which are not, so call them all the same thing and move on. If everyone in your organization knows that they are classified and your off-site storage company knows they are classified, then all the people that need to know should know.
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc, 801 Nicollet Mall, 11th Floor, West Tower, Minneapolis, MN 55402-2526. 612 376 9280 - office, 612 395 7280 - facsimile, www.mcgladrey.com. The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc.
#3
And from the PCI SSC FAQ:
Do backup media containing cardholder data need to be physically labeled confidential? The objective of PCI DSS requirement 9.7.1, "classify the media so it can be identified as confidential," is to ensure that media is controlled and protected against inadvertent or unintentional exposure. There is no requirement to physically label media. Instead, companies must have processes to classify and identify all media containing cardholder data as "confidential" and to apply appropriate protection to that media. Companies can then rely on their processes for classifying and protecting that media, in essence treating it as confidential without the specific requirement to provide a physical label.
#4
Quote:
We decided to mark all cartridges with either "confidential data" or "highly confidential data" as "highly confidential data", since they are both handled more or less with the same secure methods by internal staff and the client's courier service. The other two classifications were "public" and "internal" and, again, we combined these two classifications into one, i.e. "internal", to simplify the handling and disposal of this portable media. Secondly, we contacted Data-Link Associates Inc. and were able to acquire special labels that were simple to pre-print and would not peel off during repeated use. These were DLT tapes/cartridges, but I expect they have sources for the supply of similar labels for other tape/cartridge types.
__________________
OJ Jonasson CMC
#5
Totally incorrect, jonassono, and you're even contradicting the official guidance given by the PCI SSC within their FAQ. See both jbhall56's and my previous posts.
#6
Quote:
Question: "Do backup media containing cardholder data need to be physically labeled as confidential?" In the body of the answer it further states: "There is no requirement to physically label media. Instead, companies must have processes to classify and identify all media containing cardholder data as 'confidential' and to apply appropriate protection to that media." After nearly 40 years in information technology, growing up with unit record equipment, followed by magnetic tape, followed by disk, minicomputers, mid-rangers, mainframes and supercomputers, statements such as these leave me at a total loss for words. I will abandon this thread to someone else with more patience and perseverance.
__________________
OJ Jonasson CMC
Last edited by jonassono; 03-19-2009 at 10:37 AM.