1. Purpose
The purpose of this Media Use & Handling Policy is to establish requirements for the secure use, storage, transfer, and disposal of all media that process, store, or convey Synoptix or customer data. By following these guidelines, Synoptix ensures that sensitive information remains protected throughout its lifecycle, minimizing the risk of unauthorized access, data leakage, or accidental exposure.
2. Scope
This policy applies to all forms of media in Synoptix’s operations, including:
- Digital Storage Media: Hard drives (HDDs), solid-state drives (SSDs), removable USB drives, external hard drives, optical discs (CDs/DVDs), and memory cards.
- Backup Media: Tape cartridges, backup appliances, and cloud-based snapshots that store customer or internal data.
- Printed Media: Physical documents, reports, and any paper-based materials containing Synoptix or customer information.
- Endpoint Devices: Company-issued laptops, desktops, tablets, and mobile devices that store or access confidential data.
- Other Physical Media: Any other physical medium (e.g., CDs/DVDs, printed maps, whiteboard snapshots) that may contain proprietary or customer data.
This policy applies to all Synoptix employees, contractors, interns, and approved partners who interact with Synoptix media.
3. Definitions
- Confidential Data: Any customer data, source code, credentials, PII, or proprietary Synoptix information stored or transmitted on media.
- Media Owner: The individual or role responsible for ensuring secure handling, storage, and disposal of a given piece of media (e.g., Infrastructure Manager for backup tapes, Department Manager for printed materials).
- Media Sanitization: The process of permanently removing data from storage media so that it cannot be recovered. Methods include secure wiping (cryptographic erase) or physical destruction.
- Backup Media: Any media used for data backups, including tapes, disks, or encrypted snapshots stored locally or in the cloud.
- Endpoint Device: A company-issued laptop, desktop, or mobile device that stores data locally and connects to Synoptix networks or cloud services.
- Removable Media: Media that can be physically removed from a device, such as USB drives, external HDDs/SSDs, or memory cards.
- Secure Disposal: The process of disposing of media so data cannot be recovered (e.g., shredding paper, degaussing or shredding drives).
4. Roles & Responsibilities
- Approve policy changes
- Provide resources for secure media handling and disposal
- Maintain and update this Media Use & Handling Policy
- Oversee compliance and training
- Coordinate secure disposal processes
Infrastructure & DBA Team
- Ensure backup media (tapes, disk snapshots) are encrypted at rest
- Manage secure off-site storage of backup media
- Track media lifecycle (from creation to secure destruction)
- Issue and track company-owned endpoint devices
- Enforce encryption and device-management policies on endpoints
- Provide guidance on safe media use (e.g., USB restrictions)
- Assign “Media Owners” for department-specific printed materials
- Ensure employees follow secure printing and disposal practices
- Track assigned media (e.g., backup tapes, encryption tokens)
- Ensure media is stored securely and disposed of per policy
All Employees & Contractors
- Use only company-approved media for storing Synoptix or customer data
- Follow encryption, labeling, and disposal guidelines
- Report lost or compromised media immediately
5. Classification & Handling Requirements
- Public Data: Non-sensitive information (e.g., marketing materials, publicly posted documentation). Handling guidelines are minimal: use any media, no encryption required.
- Internal/Proprietary Data: Synoptix internal documents, non-sensitive code, and internal procedures. Must be stored on encrypted media; controls apply primarily to ensure confidentiality within Synoptix.
- Confidential Data: Customer data, PII, source code, credentials, financial records. Requires the highest level of protection: encryption at rest and in transit, strict access controls, and secure disposal.
6. Endpoint Device Security
6.1 Device Encryption & Configuration
- Full-Disk Encryption:
- All new company-issued laptops and desktops (Windows or macOS) must have full-disk encryption enabled (e.g., BitLocker for Windows, FileVault for macOS) before being deployed to users.
- Secure Configuration:
- Default passwords or local administrator accounts must be disabled or renamed.
- USB ports and removable media access on endpoints are disabled by default; only approved, encrypted USB drives provided by the IT Support Team may be used.
- Automatic screen lock after 10 minutes of inactivity; password or biometric reauthentication required to unlock.
6.2 Lost or Stolen Devices
- Reporting:
- Any lost or stolen company-issued endpoint device must be reported immediately (within 1 hour) to IT Support and the InfoSec Program Lead.
- Remote Wipe & Recovery:
- IT Support initiates a remote wipe of the device via the device-management platform.
- If the device cannot be recovered, IT Support revokes associated credentials and issues a replacement device.
- Investigation & Notification:
- InfoSec Program Lead determines if any data breach occurred and notifies affected parties (e.g., customers affected by potential data exposure) within 48 hours of discovery.
7.1 Approved Removable Media
- Only Synoptix–issued, encrypted USB drives or external HDDs/SSDs are approved for storing or transferring Synoptix or customer data.
- All removable media must be pre-encrypted using company-approved encryption tools. Unencrypted personal USB drives or storage devices are prohibited.
7.2 Authorized Usage
- Data Transfer Procedures:
- Encrypt data on the removable media using the company encryption tool before data copy.
- Label device with unique asset tag, “Synoptix Confidential,” and “Encrypted.”
- Physically secure the device during transport (e.g., in a locked briefcase).
- Record details in the Removable Media Usage Log: Media ID, user, date, data description, destination.
- Return & Decommission:
- After data use is complete, removable media must be returned to IT Support.
- Media that no longer requires Confidential Data (e.g., single-use transfer) must be sanitized (see Section 9) or re-encrypted with blank content.
- IT Support inspects returned devices for malware before reissuing or decommissioning.
8.1 Backup Encryption & Storage
- Encryption:
- All backup media (disk snapshots, tape backups) must be encrypted at rest.
- Off-Site Storage:
- Daily backup tapes or encrypted disk snapshots are maintained at a secure, off-site storage facility managed by a third-party provider.
8.2 Backup Retention & Rotation
- Retention Period:
- Production Database Backups: Retained for 30 days on rotating media; older backups automatically deleted.
- Configuration & Source Code Backups: Retained for 90 days; archived off-site for potential audit or recovery.
9. Secure Disposal & Sanitization
9.1 Digital Media Sanitization
- Media Reuse:
- If a storage device (e.g., HDD, SSD, tape) is to be repurposed within Synoptix operations, it must undergo a full factory reset to ensure no residual data.
9.2 Printed Material Disposal
- Cross-Cut Shredding:
- All printed documents containing Confidential Data must be destroyed using a cross-cut shredder. Shredded materials are collected in locked bins and shredded by a certified document-destruction service.
- Secure Recycling:
- Shredded material is recycled through secure recycling channels; no shredded documents are placed in standard recycling without prior shredding.
9.3 Mobile Media & Device Returns
- Mobile Device Wipe:
- Company-issued mobile devices (e.g., tablets, smartphones) are subject to a factory reset and remote wipe via the mobile device management (MDM) system before reissuing or retirement.
- Confirm successful wipe in MDM logs; record in Endpoint Device Inventory.
- Peripheral Devices:
- Printers and copiers with hard drives (e.g., store queued print jobs) must have their internal storage securely wiped (according to manufacturer guidelines) when decommissioned or reassigned.
10.1 Internal Transportation
- Within Facility:
- Media transfers between offices (e.g., from main office to data center) must be conducted by authorized personnel.
11. Incident Reporting & Breach Response
11.1 Lost or Stolen Media
- Immediate Reporting:
- Any lost, stolen, or unaccounted-for media containing Confidential Data must be reported to IT Support and InfoSec Program Lead within 1 hour of discovery.
- Containment & Investigation:
- InfoSec Program Lead initiates an investigation to determine the scope of data exposure, including:
- Data classification on the missing media
- Potential risk to customers or Synoptix
- Likelihood of unauthorized access
- If necessary, initiate the Security Incident Response Program (Document V1.1) to notify affected customers within 48 hours.
11.2 Unauthorized Disclosure
- Reporting Procedure:
- If any employee or partner discovers that media has been mistakenly shared (e.g., wrong recipient, email attachment error), they must notify InfoSec Program Lead immediately, providing details of:
- What data was disclosed
- Recipient and distribution method
- Steps taken so far (e.g., recall email, notify recipient)
- Mitigation Steps:
- InfoSec Program Lead assesses impact and recommends further action (e.g., recall messages, rotate any affected credentials).
- If data exposure reaches customers’ PII, InfoSec Program Lead triggers the Security Incident Response Program for notifications.
- Information Security Program (Document V1.0)
- Security Incident Response Program (Document V1.1)
- Access Control Policy (Document V1.0)
- Privacy Policy (customer-facing)
- Acceptable Use Policy (employee-facing, outlines acceptable use of company resources)
13. Revision History
Initial creation, reflecting Synoptix’s secure media practices.
Synoptix InfoSec Program Lead