OUHSC Information Technology Department


Home  |  Online Help  |  Policies  |  Forms  |  Tier Ones

Transportation of Media Policy:

Supporting documents: Full policy Adobe PDF File

Data and information system resource owners must govern the receipt, transfer and removal of electronic media which contain sensitive data.

Sensitive data located on information system resources or electronic media must be protected against theft and unauthorized access. Sensitive data must be consistently protected and managed through its entire life cycle, from origination to destruction.

Information system resources and electronic media for which this policy applies include, but are not limited to, computers (servers, desktops and portable computing devices (PCD)), floppy disks, backup tapes, CD-ROMs, zip drives, portable hard drives and USB storage devices with stored sensitive data.

All electronic media that contains sensitive data must be clearly marked during transport and should have a tracking number associated with it.

There must be a formal, documented process that ensures consistent control of all electronic media and information system resources containing sensitive data while in transport.  At a minimum this process must ensure the following:

  • Sensitive data in transport is encrypted when warranted/feasible
  • An exact copy of sensitive data is maintained in case of loss or damage
  • A complete Record of Transport including:
    1. What was transported
    2. When was it transported and where was its final destination
    3. Why was it transported
    4. Who handled it during transport
    5. When did it arrive at its final destination
    6. What was its condition
    7. Frequency of transport (For PCDs only)

For PCDs in which the transportation of sensitive data will be a regular or cyclical (more than twice per year) occurrence, a single transport record will meet the above requirement for “record of transport” for each.  Each time one of the parameters within the “record of transport” changes, a new record will be required.

At least annually, an organization-wide inventory to identify all electronic media which contain sensitive data must be performed.  Inventory results must be documented and stored in a secure manner.