Episode 51 — A.7.9–7.10 — Off-premises assets; Storage media

A.7.9 requires controls for assets used off-premises, recognizing that laptops, tablets, phones, developer kits, and even lab equipment are exposed to theft, loss, and uncontrolled networks when outside secure facilities. For the exam, emphasize baseline safeguards: full-disk encryption with centrally managed keys, strong authentication with MFA, hardened configurations, automatic screen lock, and remote-wipe capabilities. Policies should define acceptable locations, physical custody expectations, airline and hotel handling, and restrictions on storing sensitive data locally. Asset registers must track ownership, serial numbers, and lifecycle state so that off-site devices remain visible to governance. Candidates should connect these measures to incident reporting and classification rules: if a device is lost, the organization must rapidly assess data exposure, execute containment steps, and document decisions for audit and, where applicable, breach notification.

A.7.10 governs storage media—removable drives, external SSDs, tapes, optical discs, and any media embedded in devices—across acquisition, use, transport, reuse, and disposal. Controls include encryption at rest, tamper-evident transport, custody logs, and secure erasure using approved methods, with destruction documented when reuse is not possible. Pitfalls include untracked USB usage, ad hoc transfers to personal drives, and returning leased equipment without verified sanitization. Effective programs implement media control zones, disable unauthorized ports, and utilize vaulting for high-value backups with chain-of-custody. Auditors will sample destruction certificates, sanitization logs, and device return records, checking that actions match classification and retention policies. Candidates should be ready to explain how off-premises and media controls intersect—such as using encrypted, tagged drives for field operations—and how evidence demonstrates that portability does not compromise confidentiality, integrity, or availability. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.