Withdrawn ASTM E2674-09
Standard Practice for Assessment of Impact of Mobile Data Storage Device (MDSD) Loss (Withdrawn 2015)
Publication date: 2009-02-01
Withdrawal date: 2015-01-09
1.1 This practice describes a methodology for assessing and quantifying the impact of the loss of mobile data storage devices (MDSDs), for example, thumb drives, auxiliary hard drives, and other property containing personally identifiable information or other entity sensitive information.

1.2 This practice is based on two concepts:

1.2.1 Identifying the MDSDs that pose the greatest risk to the organization based on both the information that is stored on them and the location in which they are used, and

1.2.2 Determining the impact of the potential loss of specific MDSDs. In general, this impact assessment is best practiced as a part of a larger risk management process. While this practice does not address this larger topic, it may inform other risk management standards.

1.3 This practice is intended to be applicable and appropriate for all asset-holding entities.

1.4 In accordance with the provisions of Practice E 2279, this practice clarifies and enables effective and efficient control and tracking of equipment.

1.5 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety and health practices and determine the applicability of regulatory limitations prior to use.

====== Significance And Use ======

This practice establishes a standard impact assessment methodology to enable entities to uniformly ascertain and communicate impact levels associated with the potential loss of MDSDs.

This practice is not intended to prescribe specific information security policies for entities or organizations.

This practice assumes that individuals and entities are following all relevant information security policies as required by federal or state law, the terms of applicable government contracts, specific agency policies such as the National Industrial Security Program Operating Manual (NISPOM), and entity-specific policies.

This practice assumes, but does not require, that entities have devised and are maintaining a system of internal controls over MDSDs in accordance with the section on Management of Property of Practice E 2279.

This practice assumes, but does not require, that the results of this impact assessment will inform future actions and help entities determine cost-effective property control measures for MDSDs commensurate with the potential consequences of their loss in accordance with the section on Management of Property of Practice E 2279.

This practice encourages an inclusive understanding and communication of the risk associated with MDSDs and, by assigning a rating to the impact of loss, enables comparisons on this basis to other MDSDs rated using the same practice.

This practice is intended to foster and enable additional standard practices related to or based on these terms and concepts.
Development information
Responsible committee: E53.02