IT Baseline Protection Manual S 2.3 Data media control

S 2.3 Data media control

Initiation responsibility: Head of IT section

Implementation responsibility: Archive keeper; IT procedures officer

The role of data media control, as part of resource management, is to ensure access to data media to the necessary extent and within a reasonable period of time. This calls for well-regulated management of data media, including the requirement for consistent labelling and keeping of inventories. Moreover, as part of data media control, proper handling and safe keeping of data media, their orderly use and transport and, finally, deletion and/or destruction of data media must be ensured.

Inventories provide for quick and specific access to data media. Inventories give information on: the storage location, the retention period, authorised users.

The outer marking of data media provides for their quick identification. However, to discourage any misuse, the marking should not provide any clues as to the contents (e.g. a magnetic tape should not be marked with the index word "telephone charges"). A predefined structure of identification characteristics (e.g. date, filing structure, serial number) will facilitate integration within inventories.

For proper handling of data media the information usually provided by manufacturers on the packaging is to be consulted. As regards safe keeping of data media, the required measures refer both to storage (protection against magnetic fields and dust; air-conditioning protection) and to the prevention of unauthorised access (suitable containers, cabinets, rooms).

Mailing or transport of data media must be carried out in a way which precludes damage to the data media to the extent possible (e.g. mailers for magnetic tapes, padded envelopes). Packaging of data media must be based on the protective requirements of the given media (e.g. lockable conveyance containers). Provisions must be laid down with regard to the types of dispatch or transport (e.g. transportation by courier) as well as in respect of accountability procedures for the mailing/transport of items (e.g. waybill, shipping note) and their arrival at the place of destination (e.g. receipts). The data medium must not contain any "remaining data" other than the data which is to be sent. This can be achieved by physical deletion. In the event that the necessary tools are not available, the data medium must at least be formatted. It should also be ensured that the formatting command cannot be undone with the operating system used. Before relevant data media are handed over, backups should also be made. Chapter 7.1 Exchange of Data Media contains further information on the dispatch and transport of data media.

In the event that data media are to be passed on internally, certain steps can be taken, such as the introduction of a receipt system, a collection entitlement procedure, and keeping inventories concerning the location of data media.

If data media provided by third parties are used, provisions must be made with regard to their handling before use. If, for instance, data for PCs are conveyed, a computer virus check of the data medium should be made as a general rule. The same should be done before first use of new data media. It is advisable to make a computer virus check of data media both at the time of receipt and before dispatching.

A regulated procedure for the deletion or destruction of data media will prevent misuse of stored data. Before reusing data media, the stored data have to be deleted; see S 2.167 Secure deletion of data media.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999