IT Baseline Protection Manual S 2.45 Controlling the exchange of data media
S 2.45 Controlling the exchange of data media
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT users, Mailroom
If data media are to be exchanged between two or more communication partners, the following items should be observed to ensure proper exchange:
Addressing must be clear so as to preclude incorrect delivery. In this context, the recipient's name should be supplemented by the relevant department and the precise designation of the agency/company. The same applies to the address of the sender.
The data medium should be accompanied by a slip containing the following information (optional):
Sender
Recipient
Type of data medium
Serial number (if present)
Identification of the contents of the data medium
The date of dispatch and, if applicable, the latest date by which the storage medium should reach the recipient
A note that the data medium has been scanned for viruses
Parameters required for reading the information, e.g. tape speed
The following items should not be indicated:
Passwords allocated to classified information
Encryption keys used for encrypting information
Contents of the data medium
The dispatch of the data medium can be documented optionally. In this case, every file transfer, together with the contents and recipient of the information, is registered in a log. Depending on the protection requirement or importance of the transferred information, its receipt should be acknowledged and an acknowledgement statement added to the aforementioned record.
Persons responsible for dispatch and receipt should be designated
The type of dispatch is to be specified
Additional controls:
Do regulations on the procedure of exchanging data media exist?
Are the persons responsible for the exchange of data media sufficiently aware of the potential threats involved?