S 2.45 Controlling the exchange of data media

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT users, Mailroom

If data media are to be exchanged between two or more communication partners, the following items should be observed to ensure proper exchange:

• Addressing must be clear so as to preclude incorrect delivery. In this context, the recipient's name should be supplemented by the relevant department and the precise designation of the agency/company. The same applies to the address of the sender.

• The data medium should be accompanied by a slip containing the following information (optional):

• Sender

• Recipient

• Type of data medium

• Serial number (if present)

• Identification of the contents of the data medium

• The date of dispatch and, if applicable, the latest date by which the storage medium should reach the recipient

• A note that the data medium has been scanned for viruses

• Parameters required for reading the information, e.g. tape speed

The following items should not be indicated:

• Passwords allocated to classified information

• Encryption keys used for encrypting information

• Contents of the data medium

• The dispatch of the data medium can be documented optionally. In this case, every file transfer, together with the contents and recipient of the information, is registered in a log. Depending on the protection requirement or importance of the transferred information, its receipt should be acknowledged and an acknowledgement statement added to the aforementioned record.

• Persons responsible for dispatch and receipt should be designated

• The type of dispatch is to be specified

Additional controls:

• Do regulations on the procedure of exchanging data media exist?

• Are the persons responsible for the exchange of data media sufficiently aware of the potential threats involved?