Appendix P
which are mission critical. They are used to restore data on a regular basis and when a disaster occurs. A limited number of people should have access to backup tapes. To further control the tapes, access should be logged. Access control should be used for different media based on the associated risk.
Risk: The risk associated with not limiting access to media is that almost anyone will be able to access media containing potentially sensitive information. This can lead to unauthorized access to sensitive information.
Client Response:
9. How is computer-related media stored? Is it stored according to manufacturers’ specifications? Is someone responsible for the proper storage of computer-related media?
Guidance: To ensure that computer-related media is adequately preserved, someone should be responsible for it. It should be stored according to manufacturers’ specifications for the different types of media. In addition, someone’s responsibilities should include the storage of media (similar to the concept of ownership in other areas of security).
Risk: The risk associated with not storing media according to manufacturers’ specifications is that the media might not last or might lose critical information that resides on it.
Client Response:
10. Are all media containing information appropriately labeled?
Guidance: All media should be appropriately labeled to ensure that information on the media can be located and that the media receives the appropriate level of security. Labeling also helps ensure that the company data classification and data retention procedures are followed. In addition, labeling makes it easier to find information. One of the issues you might notice is that media is not properly labeled, but one or two people know what all the media contains. In this case, the company is at risk if those people leave. Labeling should follow a standard naming convention, making it easy for anyone to find what he or she needs.
Risk: The risk associated with not having good labeling processes is that data might not receive the right level of security, and in the event that data
AU1706_book.fm Page 419 Wednesday, July 28, 2004 11:06 AM