415
Appendix P
Media Handling
As part of most business processes, information is generated and stored on many
different types of media including paper documents, computer media (e.g., tapes,
compact discs, floppy disks) and others. Much of the information being stored on
paper and electronically is critical and can include (among others):
Mission-critical data
Financial information
Operational data
Sensitive information
Personnel files
Other questionnaires have covered different aspects of security as it relates to
the examples listed above in areas such as backup and recovery and physical security.
One aspect of securing this information that has not been covered in any detail is
the protection of the media where the information is stored, which is the content of
this questionnaire.
The questions below are primarily based on the International Standards Organization (ISO) 17799 information security standard for media handling. The key areas addressed in media handling include:
Media management
Media disposal
Media in transit
The questions below are a starting point in discussing security related to media
handling. Other questions should be added based on the client’s specific business.
GENERAL
1. Is there a documented policy for media handling?
Guidance:
A security policy to communicate management’s position on
media handling should exist. The policy should outline high-level roles
and responsibilities and the requirements as they relate to media handling.
AU1706_book.fm Page 415 Wednesday, July 28, 2004 11:06 AM
416
A Practical Guide to Security Assessments
The policy should be easily accessible to employees so they can refer to it as
necessary. The policy also helps in enforcing good media handling practices.
Risk:
The risks associated with not having a policy for media handling
include:
Employees will not be aware of the company’s media handling requirements and the related roles and responsibilities.
It is difficult to enforce good media handling practices without an official policy.
Client Response:
2. Are there any procedures for media handling?
Guidance:
The procedures for media handling are the step-by-step processes for different media handling scenarios that achieve compliance with the media handling security policy. Examples of scenarios include disposing of media and the use of couriers in sending media. Depending on the associated risk and complexity of the process, it might be appropriate to have documented procedures. Procedures are useful for two reasons. First, when new employees have to learn the process, the documented procedures can facilitate this learning. Second, a documented procedure helps ensure that the process is being performed consistently.
Risk:
The risks associated with not having documented procedures include:
Processes being performed inconsistently.
Lack of process knowledge if employee turnover occurs; if the media handling processes are not documented and are only known by certain employees and they leave, no one has a good idea of how the media handling processes work.
Client Response:
3. Does the organization have a data classification and retention policy that
is enforced?
Guidance:
One of the dependencies for media handling is data classification and retention. Not all data requires the same level of security as it relates to media handling. The appropriate security level is driven by the data classification and retention standards. If data is not classified and if no retention policy exists, it is difficult to determine the level of media handling security required.
Risk:
If there is no data classification or retention policy, a risk exists that
media handling controls will not be commensurate with the criticality of
the information on the media.
Client Response:
4. Identify the different types of media (paper, computer related, etc.), what
information is on them, and the associated criticality.
Guidance:
The purpose of this question is to understand what media there are, what type of information is on the media, how important the information is, and the potential impact if a related security compromise occurs. Based on this question, you should have a high-level idea of the risk associated with media handling and how detailed the review of media handling should be.
Risk:
Not applicable. The purpose of this question is to help determine the
scope of the media handling activity.
Client Response:
5. Have any security incidents related to media handling occurred?
Guidance:
Any history of security incidents is important as it might indicate a potential security weakness worth investigating. It is also useful to know what steps management took to address the security breach — i.e., reacting to the incident and taking specific steps to ensure that similar security incidents are prevented in the future. If the cause of the security incident has not been addressed, it may lead to security findings.
Risk:
Not applicable. The purpose of this question is to determine whether
there were any past security incidents and to obtain related information as
outlined in the question.
Client Response:
MEDIA MANAGEMENT
6. With reusable media, are contents properly erased prior to reuse?
Guidance:
Reusable media should have information thoroughly erased prior to reuse. The standard for erasing (e.g., number of times information is overwritten) depends on the media. Specific steps should be taken to ensure that the contents are properly erased. This information, regarding specific steps, should be available from the media vendor or on security Web sites on the Internet.
Risk:
If information is not properly erased, a risk exists of unauthorized
access to potentially sensitive information if it can be recovered. If the
media is reused in the same department, minimal risk exists.
Client Response:
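As an added illustration of the "specific steps" the guidance refers to (example code, not from the book): a Python routine that overwrites a file in place and reads it back to confirm the final pass took. It assumes media where a file-level overwrite actually reaches the stored bits (no wear-levelling or sector remapping); for other media the vendor's own sanitize mechanism is the right tool, as the guidance says.

```python
import os
import secrets
import tempfile

# Assumption: the file sits on media where overwriting in place reaches the
# physical storage; this is not true of SSDs or remapped sectors.
CHUNK = 64 * 1024  # write and read in 64 KiB blocks

def overwrite_file(path, passes=2):
    """Overwrite the file in place: random data on every pass but the last,
    zeros on the last pass so the result can be verified. Returns bytes per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                block = b"\x00" * n if p == passes - 1 else secrets.token_bytes(n)
                remaining -= f.write(block)
            f.flush()
            os.fsync(f.fileno())  # push each pass to the device, not just the page cache
    return size

def verify_zeroed(path):
    """Read the file back and confirm every byte is zero (the last-pass pattern)."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False

def sanitize(path, passes=2):
    """Overwrite then verify; returns (bytes_written_per_pass, verified)."""
    return overwrite_file(path, passes), verify_zeroed(path)

def demo(size=4096):
    """Constructed sample: a throwaway file of `size` random bytes, sanitized."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secrets.token_bytes(size))
        return sanitize(path)
    finally:
        os.remove(path)
```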
7. Is there an audit trail of personnel handling media with critical information (e.g., backup tapes, other stored information)?
Guidance:
An audit trail of who handles media should be maintained. If a
security breach occurs, the audit trail is instrumental in determining who
might be responsible. A documented audit trail promotes accountability as
it relates to handling media (e.g., tapes). The information should include
who took the media, when they took it, for what purpose they took it, and
when it was returned.
Risk:
The risk associated with not having an audit trail is a lack of knowledge about who handled the media, when it was taken out, and for what purpose. If a security breach occurs, little information about who handled the media is available. Consequently, there is no accountability, and it is difficult to investigate security incidents.
Client Response:
8. Are there controls limiting access to media so that only those who require
access to it to do their jobs have it?
Guidance:
As in other areas of the company, access to resources such as media should be limited to those who need it to perform their jobs. One critical area where this should be strictly followed is for those backup tapes which are mission critical. They are used to restore data on a regular basis and when a disaster occurs. A limited number of people should have access to backup tapes. To further control the tapes, access should be logged. Access control should be used for different media based on the associated risk.
Risk:
The risk associated with not limiting access to media is that almost anyone will be able to access media containing potentially sensitive information. This can lead to unauthorized access to sensitive information.
Client Response:
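An added example, not from the book, covering both the audit-trail fields in question 7 (who took the media, when, for what purpose, and when it was returned) and the limited, logged access in question 8: a Python review of a constructed custody log that flags handlers outside the authorized list, checkouts with no purpose recorded, returns that match no checkout, and tapes still out past a threshold. The log format, names and authorized list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample custody log (not from the book). One event per line:
# timestamp, OUT or IN, media label, handler, optional free-text purpose.
SAMPLE_LOG = """\
2024-03-04T09:15 OUT tape-0042 jdoe restore test for finance server
2024-03-04T17:40 IN tape-0042 jdoe
2024-03-05T08:05 OUT tape-0017 asmith offsite rotation
2024-03-06T10:30 OUT tape-0099 tjones curiosity
2024-03-06T11:00 IN tape-0099 tjones
2024-03-06T12:00 IN tape-0001 jdoe
"""
# Assumed list of people allowed to handle backup tapes.
AUTHORIZED = {"jdoe", "asmith"}

def parse_log(text):
    """Return (timestamp, kind, media, who, purpose) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 4 or parts[1] not in ("OUT", "IN"):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M")
        purpose = parts[4] if len(parts) == 5 else ""
        events.append((ts, parts[1], parts[2], parts[3], purpose))
    return events

def review(text, authorized, now, max_out=timedelta(days=1)):
    """Flag unauthorized handlers, missing purposes, unmatched returns, media still out."""
    findings, open_out = [], {}
    for ts, kind, media, who, purpose in parse_log(text):
        if kind == "OUT":
            if who not in authorized:
                findings.append(f"unauthorized: {who} took {media} at {ts:%Y-%m-%d %H:%M}")
            if not purpose:
                findings.append(f"no purpose recorded: {media} taken by {who}")
            open_out[media] = (who, ts)
        elif open_out.pop(media, None) is None:
            findings.append(f"return without checkout: {media} by {who}")
    for media, (who, ts) in open_out.items():
        tag = "overdue" if now - ts > max_out else "still out"
        findings.append(f"{tag}: {media} with {who} since {ts:%Y-%m-%d %H:%M}")
    return findings

def demo():
    """Run the review over the constructed log as of an assumed review time."""
    return review(SAMPLE_LOG, AUTHORIZED, now=datetime(2024, 3, 7, 9, 0))
```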
9. How is computer-related media stored? Is it stored according to manufacturers’ specifications? Is someone responsible for the proper storage of computer-related media?
Guidance:
To ensure that computer-related media is adequately preserved, someone should be responsible for it. It should be stored according to manufacturers’ specifications for the different types of media. In addition, someone’s responsibilities should include the storage of media (similar to the concept of ownership in other areas of security).
Risk:
The risk associated with not storing media according to manufacturers’ specifications is that the media might not last or might lose critical information that resides on it.
Client Response:
10. Are all media containing information appropriately labeled?
Guidance:
All media should be appropriately labeled to ensure that information on the media can be located and that the media receives the appropriate level of security. Labeling also helps ensure that the company data classification and data retention procedures are followed. In addition, labeling also makes it easier to find information. One of the issues you might notice is that media is not properly labeled, but one or two people know what all the media contains. In this case, the company is at risk if they leave. Labeling should follow a standard naming convention, making it easy for anyone to find what he or she needs.
Risk:
The risk associated with not having good labeling processes is that
data might not receive the right level of security, and in the event that data