10.13 Production Input/Output Controls

Copyright(c), 1995 - Management Analytics - All Rights Reserved

Policies and procedures will be established to protect sensitive information from either accidental, unauthorized or intentional modification, destruction or disclosure during input, processing or output operations.

The handling of sensitive input data will be limited to properly screened persons, and will be controlled by formal procedures which will provide an audit trail of the data as it passes from person to person or point to point in the process. The audit trail must assure personal accountability from initial receipt to distribution or destruction of the final products.

Procedures must be established to ensure that only authorized users pick up or deliver sensitive input and output data and media. Procedures for sensitive information should include such controls as signed receipts, registered mail and locked or monitored user "boxes".

Printouts, containers, tape reels, disk packs, floppy disks and similar data storage media should be clearly identified as to contents and sensitivity. The purpose of this is to prevent accidental release for reuse, inadvertent disclosure of sensitive information and to notify the users of the need for continuous protection. Classified information should be labeled and protected as specified in the "DOC National Security Information Manual."

Subject to the capabilities of the system, inadvertent destruction (e.g., overwriting) should be prevented by the use of "write protect" rings, internal labels, floppy disk tabs or similar safeguards. Operator instructions for each application should clearly specify the actions to be taken in the event of inadvertent damage or destruction, as well as incidents which cause physical damages to the media.

All sensitive and/or critical data stored on media such as magnetic tape, disk, and similar devices, should be stored and controlled in the media library when not required for processing. Only authorized and properly screened individuals will be allowed entry to the library. Controls should be in place to assure that these individuals can be held accountable for data resources under their control. In addition to the library, sensitive data may only be stored in an authorized, secure off-site location or temporarily in the computer area during processing. Procedural instructions, inventories and audit trails will be implemented to assure that these controls are in place and are effective. If a media library is not justified, as in the case of a PC, the sensitive diskettes and tapes should be stored in a locked safe or cabinet with all other controls in place.

Section 10.19 of this document and Section 19 of the "DOC IT Security Manual" describe the approved methods of clearing and/or declassifying storage media which has been used for classified national security information. Sensitive, but unclassified data will be handled as follows:

• 1. Using "delete" or "erase" features usually do not remove the data from the media, and does not assure that the data cannot be retrieved by more sophisticated devices. This process can be used when the media is to remain under control of the original data owner, and will be subsequently used to store or process information of the same or lower sensitivity. It is important to note that "delete" routines that only remove pointers and leave the data intact are not acceptable methods for clearing sensitive data if the media is to be released outside of the original data owner's control.
• 2. If the media containing sensitive information is to be released outside the original owner's control or is to be used for non-sensitive data and will not be in a controlled environment, it should be cleared by overwriting each memory location, register and other circuity used for storing sensitive information before it is reused. Afterwards, verify that all appropriate memory locations have been cleared. Section 13 of the "DOC IT Security Manual" contains specific guidance for clearing and overwriting sensitive data.