7.1 Exchange of data media

Description

The exchange of data media for data transfer between non-networked IT systems is considered here. The data media dealt with include floppy disks, removable hard disks (magnetic, magneto-optical), CDs, magnetic tape and cassettes. Furthermore, the storage of data on the transmission and reception system is taken into account. Handling of the data media before and after dispatch is also described.

Threat Scenario

The following typical threats are assumed for the exchange of data media as part of IT baseline protection:

Force Majeure:

• T 1.7 Inadmissible temperature and humidity
• T 1.8 Dust, soiling
• T 1.9 Loss of data due to intensive magnetic fields

Organisational Shortcomings:

• T 2.3 A lack of compatible, or unsuitable, resources
• T 2.10 Data media are not available when required
• T 2.17 Inadequate labelling of data media
• T 2.18 Improper delivery of data media
• T 2.19 Inadequate key management for encryption

Human Failure:

• T 3.1 Loss of data confidentiality/integrity as a result of IT user error
• T 3.3 Non-compliance with IT security measures
• T 3.12 Loss of data media during transfer
• T 3.13 Transfer of incorrect or undesired data records

Technical Failure:

• T 4.7 Defective data media

Deliberate Acts:

• T 5.1 Manipulation/destruction of IT equipment or accessories
• T 5.2 Manipulation of data or software
• T 5.4 Theft
• T 5.9 Unauthorised use of IT systems
• T 5.23 Computer viruses
• T 5.29 Unauthorised copying of data media
• T 5.43 Macro viruses

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.
The safeguards package for the "Exchange of Data media" is presented in the following.

Infrastructure:

• S 1.36 (2) Safekeeping of data media before and after dispatch (optional)

Organisation:

• S 2.3 (2) Data media control
• S 2.42 (2) Determination of potential communications partners
• S 2.43 (1) Adequate labelling of data media for dispatch
• S 2.44 (1) Secure packaging of data media
• S 2.45 (1) Controlling the exchange of data media
• S 2.46 (2) Appropriate key management (optional)

Personnel:

• S 3.14 (2) Briefing personnel on correct procedures of exchanging data media (optional)

Hardware/Software:

• S 4.32 (2) Physical deletion of data media before and after usage
• S 4.33 (1) Use of a virus scanning program when exchanging of data media and data transmission (for IT systems generally prone to computer viruses)
• S 4.34 (1) Using encryption, checksums or digital signatures (optional)
• S 4.35 (3) Pre-dispatch verification of the data to be transferred (optional)
• S 4.44 (2) Checking of incoming data for macro viruses

Communications:

• S 5.22 (2) Compatibility check of transmission and reception systems (optional)
• S 5.23 (2) Selecting suitable types of dispatch for data media

Contingency Planning:

• S 6.38 (2) Backup copies of transferred data (optional)

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 6 April 2000