S 5.14 Mobile data media
Description
This module examines the basic security features of mobile data media. Mobile data media can be used to
- exchange data (see module S 5.2 Exchange of data media),
- transport data between IT systems that are not connected to the same network or are installed at different locations (see S 5.8 Telecommuting, for example),
- archive or store backup copies when other automated methods are unsuitable (see modules S 1.4 Data backup policy and S 1.12 Archiving),
- store data that is too sensitive to store on workstation computers or servers, and
- use or create data when on the road (e.g. with an MP3 player, digital camera, etc.).
There is a wide variety of types of mobile data media including, among others, diskettes, removable disks (magnetic, magneto-optical), CD-ROMs, DVDs, magnetic tapes, cassettes, USB hard drives, and even flash storage devices such as USB sticks. Due to the wide variety of types and areas of application, not all security aspects requiring examination are always actually examined.
Data media can be classified according to whether they are read-only, write-once, or rewritable. They can also be further classified using additional criteria, for example:
- According to the data storage method: analogue or digital data media,
- How they can be used: without any technical aids such as paper, or only using technical aids such as microfilm and audio tape, and
- Their design: removable data media, external data storage, or data media that can be integrated into other devices.
Removable data media, which are sometimes also referred to as portable data media, are inserted into a drive. Examples of this type of data media include diskettes, CD-ROMs, DVDs, magnetic tapes, and cartridges. External data storage media such as USB sticks and external hard drives, on the other hand, can be connected directly to an IT system. Examples of data media integrated into other devices include the memory components in mobile telephones, MP3 players, and digital cameras.
Information on paper, microfilm, or other analogue data media must also be taken into account in the security policy in addition to the digital data media. This applies in particular to the printing, copying, and scanning of documents and the use of fax services. Additional information on this subject can be found in the modules S 3.6 Printers, copiers, and all-in-one devices and M 3.2 Fax machine.
On the one hand, this module shows how the information stored on mobile data media can be used securely, and on the other hand, how to prevent the unauthorised transfer of information via mobile data media.
Threat scenario
The following typical threats to the IT-Grundschutz are assumed to exist when using mobile data media:
Force Majeure
| T 1.9 | Loss of data due to intensive magnetic fields |
| T 1.15 | Degradation due to changing application environment |
Organisational Shortcomings
| T 2.2 | Insufficient knowledge of rules and procedures |
| T 2.10 | Data media are not available when required |
Human Error
| T 3.1 | Loss of data confidentiality or integrity as a result of user error |
| T 3.3 | Non-compliance with IT security measures |
| T 3.44 | Carelessness in handling information |
Technical Failure
| T 4.7 | Defective data media |
| T 4.52 | Loss of data when using a portable device |
Deliberate Acts
| T 5.1 | Manipulation or destruction of equipment or accessories |
| T 5.2 | Manipulation of information or software |
| T 5.4 | Theft |
| T 5.9 | Unauthorised use of IT systems |
| T 5.23 | Malicious software |
| T 5.141 | Data theft via mobile data media |
| T 5.142 | Spreading malicious software via mobile data media |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A series of safeguards must be implemented to ensure the secure handling of mobile data media starting in the planning and design phase, through the purchasing phase, and up to the contingency planning phase. The steps to take to accomplish this as well as the safeguards to implement in each phase are listed in the following.
Planning and design
A concept for the secure handling of mobile data media should be created in which the risks and safeguards are pointed out for each of the various types of mobile data (see S 2.401 Handling of mobile data media and devices).
Purchasing
The selection of suitable data media is to be coordinated. S 4.169 Use of appropriate archiving media should be considered when deciding on what types of data media to use.
Operation
Based on the applicable security requirements, security notes should be created for all employees using application scenarios as examples (see S 3.60 Sensitising staff to secure handling of mobile data media and devices).
The drives and interfaces of the IT systems should be secured according to the security policies (see S 4.4 Correct handling of drives for removable media and external data storage).
Disposal
When data media are transferred, the data on these media should be physically deleted before reusing or disposing of the data media to prevent residual information from being transferred to the wrong recipient (see S 4.32 Physical deletion of data media before and after usage).
Contingency Planning
Important information stored on mobile data media should be copied to another location to prevent the loss of this information.
The bundle of security safeguards for mobile data media are presented in the following.
Planning and design
| S 2.3 | (B) | Data media control |
| S 2.218 | (C) | Procedures regarding the personal transportation of data media and IT components |
| S 2.401 | (C) | Handling of mobile data media and devices |
| S 4.34 | (Z) | Using encryption, checksums, or digital signatures |
Implementation
| S 4.32 | (B) | Physical deletion of data media before and after usage |
Operation
| S 3.60 | (C) | Sensitising staff to secure handling of mobile data media and devices |
| S 4.4 | (C) | Correct handling of drives for removable media and external data storage |
| S 4.200 | (Z) | Handling of USB storage media |
| S 4.232 | (Z) | Secure use of extended memory cards |
Disposal
| S 2.306 | (A) | Reporting losses |
Contingency Planning
| S 6.38 | (A) | Backup copies of transferred data |