S 2.45 Controlling the exchange of data media
Initiation responsibility: IT Security Officer, Head of Organisation, Head of IT
Implementation responsibility: Mail Centre, User
When data media are to be exchanged between two or more communication partners, a series of recommendations should be followed to ensure proper exchange.
A suitable shipment mode must be specified. When determining the shipment mode, the type of data media and the protection requirement of the data they contain must be taken into account.
The address must be stated clearly and must be unique to prevent incorrect delivery. For example, the recipient's name as well as the relevant organisational unit and the precise designation of the government agency or company must be specified. The organisation should maintain a list of the most commonly used addresses so that current and correct addresses of possible recipients are available throughout the organisation.
The address of the sender must also be specified clearly and completely. An organisation-wide rule should specify a uniform design for the sender address and which information must be stated in it.
Digital data media should, as an option, be accompanied by a data media slip containing the following information:
- sender,
- recipient,
- type and quantity of data media,
- serial number (if available),
- identification codes for the contents of the data media,
- date the data media were sent, and if necessary the latest date by which the recipient should have received the data media,
- a note stating that the data media were scanned for viruses, and
- parameter settings required to read the information on the data media, for example the tape speed.
However, the following information should not be stated:
- the password assigned to protect the information,
- the key used to encrypt the information, and
- the type of data contained on the data media.
The shipment of the data media can optionally be documented. When shipping personal data or other sensitive data, though, the date of shipment must be documented.
It should be checked whether the data media were properly received. When sending highly confidential data and when the data needs to be received by a certain date, the recipient should be informed which transportation route was selected. When the protection requirement is high, it is recommended to request confirmation of receipt from the recipient.
The persons responsible for shipping and for receiving the data media must be specified. If tampering is detected or the data media are lost, then security management must be informed immediately.
Review questions:
- Are the type of data media and the protection requirements of the information considered when selecting the type of shipment?
- Is it ensured that the shipment of personal or other sensitive data is documented?
- Are the responsibilities regarding shipment and receipt of data media assigned?