S 3.14 Briefing personnel on correct procedures of exchanging data media

Initiation responsibility: Head of Organisation

Implementation responsibility: Specialists Responsible

Employees must be adequately informed of which general conditions must be satisfied and which restrictions apply when exchanging information (see S 2.45 Controlling the exchange of data media). If the employees are insufficiently informed of these conditions and restrictions, a number of security problems can arise. The information employees need to know includes, for example:

In addition, the basic steps of the data media exchange procedure are to be specified and published, for example on the intranet. The employees must be required to promise that they will follow the rules.

Furthermore, the employees exchanging the data media must be sensitised to the specific threats existing before, during, and after transport. Correspondingly, these employees must be familiar with the security safeguards they need to follow or implement.

If digital data media are found in the mailbox even though they were not expected, then before they are read in, the sender specified on the package should be asked whether they really sent the data media (see also S 2.224 Prevention against malware). If the sender is unknown, security management should be informed, unless management has set other rules or regulations governing this case.

If certain IT-based methods are used to protect the data during the exchange (such as encryption or checksum methods), then the employees responsible for this must be adequately instructed in the corresponding method.

Review questions: