S 3.60 Sensitising staff to secure handling of mobile data media and devices
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
A wide variety of mobile data media are increasingly being used in government agencies and companies. The number of devices that can serve as mobile data media in addition to their obvious function is also constantly growing, and with it the number of possible routes for spreading information and the number of possible security gaps. Some of these security risks can be minimised technically, but unless employees are instructed in the secure and proper handling of mobile data media, government agencies and companies will be overwhelmed time and time again by new developments in technology.
The types and possible uses of mobile data media and devices should be explained to all employees. This also includes informing them of the various designs and variations of data media, for example that an MP3 player is also a mobile data medium. In addition, the employees should be informed of the potential risks and problems as well as the benefits of their use, but also of the limits of the safeguards implemented. The employees should be informed regularly of new threats and issues relating to mobile data media and devices, e.g. by posting a corresponding article on the intranet or in the employee newsletter.
The users should also be instructed in the careful handling of mobile data media and devices, both to prevent their loss or theft and to guarantee a long service life. The instructions should address, for example, how to store mobile data media and devices outside of office and residential spaces and how sensitive the devices are to low and high temperatures. Damaged or lost mobile data media and devices should be reported immediately (see S 2.306 Reporting losses).
Additional aspects to be pointed out to the users are:
- which data is allowed to be stored on mobile data media and which data is not (see also S 2.217 Careful classification and handling of information, applications and systems),
- how the data stored on these mobile data media will be protected against unauthorised access, tampering, and loss, and
- how to securely delete the data on mobile data media and how to dispose of data media.
Review questions:
- Have the employees been instructed in the secure handling of mobile data media and devices?
- Are there requirements on secure and proper storage of mobile data media and mobile IT components?