S 4.35 Pre-dispatch verification of the data to be transferred
Initiation responsibility: IT Security Officer
Implementation responsibility: User
Before sending a data medium, it must be checked whether the desired information - and only this information - can be reconstructed from the data medium. This must be checked when sending documents as well as when sending electronic data media. Even letters and other analogue data media should be examined visually before sending to check that they are complete and to make sure they do not contain any additional information not intended for disclosure. This is especially important when, for confidentiality reasons, parts of processes, for example names, are not permitted to be transferred to third parties. To keep this information confidential, the corresponding information can be made illegible, for example by blacking it out with a black marker. Since redacted information can often be made legible again without much time or effort, it is better to completely remove this information from the process before exchanging the data. There are different ways to achieve this depending on the protection requirements of the information:
- Documents should be structured so that non-public contents can be easily separated out, for example by placing this content in an appendix. In this case, the appendix should also be available in electronic form in a separate file classified as confidential.
- If the documents are already available in a form which does not allow the information to be divided according to its confidentiality, then the contents requiring protection should be removed before transferring the documents. A basic problem in this case is the identification and careful removal of all sensitive information. Since this often fails in actual practice, you should avoid passing on documents "defused" in this manner. If this is necessary, though, then all critical information must be removed, and the security level of the affected documents must be re-specified. In all cases, the documents must run through the release process again before they are handed over.
- For paper documents, sensitive information is often just blacked out with a black marker. This is done by taking the following steps:
  - First, all critical information must be carefully and generously blacked out from a paper version of the document.
  - After that, a copy is made of the redacted document.
  - You must then check if the redacted passages really are illegible in the copy of the document.
  - If they cannot be read and the document is approved for release, then the copy can be handed over. Never hand over the redacted original since it is often easy to make the redacted passages on the original legible again.
- To remove confidential information from electronic documents, the passages requiring protection must first be replaced by other characters and then blacked out. Character strings with a fixed length should be used for this purpose, for example "XXXXXXXXXX", so that the original meaning cannot be guessed any more either. Before transferring the documents, the files should be checked for hidden data, for example for earlier versions of a document (see also S 4.64 Verification of data before transmission / elimination of residual information).
Electronic data media must also be physically erased before reuse if they were used before to store other data (see S 4.32 Physical deletion of data media before and after usage).
Correct transmission of the data can be checked on electronic data media using a program that compares the original file to the transmitted file character by character (using the comp command on some operating systems, for example).
Before sending, a list of the names of all files on the data medium should be made so that, based on the file names, it can be checked that the data medium only contains the files intended for the recipient.
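The two checks described above (byte-by-byte comparison of each transferred file with its original, and a file list showing that the medium holds only the intended files) can be combined in one pre-dispatch script. The following is an added example, not part of the safeguard text; the function names, directory layout and sample files are assumptions made for illustration, and every intended file is assumed to exist in the source directory.

```python
import filecmp
import tempfile
from pathlib import Path


def list_files(root: Path) -> set[str]:
    """Relative names of all regular files below root (the pre-dispatch file list)."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def verify_medium(source: Path, medium: Path, intended: set[str]) -> dict[str, list[str]]:
    """Check the medium against the list of files intended for the recipient."""
    on_medium = list_files(medium)
    report = {
        "missing": sorted(intended - on_medium),     # intended, but not on the medium
        "unexpected": sorted(on_medium - intended),  # on the medium, but not intended
        "differs": [],                               # content not identical to original
    }
    for name in sorted(intended & on_medium):
        # shallow=False forces a byte-by-byte comparison instead of trusting size/mtime
        if not filecmp.cmp(source / name, medium / name, shallow=False):
            report["differs"].append(name)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: a source directory and a medium with three deliberate faults."""
    originals = {
        "report.txt": b"public report\n",
        "figures.csv": b"a,b\n1,2\n",
        "cover.txt": b"cover letter\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, med = Path(tmp, "source"), Path(tmp, "medium")
        src.mkdir()
        med.mkdir()
        for name, data in originals.items():
            (src / name).write_bytes(data)
        (med / "report.txt").write_bytes(b"public report\n")         # copied correctly
        (med / "figures.csv").write_bytes(b"a,b\n1,3\n")             # altered in transfer
        (med / "appendix_confidential.txt").write_bytes(b"names\n")  # not for release
        # cover.txt was never copied to the medium
        return verify_medium(src, med, set(originals))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

The medium should only be released when all three lists are empty; hidden or system files created on the medium show up under "unexpected" and need to be reviewed as well.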
Review questions:
- Is it ensured that the data media to be sent include only the complete set of the desired information?