Overview and Purpose

Some [variable: Covered Organization] systems contain sensitive information that must be protected from unauthorized access throughout all phases of the information lifecycle. Failure to protect sensitive information can lead to fraud, waste, abuse, and other negative outcomes that ultimately damage both the business and our relationships with customers, suppliers, and other critical entities.

Employees in both IT and business roles should use physical and technical mechanisms to ensure secure handling, transfer, and storage of data via electronic and paper documents, printouts, tapes, disks, and other media. Protection does not end with computer use, however. Employees must also consider sensitive information that may be saved on media and equipment slated for disposal.

Coverage

These procedures apply to data contained in the [variable: Covered Organization] system.

Note: [This section might also include covered roles or entire systems subject to this policy.]

Roles and Responsibilities

Information Systems Officer or Information Security Officer

• Approves, as needed, reproduction of sensitive data files
• Signs for, or delegates authority to sign for, receipt of registered, certified, or express mail which can contain sensitive data
• Reviews transmittal logs and transport records on a [variable: time period] basis to ensure all tapes and paper documents are accounted for
• Investigates and resolves any discrepancies between internal records and transmittal and transport logs
• Defines in the security plan disposition procedures for media no longer used to process or store sensitive information

Supervisors

• Train employees on security requirements for equipment and media containing sensitive information
• Monitor employee activities to ensure compliance with security policies and procedures
• Work with System Administrators to ensure that only authorized software runs on automated information systems
• Approve, as needed, reproduction of sensitive data files
• Sign for, or delegate authority to sign for, receipt of registered, certified, or express mail which can contain sensitive data
• Review transmittal logs and transport records on a [variable: Period] basis to ensure all tapes and paper documents are accounted for
• Investigate and resolve any discrepancies between internal records and transmittal and transport logs
• Work with information security officer to define disposition procedures for media no longer used to process or store sensitive information

System/Application Administrators

• Designate user profiles to define access permissions to categories of sensitive data
• Work with Supervisors to ensure that only authorized software runs on automated information systems
• Establish and communicate requirements for protecting systems and data
• Ensure that sensitive data is not stored on personal computers
• Track data sets from creation through destruction

Users

• Adhere to security requirements for the protection of sensitive data and systems
• Appropriately identify, date, and mark sensitive information they are responsible for originating, producing, or processing
• Ensure that media containing sensitive data is appropriately labeled
• Ensure that media containing sensitive data is stored in secure locations and/or containers
• Ensure that media does not contain both sensitive and non-sensitive information
• Ensure that sensitive information is not printed on printing devices that use printer ribbons or left on printers after printing
• Lock or close applications on unattended computers when processing sensitive data or when sensitive data or a critical application system is resident in memory
• Sign for all data sent, received, or transported
• Shred sensitive printed documents and follow secure disposition procedures for media

Enforcement

Unauthorized personnel are not allowed to see or obtain sensitive data. Gross negligence or willful disclosure of sensitive information can result in the imposition of administrative penalties or prosecution for misdemeanor or felony resulting in fines, imprisonment, civil liability, and/or dismissal.

Supporting Documentation

This policy is supported by the following rules, standards, and procedures:

• [variable: internal documents (with links, if available)]
• [variable: external documents (with links, if available)]

Policy Support Contact

• [variable: title (not personal name) of role responsible for overseeing this procedure]
• [variable: Contact information of office responsible for overseeing this procedure]

References

Policy Model(s)

Federal Agency Security Practices, US Government, National Institute of Standards and Technology (NIST)