SECURING PAPER AND PHYSICAL DOCUMENTS
DOING OFFICE AND SITE INSPECTIONS
No document security program will succeed unless security person-nel walk through the organization looking for violations of the document
Table 6.3: Document Types
Type Security issues Solutions
Paper 1. Intermixing sensitive and non-sensitive documents
2. Easy to copy
3. Easy to read or photograph
• Secure filing and storage
• Destruction plan in place
• Clean desk policy
• Security patrols
• Locked secure areas for printers and faxes Physical 1. Destruction more complex
2. Special manufacturing equipment may need security 3. Higher visibility to outsiders 4. Difficult to classify
• Destruction plan in place
• Chalkboard, whiteboard, storyboard policy
• Cloaking of sensitive materials
• Securing of production equipment
Machine-readable 1. Reuse issues
2. Misplacement and mislabeling 3. Easy to copy without detection 4. Theft issues
5. Specific destruction measures required
• Media library
• Follow reuse guidelines (see Chapter 5)
• Follow destruction guidelines (see Chapter 5)
• Tracking tags or barcodes
security policy. Careful observation uncovers violations of the security policy. Striking a balance between employees being able to personalize their workspaces and maintaining a reasonable clean desk policy is vital to the program’s success. Demanding Spartan “monastic cells” (or cu-bicles) does nothing for morale, but asking that sensitive documents be locked away is reasonable. Desks and work areas need to be neat and orderly enough to permit quick visual inspection for sensitive materials.
Security officers must understand the document security policy. Their training must include how to inspect an area for violations of the policy.
If they detect a policy violation, they should know the necessary proce-dures for handling the violation. An ideal program includes the elements of observation, inspection, protection, and documentation. Observing correctly means visiting all work areas and focusing on document-intensive areas such as fax, copier, and printer workspaces. Inspection requires close examination of monitors, keyboards, computers, and note-posting areas for messages and “sticky notes” containing passwords and login information. Protection means taking possession of sensitive
Table 6.4: Document Characteristics
Characteristics Affected Documents
Size of the document A consideration for all types
Ability to store or to hide the document Physical documents present challenges Ability to destroy it Physical and machine-readable documents
present challenges
Reuse of the medium Machine-readable documents present unique challenges
Visibility to the human eye 1. Machine-readable documents are opaque without electronic equipment
2. Physical documents may be visible to unauthorized eyes from a distance Audibility to the human ear Audio recordings and audio files are mute
without electronic equipment Copying issues A consideration for all types; copying
equipment in close proximity to sensitive documents is a particular concern
Clandestine theft of the document A consideration for all types; however, paper in bulk or large physical documents may present difficulties for a thief
Mislabeling issues Machine-readable documents have high risk
documents and media. Security officers place these sensitive items in a secure area for latter retrieval by the user or owner of the document or media. Documentation is the creation of an incident report of the doc-ument seizure by the officer. Leaving a copy of the report at the work area lets the user or owner know where they can retrieve their docu-ment. Other copies of the incident report go to Security and to the of-fending business unit’s manager.
Security personnel need to watch out for the following violations:
1. Sticky notes containing passwords and login information. (This is absolute “no-no” and should never be permitted under any circumstances.)
2. Unattended desktop computers that are not password protected.
(Security officers need training on how to do the CTRL-ALT-DEL and screen lock command on a Windows system. If UNIX, LINUX, or Mac OS systems are in use, they need train-ing on safe lockdowns of the computer.)
3. Unattended laptops and PDAs that do not have a physical lock-ing device to prevent theft. (These items should be seized on second and third shift to prevent theft.)
4. Documents unsecured that have a sensitive security classifica-tion. (See “Classifying Documents” below.)
5. Desks cluttered with documents to the point where a quick visual examination cannot ascertain their security classification. (If a pro-ject demands a large number of documents as work-in-progress [WIP], a locked room or controlled access work area is necessary.) 6. Unsecured computer media or other machine-readable media that has a sensitive security classification. (See “Classifying Docu-ments” below.)
7. Chalkboards, whiteboards, storyboards, or other visual displays that violate the document security policy as to duration and con-tent. (If such visual aids are necessary on a continuing basis for a project, they should be in a locked or controlled access area.) 8. Unattended documents left at fax machines, copiers, and print-ers that violate the security policy as to duration and content.
9. Unsecured locked or controlled access areas.
10. Physical documents that require cloaking or hiding but are vis-ible to public areas or to unauthorized individuals.
11. Documents awaiting destruction but are not secured.
12. Sensitive documents placed in unsecured trash.
13. Unauthorized cameras in sensitive areas. (Employees autho-rized to use cameras internally should have a special badge or permit.)
14. Unauthorized computer equipment or media in sensitive areas.
(Employees authorized to bring in their own digital devices or media should have a special badge or permit.)
15. Unescorted visitors, vendors, and suppliers.