DOING OFFICE AND SITE INSPECTIONS

No document security program will succeed unless security person-nel walk through the organization looking for violations of the document

Table 6.3: Document Types

Type Security issues Solutions

Paper 1. Intermixing sensitive and non-sensitive documents

2. Easy to copy

3. Easy to read or photograph

• Secure filing and storage

• Destruction plan in place

• Clean desk policy

• Security patrols

• Locked secure areas for printers and faxes Physical 1. Destruction more complex

2. Special manufacturing equipment may need security 3. Higher visibility to outsiders 4. Difficult to classify

• Destruction plan in place

• Chalkboard, whiteboard, storyboard policy

• Cloaking of sensitive materials

• Securing of production equipment

Machine-readable 1. Reuse issues

2. Misplacement and mislabeling 3. Easy to copy without detection 4. Theft issues

5. Specific destruction measures required

• Media library

• Follow reuse guidelines (see Chapter 5)

• Follow destruction guidelines (see Chapter 5)

• Tracking tags or barcodes

security policy. Careful observation uncovers violations of the security policy. Striking a balance between employees being able to personalize their workspaces and maintaining a reasonable clean desk policy is vital to the program’s success. Demanding Spartan “monastic cells” (or cu-bicles) does nothing for morale, but asking that sensitive documents be locked away is reasonable. Desks and work areas need to be neat and orderly enough to permit quick visual inspection for sensitive materials.

Security officers must understand the document security policy. Their training must include how to inspect an area for violations of the policy.

If they detect a policy violation, they should know the necessary proce-dures for handling the violation. An ideal program includes the elements of observation, inspection, protection, and documentation. Observing correctly means visiting all work areas and focusing on document-intensive areas such as fax, copier, and printer workspaces. Inspection requires close examination of monitors, keyboards, computers, and note-posting areas for messages and “sticky notes” containing passwords and login information. Protection means taking possession of sensitive

Table 6.4: Document Characteristics

Characteristics Affected Documents

Size of the document A consideration for all types

Ability to store or to hide the document Physical documents present challenges Ability to destroy it Physical and machine-readable documents

present challenges

Reuse of the medium Machine-readable documents present unique challenges

Visibility to the human eye 1. Machine-readable documents are opaque without electronic equipment

2. Physical documents may be visible to unauthorized eyes from a distance Audibility to the human ear Audio recordings and audio files are mute

without electronic equipment Copying issues A consideration for all types; copying

equipment in close proximity to sensitive documents is a particular concern

Clandestine theft of the document A consideration for all types; however, paper in bulk or large physical documents may present difficulties for a thief

Mislabeling issues Machine-readable documents have high risk

documents and media. Security officers place these sensitive items in a secure area for latter retrieval by the user or owner of the document or media. Documentation is the creation of an incident report of the doc-ument seizure by the officer. Leaving a copy of the report at the work area lets the user or owner know where they can retrieve their docu-ment. Other copies of the incident report go to Security and to the of-fending business unit’s manager.

Security personnel need to watch out for the following violations:

1. Sticky notes containing passwords and login information. (This is absolute “no-no” and should never be permitted under any circumstances.)

2. Unattended desktop computers that are not password protected.

(Security officers need training on how to do the CTRL-ALT-DEL and screen lock command on a Windows system. If UNIX, LINUX, or Mac OS systems are in use, they need train-ing on safe lockdowns of the computer.)

3. Unattended laptops and PDAs that do not have a physical lock-ing device to prevent theft. (These items should be seized on second and third shift to prevent theft.)

4. Documents unsecured that have a sensitive security classifica-tion. (See “Classifying Documents” below.)

5. Desks cluttered with documents to the point where a quick visual examination cannot ascertain their security classification. (If a pro-ject demands a large number of documents as work-in-progress [WIP], a locked room or controlled access work area is necessary.) 6. Unsecured computer media or other machine-readable media that has a sensitive security classification. (See “Classifying Docu-ments” below.)

7. Chalkboards, whiteboards, storyboards, or other visual displays that violate the document security policy as to duration and con-tent. (If such visual aids are necessary on a continuing basis for a project, they should be in a locked or controlled access area.) 8. Unattended documents left at fax machines, copiers, and print-ers that violate the security policy as to duration and content.

9. Unsecured locked or controlled access areas.

10. Physical documents that require cloaking or hiding but are vis-ible to public areas or to unauthorized individuals.

11. Documents awaiting destruction but are not secured.

12. Sensitive documents placed in unsecured trash.

13. Unauthorized cameras in sensitive areas. (Employees autho-rized to use cameras internally should have a special badge or permit.)

14. Unauthorized computer equipment or media in sensitive areas.

(Employees authorized to bring in their own digital devices or media should have a special badge or permit.)

15. Unescorted visitors, vendors, and suppliers.