The security administrator decides who can allocate devices and makes sure that any user who is authorized to use devices is trained. The user is trusted to do the following:
Properly label and handle any media containing exported sensitive information so that the information does not become available to anyone who should not see it.
For example, if information at a label of NEED TO KNOW ENGINEERING is stored on a CD, the person who exports the information must physically label the disk with the NEED TO KNOW ENGINEERING label. The CD must be stored where it is accessible only to members of the engineering group with a need to know.
Ensure that labels are properly maintained on any information being imported (read) from media on these devices.
An authorized user must allocate the device at the label that matches the label of the information that is being imported. For example, if a user allocates a CD-ROM drive at PUBLIC, the user must only import information labeled PUBLIC.
The security administrator is also responsible for enforcing proper compliance with these security requirements.