The security administrator decides who can allocate devices. The security administrator should make sure that any user who is authorized to use devices is trained and can be trusted to do the following:
Properly label and handle any media containing exported sensitive information so that it does not become available to anyone who should not see it.
For example, if information at a label of NEED TO KNOW ENGINEERING is stored on a floppy disk, the person who exports the information must physically label the disk with the NEED TO KNOW ENGINEERING label and store the disk where it is accessible only to members of the engineering group with a need to know.
Ensure that labels are properly maintained on any information being imported (read) from media on these devices.
An authorized user should allocate the device at the label that matches the label of the information being imported. For example, if a user allocates a floppy drive at PUBLIC, the user should only import information labeled PUBLIC.
The Security Administrator role is also responsible for enforcing compliance with the requirements above.