
Sample – Data Repository Policy

February 11, 2013

Introduction

The Data Repository Policy requires company personnel to classify information according to its degree of confidentiality. Based on the classification, company information must then be marked so others know how to handle it and protect it from unauthorized access or exposure. This protection from unauthorized access must apply whenever the classified information is stored, transmitted, transported, or shared verbally.

Some company facilities deal with very large volumes of classified information. The Secure Data Repository concept addresses the protection of these large volumes while balancing the cost and resources to mark it.

Definition

A “Data Repository” is a secure environment used to store and process large volumes of unmarked classified information. A Data Repository may range from an electronic database to a physical area with people processing the classified information.

Requirements

The following are the basic requirements for creating and managing a Data Repository to protect the unmarked classified information from unauthorized access or use.

  1. Implement formal policies and procedures requiring the physical and technical safeguards be in place for the defined Data Repository.
  2. Implement the physical and technical safeguards to protect the classified information within the Data Repository from unauthorized access or usage.
    1. Restrict Data Repository access authorization to those individuals with a business need.
    2. Secure an electronic Data Repository with password access, credential restrictions, or encryption as required by the information classification.
    3. Physical areas should be located away from common areas and have safeguards such as secured entries. Common areas are where most employees can go without restrictions.
    4. All individuals working within a Data Repository must have the same access or authorization profile.
    5. When classified information leaves the Data Repository, it must be marked.
    6. Properly train all personnel authorized to access the Data Repository to ensure they understand their responsibilities and all Data Repository procedures. Data Repository procedures would include items such as security procedures or procedures for marking classified information before it leaves the Data Repository.

The benefit of creating a Data Repository is to reduce the cost and work involved with managing and marking large volumes of classified information. Marking classified information within a Data Repository becomes optional.

It is highly recommended that within a Data Repository, all electronic classified information be marked when created. This significantly reduces the effort required when distributing paper or electronic copies outside of the Data Repository. It is easy to include the classification stamp within the header or footer of an electronic document.

Applying the Data Repository Concepts

Large volumes of classified information might exist in the following examples.

  • file cabinet(s) containing classified employee information
  • database containing classified financial information
  • vault containing classified product drawings
  • physical area where claims processors handle classified information

Each of these examples could drive the establishment of a Data Repository. The company operations creating the Data Repository must meet the three requirements. Answer the following questions to determine the feasibility of establishing a Data Repository:

  1. Does the volume of classified information processed require significant costs to mark old documents, or present a large cost or resource burden to mark them at creation? If yes, continue.
  2. What is the effort, resources and cost required to implement adequate Data Repository physical and technical safeguards to protect the unmarked classified information from unauthorized access or use? If acceptable, continue. If not, do not establish the Data Repository.
  3. Establish the Data Repository.
    1. Implement the policies and procedures requiring physical and technical safeguards.
    2. Implement the physical and technical safeguards.
    3. Train all personnel on their responsibilities and Data Repository procedures.

Exception

Information pertaining to acceptable physical and technical safeguards is available from your unit security or information technology organizations. The Global Security and Corporate Information Systems Computer Security organizations have additional information.

www.bestitdocuments.com