Purpose. To establish minimum requirements and define procedures for the protection, control, dissemination, and accounting of centrally accountable removable media, per references (h) and (r).
Background. Advances in computer technologies have created unique security concerns which have a profound influence over the control, accountability and disposition of removable media. Physical characteristics and retentive properties of removable media used to store, record and manipulate information require that special control and accounting procedures be implemented.
Scope. The Commanding Officer (CO) is responsible for prescribing policy for the level of control and accounting appropriate on all removable media within TTGL. Accordingly, these procedures define special security controls, safeguards, and counter-confidentiality, preserve the integrity and ensure the availability of removable media resources essential for success of the TTGL mission.
General. Each member is responsible for protecting computer media in their custody and for preventing the loss of sensitive information through poor security practices. The procedures outlined below represent the minimum acceptable standards for the control, dissemination, inventory and destruction of data storage media.
Removable media labels. Removable information storage media and devices used on all IS shall bear external labels clearly indicating the classification of the information, and applicable associated markings. These labels shall be affixed to all removable media in a manner that does not adversely affect operation of the equipment in which it is used. Additionally, each piece of removable media shall be labeled to clearly identify the content of each disk.
Receipt of “new/blank” magnetic media. New media will be controlled as bulk item supplies until issued or the factory seal is opened. Upon issue, each piece of magnetic media will have a classification label, content label and if necessary, an inventory control label attached.
Magnetic media transfer requirements IAW reference (v). All media being transferred to or from TTGL must adhere to the following guidelines:
Transfer, whether by personal courier, Defense Courier Service (DEFCOS), or controlled mail, requires permission from the TACTRAGRULANT Security Manager as well as a courier card.
If transfer of magnetic media is from SIPR, a data transfer request (Exhibit 7) must be completed, reviewed, approved, and provided to N6 Helpdesk for transfer.
If transfer of magnetic media is from NIPR or CENTRIXS, a media transfer request shall be provided to N6 Helpdesk.
Receipt of used magnetic media. All personnel receiving used magnetic media from outside sources, by any means including mail, DEFCOS, or courier, must immediately report receipt of this media to the IAM prior to use. The IAM will register the media into the inventory database if required, examine the media to ensure correct classification, review the media for public-domain or copyrighted software and have it tested for malware prior to issuance.
Media Inventory. All copyrighted and centrally accountable magnetic media will be inventoried at least semi-annually by the responsible department and reported via email to the IAO. Following each inventory, the IAO will certify that all accountable items have been sighted, no discrepancies exist, and that all records accurately reflect the status and classification of the magnetic media. Individual inventories will be retained by the IAO for at least one year. The IAO will forward a formal report of each inventory to the IAM and outline any discrepancies noted.
Destruction. Destruction of all media shall be completed IAW references (j), (l), and (r). All magnetic media used to process classified data will be destroyed when damaged, superseded, out-dated or no longer required. Additionally, the following applies:
Destruction of classified magnetic media is an auditable event requiring two-person integrity.
Magnetic media destruction reports will be prepared by the IAO, forwarded to TTGL IAM for retention, and copied to the responsible department for inventory updating.
The destruction of all classified magnetic media shall be recorded on a Material Destruction Report, OPNAV Form 5511/12. This form shall include any media control number, a general (unclassified) description of contents, type of media (CD, DVD, etc.) destroyed, date of destruction, media classification, and signatures of two individuals conducting the destruction.
Destruction records shall be maintained by TTGL for one year. Destruction records for top secret media shall be maintained for three years.
Hard Drives (Disk Packs). Removable hard disks used to process top secret or Sensitive Compartmented Information (SCI) data are not considered expendable items and are not authorized to be released for reuse. Sealed hard drives or disk packs are considered classified at the highest level of data stored or processed on the IS in which they were used. Therefore, removable hard drives which are damaged or no longer usable will be destroyed rather than jeopardize security. Hard drives shall be forwarded by the IAM for special destruction per specific TTGL procedures. The exterior case may be disposed of as normal trash.
Magnetic Tape (Data Tapes). Magnetic tape inter-record gap areas represent security vulnerabilities because classified data in the inter-record gap may not be totally eliminated or overwritten if the tape drive is misaligned. Degaussing and physical destruction are the only authorized procedures for destroying magnetic or data tapes. The IAO will prepare and forward OPNAV Form 5511/12, listing all magnetic media destroyed, to the IAM for retention.
CD-ROM. CDs can be destroyed locally at TTGL. TTGL is equipped with a Security Engineered Machinery model 250 CD destroyer which is NSA approved.
Virus Protection. All information storage media will be virus scanned prior to use on any TTGL computer system using the most recent version of the Navy anti-virus program.
Virus Detection/Reporting. If a virus or a suspected virus is detected on any TTGL media, contact the IAM and/or IAO.
Data Transfer
This directive establishes TTGL policy on transfer of data by authorized removable media from/to an IS of unequal accreditation. Due to the concern of cross domain data leakage, USCYBERCOM FRAGO 11 must be adhered to when conducting any transfer.
Policy
The transfer of selected data files from or to a computer system of unequal accreditation may be authorized by TTGL Removable Media Representation (RMR) on a case-by-case basis. Only the Data Transfer Agent (DTA) may conduct such transfers. Per reference (l), special care must be taken whenever data is transferred. Data transfers will be performed in accordance with reference (s).