Requirement 35 All removable or external storage devices containing surveillance information that contains personal identifiers must
- include only the minimum amount of information necessary to accomplish assigned tasks as determined by the surveillance coordinator,
- be encrypted or stored under lock and key when not in use, and
- with the exception of devices used for backups, devices should be sanitized immediately following a given task.
External storage devices include but are not limited to diskettes, CD-ROMs, USB port flash drives (memory sticks), zip disks, tapes, smart cards, and removable hard drives. Deleting electronic documents does not necessarily make them irretrievable. Documents thought to be deleted often are preserved in other locations on the computer's hard drive and on backup systems. Acceptable methods of sanitizing diskettes and other storage devices that previously contained sensitive data include overwriting or degaussing (demagnetizing) before reuse. Alternatively, the diskettes and other storage devices may be physically destroyed (e.g., by incineration). Such physical destruction would include the device, not just the plastic case around the device.
|