What should my policy be regarding CD burners in the company? They are becoming cheaper and cheaper, and more project managers are requesting this purchase.
I am concerned about information leakage and software piracy.
CDs and burner devices should be handled as any other electronic media devices. Some check points include:
Logically and physically secure the CD and burner
Data should be logically secured to the highest degree commensurate with the sensitivity of the data. The burner units should be physically secured when not in use.
Information should be classified prior to burning
In order to properly protect information assets, all information should be classified. By classifying data, business units can determine the appropriate resources needed to protect information.
Information must have an owner
The information owner's responsibilities are to classify the information to assure it is properly handled.
CDs should be sanitized if no longer required
Electronic media should be degaussed (electronically sanitized) or otherwise rendered unrecoverable and verified by the use of special file recovery programs. Proof of this activity is mandatory.
After the media has been sanitized, the responsible technician should document the action with detailed information attached to the originator (owner) request.
Identification of sanitized media
Sanitized media should be individually identified, and an appropriate method should be employed to prevent accidental re-use of the media.
Sanitized prior to re-use
Any media containing sensitive information should be sanitized prior to re-use to ensure that any sensitive information resident is unretrievable.
Any magnetic media sent off site (other than backup) should be sanitized prior to leaving the facility.
This was first published in September 2001