INF.6 Storage Media Archive

Description

Introduction

Storage media archives are enclosed rooms within an institution in which storage media of all types are stored. These include not only storage media on which digital information is saved, but also paper documents, films, or other media.

Objective

This building block describes the typical threats and requirements regarding information security for a storage media archive. The objective is to protect the information contained on the storage media and other media archived there.

Scope and Modeling

The building block INF.6 Storage Media Archive is to be applied to all rooms used as an archive for storage media.

This building block addresses technical and non-technical security requirements for storage media archives. Recommendations for correct archiving are not covered in this building block. Guidance on this can be found in the building block OPS.1.2.2 Archiving.

Within the IT-Grundschutz framework, no elevated fire protection requirements are imposed on archive rooms. Additional fire protection requirements can, however, be met through the containers in which storage media are kept.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block INF.6 Storage Media Archive.

Impermissible Temperature and Humidity

When storing digital long-term storage media, temperature fluctuations or excessive humidity can lead to data errors and reduced storage life.

Missing or Inadequate Regulations

If employees do not close or lock windows and doors after leaving the storage media archive, storage media or other information can be stolen. Sensitive information could then be viewed or passed on by unauthorized persons. If employees are not sufficiently aware of the relevant regulations, security gaps can arise. Simply establishing regulations is not sufficient. They must be observed for operations to run smoothly. Many problems arise when regulations exist but are not known.

Unauthorized Access to Sensitive Rooms

If access controls are absent or inadequate, unauthorized persons can enter a storage media archive and view, steal, or manipulate sensitive information. This can impair the availability, confidentiality, and integrity of the archived information. Even if no immediate damage is apparent, operational continuity can be disrupted.

Theft

Since many storage media are very compact, it is easy to slip them unnoticed into a bag or under clothing and take them away. If there are no copies of the information, the information stored on the stolen storage media is lost. Furthermore, the persons who have stolen the storage media could view and disclose confidential information. This can cause further damage, which in most cases significantly outweighs the cost of replacement storage media.

Requirements

The following are the specific requirements of the building block INF.6 Storage Media Archive. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They should be filled where meaningful and appropriate.

Responsibilities: Roles
Primarily responsible: Information Security Officer (ISO)
Additional responsibilities: Employees, Planners, Facility Management, Fire Protection Officer

Exactly one role should be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a specific requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not imply anything about the number of persons filling these roles.

Basic Requirements

The following requirements MUST be met as a priority for this building block.

INF.6.A1 Portable Fire Extinguishers (B) [Fire Protection Officer]

In the event of fire, appropriate portable fire extinguishers MUST be readily accessible in the storage media archive. These portable fire extinguishers MUST be regularly inspected and maintained. Employees working near a storage media archive MUST be trained in the use of portable fire extinguishers.

INF.6.A2 Access Control and Monitoring (B) [Facility Management]

Access to the storage media archive MUST ONLY be possible for authorized persons. Access MUST be reduced to a minimum number of employees. Access MUST therefore be regulated and monitored. A concept MUST be developed for access control. The measures established therein for access control SHOULD be regularly checked to determine whether they are still effective. To make it difficult or impossible to circumvent an access control, the entire room MUST offer mechanical resistance sufficient to the protection needs, which MUST NOT under any circumstances fall below RC2 (in accordance with DIN EN 1627).

INF.6.A3 Protection Against Dust and Other Contamination (B)

It MUST be ensured that storage media in the storage media archive are adequately protected against dust and contamination. The requirements for this MUST be analyzed as early as the planning phase. A strict no-smoking policy MUST be observed in storage media archives.

INF.6.A4 Closed Windows and Locked Doors (B) [Employees]

In a storage media archive, there SHOULD be no windows if possible. If windows do exist, they MUST be closed when leaving the storage media archive. Likewise, the door MUST be locked when leaving. Fire and smoke protection doors MUST also be closed.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.

INF.6.A5 Use of Protective Cabinets (S) [Employees]

Storage media and media in storage media archives SHOULD be stored in appropriate protective cabinets.

INF.6.A6 Avoidance of Water-Carrying Pipes (S) [Facility Management]

In storage media archives, unnecessary water-carrying pipes SHOULD generally be avoided. If water pipes are nevertheless installed through the storage media archive, they SHOULD be regularly checked to ensure they are still leak-tight. Furthermore, precautions SHOULD be taken to detect water leaks early. For a storage media archive with high availability requirements, response plans SHOULD exist that precisely specify who must be informed in the event of a leak and what the general procedure should be.

INF.6.A7 Compliance with Climatic Conditions (S) [Facility Management]

It SHOULD be ensured that the permissible maximum and minimum values for temperature and humidity as well as the particulate content in the room air of the storage media archive are maintained. The values of air temperature and humidity SHOULD be recorded and documented several times a year for a period of one week. Any deviations from the target value identified during this process SHOULD be remedied promptly. The air conditioning units used SHOULD be regularly maintained.

INF.6.A8 Secure Doors and Windows (S) [Planners]

Security measures such as windows, doors, and walls SHOULD be equivalent and appropriate with regard to break-in, fire, and smoke. Depending on the protection needs, an appropriate resistance class in accordance with DIN EN 1627 SHOULD be met. All security doors and windows SHOULD be regularly checked to determine whether they are still functioning as required. The entire room SHOULD offer mechanical resistance sufficient to the protection needs, which MUST NOT fall below RC3 (in accordance with DIN EN 1627).

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection representing the state of the art. The proposals SHOULD be considered when protection needs are elevated. The specific determination is made within an individual risk analysis.

INF.6.A9 Hazard Detection System (H) [Facility Management]

An appropriate hazard detection system SHOULD be installed in storage media archives. This hazard detection system SHOULD be regularly inspected and maintained. It SHOULD be ensured that those persons who receive hazard alerts are able to respond appropriately to alarm messages.

Additional Information

Good to Know

The German Institute for Standardization provides requirements for the physical security of buildings and rooms in its standard “DIN EN 1627:2021-11.”