How can electromagnetic radiation be used to compromise a system?

care and due diligence to reduce their culpability and liability when a loss occurs. Senior management could be responsible for monetary damages up to $290 million for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991.

Privacy and Protection

Privacy is the protection of personal information from disclosure to any unauthorized individual or entity. In today’s online world, the line between public information and private information is often blurry. For example, is information about your web surfing habits private or public? Can that information be gathered legally without your consent? And can the gathering organization sell that information for a profit that you don’t share in? However, your personal information includes more than information about your online habits; it also includes who you are (name, address, phone, race, religion, age, etc.), your health and medical records, your financial records, and even your criminal or legal records. Dealing with privacy is a requirement for any organization that has people as employees. Thus, privacy is a central issue for all organizations. The protection of privacy should be a core mission or goal set forth in the security policy of an organization. Privacy issues are discussed at greater length in Chapter 17, “Law and Investigations.”

Legal Requirements

Every organization operates within a certain industry and country. Both of these entities impose legal requirements, restrictions, and regulations on the practices of organizations that fall within their realm. These legal requirements can apply to licensed use of software, hiring restrictions, handling of sensitive materials, and compliance with safety regulations. Complying with all applicable legal requirements is a key part of sustaining security. The legal requirements of an industry and of a country (and often of a state and city) should be considered the baseline or foundation upon which the remainder of the security infrastructure must be built.

Illegal Activities

Illegal activities are actions that violate a legal restriction, regulation, or requirement. They include fraud, misappropriation, unauthorized disclosure, theft, destruction, espionage, entrapment, and so on. A secure environment should provide mechanisms to prevent the commission of illegal activities and the means to track illegal activities and maintain accountability for the individuals perpetrating the crimes. Preventative control mechanisms include identification and authentication, access control, separation of duties, job rotation, mandatory vacations, background screening, awareness training, least privilege, and many more. Detective mechanisms include auditing, intrusion detection systems, and more.

Record Retention

Record retention is the organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity. This may include file and resource access, logon patterns, e-mail, and the use of privileges. Note that in some legal jurisdictions, users must be made aware that their activities are being tracked. Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely. In most cases, a separate backup mechanism is used to create archived copies of sensitive audit trails and accountability information. This allows the main data backup system to periodically reuse its media without violating the requirement to retain audit trails and the like. If data about individuals is being retained by your organization (such as a conditional employment agreement or a use agreement), the employees and customers need to be made aware of it. In many cases, the notification requirement is a legal issue; in others, it is simply a courtesy. In either case, it is a good idea to discuss the issue with appropriate legal counsel.

Sensitive Information and Media

Managing information and media properly—especially in a high-security environment in which sensitive, confidential, and proprietary data is processed—is crucial to the security and stability of an organization. Because the value of the stored data is momentous in comparison with the cost of the storage media, always purchase media of the highest quality. In addition to media selection, there are several key areas of information and media management: marking, handling, storage, life span, reuse, and destruction. Marking, handling, storage, and observance of life span ensure the viability of data on storage media. Reuse and destruction focus on destroying the hosted data, not retaining it.

Marking and Labeling Media

The marking of media is the simple and obvious activity of clearly and accurately defining its contents. The most important aspect of marking is to indicate the security classification of the data stored on the media so that the media itself can be handled properly. Tapes with unclassified data do not need as much security in their storage and transport as do tapes with classified data. Data labels should be created automatically and stored as part of the backup set on the media. Additionally, a physical label should be applied to the media and maintained for the lifetime of the media. Media used to store classified information should never be reused to store less-sensitive data. Media labels help to ensure proper handling of hosted sensitive, classified, or confidential data. All removable media, including tapes, USB drives, floppies, CDs, hard drives, and printouts, should be labeled.

Handling Media

Handling refers to the secured transportation of media from the point of purchase through storage and finally to destruction. Media must be handled in a manner consistent with the classification of the data it hosts. The environment within which media is stored can significantly affect its useful lifetime. For example, very warm environments or very dusty environments can cause