Control: The organisation responds to information spills by:
Information Spillage Response Supplemental Guidance:
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorised to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organisational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorisations (e.g., security clearances) of individuals with authorised access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill, to minimise the risk of further spreading the contamination before such contamination is isolated and eradicated.
Information Spillage Response Control Enhancements:
IR-9 (1) Information Spillage Response - Responsible Personnel
The organisation assigns [Assignment: organisation-defined personnel or roles] with responsibility for responding to information spills.
IR-9 (2) Information Spillage Response - Training
The organisation provides information spillage response training [Assignment: organisation-defined frequency].
IR-9 (3) Information Spillage Response - Post-Spill Operations
The organisation implements [Assignment: organisation-defined procedures] to ensure that organisational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
Supplemental Guidance: Corrective actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organisational business.
IR-9 (4) Information Spillage Response - Exposure to Unauthorised Personnel
The organisation employs [Assignment: organisation-defined security safeguards] for personnel exposed to information not within assigned access authorisations.
Supplemental Guidance: Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information.