Storage of security classified records

Storage of SCRs refers to where and how they are kept when “at rest,” as opposed to when they are being processed or disseminated in some way. Physical SCRs should be stored securely in locked containers and in physical spaces that are only accessible to authorized staff. Some organizations establish minimum security standards for SCRs. Separate secure storage facilities may be designated for different levels of SCRs. One organization requires that all secure storage facilities are documented in a list. Information security policies should align with an organization’s general security protocols, and should include provisions for information security breaches or contingency plans to protect SCRs in emergency situations. Instituting a clean-desk policy that prevents staff from leaving SCRs exposed helps to underline the personal responsibility of each individual for proper handling of SCRs.

Similar to the rules for transmitting SCRs, several organizations require that digital SCRs are stored in encrypted form. However, if encryption or other security mechanisms for digital data are required, it is critical that corresponding decryption mechanisms are also maintained over time, to ensure that SCRs remain legible, whole, and accessible over the long term. Policies should establish controls and procedures to ensure integrity and to guard against corruption or tampering of SCRs in storage.

The protection of SCRs in digital form should also extend to electronic storage media, including servers, computer equipment, or other media holding SCRs. These should be clearly marked, password-protected, and kept in locked and controlled facilities. Likewise, information systems that store, process, or transmit SCRs should have controls that prevent unauthorized access and protect the integrity of records, and should undergo regular security audits. Ideally, any personal devices such as desktop computers or removable media should not store classified records. SCRs should instead be stored in registries or centralized information systems.

Cloud computing

International organizations may use cloud computing systems to store and process information, including SCRs. Accordingly, policies should extend to SCRs that are not in the physical custody of the organization, but still under the organization’s control, including SCRs that are processed and stored using remote third-party cloud computing services. Organizational policies as well as contracts with cloud providers should acknowledge the privileges and immunities of international organizations, particularly the inviolability of their archives and assets. The inviolability principle, typically found in treaties or host agreements of international organizations, protects the archives and assets of international organizations from external interference, wherever their archives or assets are located, unless expressly permitted by the organization. In principle, the inviolability clause is relevant in a cloud computing setting, although it is difficult to enforce in practice.

Classified records should not be stored in public clouds, where information is kept in remote multi-tenancy servers, and organizations have much less control over the environment as well as over contractual terms with the provider. A study by the United Nations Joint Inspection Unit (JIU) notes that different organizations have different “risk appetites” for storing and processing data in the cloud, partially dependent on the sensitivity of an organization’s data. If an organization uses cloud computing, classified records should be stored in private or hybrid cloud settings. Specific contractual clauses, including auditing and monitoring requirements, should be instituted to ensure there are adequate guarantees protecting SCRs entrusted to third parties.32 An important contractual clause would be to specify the location of servers that store SCRs. In a private cloud, the servers may be located on the organization’s own premises or in remote single-tenancy (that is, private) servers; in the latter case, there should be a clause specifying where the servers may be stored, in particular within countries where there may be a reasonable guarantee that data will not be subject to government interference. However, the JIU cautions that, “When highly sensitive data and additional layers of control and encryption are needed, extra protective measures may make cloud solutions expensive and, in those cases, potentially unworkable.”

Reclassification and declassification of security classified records

Re- and declassification procedures need to be established in parallel with security classification procedures and other information security mechanisms.34 The act of re- or declassifying records changes or removes a security classification, while retroactive classification adds a security classification to a record that has already been created, potentially removing information from the public domain that was previously accessible.35 With the removal of security classifications, access control measures also lessen significantly.
