Each IT environment should have a data library that control access

to data files, programs, and documentation. An important data

library control centers on assurance that all file media are clearly
and accurately labeled.
WHAT IS DATA LIBRARY?
refers to a centralized repository or storage system where
important data files, programs, and documentation are organized,
stored, and managed. It typically involves:
1. Centralized Storage: Where all important data files, programs, and
documentation are stored in one central location. This makes it easier
to manage and access the information when needed.
It also involves
2. Organization: Wherein the Data in the library is organized in a
structured manner, usually based on categories, types, or departments.
This helps users find the information they need quickly and efficiently.
3. Access Control: Access to the data library is tightly controlled. Only
authorized individuals or teams are allowed to access, modify, or delete
the stored data. This helps prevent unauthorized access or tampering.
4. Version Control: Changes made to data files and programs are
carefully tracked and managed. This ensures that there is a clear record
of who made the changes and when they were made. It also helps
prevent confusion or conflicts that can arise from different versions of
the same file.
5. Backup and Recovery: Regular backups of the data library are
performed to ensure that valuable information is not lost in case of
accidents, hardware failures, or cyberattacks. These backups are stored
securely and can be used to restore the data in case of emergencies.
DATA MEDIA LABELING
That is, external labels should be affixed to or marked upon the
data media themselves. On tape cartridges and disk packs,
pressure-sensitive labels are usually affixed to identify both the
volume and the file content. Procedures should be in place to
assure that all labels are current and that all information they
contain is accurate.
ACCESS CONTROL
The data library should assure that only authorized persons
receive files, programs, or documents, and that these persons
acknowledge their responsibility at the time of each issuance.
-Only authorized individuals should access files, programs, and
documents.
- Individuals must acknowledge responsibility upon issuance,
ensuring accountability.
FILE MANAGEMENT
Each time a file is removed for processing, controls over data files
should assure that a new file would be generated and returned to
the library. If appropriate to the backup system in place, both
issued and new files should be returned together with the prior
version serving as backup.
- Controls should ensure that files are returned to the library
after use.
- Backup systems may require both issued and new files to be
returned, with prior versions serving as backup.
INVENTORY MANAGEMENT
Control is enhanced by maintaining an inventory of file media
within the data library. In other words, an inventory record should
exist for each tape cartridge or disk pack. The record should note
any utilization or activity. After a given number of users, the file
medium or device is cleaned and recertified. Further, if any
troubles are encountered in reading or writing to the device,
maintenance steps are taken and noted.
SEGREGATION OF DUTIES
Ideally, a full-time person independent of IS operations will be
assigned as the data librarian.
In smaller IT environments, however, such assignment might not
be economically feasible. When an environment cannot afford a
full-time data librarian, this custodial duty should be segregated
from operations. That is, for adequacy of control, the function of a
librarian should be assigned as a specific responsibility to
someone who does not have access to the system.
- Ideally, a dedicated data librarian oversees library operations.
- In smaller environments, the librarian's role should be
segregated from system operations to ensure adequate control.

That is all for the Protection of data files and programs next topic
will be Physical security and access controls which will be
discussed by the next reporter.