(a) In addition to following the security requirements of § 293.106 of this part, managers of automated personnel records shall establish administrative, technical, physical, and security safeguards for data about individuals in automated records, including input and output documents, reports, punched cards, magnetic tapes, disks, and on-line computer storage. The safeguards must be in writing to comply with the standards on automated data processing physical security issued by the National Bureau of Standards, U.S. Department of Commerce, and, as a minimum, must be sufficient to:
- (1) Prevent careless, accidental, or unintentional disclosure, modification, or destruction of identifiable personal data;
- (2) Minimize the risk that skilled technicians or knowledgeable persons could improperly obtain access to, modify, or destroy identifiable personnel data;
- (3) Prevent casual entry by unskilled persons who have no official reason for access to such data;
- (4) Minimize the risk of an unauthorized disclosure where use is made of identifiable personal data in testing of computer programs;
- (5) Control the flow of data into, through, and from agency computer operations;
- (6) Adequately protect identifiable data from environmental hazards and unneccessary exposure; and
- (7) Assure adequate internal audit procedures to comply with these procedures.