(a) The NCPC shall implement the procedures set forth in this section to insure sufficient administrative, technical and physical safeguards exist to protect the security and confidentiality of Records. The enumerated procedures shall also protect against any anticipated threats or hazards to the security of Records with the potential to cause substantial harm, embarrassment, inconvenience, or unfairness to any Individual on whom information is Maintained.
(b) Manual Records subject to the Privacy Act shall be maintained by the NCPC in a manner commensurate with the sensitivity of the information contained in the Records. The following minimum safeguards or safeguards affording comparable protection shall apply to manual Systems of Records:
(1) The NCPC shall post areas where Records are maintained or regularly used with an appropriate warning sign stating access to the Records shall be limited to authorized persons. The warning shall also advise that the Privacy Act prescribes criminal penalties for unauthorized disclosure of Records subject to the Act.
(2) During work hours, the NCPC shall protect areas in which Records are Maintained or regularly used by restricting occupancy of the area to authorized persons or storing the Records in a locked container and room.
(3) During non-working hours, access to Records shall be restricted by their storage in a locked storage container and room.
(4) Any lock used to secure a room where Records are stored shall not be capable of being disengaged with a master key that opens rooms other than those in which Records are stored.
(c) Computerized Records subject to the Privacy Act shall be maintained, at a minimum, subject to the safeguards recommended by the National Institute of Standards and Technology (NIST) Special Publications 800-53, Recommended Security Controls for Federal Information Systems and Organizations as revised from time to time or any superseding guidance offered by NIST or other federal agency charged with the responsibility for providing recommended safeguards for computerized Records subject to the Privacy Act.
(d) NCPC shall maintain a System of Records comprised of Office of Personnel Management (OPM) personnel Records in accordance with standards prescribed by OPM and published at 5 CFR 293.106-293.107.