IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.178 Stipulating a set of security guidelines for the
use of faxes
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
Before any fax servers are installed, configured and cleared for use, a set of
security guidelines should be specified for use of faxes. The points outlined
below normally fall within the scope of such guidelines.
1. Concept of use
Before a fax server is cleared for use, the manner in which the system will be
operated must be specified. For example, it might be desirable to have one fax
server used solely to receive faxes over the LAN and then to send them
outside. But a fax server can also receive incoming fax transmissions from
outside. In this case how the incoming fax transmissions are forwarded to
recipients must be specified. Under the first option, these transmissions are
routed by the fax server itself, possibly using a connection to an existing E
mail or workflow system. Another option is manual forwarding of incoming
fax transmissions via the fax mail centre. Once again forwarding could be
performed using E mail. However, another possibility is that the fax mail
centre prints out incoming faxes and sends these printouts on to recipients (see
S 2.181 Selection of a suitable fax server).
2. Integration with business operations
The mode of operation of the fax server also determines how faxes which
have been sent or received are integrated within business operations. A
procedure whereby the fax mail centre prints out all incoming faxes and sends
the printouts to the relevant recipients corresponds to the way in which fax
machines are customarily used. However, procedures whereby faxes are sent
directly from an application on the user's workstation or incoming faxes are
sent directly to the recipient from the fax server are significantly different
from those which apply to the use of conventional fax machines. Hence in this
case the guidelines for the use of faxes need to specify which incoming and
outgoing faxes have to be printed out for the files.
3. Procedures controlling the use of fax servers
To ensure that a fax server is operated and used securely, a number of rules
must be drawn up (see S 2.179 Procedures controlling the use of fax servers).
4. Restrictions as to material which may be faxed
The fax security guidelines must specify what information is allowed to be
transmitted by fax. The fax security guidelines can also specify which
communication partners may receive what information. This ensures that
recipients are actually authorised to handle the information. For example, the
guidelines could specify that price lists may only be sent to buyers or that
project documents can only be sent to project team members by fax.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000