IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
3. Specification of utilisation profiles
The question of how much use authorised users may make of the fax server
should also be covered in the procedures. This is especially important to avoid
overloading of the server with serial faxes.
4. Times of use
Consideration should be given as to whether use of fax servers should be
permitted only at certain times. Thus it would be possible to prohibit the
sending of faxes outside working hours.
5. Configuring groups
Where incoming faxes are to be automatically routed to recipients through the
fax server, separate fax numbers should be configured for certain functions
and tasks. All members of a group can then be granted access to the incoming
fax transmissions associated with a given call number. This also simplifies
procedures for covering absences.
For example, supposing a fax server is operated in a company so that it
automatically forwards incoming fax transmissions to their recipients. A fax
call number is assigned for the Order Entry department. The fax server
forwards all fax transmissions with orders which are transmitted to the
company using this call number, not to one individual person but to all
members of the Order Entry department. This requires that the company
specifies the sequence in which employees process incoming fax
transmissions in order to avoid executing orders twice.
6. Arrangements for covering staff absences
Where fax servers which deliver incoming faxes to individual users are used,
it is essential that arrangements are in place to deal with absences, and
provisions dealing with this point must be included in the security policy.
Otherwise there is no way of ensuring that important incoming faxes cannot
remain unread for prolonged periods. In this respect, the procedure for use of
fax servers is significantly different from that which applies to the use of
conventional fax machines. In the latter case incoming faxes are noticed by
staff standing in, as the faxes are available as hard copy.
7. Logging
Procedures should be defined for dealing with any log data generated. These
should specify who is tasked with analysing what logged data and at what
intervals (see S 2.64 Checking the log files).
8. Address books
Which address books are used and who is responsible for maintaining them.
Many fax server applications provide facilities for creating address books both
for individual users and also for use throughout the organisation. Moreover, it
is often also possible to synchronise fax server address books with distribution
lists and address books already available in e-mail systems. Whereas address
books which are to be used throughout the organisation should be maintained
centrally through the fax mail centre, users must perform the task of
maintaining their own address books themselves. Users should also be
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000