IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
- When mobile phones or SIM cards are passed around a circle of users, it
requires a lot of effort to intercept telephone calls in a targeted manner. It
may therefore be appropriate to employ such means when highly sensitive
information or data is to be transmitted.
Itemised call breakdowns should be examined for unknown call numbers.
- A check should be made as to whether all call charges are billed to the
subscriber. If certain connections do not incur any charges, this could be a
sign that interception is taking place.
Raising the awareness of users
Because people are often careless about the danger of communications being
intercepted, organisations should check that existing measures aimed at
creating staff awareness of the relevant dangers are sufficient. If necessary it
may be appropriate to inform staff at regular intervals about the dangers of
having their calls intercepted and of making them fully aware.
Employees should also be briefed on the requirement not to disclose
confidential information on the telephone without taking additional
precautions. In particular, checks should be made as to the identity of callers
before giving out any detailed information (see also T 3.45 Inadequate
checking of the identity of communication partners). Where mobile phones are
used, care should also be taken to ensure that confidential information is not
discussed in public.
Spectacular but false warning messages are always in circulation (see also
T 5.80 Hoaxes). To avoid wasting valuable working time checking whether
such messages are true or not, all staff should be informed as soon as possible
following the occurrence of a new hoax. There are various information
services which send out appropriate warnings.
Rules on the use of mobile phones
Where mobile phones are used in an organisation, a number of aspects needs
to be subject to control. These concern the use of both private and also work
mobile phones.
Use of private mobile phones
If there are not enough mobile phones to go round within the organisation, it is
possible that private mobile phones could be used for business purposes.
However, the following aspects must be settled in advance:
- Who pays for business calls and how will they be settled?
- Modern mobile phones contain diaries, address books, e-mail support and
other functions. To make the most of these functions it is usually necessary
to synchronise the phone with a PC. Therefore the issue of whether
installation of the hardware and software necessary for this is permitted
must be resolved.
Use of business mobile phones
Similarly, a number of items need to be regulated with regard to the use of
mobile phones belonging to the company/organisation:
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Circumspection in the
disclosure of information