IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
- A policy must be established as to whether private calls may be made with
work mobile phones and, if so, to what extent.
- Consideration should be given to whether only calls to certain
communication partners should be allowed, e.g. to avoid unnecessary
expense and/or restrict the disclosure of information (see also S 2.42
Determination of potential communications partners). This can be
achieved through either an organisational procedure or technical means, as
described below under the keywords "Call restrictions" and "Closed User
Group".
- Even where work mobile phones are used, users should be informed of the
related costs in order that these can be kept as low as possible. Thus, users
should be informed of the tariff structure and roaming agreements in order
that, for example, they can select the most favourable network provider
when making calls abroad.
- Users should be informed as to the care they should take with their mobile
phones to avoid loss or theft and to ensure that the equipment has a long
useful life (e.g. looking after batteries, care of phones outside office or
living rooms, sensitivity of equipment to excessively high or low
temperatures).
- The administration, maintenance and issue of mobile phones should be
controlled. For this purpose it is recommended that a mobile phone pool is
set up (see S 2.190).
- Every time a change of user occurs, all the necessary PINs must be passed
on securely (see S 2.22 Escrow of passwords).
General rules
Irrespective of whether the mobile phones used have been purchased privately
or by the business, the employer should issue the following rules in writing:
- Anyone driving a vehicle on business must not make any calls during the
journey, as otherwise in the event of an accident the organisation could be
held jointly liable.
- Business secrets must not be disclosed over the mobile phone. The threat
here is not so much that the communication will be intercepted on the
communications link (over the network) as that it will be overheard by
persons in the immediate environment.
- Users should satisfy themselves as regards the identity of the person they
are talking to and should not jump to hasty conclusions before passing on
information that is internal to the organisation.
As far as possible, a mobile phone should never be left unattended. If a mobile
phone has to be left behind in a motor vehicle, then the device must not be
visible from outside. Alternatives are to cover the device or to lock it up in the
boot. Mobile phones have a certain value which could attract potential thieves.
If the mobile phone is used on-site in offices which do not belong to the
organisation, then the security rules in force in the organisation being visited
must be observed.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000