19.12.2012 Views

IT Baseline Protection Manual - The Information Warfare Site


Safeguard Catalogue - Organisation

S 2.205 Transmission and Retrieval of Person-related Data

Initiation responsibility: IT Security Management, Data Privacy Officer

Implementation responsibility: Head of IT Section, Data Privacy Officer

If any person-related data is transmitted from the employer's or customer's premises to a "remote" workplace (e.g. of a telecommuter), the relevant data privacy protection provisions must be adhered to. Under §9 of the Federal Data Protection Act (BDSG), it is especially important in such cases to prevent unauthorised persons from using the data transmission facilities to access IT systems (user supervision). Furthermore, steps must be taken to ensure that it is possible to check and determine in which offices or locations person-related data can be transmitted using data transmission facilities (transmission supervision).

The transport route or transmission method should be selected so as to provide assurance of the confidentiality, the integrity and the authenticity (proof of origin) of the person-related data.

If the transmission of person-related data occurs in the context of an automated retrieval procedure, the special requirements relating to reliability contained in the relevant legislation must be complied with.

General aspects<br />

- The occasion and purpose as well as the persons or offices involved in the retrieval procedure must be established.
- Retrieval permissions must be defined and monitored.
- The type and scope of the data held must be specified.
- Retention periods and deletion dates must be defined for data.
- The cases in which the person/office holding the information must be informed of the person/office retrieving it must be specified.
- The transport route must be specified, e.g. access over an ISDN dial-up line, callback protection based on CLIP or COLP (see S 5.49).
- Suitable cryptographic procedures (e.g. symmetric and asymmetric encryption or digital signature) must be employed in order to prevent violation of the data privacy protection legislation during transmission of sensitive data. Section 3.7 Crypto Concept describes how to select procedures and products that are suitable.
- If person-related data is exchanged regularly or continuously over a transport route, then transmission should be protected using a virtual private network (VPN) (see S 5.76 Use of Suitable Tunnel Protocols for RAS Communication and S 5.83 Secure Connection of an External Network with Linux FreeS/WAN).

IT-Baseline Protection Manual: October 2000
