IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
Safeguards against unauthorised retrieval
Retrieval of data by unauthorised persons must be prevented by means of
suitable precautions:
- Every user must be uniquely identified and authenticated to the IT systems
from which the person-related data is retrieved.
- Authorisation should be blocked after a specified number of unsuccessful
attempts.
- Passwords must be changed at regular intervals. As far as possible, this
must be enforced by the relevant programs.
- Program-controlled checking procedures should be used to review the log
files.
- The type and scope of logging must be specified (see also S 2.110 Data
Privacy Guidelines for Logging Procedures).
- Random sampling checks should be performed or else continuous logging
should be carried out.
- The place at which logging is performed must be specified (the retrieving
and/or originating party).
- Logging must be designed in such a way that it is possible to determine
after the event which retrieval permissions were used when data was
retrieved.
- The reasons for retrieving the data must be logged.
- Where data is retrieved, which connection and which terminal devices
were used during transmission must be logged.
Measures for organisational supervision
- All staff, especially those in the office which retrieves the data must be
under an obligation to maintain confidentiality of the data. Passing on of
data to third parties must be contractually prohibited.
Additional controls:
- Have the technical and organisational measures implemented been
documented?
- Is there a concept covering the review and assessment of the reliability of
data transmissions involving automated retrieval?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000