IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Personnel Remarks
____________________________________________________________________ .........................................
S 3.5 Education on IT security measures
Initiation responsibility: Superiors, IT Security Management
Implementation responsibility: Superiors, IT Security Management
In the majority of cases, damage in the IT field is caused by negligence. In
order to prevent this, everybody must be motivated to exercise care in the use
of information technology. In addition, procedures must be provided which
help the individuals concerned to better understand IT safeguards. In
particular, the following subjects should be included in training on IT security
safeguards:
- Building IT security awareness
Every staff member must be made aware of the need for IT security. A
suitable first step for introducing staff to the subject is to make them aware
of the dependence of the agency/company, and hence of their jobs, on the
smooth functioning of IT systems. In addition, the value of information
should be highlighted, especially with regard to confidentiality, integrity
and availability. These awareness-building activities should be repeated
periodically, possibly also supplemented by practical information, e.g.
through in-house circulars.
- Staff-related IT safeguards
Under this heading, information should be provided on all safeguards
which have been developed within the framework of an IT security policy
and which are to be implemented by the various staff members. This part
of the training effort is very important since many IT safeguards can be
applied effectively only after adequate education and motivation.
- Product-related IT safeguards
Under this heading, information is provided on IT safeguards inherent in a
particular product and already present when the product is supplied. These
can, for example, be registration passwords, screensavers, or encryption
features for documents or data fields. Recommendations regarding the
structure and organisation of files containing transaction data can facilitate
the granting of access rights and considerably reduce the work involved in
data protection.
- Conduct in the event that a computer virus appears on a PC
Staff members should be instructed on how to handle computer viruses.
Such training might cover the following (cf. S 6.23 Procedure in case of
computer virus infection):
- detection of computer infection,
- action and types of computer viruses,
- immediate response when virus infection is suspected,
- measures to eradicate the computer virus,
- preventive measures.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000