IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Personnel Remarks
____________________________________________________________________ .........................................
- Proper use of passwords
In this context, the importance of a password for IT security and the overall
prerequisites for ensuring effective use of passwords should be explained
(cf. also S 2.11 Provisions governing the use of passwords).
- The importance of data backup and its implementation
Regular data backup is one of the most important IT safeguards in any IT
system. Trainees must be instructed in the data backup policy (c.f. Chapter
3.4 Data Backup Policy) of the agency/company and about the data backup
tasks to be carried out by each individual. This is of particular significance
for PC uses where data backup is incumbent on each user individually.
- Handling of person related data
Person related data requires particularly careful handling. Staff members
who work with person related data (both in IT systems and in written
records) must be trained in the statutory safeguards required. Subjects to be
covered are: handling of information requests, requests for amendments
and corrections from the individuals concerned, legally stipulated deletion
deadlines, protection of privacy and communication of data.
- Briefing on emergency measures
All staff members (including persons not directly concerned with IT, e.g.
entrance control staff or guards) must be briefed on the established
emergency measures. Their briefing should include information on
emergency exits/escape routes, procedures in case of fire, handling of fire
extinguishers, the emergency reporting system (who must be notified first
by what means) and use of the Emergency Procedure Manual.
- Prevention of social engineering
Staff should be informed of the dangers of social engineering. The patterns
which attempts to gain confidential information through targeting
individuals typically take should be explained, as well as the relevant
methods of protection. As social engineering often involves the pretence of
a false identity, staff should be regularly instructed to check the identity of
communication partners and not to provide confidential information over
the telephone, in particular.
When implementing training courses, it should always be remembered that it
is not enough to only train a member of staff once during his entire term of
employment. With most forms of training, especially front desk training
courses, if a lot of new information is presented at once participants can be
overwhelmed. Only a small amount of the information reaches long-term
memory, and 80% is generally forgotten again at the end of the training
course.
For this reason, staff should receive regular training on the subjects of IT
security and indoctrination regarding its importance. For example, this could
take any of the following forms:
- short events devoted to current IT security topics,
- inclusion at regular events such as departmental meetings, or
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000