IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.63 Security-related requirements for
telecommuting computers
Initiation responsibility: Agency/company management; IT Security
Management
Implementation responsibility: Head of IT Section, Administrator
The security-related requirements for telecommuting computers depend on the
degree of protection needed for data at remote workstations and the nature of
the data which telecommuters can access from the telecommuting computer of
the institution. The higher the required degree of protection, the greater the
number of security measures entailed. General security objectives for
telecommuting computers include the following:
- Telecommuting computers must only be used by authorised persons.
This ensures that only authorised persons can use data and programs which
are stored on the remote workstation or accessible via the communications
computer at the institution. Authorised persons include administrators of
telecommuting computers, telecommuters and their stand-ins.
- Telecommuting computers must only be used for authorised purposes.
This helps prevent telecommuters from using or modifying IT for
unauthorised purposes, thus avoiding misuse and damage caused by
improper handling.
- Damage caused by theft or malfunctioning of a telecommuting computer
must remain within tolerable limits.
Telecommuting workstations are usually installed in an insecure
environment, thus exposed to the danger of theft. In the event of a theft, the
availability and, possibly, the confidentiality of the data stored on the
stolen computer are impaired. The potential damage arising here should be
minimised.
- Attempted or successful manipulation of remote workstations should be
clearly recognisable for telecommuters.
This ensures that remote workstations remain in an integral state even if
attempts at manipulation cannot be precluded.
The following functions are useful for remote workstations:
- Telecommuting workstations must have an identification and
authentication mechanism. The following conditions must be met, in
particular:
- Critical security-related parameters such as passwords, user IDs etc.
are managed reliably. Passwords are never stored in unencrypted
form on telecommuting workstations.
- Access mechanisms respond to incorrect entries in a defined manner.
For example, if an incorrect attempt at authentication is made three
times in a row, access to the remote workstation is denied, or the
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000