IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.52 Security-related requirements for
communications computers
Initiation responsibility: Agency/company management; IT Security
Management
Implementation responsibility: Administrators
Access by telecommuters to data at an institution differs in accordance with
the type of telecommuting and the tasks to be performed. In some situations,
only e-mail might be exchanged between telecommuters and the institution. In
other cases, it might be necessary for telecommuters to access servers at the
institution. Regardless of the type of access procedure being used though, the
communications computer at the institution needs to meet the following
security requirements:
- Identification and authentication: All users of the communications
computer, i.e. administrators, employees at the institution and
telecommuters, must identify and authenticate themselves before gaining
access to the computer. If attempts of identification and authentication fail
repeatedly, access is to be denied. Preset passwords are to be changed.
If necessary, the communications computer should be able to prompt for
renewed authentication from the telecommuter or remote workstation
during the process of data transfer in order to preclude unauthorised
interventions.
As part of user identification and authentication, the remote workstation
should also be identified (for example, by means of subscriber numbers
and call-back procedures).
- Role distinction: The roles assumed by the administrator and users of the
communications computer must be separated. Only the administrator
should be able to allocate permissions.
- Rights management and monitoring: Access to files on the
communications computer must only be granted in accordance with the
rights allocated in each case. In particular, access to computers installed at
the institution and the data stored on them must be regulated. Data and
system access should be restricted to the bare minimum. The time periods
during which access by telecommuters is possible, can also be restricted.
In the event of a system failure or irregularities, the communications
computer must assume a stable state, in which access to it might no longer
be possible.
- Minimisation of services: Services provided by the communications
computer must follow the principle of minimisation: Everything not
explicitly allowed is prohibited. The services themselves must be restricted
to the scope absolutely necessary for telecommuters to fulfill their duties.
- Logging: Data transmissions from, to and via the communications
computer must be logged with details of the time, user, address and type of
service.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000