IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.74 Maintenance of fax server address books and
distribution lists
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator, fax mail centre
Most fax servers provide facilities for both central and also individual address
books. Central address books are available to all users of a fax server and
should be maintained centrally by the fax mail centre. Individual address
books can be created by any user but are generally available only to the
author.
It is especially important that central address books are protected against
unauthorised changes. To achieve this, the user access rights for the fax server
application should be granted in such a way that only the fax mail centre can
alter the central address books, or, if this is not possible, then the resources of
the operating system should be called on so as to achieve the same result.
The fax mail centre should perform regular checks to ensure that all central
address books are intact and up-to-date. Most fax servers allow several
recipients to be grouped together in the address books as one group. If an
adversary succeeds in manipulating such groups, he or other unauthorised
persons can obtain access to confidential fax transmissions. The fax mail
centre should therefore also regularly review the assignment of recipients to
individual groups to ensure that these are up-to-date. Where faxes are
exchanged between workstations within an organisation via the fax server, the
fax mail centre must keep all internal address books up-to-date as well.
In addition, the users have an obligation to check the entries they use
personally at regular intervals. This applies both to central address books and
also to individual ones.
Distribution lists are used by the fax server to route incoming fax
transmissions to recipients. Incorrect entries in the distribution lists could
result in unauthorised persons gaining access to fax transmissions containing
confidential information. The fax mail centre should therefore check the
distribution lists at regular intervals to ensure that they are up-to-date and
intact.
To ensure that address books and distribution lists are kept up-to-date, the fax
mail centre must be informed when any member of staff leaves the
organisation.
To ensure that all administration work performed is traceable, all entries and
alterations in central address books and distribution lists should be
documented.
Additional controls:
- How often are address books and distribution lists checked to ensure they
are intact and up-to-date?
- How does the fax mail centre find out when a member of staff leaves?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Protection against
manipulation
Regular review of central
address books
Regular review of
distribution lists