IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
as to whether and when data to be transmitted should be encrypted and
signed digitally (also refer to S 4.34 Using Encryption, Checksums or
Digital Signatures). A central body must determine the applications to be
employed by users for the encryption and use of digital signatures. These
applications must be made available to the users, who should be briefed
beforehand on how to handle the applications.
- Before the introduction of electronic communications systems, clarification
is required as to the circumstances under which incoming and outgoing emails
also need to be printed out.
- File transfer can be documented (optionally). In this case, every file
transfer, together with the contents and recipient of the information, is
registered in a log. Legal regulations concerning logging must be observed
during the transfer of person related data.
E-mail intended for internal dispatch must not be allowed to leave the internal
network. This must be ensured by appropriate administrative measures. For
example, the transfer of e-mail between the various departments of an
organisation should take place via internal, dedicated lines and not via the
Internet.
In principle, messages intended for internal addresses must not be forwarded
to external addresses. If an exception needs to be made, all employees must be
informed duly. For example, e-mails might need to be forwarded to external
points where they can be accessed by staff on external duty or other
employees on business trips.
Additional controls:
- Does a security policy governing the use of e-mail exist?
- Who is responsible for answering users' queries concerning e-mail?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000