IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.176 Selection of a suitable Internet service
provider
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Head of IT Section
A provider via which users are connected to the Internet accumulates
information not only about incoming and outgoing e-mail but also about all of
the WWW pages which the users call up. In addition, all data that is
exchanged between the user’s computer and a server in the Internet passes
through the provider’s IT systems.
When selecting an Internet service provider, the following questions should be
asked:
- Whether staff are available around the clock to deal with technical
problems, and how competent they are.
- How well the provider is prepared for the failure of one or more of his IT
systems (contingency planning, data backup concept).
- What level of availability the provider can guarantee (maximum
downtime).
- Whether the provider regularly checks whether the connections to
customers are still stable, and if not, whether he takes appropriate steps.
- What the provider does to ensure the security of his IT systems and that of
his customers.
Confirmation of secure operation of the provider's IT systems should be
obtained, i.e. for example proof that the conditions specified in S 2.174 Secure
operation of a WWW server have been fulfilled. All relevant measures
specified in Chapter 6 on networked systems and in Chapter 7 on data
communication equipment should be put into practice. An IT security concept
and security guidelines should be a matter of course with every provider. It
should be possible for external users to inspect the security guidelines. The
staff of the provider should be made aware of IT security aspects and be under
obligation to observe the security guidelines; they should also be given regular
training (not only in security matters).
The provider stores user data for invoicing purposes (name, address, user ID,
bank account) as well as connection data and transmitted contents (over a
period of time which varies from one provider to another).
Users should ask their provider for how long which items of data concerning
them remain stored. When selecting a provider, it should be taken into account
that German providers must comply with data privacy regulations applying to
the processing of this information.
Supplementary checks:
- According to which criteria has the provider been selected?
- Which security measures does the provider implement?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000