8.2 Fax machine

Description

This chapter deals with information transfer via facsimile (fax). The transmission standard (e.g. CCITT group 3) was not used for differentiation purposes for the selection of safeguards as part of IT baseline protection. In this module, only customary stand-alone fax machines are used as the basis for fax transmission, not fax insertion cards or fax servers.

Threat Scenario

The following typical threats are assumed for fax information transfer as part of IT baseline protection:

Organisational Shortcomings:

• T 2.20 Inadequate supply of printing consumables for fax machines

Human Failure:

• T 3.14 Misjudgement of the legally binding of a fax

Technical Failure:

• T 4.14 Fading of special fax paper
• T 4.15 Sending a fax message to a wrong recipient due to misconnection
• T 4.16 Fax transmission errors
• T 4.17 Technical defects on fax machines

Deliberate Acts:

• T 5.7 Interception of lines
• T 5.30 Unauthorised use of fax machines
• T 5.31 Unauthorised viewing of incoming fax messages
• T 5.32 Evaluation of residual information in fax machines
• T 5.33 Impersonating wrong senders on fax machines
• T 5.34 Deliberate re-programming of the destination keys on fax machines
• T 5.35 Deliberate overloading by incoming fax messages

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.

The safeguards package for a "Fax Machine" is presented in the following.

Infrastructure:

• S 1.37 (1) Adequate siting of a fax machine

Organisation:

• S 2.47 (2) Designating a person in charge of the fax system
• S 2.48 (2) Designating authorised fax operators (optional)
• S 2.49 (2) Procurement of suitable fax machines (if required)
• S 2.50 (2) Appropriate disposal of consumable fax accessories and spare parts
• S 2.51 (3) Producing copies of incoming fax messages (optional)
• S 2.52 (3) Supply and monitoring of consumable fax accessories
• S 2.53 (3) Deactivation of fax machines after office hours (optional)

Personnel:

• S 3.15 (1) Information on the use of fax machines for all employees

Hardware/Software:

• S 4.36 (2) Blocking fax recipient numbers (optional)
• S 4.37 (3) Blocking fax sender numbers (optional)
• S 4.43 (2) Fax machine with automatic envelope sealing system (optional)

Communications:

• S 5.24 (1) Use of a suitable fax cover sheet
• S 5.25 (2) Using transmission and reception logs
• S 5.26 (2) Announcing fax messages via telephone (optional)
• S 5.27 (2) Acknowledging successful fax reception via telephone (optional)
• S 5.28 (2) Acknowledging correct fax origin via telephone (optional)
• S 5.29 (2) Periodic checks of destination addresses and logs

Contingency Planning:

• S 6.39 (3) Listing dealerships for re-procurement of fax products (optional)