S 2.60 Secure administration of a modem

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT users, Administrator

The secure use of a modem requires certain administrative measures:

• The subscriber number of a modem must only be disclosed to the communication partners involved, in order to protect the modem from unauthorised dialling-in attempts. This number must not be listed in the telephone directory of the organisation.

• Modems integrated in a network server can be accessed by users from their respective terminals. In this situation, access to the communications software must only be granted to users who are authorised to transmit data (also refer to S 2.42 Determination of potential communications partners).

• The modem settings and communications software must be checked regularly, and a log of the data transmissions must be maintained.

• It must be ensured that the modem interrupts the telephone connection as soon as the user logs-out of the system. For stand-alone systems, this can be realised by leaving the modem connected to the telephone network only for the period of data transmission and then deactivating or disconnecting it from the line. Modems integrated in a network server must be configured accordingly. An external modem can simply be switched off. In addition, all users must be instructed to quit the communications program after completion of data transmission.

• It must be ensured that external users are automatically logged out of the IT system on disruption of a modem link, otherwise the next caller would be able to proceed using the same user ID without having to log-in first. The next caller could then work with the same user ID, without any need to log on to the system

Additional controls:

• Have the modem settings been checked to determine whether they effectively prevent unauthorised use?

• Is the modem disconnected when users log-out?

• Are users logged-out automatically on disconnection of the modem?