S 3.25 Training on Lotus Notes security mechanisms for users

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT Security Management

Lotus Notes is a complex system under which, as with all complex systems, it is easy for incorrect usage or unintended mistakes in the configuration to create security weaknesses. This applies particularly when users are using a Notes system without having had appropriate training. It is true that the system configuration is normally set so that only a limited number of parameter settings can be changed by users, but ignorance as to the security mechanisms and settings available to a user can result in the system being used in an insecure manner.

Therefore all users should be trained in how to work with Lotus Notes. In addition to pure use of the client software, however, it is also necessary to explain how the databases which users are likely to need to use function and to train the users in how to use them. This is necessary as Notes databases can offer many functions so that they constitute more than a pure data store (this is why databases are referred to as "Notes applications").

In particular the security mechanisms that are available to the users must be made clear to them, so that they are in a position to use them correctly and sensibly. A training course should include the following topics:

• Overview of the mechanisms for controlling access to a server

• Overview of the mechanisms for controlling access to databases

• Detailed coverage of the use of access control lists (ACLs) for controlling access to databases

• Secure use of Notes ID and use of the content of a Notes ID

• Authentication on the Web interface and its strengths and weaknesses

• Setting up access restrictions for Web access to databases

• Overview of how symmetric and asymmetric cryptographic procedures function

• Handling of cryptographic certificates (recognition of certificates, significance of cross-certificates)

• Secure handling of Internet certificates

• Enforced protection of communications using port encryption and SSL

• Restrictions on the execution of active content in the Notes client (Execution Control List, ECL)

• Use of encryption procedures for databases (database and field encryption)

• Use of e-mail encryption and the purpose of e-mail signatures (Notes client and browser)

• Security differences between access with a Notes client and access with a browser

If necessary, this list of topics must be modified and expanded to reflect the actual circumstances. As well as pure training on the Notes security mechanisms, however, the users must also possess a knowledge of the security guidelines of their organisation, so as to ensure that these are implemented appropriately in the use of the security mechanisms (see S 2.207 Defining security guidelines for Lotus Notes).

Additional controls:

• Are the users familiar with the Notes security mechanisms and are these also used?

• Are all the users familiar with the content of the organisation's own security guidelines for Lotus Notes?