IT Baseline Protection Manual S 3.26 Briefing of staff in the secure handling of IT equipment

Initiation responsibility: Head of Human Resources, Head of IT Section, IT Security Management

Implementation responsibility: Human Resources, line managers

Many IT security problems arise due to incorrect usage or configuration of IT assets. To avoid such problems, all employees should be instructed on the secure handling of IT equipment. To this end all employees should be given appropriate training (see also S 3.4 Training before actual use of a program, S 3.5 Education on IT security measures and S 2.198 Making staff aware of IT security issues).

IT users should be given specific guidelines as to what they should look out for when handling IT equipment. Such guidelines should contain mandatory provisions regarding the framework conditions to be adhered to when the IT systems concerned are used and the IT security measures that must be taken. Instructions as to what users must not do under any circumstances must be clear and incapable of being misunderstood. These guidelines should be mandatory, understandable and readily available. To document their binding nature, they should be signed by senior management or, as a minimum, by the IT officer. They should be kept short and easy to understand so that, for example, they can be hung up as a reminder. In addition, it should be possible to retrieve them on the intranet.

User guidelines should contain only procedures and rules that can actually be implemented. User guidelines should be worded in as positive a way as possible. For example, instead of reading like this:

the following entry could be included:

Examples of user guidelines are contained in the auxiliary aids contained in the annex.

A set of user guidelines for general IT usage should cover the following points as a minimum:

In addition to such guidelines, there must be clear statements as to which users are allowed to access what information, to whom they may pass on this information and what measures are to be taken in the event of a violation of these guidelines.

Whenever a user leaves his desk he must satisfy himself that all the resources used for work (documents, data media etc.) are secure (see also S 2.37 Clean desk policy). All IT systems should be protected against unauthorised access by means of passwords. Where an IT system is unattended, all open sessions should be terminated or, at the very least, a screensaver with password protection should be activated.

The basic configuration of all IT systems should be as restrictive as possible. In the standard configuration of workstations, only those services which are needed by all the users in a group should be available (see also S 4.109 Software reinstallation on workstations). Other programs or functionality should only be installed or released after the users have been instructed on how to use them and made aware of any security problems.

All user rules should be drawn up in co-operation with representatives of all the groups involved; in particular, the works council, staff council, Data Privacy Officer and IT Security Officer must be involved at the right time. Whenever a user rule is altered, the latter parties must be involved once again. The amended user rule must be notified to all the users.

Task descriptions should contain all tasks and duties that are relevant to IT security. These include the duty to observe the in-house IT security guidelines (see also S 2.198 Making staff aware of IT security issues).

If any IT systems or services are used in a way which conflicts with the interests of the agency/company, anyone who becomes aware of this should advise his line manager. If necessary, disciplinary measures should be taken.


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: July 2001