S 2.10 Mobile workplace
Description
IT users are becoming increasingly mobile and, thanks to increasingly smaller and more powerful devices, they can work almost anywhere. For this reason, business tasks are often not carried out in the rooms of the company or government agency but at alternating workplaces in different environments, e.g. in hotel rooms, on trains or in the customer's office.
However, the same level of infrastructural security that exists in the company's or government agency's office environment cannot be assumed in these environments. Security safeguards must therefore be implemented to create a security situation comparable to that of an office room.
This module describes the typical threats and safeguards for a mobile workplace.
Threat scenario
The following typical threats to the IT-Grundschutz of mobile workplaces are assumed to exist:
Force Majeure
| T 1.15 | Degradation due to changing application environment |
Organisational Shortcomings
| T 2.1 | Lack of, or insufficient, rules |
| T 2.4 | Insufficient monitoring of security safeguards |
| T 2.47 | Insecure transport of files and data media |
| T 2.48 | Inadequate disposal of data media and documents at the home workplace |
Human Error
| T 3.3 | Non-compliance with IT security measures |
| T 3.43 | Inappropriate handling of passwords |
| T 3.44 | Carelessness in handling information |
Deliberate Acts
| T 5.1 | Manipulation or destruction of equipment or accessories |
| T 5.2 | Manipulation of information or software |
| T 5.4 | Theft |
| T 5.71 | Loss of confidentiality of classified information |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A number of safeguards need to be implemented for mobile workplaces as well. They should be carried out following the example of the life-cycle model.
Planning and design
Safeguard S 1.61 Appropriate selection and usage of a mobile workplace describes the basic design possibilities that should be taken into account when setting up a workplace in a foreign environment.
Implementation
It must be specified for all work done when travelling which information may be transported and processed outside the company or government agency and which protective precautions must be taken. It must also be determined under which framework conditions employees with mobile IT systems may access internal data of their organisation.
Operation
During mobile work, not only the IT systems taken along (e.g. laptop, PDA, mobile phone) but also the information processed when travelling must be carefully handled. This includes following the regulations specified by the employer regarding the working environment and the secure storage of working materials.
Disposal
Especially in foreign environments it is crucial that data media and print-outs are carefully disposed of and not simply thrown in the rubbish bin.
The bundle of security safeguards for mobile workplaces is presented in the following.
Planning and design
| S 1.61 | (A) | Appropriate selection and usage of a mobile workplace |
| S 2.218 | (C) | Procedures regarding the personal transportation of data media and IT components |
| S 2.309 | (A) | Security policies and rules for the use of mobile IT |
| S 2.430 | (C) | Security policies and rules for protecting information while travelling |
Operation
| S 1.15 | (A) | Closed windows and doors |
| S 1.23 | (A) | Locked doors |
| S 1.46 | (Z) | Use of anti-theft devices |
| S 2.37 | (C) | Clean desk policy |
| S 2.389 | (Z) | Secure use of hotspots |
| S 4.251 | (A) | Working with external IT systems |
Disposal
| S 2.13 | (A) | Correct disposal of resources requiring protection |