S 2.11 Meeting, event, and training rooms
Description
Meeting, event, and training rooms are predominantly characterised by the following:
- They are used by different persons and/or groups of persons.
- They are used both by internal and external employees.
- A coherent use by the same group of persons mostly lasts for a short period only, from a few hours to a few days.
- IT systems brought along are operated together with internal IT (e.g. an external laptop connected to the organisation's projector).
- The information used there is normally present locally (e.g. on laptops or mobile data media) or made available in a specifically configured test or training network. Sometimes, a LAN connection is even present so that internal data of the organisation can be accessed.
These widely differing uses result in a threat scenario that is not really comparable to the threat scenarios of any other room. Along with the usual threats for rooms of any kind, the focus here is on the threat caused by the "play instinct" of the people present.
Threat scenario
For the IT-Grundschutz of meeting, event, and training rooms, the following typical threats are assumed to exist:
Organisational Shortcomings
T 2.1 | Lack of, or insufficient, rules |
T 2.2 | Insufficient knowledge of rules and procedures |
T 2.14 | Impairment of IT usage on account of adverse working conditions |
T 2.104 | Incompatibility between external and own IT systems |
Human Error
T 3.6 | Hazards posed by cleaning staff or outside staff |
T 3.78 | Exposed cables |
Technical Failure
T 4.1 | Disruption of power supply |
T 4.2 | Failure of internal supply networks |
Deliberate Acts
T 5.4 | Theft |
T 5.71 | Loss of confidentiality of classified information |
Method recommendation
To secure the information system examined, other modules must be implemented in addition to this module, with these modules being selected based on the results of the IT-Grundschutz modelling process.
Planning and design
The uses of meeting, event, and training rooms vary strongly.
Since the required security safeguards also depend on these uses, a use overview should first be drawn up, taking into consideration the planned application scenarios (see S 2.331 Planning rooms for meetings, events and training).
Based on the use concept, suitable premises should be selected and equipped (see S 2.332 Equipping meeting, event and training rooms).
If access to LANs or the internet is required, the network accesses in the meeting, event, and training rooms must be protected carefully (see S 5.124 Network connections in meeting, event and training rooms).
Implementation
Security regulations for meeting, event, and training rooms must be specified and implemented from a technical and organisational point of view. All employees must be informed of the use regulations to be observed (see S 2.333 Secure use of meeting, event and training rooms).
Operation
The equipment and the technology present in meeting, event, and training rooms must be handled with care as well. This includes following the regulations specified by the organisation regarding the working environment and the secure storage of working materials.
Disposal
Particularly for meeting, event, and training rooms with frequently changing users, it is important to carefully dispose of working materials such as data media and documents and not to simply leave these lying about.
The bundle of security safeguards for the field of "meeting, event, and training rooms" is presented below:
Planning and design
S 2.331 | (A) | Planning rooms for meetings, events and training |
S 2.332 | (B) | Equipping meeting, event and training rooms |
S 3.9 | (Z) | Ergonomic workplace |
S 5.77 | (Z) | Establishment of subnetworks |
S 5.124 | (C) | Network connections in meeting, event and training rooms |
Implementation
S 2.69 | (B) | Establishing standard workstations |
S 2.204 | (A) | Prevention of insecure network access |
S 2.333 | (A) | Secure use of meeting, event and training rooms |
S 4.252 | (C) | Secure configuration of training computers |
Operation
S 1.15 | (A) | Closed windows and doors |
S 2.16 | (B) | Supervising or escorting outside staff/visitors |
S 4.109 | (Z) | Software reinstallation on workstations |
S 4.293 | (Z) | Secure operation of hotspots |