S 3.402 Fax machine
Description
This chapter considers information transfer via facsimile (fax). Here, the contents of a printed page are scanned and transmitted by the sending machine and reconstructed by the receiving machine. The transmission standard (e.g CCITT group 3) was not used for differentiation purposes in the selection of safeguards as part of IT-Grundschutz. This module only covers commercially available stand-alone fax machines in its consideration of the technical basis of sending faxes, and does not cover fax cards or fax servers (see module S 5.6 Fax servers).
Threat scenario
The following typical threats are assumed for fax transfer as part of IT-Grundschutz:
Organisational Shortcomings
| T 2.20 | Inadequate or incorrect supply of consumables |
Human Error
| T 3.14 | Misjudgement of the legal force of a fax |
Technical Failure
| T 4.14 | Fading of special fax paper |
| T 4.15 | Fax transmission errors |
Deliberate Acts
| T 5.7 | Line tapping |
| T 5.30 | Unauthorised use of fax machine or fax server |
| T 5.31 | Unauthorised reading of incoming fax transmissions |
| T 5.32 | Evaluation of residual information in fax machines and fax servers |
| T 5.33 | Sending faxes under a false identity |
| T 5.34 | Deliberate re-programming of the destination keys on fax machines |
| T 5.35 | Overload due to incoming fax transmissions |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A number of safeguards need to be implemented for fax machines, from purchasing and operation right through to contingency planning. The steps to take to accomplish this as well as the safeguards to implement in each phase are listed in the following.
Purchasing
Safeguard S 2.49 Procurement of suitable fax machines contains the most important criteria to be used when selecting a fax machine.
Implementation
When installing a fax machine its location should be chosen on the basis of its convenience and accessibility. Employees who are required to use the fax should be trained how to operate the machine.
Operation
Measures should be taken to ensure that there is an adequate supply of the necessary consumables at all times in order to prevent information being lost because there was no paper or toner available when the message came through. As a general rule it is advisable to send a cover sheet with a fax for ease of identification. Regular checks of the transmission and receipt logs help to detect any misuse of the fax machine, and occasional checks of addresses programmed into the machine help to prevent faxes being transmitted to the wrong recipient.
Disposal
When disposing of consumables and spare parts, care should be taken to ensure that they cannot fall into the hands of unauthorised persons who may be able to gain access to images of faxes transmitted or received on thermal transfer film, imaging drums or on paper.
The bundle of safeguards for fax machines is presented in the following.
Purchasing
| S 2.49 | (Z) | Procurement of suitable fax machines |
Implementation
| S 1.37 | (A) | Suitable siting of a fax machine |
| S 2.47 | (B) | Designating a person in charge of the fax system |
| S 3.15 | (A) | Information on the use of fax machines for all employees |
| S 4.36 | (Z) | Blocking fax recipient numbers |
| S 4.37 | (Z) | Blocking fax sender numbers |
Operation
| S 2.48 | (Z) | Designating authorised fax operators |
| S 2.51 | (Z) | Producing copies of incoming fax messages |
| S 2.52 | (C) | Supply and monitoring of consumables |
| S 2.53 | (Z) | Deactivation of fax machines after office hours |
| S 4.43 | (Z) | Fax machine with automatic envelopment sealing system |
| S 5.24 | (Z) | Use of a suitable fax cover sheet |
| S 5.25 | (A) | Using transmission and reception logs |
| S 5.26 | (Z) | Announcing fax messages via telephone |
| S 5.27 | (Z) | Acknowledging successful fax reception via telephone |
| S 5.28 | (Z) | Acknowledging correct fax origin via telephone |
| S 5.29 | (C) | Periodic checks of destination addresses and logs |
Disposal
| S 2.50 | (B) | Appropriate disposal of consumable fax accessories and spare parts |
Contingency Planning
| S 6.39 | (C) | Listing dealerships for re-procurement of fax products |