T 3.105 Unapproved use of external services
Employees relatively often use external services without coordinating this within your organisation. One reason may be that they do not know which internal steps are required. However, the reason might also be that
- they are familiar with the approval procedures, but these are too complex or take too long,
- they also use these services for private purposes and thus take them for granted.
In many cases, however, different general conditions apply to the professional use of these services than to private use. Problems can occur if
- the use of external services is not contractually agreed upon,
- this results in new data flows that are unknown to information security management and thus uncontrolled,
- confidential data is passed on to third parties in an unauthorised manner and internal security policies or data protection regulations are thus violated,
- technical security safeguards such as virus protection are circumvented.
Examples:
- Employees use web mail services so that they can access their e-mails more flexibly whilst travelling. If they are absent, they automatically forward their official and/or professional e-mails to these web mail services. As a result, confidential data might end up with competitors, or personal data with foreign providers.
- Online office programs such as Google Documents or Microsoft Office 2010 Web Apps allow documents to be accessed and processed quickly from anywhere. However, this not only circumvents the access rules of your own organisation under certain circumstances; the data used is also stored on the premises of a service provider, which might thereby obtain access to confidential data or even rights of use.