S 2.23 Issue of PC Use Guidelines
Initiation responsibility: IT Security Officer, Top Management, Head of IT
Implementation responsibility: User, Head of IT
In order to promote the secure and proper use of information technology in larger companies or government agencies, guidelines should be prepared which lay down mandatory provisions on what general requirements must be met and which security safeguards have to be taken. All users must be notified of these guidelines, for example in electronic form on an intranet server. Every new user must confirm that he/she has read the guidelines before being allowed to use the information technology. After more comprehensive changes to the guidelines, or after 2 years at the latest, a new confirmation is required.
The following gives a rough outline of the contents that are advisable for such guidelines:
Objectives and definitions
The first part of the guidelines serves to raise the IT security awareness and motivation of the users. At the same time, the concepts required for a shared understanding are defined, such as PC, server, network, user, and objects requiring protection.
Scope of application
In this part, the units of the company or government agency to which the guidelines are to apply must be laid down in a binding form.
Legal regulations and internal regulations
Here, information is given on the legal provisions to be complied with, e.g. the Federal Data Protection Act and the Copyright Act. Examples should be provided to explain the effects of this on the use of information technology in the particular environment. In addition, all relevant in-house regulations can be listed in this section.
Distribution of responsibilities
This section defines which responsibilities are associated with which function in the context of IT use. In particular, a distinction has to be made between the functions of user, supervisor, administrator, auditor, data protection officer, and security management team.
Contact persons
The guidelines should name contact persons, with contact information (telephone, e-mail etc.), whom users can approach with any questions relating to information security, or who can point out where this information can be found. It should be noted, though, that stating too many different contact persons often leads to confusion among users. It is usually better to state just a few contact persons who can then refer the users to the correct location when needed (help desk concept).
IT security measures to be implemented and observed
In the final section of the IT use guidelines, those security safeguards which are to be observed and implemented by the user must be laid down. Depending on the required level of protection, these can exceed the IT-Grundschutz safeguards. Typical examples of security safeguards at the workplace are secure login and logout on the PC, proper handling of passwords, and codes of conduct for using the internet.
If telecommuters are employed by the company or government agency, the guidelines should be extended by rules pertaining to telecommuting workstations.
Review questions:
- Are the PC Use Guidelines updated regularly, after 2 years at the latest?
- Has it been ensured that the PC Use Guidelines are available to all relevant parties?
- Do binding rules exist specifying that the user must read the PC Use Guidelines before using an internal IT system for the first time?
- When use is made of telecommuting: Do the PC Use Guidelines contain specific rules pertaining to telecommuting workstations?