S 2.178 Drawing up a set of security guidelines for the use of faxes

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Prior to the installation, configuration and release/approval of fax servers, a set of security guidelines should be specified for the use of faxes. The following aspects usually fall within the scope of such guidelines:

1. Application concept

Before a fax server is released and approved for use, the type of application in which the system is to be operated must first be specified. For example, it is possible that a fax server is only used to receive faxes via the LAN and to send them out afterwards. A fax server, however, can also receive incoming fax messages from outside. In this case, it must be defined how the incoming fax messages are forwarded to the recipients. One option is for the fax server itself to forward these faxes, possibly using a connection to an existing e-mail or workflow system. Another option is to forward the incoming fax messages manually using the fax mail centre. Here, it is possible to forward the faxes by e-mail. However, it is also conceivable that the fax mail centre prints out incoming faxes and forwards these printouts to the respective recipient (see S 2.181 Selection of a suitable fax server).

2. Integration into business processes

The operating mode also determines how faxes which have been sent or received are integrated into business processes. A procedure whereby the fax mail centre prints out all incoming faxes and forwards the printouts to the relevant recipients corresponds to the common practice for conventional fax machines. However, procedures whereby faxes are sent directly from an application on the user's workstation computer, or incoming faxes are delivered directly to the recipient, differ significantly from those which apply to the use of conventional fax machines. In this case, the guidelines for the use of faxes should specify which incoming and outgoing faxes have to be printed out for the files.

3. Regulations governing the use of fax servers

To ensure the secure operation and use of a fax server, a number of regulations should be drawn up (see S 2.179 Procedures controlling the use of fax servers).

4. Restrictions regarding fax contents

In addition, the set of security guidelines for the use of faxes should also specify what information may actually be passed on by fax. The guidelines can also define which communication partners may receive which information.

This ensures that recipients are actually adequately authorised to process the information. For example, the guidelines might specify that price lists may only be sent to buyers or that project documentation can only be sent by fax to project team members.

5. Contingency planning and operational reliability

Furthermore, the set of security guidelines for the use of faxes should also cover contingency planning and reliability of fax operations. Depending on the availability requirements, it may be appropriate to have redundant fax servers. In this context, consideration should also be given to the question as to whether conventional fax machines are to be kept available for use in emergency situations (see also S 6.69 Contingency planning and operational reliability of fax servers).

6. Data backups

The fax server should be included in the organisation's data backup policy (see module S 1.4 Data backup policy). In particular, it should be specified who is responsible for carrying out the data backups and what items should be backed up. The items subject to the data backup may include software, configuration data, saved or archived fax data or log files. Decisions must also be made regarding the intervals at which backups should be made and the number of generations which must be kept. It must also be defined who is responsible for checking any log files generated during the data backup. Finally, it should be documented both that the data backup has been performed and that the log files have been evaluated.

7. Training

In addition, the set of security guidelines for the use of faxes should be supplemented by an organisation-wide training concept. As a first step, the personnel responsible for the administration of the IT system and fax server application must be given appropriate training. The users must then be made aware of the risks which apply to the use of a fax server as compared to a conventional fax system.

Review questions: