S 2.179 Procedures controlling the use of fax servers

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

To ensure the smooth operation of the fax server(s), the following aspects and procedures must be specified:

1. Definition of responsibilities

A fax server consists of an IT system, the operating system installed on it and the fax server application. Then there is also the area of the users' fax clients. Accordingly, the support and maintenance for the fax servers must be organised. Depending on the existing organisational structure, persons responsible for these areas must be appointed. In extreme cases, this can mean that each of these areas is supported by different administrators. For example, the administration of the operating system can be performed by the organisational unit which is also responsible for the administration of the other IT systems. However, the administration of the fax application should be carried out by the fax mail centre. Depending on the type of use, the fax mail centre is also responsible for ensuring that incoming fax messages are forwarded to the respective person responsible. This centre should then also be responsible for granting authorisations for the fax server. Other tasks include resetting passwords and configuring new user accounts. Thus it is especially important to define the tasks and responsibilities of the fax mail centre (see S 2.180 Setting up a fax mail centre).

2. Definition of the user group

In addition, the group of persons who are authorised to use the fax server should be specified. Authorisations for incoming fax messages might include the following:

• read,
• forward, and
• delete.

Authorisations for outgoing fax messages might include the following:

• send,
• suspend,
• delete, and
• alter transmission options.

If possible, these authorisations should be granted only to user groups and, only in exceptional cases, to individual users, as is common practice in administration (see also S 2.30 Provisions governing the configuration of users and of user groups).

3. Definition of usage profiles

The question of to what extent authorised users may use the fax server should also be specified in the procedures. This is of particular importance in order to prevent the server from being overloaded by serial faxes.

4. Times during which the facilities may be used

Consideration should also be given as to whether using the fax servers should only be permitted at certain times. Thus, it would be possible to prevent faxes from being sent outside working hours.

5. Configuring groups

If incoming faxes are automatically forwarded by fax servers to the recipients, separate fax numbers should be configured for certain functions and tasks. All members of a group can then be granted access to the incoming fax messages associated with the respective fax number. This also simplifies any substitution arrangements.

Example: In a company, a fax server automatically forwarding incoming fax messages to the recipients is operated. A fax number is assigned for the order processing department. The fax server forwards all fax messages with orders transmitted to the company using this fax number not to one individual employee but to all members of the order processing department. This requires that the company specify in which order the employees process incoming fax messages in order to prevent orders from being performed twice.

6. Substitution arrangements

Especially when using fax servers which deliver incoming faxes to individual users, it is essential that substitution arrangements are in place to deal with absences and, thus, to include corresponding provisions in the security strategy. Otherwise, it cannot be ruled out that important incoming faxes are not read for longer periods of time. In this respect, the procedure for the use of fax servers differs significantly from that applying to the use of conventional fax machines. In the latter case, incoming faxes are noticed by the respective substitutes, as the faxes are available as hard copy.

7. Logging

Procedures for dealing with any log data generated should be defined. For example, it should be specified who is responsible for evaluating what logged data and at what intervals (see S 2.64 Checking the log files).

8. Address books

It should also be specified which address books are used and who is responsible for maintaining them. Many fax server applications provide the possibility of creating address books both for individual users and also for use throughout the organisation.

Moreover, it is often also possible to synchronise fax server address books with distribution lists/address books already available in e-mail systems. Whereas address books which are to be used throughout the organisation should be maintained centrally by the fax mail centre, users must perform the task of maintaining their own address books themselves. Users should also be required to check recipients' fax numbers in the case of important fax messages (e.g. individual quotations).

9. Use of the fax server

Procedures covering the use of the fax servers by the employees must also be drawn up (see S 3.15 Information on the use of fax machines for all employees). Finally, it must also be specified which rights the employees may exercise on the fax server.

10. Protection of the fax client

Appropriate organisational and technical safeguards must be taken to ensure that faxes cannot be read without authorisation and/or cannot be sent without authorisation or unintentionally. Users must therefore be trained in the use of the fax programs and made aware of the potential risks.

Authentication of employees on the fax server is of particular importance. This can be performed explicitly using a fax client or else by logging on to a directory service, a domain controller (in a Microsoft Windows NT environment) or an e-mail system. If employees are authenticated to the fax server using a client, the login password should, wherever possible, not be stored on the hard disk, as this would invalidate its value as a security mechanism. Anyone who has access to the respective fax client can send faxes under another name and read incoming fax messages without authorisation. Furthermore, employees should be encouraged to log off from the fax server after collecting incoming fax messages and sending outgoing faxes. Steps should be taken to ensure that the computer is protected when employees leave their desks, for example by using a password-protected screen saver or other mechanisms of the operating system used (see S 4.1 Password protection for IT systems and S 4.2 Screen lock).

11. Repair and maintenance

Procedures covering repair and maintenance work performed on the fax server should also be defined. System administrators must know whom to inform and contact when maintenance or repair work is necessary. Procedures for handling defective data media and defective hard disks in particular should also be specified.

Review questions:

• Was it checked whether using the fax systems should only be permitted at certain times?
• Are substitution arrangements and associated provisions regarding incoming faxes taken into consideration in the set of security guidelines?
• Are there procedures for dealing with the logged data of the fax server?
• Are procedures controlling the use and maintenance of address books for the fax systems?
• Has it been ensured that it is not possible to read or send faxes without authorisation?
• Do the employees authenticate on the fax server?
• Are there procedures controlling repair and maintenance work performed on the fax server?