S 2.218 Procedures regarding the personal transportation of data media and IT components
Initiation responsibility: Head of IT, Top Management, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
In general, the IT components used on the premises of a company or government agency are adequately protected against misuse and theft through infrastructural security safeguards. However, IT systems and data media also often need to be used when off the premises, e.g. during business trips or when telecommuting. To provide adequate protection in such cases, there must be clear rules governing the transportation of data media and IT components.
The following must be specified:
- Which IT components and data media are permitted to be taken off the premises
- Who is permitted to take IT components or data media off the premises
- Which underlying IT security safeguards must be followed in this case (virus protection, encryption of sensitive data, storage, etc.).
The type and scope of the IT security safeguards to be implemented for IT components used off the premises depend on the protection requirements of the IT applications and data stored on them as well as on the level of security available at the location where they are used or stored.
As a rule, corresponding authorisation should be obtained for the use of any IT components off the premises.
In large organisations in which access to the premises is controlled by gatekeepers or security guards, consideration should be given to instructing them to perform spot checks of the extent to which the rules regarding the personal transportation of data media and IT components are being followed.
The users are responsible for protecting the IT assets entrusted to them when off the organisation's premises. They must be informed of this fact and of the precautions they need to take in this case. The following rules should apply:
- IT systems must always be stored safely. They should never be left unsupervised during business trips. In particular, they should not be left in parked vehicles (see also S 1.33 Safekeeping of laptop PCs during mobile use).
- IT systems such as laptops or mobile phones and their applications can generally be protected with PINs or passwords. These mechanisms should also be used.
- IT systems or data media containing sensitive data should be completely encrypted, if possible (see also S 4.29 Use of an encryption product for laptop PCs).
- The administration, maintenance, and transfer of IT systems used off the premises should be controlled. It is possible, for example, to set up pools for this purpose (see also S 1.35 Pooled storage of portable IT systems and S 2.190 Setting up a mobile phone pool).
- Records should be kept of who has used what IT components at what times while off the premises.
Review questions:
- Are there rules regarding the personal transportation of data media and IT components?
- Are the users who use IT components off the premises informed of the rules they are required to follow?
- Where there is a high protection requirement in terms of confidentiality: Are mobile IT systems or data media protected by full encryption of the data media?
- Are the available authentication mechanisms used when IT components are used off the premises?