S 2.235 Guidelines for the use of Internet PCs
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
In order to securely use Internet PCs, it is necessary to define binding guidelines. These guidelines must be communicated to all employees of the organisation who are involved, i.e. at least to the users of the Internet PC and the responsible administrators.
It is advisable to summarise the guidelines for the use of the Internet PC in a document and to make this document available on the Internet PC as a file, e.g. on the desktop. In doing so, at least the following items should be taken into account:
The users must be informed briefly and comprehensibly about the risks related to the use of the Internet PC. This information simultaneously serves as motivation for the following guidelines.
The Internet PC also needs to be administered and maintained by trained personnel. This may be performed either by the existing administrators, e.g. those responsible for the IT systems in the local network, or by other employees who must then receive the corresponding training. The responsibility should be documented in the guidelines.
In some cases, it may be expedient to allow the users to perform certain configuration settings themselves. This should be documented in the guidelines; otherwise, it should be prohibited.
The guidelines should specify which persons are allowed to use the Internet PC, at which times, and for which purposes. In this context, it must be defined in particular whether only official use or also private use is admissible, e.g. during lunch breaks.
Moreover, it should be documented which programs may be used to access Internet services and whether active content may be executed on the Internet PC, e.g. JavaScript, Java, or ActiveX. In this context, it is also important whether users may install and use browser extensions (plug-ins) themselves.
If the operating system used supports user separation, client programs for accessing Internet services should not be started from the administrator account, e.g. root or Administrator. Administrators, too, should use normal user accounts for this purpose.
Regulations must be defined as to which personal data and which information about the government agency and/or the company may be disclosed over the Internet, e.g. mail addresses. This also includes the question of whether messages may be sent with an official sender address if the Internet PC is used for email or news.
Furthermore, the guidelines should specify which data may be stored on the Internet PC and which directories are provided for this. The conditions under which data may be transported from the Internet PC to the local network and vice versa must also be regulated.
In both directions, the data must at least be checked for computer viruses. It is advisable to use a gateway PC for importing data and programs into the local network.
If data is to be stored locally on the Internet PC, it must be regulated whether the users are responsible for any required data backups themselves or whether these are performed automatically and/or by an administrator. This is particularly important if the Internet PC is used for email, banking, electronic procurement, or similar activities.
The users must be instructed as to which offers must not be used in any case, e.g. illegal content, pornography, or extremism. Furthermore, the users must be instructed that they must comply with the applicable legal provisions and "netiquette" when using the Internet, since they act on behalf of the government agency and/or company.
Passwords are usually required for dialling in to the Internet service provider or for local login to the Internet PC. The guidelines should specify the required format and the minimum length of the passwords and how often they must be changed.
If the application concept contains user authentication, the users must be instructed that they must handle the authentication secrets carefully and that they must log out of the system when leaving the Internet PC.
Finally, it should be defined whether the password required for dialling in to the Internet service provider may be stored or whether it must be re-entered for each new dial-in. This decision should be based on an assessment of how great the risk of the Internet connection being misused is in the present application environment. Double access protection (first the user login, then entry of the one-time password) is often not accepted by the users.
Depending on the application case and the application environment, further guidelines or regulations may be needed for the Internet PC.
Review questions:
- Have binding regulations been defined regarding the use of Internet PCs?
- Are the users and the administrators responsible familiar with the guidelines for the use of Internet PCs?
- Have the users of Internet PCs been informed about the related risks?
- Has it been defined which persons may use the Internet PC at which times and for which purposes?
- Has it been defined whether only official or also private use of the Internet PC is admissible?
- Has it been documented which programs may be used to access Internet services and whether active content may be executed on the Internet PC?
- Has it been ensured that client programs for accessing Internet services are not started from the administrator account?
- Has it been regulated which personal data and information about the organisation may be transferred using the Internet access?
- Has it been regulated which data may be stored on the Internet PC and under which conditions data may be transported into or out of the local network?
- Have the users been instructed about the Internet offers that must not be used and about the legal provisions to be observed?
- Have password criteria been defined for the access to Internet services?