S 2.333 Secure use of meeting, event and training rooms
Initiation responsibility: IT Security Officer, Head of Organisation
Implementation responsibility: User
Every organisation should have defined rules for using these rooms. Amongst other things, these should include general behavioural rules for users as well as rules on the use of both stationary devices and devices that users bring with them.
The following aspects, amongst others, should be taken into account:
- External participants of meetings or training measures should not be left unattended outside of the meeting and training rooms (see also S 2.16 Supervising or escorting outside staff/visitors).
- The conditions under which outsiders are allowed to use IT systems they have brought with them, such as mobile phones or laptops, must be clarified.
- Existing landline phone connections must be protected against misuse, for example by only allowing external phone numbers to be dialled upon password entry.
- The phone numbers of contact persons for problems such as IT support or key administration should be posted in the room. These contact persons must be reachable throughout normal office hours.
- If the room contains a stationary projector or other stationary equipment, the security safeguards required to protect this equipment against theft must be taken. For example, it may be secured with anti-theft devices such as steel cables. Lockable cabinets for materials also make sense.
- At the end of each event, all material that may contain sensitive information must be removed. For example, used flipchart paper should be taken away and whiteboards wiped clean. Drafts thrown into the wastepaper bin must not be forgotten either.
- Meeting, event, and training rooms are often equipped with stationary IT systems such as training computers. The following must be taken into account in this regard:
  - The IT in conference and training rooms must be configured and administered according to the requirements (see also S 4.225 Use of a log server in a security gateway). The person responsible for administering the training computers must be defined. In addition, points of contact must be named for problems that recur frequently. The contact person must be able to provide assistance at short notice.
  - Nothing that could impair the operability of the IT systems, such as beverages or sticky candy bars, should be brought into rooms with training computers. This also means that coffee breaks must take place outside the room.
  - There must be clear regulations for access to LAN and PBX interfaces from meeting and training rooms.
- Furthermore, notices on escape routes and the proper behaviour in the event of fire should not be omitted (see S 1.6 Compliance with fire-protection regulations).
The respective contact persons should be informed of problems such as a lack of flipchart paper or faulty equipment so that these can be resolved promptly.
As a matter of principle, there are two conflicting approaches to locking meeting, event, and training rooms. If the room is locked permanently except during times of use, the IT contained in it is properly protected against a host of threats, but spontaneous use of the room is not possible. Conversely, permanently unlocked meeting, event, and training rooms can be used at any time, but the risk to the IT is significantly higher. Locking these rooms has the further advantage that the equipment of the training room is left in the desired condition. From an information security point of view, meeting, event, and training rooms must be locked when they are not in use. At the same time, it must of course be ensured that access is possible quickly and easily when needed. The keys for the meeting, event, and training rooms should be administered by a central location (e.g. gatekeeper or internal service).
In meeting, event, and training rooms, there is usually no place to lock away documents, IT systems, and the like. For this reason, it should be possible to lock such rooms, or an internal employee should keep an eye on the room, whenever all participants leave it.
Review questions:
- Are the conditions under which outsiders are allowed to use IT systems they have brought with them defined?
- Has the equipment present in the rooms been protected against theft sufficiently?
- Is it ensured that no sensitive information is left in meeting, event, and training rooms?
- Are responsibilities defined for administering the stationary IT systems frequently installed in meeting, event, and training rooms?
- Have regulations for access to LAN and PBX interfaces from meeting and training rooms been defined?
- Are the keys for the meeting, event, and training rooms administered by a central location?