S 2.393 Regulations concerning information exchange
Initiation responsibility: IT Security Officer, Head of Organisation, Head of IT
Information can be available in many different forms. Usually, IT-Grundschutz entails examining information in paper form and/or information recorded electronically. In general, all information needs to be adequately protected, from thoughts and ideas, through hand-written and printed diagrams, to electronic messages and voice, image, or video recordings.
If information is to be exchanged between two or more communication partners, a host of different aspects must be taken into consideration in order to protect the information. The following must be clarified before performing any kind of information exchange:
- how much protection it requires (see S 2.217 Careful classification and handling of information, applications, and systems),
- with whom this information may be exchanged (see S 2.42 Determination of potential communications partners), and
- how this information must be protected during the exchange.
There should be clear and understandable rules regarding these questions covering all forms of information exchange, for example verbal exchange as well as data exchange using data media, mail, fax, (mobile) telephones, or the internet. In general, it should be ensured that information cannot fall into the wrong hands, be overheard or read, or be changed unobtrusively.
All employees should be aware that they are responsible for adequately protecting internal information. For example, ideas sketched out on paper should not be left on the table in a meeting room, project plans should not be discussed on public transport or in a restaurant, and callers should not be given internal information without approval. Information requiring protection should not be printed unsupervised on printers or fax machines, nor should printouts simply be left there uncollected. Blackboards and whiteboards in meeting, training, and event rooms should be wiped clean at the end of each session, and used flipchart sheets should be removed when necessary. Such aspects should be pointed out to employees regularly, for example by posting appropriate explanations and illustrations on the intranet or in the corporate magazine.
Communication partners should be checked regularly to ensure they are still authorised to receive the corresponding information. For example, the person's mailing address, email address, or fax number may have changed, or the person may even have left the company, in which case the transmitted information will reach the wrong recipient. When contacting a partner for the first time, his/her identity should also be verified, since business cards can be printed with any name on them. For this reason, it is recommended to confirm with the relevant government agency or company that the new business partner actually works there, or to request references.
How analogue and electronic information needs to be protected during information exchange is described in detail in the modules 5.2 Exchange of data media and 5.3 Groupware, as well as in other modules.
Review questions:
- Have rules been created and announced informing the employees of what to consider when exchanging information?
- Have all employees been adequately sensitised to the potential threats involved when exchanging information?