S 2.455 Defining a security policy for Groupware
Initiation responsibility: Head of IT
Implementation responsibility: Administrator, IT Security Officer
Just like for any other client/server system used in a government agency or a company, a suitable security policy must also be defined for the use of groupware servers and clients. This security policy describes all regulations which must be observed by groupware administrators and groupware users.
- The security policy for groupware systems must be in compliance with the generally applicable security policies of the company and/or government agency.
- It must be defined when communication (for example network or e-mail traffic) must be protected, such as when it is carried over the Internet. Here, it must also be specified which mechanisms are to be used for this purpose.
- The security policy must be distributed to all persons affected directly and indirectly in the organisation. Preferably, it should be presented as part of internal training. The security policy must be updated at regular intervals. The persons affected must be informed of any changes in a suitable manner.
It makes sense to divide the groupware security policy into a part for users and a part for administrators, so that each part can be written in a more understandable form. In the security policy for groupware, specifications must be made for users, for example:
- which users may access which groupware servers, and which users must not access which groupware servers (exclusion list),
- which users with which rights may access which groupware databases,
- what information may be disclosed to which communication partners,
- how the information transmitted must be protected (depending on its protection requirements); above all, there should be a rule specifying when transmitted files must be encrypted and/or digitally signed.
Among other things, the groupware security policy for administrators should include the following aspects:
- how the groupware components must be configured by the administrators in order to allow for adequate security,
- what other servers may access the groupware server and
- from where a groupware server may be accessed.
When Microsoft Exchange is used, for instance, the groupware security policy would need to define which users may access Microsoft Exchange objects and with which rights. Since Microsoft Exchange systems integrate very closely into the Windows environment, specifically into Active Directory, the Windows security policy must be taken into consideration.
Review questions:
- Is there an up-to-date security policy for groupware systems?
- Do all users receive information about new or changed security specifications regarding groupware systems?