S 2.457 Concept for secure Internet use

Initiation responsibility: Head of IT, Top Management, IT Security Officer

Implementation responsibility: IT Security Officer, Head of IT

Today, almost every organisation uses the Internet. Alongside its numerous advantages, there are constantly new warnings about the risks users are exposed to when using the Internet. To minimise these risks, every new variant of Internet use should be planned carefully, and the IT components and their connection to the relevant networks should be installed and configured securely.

In a concept for secure Internet use, it must be clarified first of all who may use which Internet services, what rules have to be observed in doing so, and how the internal IT systems are to be protected. The concept must be embedded in the general security strategy of the particular organisation and therefore needs to be co-ordinated with the information security management.

Planning

It must also be specified which types of Internet communication are allowed (see also S 2.459 Overview of Internet services). For this purpose the aims to be achieved by using the Internet must be clarified. A suitable selection of Internet services which meets the organisation's requirements must be made. This can range from the extreme where only selected employees have access to the Internet and the Internet is handled restrictively to the other extreme where every workstation has access to Internet applications of all kinds. Security aspects must be taken into account very early in the planning phase so that the architecture under development can be designed to be sufficiently secure.

If no or only restricted Internet use is permitted for certain areas it may make sense to provide stand-alone Internet PCs for Internet access in these areas (see module S 3.8 Internet PCs).

The following questions should be answered in the security strategy for Internet usage:

There should be rules for the use of each individual Internet service, and it should be clarified for every group of users and/or IT systems which security requirements must be observed. Only the services absolutely necessary for completing the tasks should be permitted. Services for which no explicit rules have been defined yet must not be used until new rules have been defined or existing rules have been adapted; this applies, for example, to the security concept and the user policies. In addition, rules must be specified regarding private Internet use.

The decisions made regarding the use of different Internet services should be documented in an understandable manner together with the reasons for these decisions.

Keeping the concept up to date

The concept for Internet use must be updated at regular intervals, at least once a year, as this area is subject to rapid development. In addition, the concept for Internet use should be developed and updated in line with the concept for the Internet connection, so that the connection to the Internet, and therefore the use of the Internet, remains secure.

If the objectives, strategies or the threat scenario of the organisation change, then the Internet use must be checked to see if it is affected by the changes.

Review questions: