S 2.458 Guideline for using the Internet
Initiation responsibility: Head of Personnel, Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
A binding guideline must be specified for using the Internet in government agencies or companies. This guideline must clearly specify the rights and duties of all employees when using the Internet. Under certain circumstances, there may be additional guidelines for certain Internet services (e.g. e-mail) which naturally must also be observed. Every employee must be informed of these guidelines and reminded of them at regular intervals.
For this, it makes sense to keep the guideline for using the Internet as well as other guidelines available on the intranet. An example of a security guideline for using the Internet can be found on the BSI websites in Resources for IT-Grundschutz. A guideline for using the Internet should cover the following aspects at a minimum:
- The users must be informed briefly and comprehensibly about the risks related to the use of the Internet.
- The users must have the knowledge required for responsible Internet use. They should know how to use browsers and typical Internet services correctly in order to avoid incorrect operation and unsafe behaviour. They should of course also be familiar with the organisation's internal guidelines. In particular, they must be made aware of the potential risks and threats involved, and they must be informed which security safeguards they need to follow (see also S 3.77 Awareness-raising for secure Internet use for more information).
- The guideline should specify the general framework within which Internet services may be used. As an example, it could contain a rule specifying that a translation service on the Internet may be used for publicly accessible documents, but not for confidential information. In this context, it should also be specified whether Internet services may be used exclusively for company purposes or also for private purposes, for example during the lunch break.
- In addition, it must be specified which applications may be used for accessing Internet services. There should be a rule specifying that users are not allowed to install non-approved software for the use of Internet services. This also includes browser extensions ("plug-ins"). The browsers to be used by the users must be configured in advance by the administrators so that maximum security can be achieved without further intervention of the users (see also S 5.45 Secure use of browsers).
- Confidential information or information that may create a misleading image of the company may not be disclosed via unprotected Internet services. This means that such information must not be uploaded to web servers or distributed via mailing lists. By the same token, users should be instructed that they must not download or otherwise actively procure such information without authorisation. For example, files whose contents may be considered offensive must not be requested from web servers. The type of content considered offensive must be specified. The guideline must also specify how to proceed with information obtained from the Internet. Employees must be informed that copyrights and terms and conditions of use must be observed when using third-party information. Furthermore, not all sources are trustworthy. Apart from the fact that data from untrusted sources may contain malware, incorrect information can also cause damage if used without checking. Even well-prepared webpages may contain incorrect information. In this context, it must also be specified under which conditions data from the internal network may be transported via the Internet.
  For this reason, criteria must be defined which make it easier for employees to decide which information may or may not be disclosed on the Internet. This also includes rules on whether and how the data must be protected during transmission and processing.
- All employees should know which websites and Internet services they may use, how they can use these in a secure and trusted manner, and which behaviour is recommended (see also S 3.78 Correct behaviour on the Internet).
- The use of websites often requires registration, during which the user name, e-mail address, and sometimes additional information must be provided which makes it possible to draw inferences about the person or the organisation. It must be clarified whether references to the organisation are undesirable and therefore official e-mail addresses must not be used for Internet services. In general, it must be specified which personal data and which information about the organisation may be disclosed, for example in order to avoid triggering advertising campaigns or disclosing information that enables successful social engineering (see also S 2.313 Secure registration with Internet services).
In addition, the users must be informed
- of which data are logged,
- of who should be contacted in case of security problems, and
- that the configuration of the browsers and other programs must not be changed without authorisation.
Depending on the application case and the application environment, further aspects may need to be regulated.
The Internet security guideline should briefly explain the available communication services and list all relevant regulations. Legal regulations, particularly regarding data protection, must of course be observed. The Data Protection Officer and the personnel representative should be involved early on.
It might be advisable to obtain signed confirmation from the users that they have read the regulations for using the Internet and that they will observe them when using the communication services.
Review questions:
- Is there a security guideline for using the Internet?
- Have all employees been informed of the guideline for secure Internet use?