S 2.460 Regulated use of external services

Initiation responsibility: Top Management, Head of IT, Head of Organisation, IT Security Officer

Implementation responsibility: Employee

Numerous attractive services offered on the internet facilitate teamwork or lighten workloads, not only in private life but also in the working environment. Examples include webmail services, group appointment calendars, remote support software, internet text processing systems, online office programs, address book management, data storage, and many more. The majority of these services can be used directly without any great effort and may support a large number of different workflows in an organisation.

As a matter of principle, all employees should be aware that they may only use external services approved by their organisation. Both the unauthorised use of external services and the installation of unapproved software may entail a large number of security and data protection issues (see T 3.105 Unapproved use of external services).

Employees must be informed about this problem and about the security risks that the unauthorised use of such services may entail. For example, this may be addressed within the framework of suitable internal events or with the help of information on the intranet that provides specific examples. The Resources for IT-Grundschutz contain a sample staff announcement regarding the unauthorised use of external IT services that may be used as a reasonable basis for a corresponding publication.

However, if employees want to use external services to support their work, the institution should also, as a matter of principle, investigate the underlying causes and possible solutions. For example, it may be considered whether the internal IT department is able to provide a comparable service quality or whether a licence agreement can be concluded with a trustworthy provider.

Review questions: