S 3.26 Instructing staff members in the secure handling of IT
Initiation responsibility: Head of Personnel, Head of IT, IT Security Officer
Implementation responsibility: Supervisor, Personnel Department
Many security issues are caused by the IT being used and/or configured improperly. In order to avoid such issues, all employees and all external IT users should be instructed in the safe use of the organisation's IT. For this, all employees should be trained accordingly (see also S 3.4 Training before actual use of a program, S 3.5 Training on security safeguards, and S 2.198 Making staff aware of information security issues).
All IT users must be made aware of their rights and obligations regarding the use of IT. The IT users should be provided with specific policies as to what they must observe when using IT. Such a policy should contain the binding specification as to which general conditions must be observed when using the IT systems in question and as to which security safeguards must be taken. The users must be clearly and unmistakably made aware of the things they absolutely must not do. These policies should be binding, comprehensible, up-to-date, and available. In order to document the binding nature of the policies, they should be signed by the Top Management or at least by the person responsible for IT. They should be concise and understandable so that they can be hung up as leaflets, for example. Additionally, they should be available on the intranet.
User guidelines must only include regulations that can actually be implemented. User guidelines should be formulated as positively as possible. For example, instead of:
"Users must not install any software without authorisation."
the guidelines may contain the following note:
"All IT systems are delivered in a default configuration that was adapted to your specific working conditions and provides you with maximum security. Should problems arise, we can guarantee a quick problem solution by re-installing the default configuration. Therefore, please do not change the settings, if possible. If you require additional hardware or software, please contact the user service."
Examples of user guidelines can be found in the Resources for IT Grundschutz.
A user guideline for general IT use should at least cover the following items:
- note that no IT systems or IT components may be used without explicit consent
- note that only authorised employees are allowed to change information on IT systems
- how to handle passwords (see S 2.11 Provisions governing the use of passwords)
- ban on using non-approved software (see S 2.9 Ban on using non-approved hardware and software)
- note that official IT systems must only or predominantly be used for official purposes
- notes on the secure storage and installation of IT systems and data media
- protection against computer viruses and other malware
- performance of data backups
- use of internet services
Along with such guidelines, there must be clear statements as to which users may access which information, to whom the information may be disclosed, and which safeguards are taken if these guidelines are violated.
When leaving the workplace, each user should make sure that every item of working equipment (documents, data media, etc.) is stored securely (see also S 2.37 Clean desk policy). All IT systems should be protected against unauthorised access by means of passwords. On unattended IT systems, all open sessions should be terminated or, at the very least, a password-protected screen saver should be activated.
The basic configuration of all IT systems should be as limited as possible. The default configuration of workstation computers should only contain those services required by all users of a group (see also S 4.109 Software reinstallation on workstations). Additional programs and functionalities should only be installed and/or released if the users have received instructions regarding their use and have been made aware of possible security issues.
Each user guideline should be drawn up in cooperation with representatives of all groups involved; in particular, the Personnel and/or Supervisory Board, the Data Protection Officer, and the IT Security Officer should be involved. It must be ensured that these people are also involved whenever changes are made to the user guidelines. All users must be notified of any changed user guideline.
The task breakdown should include all tasks and obligations relevant to information security. Amongst other things, this includes the obligation to comply with the organisation's guidelines on information security (see also S 2.198 Making staff aware of information security issues).
If IT systems or services are used in a way contrary to the interests of the government agency and/or company, every person with knowledge of this use should inform his/her supervisors.
Review questions:
- Have all IT users been instructed regarding the safe handling of the organisation's IT?
- Is there a binding, comprehensible, up-to-date, and available policy for IT use?
- Does the task breakdown of the employees also include all tasks and obligations relevant for information security?