S 3.74 Administrator training on groupware system architecture and security
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
In order to administer a groupware system properly and securely, the responsible administrators must be trained accordingly. Even minor configuration errors may adversely affect the system's security. For this reason, administrators must be trained in the system architecture and, in particular, in the specific security mechanisms of the groupware used.
The operation of groupware systems is complex and many areas are involved. Therefore, it must be ensured that the operators receive the training required for their activity. In this regard, the recommendations in S 3.11 Training of maintenance and administration staff must be taken into consideration.
Furthermore, the administrators must be trained for their tasks by participating in training measures such as seminars or user conferences. Consideration should be given to defining the training in a training plan.
The administrators should be trained in all security-relevant areas of the groupware system. Along with an overview of the security functions of the groupware components used, this includes aspects such as:
- current threats to groupware systems, e.g. denial-of-service attacks, malware, default settings as a source of risk, etc.
- overview of SMTP security
- protection against malware and spam (development and integration of anti-spam and anti-virus solutions)
- overview of the relevant legal aspects of groupware administration, for example data protection
- handling of all relevant security mechanisms of the groupware components used
- configuration of authorisations and their integration into the operating system authorisations, authentication mechanisms
- overview of the different solutions for message security, e.g. encryption, digital signature, VPNs
- logging
- securing and administration of configuration data
- data backup
- incident handling and disaster recovery safeguards
Furthermore, knowledge of the configuration options of the server, client, and database platforms is required in order to administer the groupware components. It is absolutely necessary that all administrators have general basic knowledge. The individual key aspects can then be expanded and maintained by building upon this general knowledge.
Review questions:
- Did all administrators receive training regarding their work with the groupware system?