S 3.77 Awareness-raising for secure Internet use
Initiation responsibility: Supervisor, Head of Personnel, IT Security Officer
Implementation responsibility: Personnel Department, IT Security Officer
In companies or government agencies, the Internet can be used for a variety of purposes and via various services. This includes, for example, communication with customers via e-mail, instant messaging, discussion forums or blogs, the representation of the organisation via its own websites, or information searches. To be able to use the Internet securely from the organisation's point of view, the use of certain services or sites can be prohibited or restricted. Since it is not possible to prevent the use of all undesired services by technical means (among other reasons, because new offers and services are constantly being introduced), it makes more sense to train the users in the secure and reasonable use of the Internet. This also includes informing the employees on how they can avoid leaving undesired traces of data during Internet use through correct behaviour and suitable configuration of Internet applications such as the browser.
The employees must be made aware of potential threats and security safeguards to be followed during Internet use. In particular, they should be informed of the following:
- the organisation's existing regulations regarding Internet use (in addition to a policy for Internet use, separate policies for handling e-mails, blogs, etc. may exist),
- the handling of downloaded files and the regulations regarding the installation of software and plugins from the Internet,
- potential threats during Internet use and how the security safeguards implemented counteract them,
- active content such as Java applets, ActiveX controls, and JavaScript, and the organisation's decision on how active content should be handled,
- the organisation's information policy, i.e. which information must not be disclosed on the Internet, for example because the content is confidential or not suitable for disclosure,
- the correct behaviour when using Internet services since, as employees, they act on behalf of the government agency or company,
- strategies to avoid spam,
- legal requirements (copyright, e.g. regarding the use of material from the Internet, illegal, anti-constitutional or extremist content, pornographic content, etc.),
- basic knowledge of encryption and digital signatures to be able to use SSL and encryption programs correctly,
- the fact that information and offers on the Internet, like those in many other media, originate from sources with different levels of trustworthiness and that their further use must be critically examined or reviewed.
A one-off instruction on the secure use of the Internet is not sufficient. Instead, the employees should be continuously informed of the latest developments. In addition to traditional training, web-based interactive programs and information on the intranet could also be considered for this purpose. Current developments may also be communicated with the help of newsletters or circular letters and within the framework of regular events such as department meetings.
Review questions:
- Have the employees been informed of the current threats and security safeguards during Internet use?