S 4.41 Use of appropriate security products for IT systems
Initiation responsibility: Head of IT, Data Protection Officer, IT Security Officer, Persons responsible for individual applications
Implementation responsibility: Administrator, Purchasing Department
Depending on the security requirements of an IT system, additional security products may be needed because the security functions already present are not adequate. Typical examples are access control, administration and monitoring of access rights, logging and encryption.
For example, it must be ensured for IT systems that:
- only authorised persons can use the IT system (see also BDSG, access control). Suitable authentication mechanisms need to be selected for this purpose.
- the users can only access the data in the way necessary for them to fulfil their tasks. This can be supported by appropriate user separation and assignment of rights.
- irregularities and attempts at manipulation become apparent. Logging functions, encryption and digital signatures can help in this context.
- data is protected against accidental destruction or loss (availability control). Backup programs, for example, can be useful in this case.
If the IT system's logging functions are not sufficient to provide adequate audit evidence, they must be supplemented. Various laws also require this. For example, according to the BDSG, when data is input, "it must be ensured that it is possible to monitor and identify whether and by whom personal data was entered, changed or removed in data processing systems at a later time".
If the IT system itself cannot keep the administrator away from specific data, or at least log and monitor the administrator's access to it, encryption of that data can be used instead: an administrator who does not hold the respective key cannot read the data as plain text. This only works if the key is held outside the administrator's control, for example by the persons responsible for the application.
Recommended minimum functionality:
IT systems should have the following security features at a minimum. If they are not included in the standard scope, they should be augmented using additional security products.
- Identification and authentication: The account should be blocked following a preset number of incorrect authentication attempts, and only the administrator should be able to reset it. If a password is used, it should have at least eight characters and should never be stored in plain text; it should be stored only in a protected form, as a salted hash, so that neither users nor administrators can recover it from the stored data.
- Rights management and monitoring: Rights should be managed and monitored on hard disks and files, and a distinction should at least be made between read and write access. Users should not be able to bypass the application and reach the system at operating system level.
- Role separation between administrator and user: There should be a clear separation possible between administrators and users with only the administrator being able to assign or withdraw rights.
- Logging: Login, logoff and rights violations (attempts to exceed the rights assigned) should be logged.
- Automatic screen lock: After the mouse or keyboard has remained inactive for a certain period of time, a screen lock should be activated automatically. It should also be possible to activate it directly. It should then only be possible to access the IT system again following renewed identification and authentication.
- Boot protection should make it impossible to boot up the PC from other media without authorisation.
If one or more of these security features is not supported by the operating system, other appropriate security products must be introduced.
Additional security product requirements:
- User-friendly interface to increase acceptance.
- Informative and comprehensible documentation for administrator and user.
Desirable additional functionality of security products:
- Role separation between administrator, auditor and user; only the administrator may assign or withdraw rights, and only the auditor has access to the log data,
- Logging of administrator activities,
- Support of log evaluation by means of configurable filter functions,
- Encryption of databases with an appropriate encryption algorithm and in such a manner that loss of data is prevented by the system in the event of malfunctions (power failure, termination of a procedure).
This functionality may be implemented in either hardware or software. Safeguard S 2.66 (The importance of certification for procurement) should be taken into consideration when procuring a new product.
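To make the two lists above concrete, the following Python model implements the minimum features and two of the desirable ones in one small access-control layer: passwords stored only as salted hashes, lockout after a preset number of failures that only an administrator can reset, separation between administrator, auditor and user roles (only the administrator assigns rights and resets lockouts, only the auditor reads the log), read and write as distinct rights per file, and logging of login, logoff, rights violations and administrator activities. This is an added illustration written for this page, not code from the BSI catalogue or from any product. The class name SecurityKernel, the lockout threshold of 3, the PBKDF2 work factor, and the accounts and file path used in run_scenario are assumptions made for the example.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3   # preset lockout threshold (value assumed for the example)
MIN_PASSWORD_LENGTH = 8   # minimum length stated in the safeguard


def hash_password(password: str, salt: bytes) -> bytes:
    # Only salt and digest are stored: no plain text and no reversible ciphertext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecurityKernel:
    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}
        self.rights: dict[str, dict[str, set[str]]] = {}  # path -> user -> {"read", "write"}
        self.sessions: set[str] = set()
        self.log: list[tuple[str, str, str]] = []          # (event, user, detail)

    def _log(self, event: str, user: str, detail: str = "") -> None:
        self.log.append((event, user, detail))

    def _permitted(self, actor: str, role: str) -> bool:
        # Role separation: the caller must be logged in and hold exactly this role.
        acct = self.accounts.get(actor)
        if actor in self.sessions and acct and acct["role"] == role:
            return True
        self._log("RIGHTS_VIOLATION", actor, f"{role} function attempted")
        return False

    def add_account(self, name: str, password: str, role: str = "user") -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password needs at least {MIN_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        self.accounts[name] = {"role": role, "salt": salt, "failed": 0, "locked": False,
                               "digest": hash_password(password, salt)}

    def login(self, name: str, password: str) -> bool:
        # Blocks after MAX_FAILED_ATTEMPTS failures and stays blocked until an admin unlocks.
        acct = self.accounts.get(name)
        if acct is None or acct["locked"]:
            self._log("LOGIN_DENIED", name, "unknown or locked account")
            return False
        if hmac.compare_digest(hash_password(password, acct["salt"]), acct["digest"]):
            acct["failed"] = 0
            self.sessions.add(name)
            self._log("LOGIN", name)
            return True
        acct["failed"] += 1
        self._log("LOGIN_FAILED", name, f"attempt {acct['failed']}")
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
            self._log("ACCOUNT_LOCKED", name)
        return False

    def logoff(self, name: str) -> None:
        self.sessions.discard(name)
        self._log("LOGOFF", name)

    def unlock(self, admin: str, name: str) -> bool:
        if not self._permitted(admin, "admin"):     # only the administrator resets a lockout
            return False
        self.accounts[name].update(failed=0, locked=False)
        self._log("ACCOUNT_UNLOCKED", name, f"by {admin}")
        return True

    def grant(self, admin: str, user: str, path: str, mode: str) -> bool:
        if not self._permitted(admin, "admin"):     # only the administrator assigns rights
            return False
        self.rights.setdefault(path, {}).setdefault(user, set()).add(mode)
        self._log("RIGHT_GRANTED", user, f"{mode} on {path} by {admin}")
        return True

    def access(self, user: str, path: str, mode: str) -> bool:
        # Read and write are distinct rights; every refusal is a logged infringement.
        allowed = user in self.sessions and mode in self.rights.get(path, {}).get(user, set())
        if not allowed:
            self._log("RIGHTS_VIOLATION", user, f"{mode} on {path}")
        return allowed

    def read_log(self, auditor: str):
        # Only the auditor may read log data; anyone else gets None and a logged violation.
        return list(self.log) if self._permitted(auditor, "auditor") else None


def run_scenario():
    # Constructed walk-through: lockout, admin reset, read-only grant, logged write refusal.
    k = SecurityKernel()
    k.add_account("root", "Adm1n-Pass-2024", "admin")
    k.add_account("audit", "Aud1t-Pass-2024", "auditor")
    k.add_account("alice", "Al1ce-Pass-2024")
    for _ in range(MAX_FAILED_ATTEMPTS):
        k.login("alice", "wrong-password")
    refused = k.login("alice", "Al1ce-Pass-2024")   # right password, but account is locked
    k.login("root", "Adm1n-Pass-2024")
    k.unlock("root", "alice")
    k.grant("root", "alice", "/data/payroll.csv", "read")
    k.login("alice", "Al1ce-Pass-2024")
    read_ok = k.access("alice", "/data/payroll.csv", "read")
    write_ok = k.access("alice", "/data/payroll.csv", "write")
    k.logoff("alice")
    k.login("audit", "Aud1t-Pass-2024")
    return k, refused, read_ok, write_ok
```

Run run_scenario() and then read_log("audit") to see the sequence of events a product with these features would have to record: three failed logins, the lockout, the refused login with the correct password, the administrator's reset and grant, the write refusal, and the logoff. Note that a real product must also cover the two features this model leaves to the operating system, the screen lock and boot protection, since neither can be enforced from inside an application.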
Temporary Solution:
If it is not possible to procure an appropriate security product in the short term, other suitable security safeguards must be put in place. These are typically organisational in nature and must be consistently complied with by users. If, for example, an IT system has no screen lock, it must be locked away (or the room it stands in locked) during the short periods when it is not in use.
Review questions:
- For increased security requirements of an IT system: Has the use of additional security products been examined?
- Are organisational safeguards undertaken, if it is not possible to procure an appropriate security product in the short term?