S 4.63 Security-related requirements for telecommuting computers
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: Head of IT, Administrator
The security-related requirements for the telecommuting computer are based on the protection requirements of the data to be processed on the telecommuting workstation and of the data that can be accessed by the telecommuter through the communications computer of the organisation. The higher the protection requirement, the more safeguards need to be taken to guarantee this protection is available. General security objectives for telecommuting computers include the following:
- Telecommuting computers may only be used by authorised persons.
  This ensures that only authorised persons will be able to use the data and programs stored on a telecommuting computer or accessible through the communications computer. Authorised persons include the administrator of the telecommuting computer and the telecommuter him/herself (together with his/her substitute).
- Telecommuting computers may only be used for authorised purposes.
  This helps to ensure that the telecommuter is not able to change or use the computer without authorisation. For example, telecommuters should not be allowed to install any programs that have not been approved. This prevents the damage that can be caused by incorrect operation and misuse.
- The damage caused by the theft of a telecommuting computer or a defective telecommuting computer must be tolerable.
  Telecommuting computers are usually used in environments offering little protection, which means that theft or malfunction are more likely in such environments than in the protected operating environment of an organisation. This may not only negatively affect the availability of the data stored on the telecommuting computers, but also its confidentiality. To keep the damage caused by theft to a minimum, the data should only be stored in encrypted form, for example. To limit the damage caused by malfunctions, the data should be backed up regularly, for example.
- The telecommuter should be able to detect attempted or successful manipulations of the telecommuting computer.
  This ensures the integrity of the telecommuting computer will remain intact even in cases where it is impossible to exclude the possibility of attempted manipulations.
The security objectives, and therefore the security requirements placed on the telecommuting computer, are derived from the protection requirements of the data to be processed on the telecommuter workstation. It must be documented which of the security-related functions described in the following need to be available on a telecommuting computer and how this functionality is implemented.
The following functionalities are therefore useful on a telecommuting computer:
- The telecommuting computer must have an identification and authentication mechanism available. The following points in particular must be ensured:
  - Critical security-related parameters such as passwords, user IDs, etc. are managed reliably. Passwords are never stored in unencrypted format on telecommuting computers.
  - Access mechanisms respond to incorrect entries in a defined manner. For example, if an incorrect attempt at authentication is made three times in a row, access to the remote workstation is denied, or the time intervals at which subsequent attempts at authentication are allowed become progressively longer.
  - Certain minimum values can be specified for parameters critical to security. For example, passwords should have a minimum length of eight characters.
  - After the mouse or keyboard has remained inactive for a certain period of time, a screen saver is activated automatically. This screen saver can only be deactivated following renewed identification and authentication.
- The telecommuting computer must have an access control mechanism. The following requirements in particular must be implemented:
  - Telecommuting computers can distinguish between different types of users. It is possible to configure at least two separate roles on a telecommuting computer, namely, administrator and user.
  - Access to files and programs can be regulated using different allocations of rights (read, write, execute, ...).
- Telecommuting computers should provide a logging function. The following requirements should be met in this case:
  - It should be possible to parameterise the minimum logging scope of the telecommuting computer. For example, the following actions and errors should be included in logs:
    - for authentication: user ID, date and time, success, etc.
    - for access control: user ID, date and time, success, type of access, what was changed, read, written, etc.
    - implementation of administrative activities
    - occurrence of operational errors.
  - Unauthorised persons must not be able to disable the logging function, nor should they be able to read or edit the actual logs.
  - Logs must be clear, complete and correct.
- If a telecommuting computer is to be equipped with a log evaluation function, then it might make sense to specify the following requirements:
  - An evaluation function must be able to distinguish between the various data types contained in a log (e.g. "filtration of all unauthorised attempts at accessing any resource over a specified time period").
  - The evaluation function must be capable of generating transparent, readable reports so that no critical security-related activities can be overlooked.
- Telecommuting computers should provide functions for backing up data. These functions should fulfil the following requirements, among others:
  - The data backup program is user-friendly and fast, allowing automatic execution.
  - Specifications can be made as to which data should be backed up when.
  - An option for loading any required data backup is available.
  - It is possible to back up several generations.
  - It is possible to back up instantaneous data at specified intervals while an application is being run.
- Telecommuting computers should be equipped with an encryption component. The required functionality must first be determined: Encryption of selected data (offline) or automatic encryption of the entire hard disk (online). Automatic encryption should be preferred as a general rule for all data media because it is more user-friendly and more efficient. However, automatic encryption requires the use of a suitable encryption product and that any data lost due to a malfunction (power failure or cancellation of the encryption process) can be restored by the system. It may also make sense to specify the following requirements:
  - The implemented encryption algorithm should meet the requirements in S 2.164 Selection of a suitable cryptographic procedure.
  - Key management must be harmonious with the functionality of the telecommuting computer. In particular, fundamental differences between algorithms must be considered in this context: Symmetric techniques use a confidential key for encrypting and decrypting; asymmetric techniques use a public key for encrypting and a private (confidential) key for decrypting.
  - The telecommuting computer must safely manage critical security parameters such as keys. These keys (including ones which are no longer in use) must never be stored on the telecommuting computer in an unprotected - i.e. readable - form.
- If the telecommuting computer provides mechanisms for performing integrity checks, then it may make sense to specify the following requirements:
  - Integrity checking procedures should be used which can reliably detect intentional manipulation of IT and data on the telecommuting computer, as well as unauthorised installation of programs.
  - Mechanisms should be used which can detect intentional manipulation of address fields and payload data during data transmission. Mere identification of the algorithms employed, without the need for certain additional details, should not suffice to perform undetected manipulation of the above-mentioned data.
- The telecommuting computer should provide a boot protection mechanism to prevent booting from removable data media, e.g. from DVDs or USB sticks, without authorisation (see S 4.4 Correct handling of drives for removable media and external data storage).
- It should be possible to restrict the user environment of the telecommuting computer. The administrator should be able to define which programs can be executed by the telecommuter, which peripheral devices can be used, and which changes the telecommuter can make on the system. Furthermore, the telecommuter should not be able to change the settings required for secure operation without authorisation and should not be able to install third-party software without permission.
- A resident computer virus scanning program must be installed on the telecommuting computer to continuously scan the computer for computer viruses (see S 4.3 Use of virus protection programs). A virus scan must be performed before reading or copying data from removable data media, giving data media to other people, or sending or receiving data (see S 4.33 Use of a virus scanning program on exchange of data media and during data transfer).
- If the telecommuting computer will be administered using remote maintenance functionality, then it must be ensured that only authorised personnel are allowed to perform remote administration. In this case, the remote maintenance personnel must provide authentication, the data transmitted must be encrypted, and the logging of all administration activities must be guaranteed.
- The software installed on a telecommuting computer should be user-friendly. It should be easy to operate, easy to understand, and easy to learn how to use because telecommuters work more independently than other employees. In particular, the users should be provided with informative and understandable documentation of the operating system and of all installed programs.
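The identification and authentication requirements listed above (passwords of at least eight characters, no unencrypted password storage, access denied after three consecutive failed attempts or progressively longer retry intervals) and the logging and log-evaluation requirements (user ID, date and time, success per attempt; filtering all unauthorised attempts over a specified time period) can be illustrated together. The following Python is an added example written for this page; it is not code from the BSI catalogue or from any product. The account store, user names, timestamps, the five-second starting interval and the PBKDF2 parameters are constructed assumptions, and the example implements both the lock-out and the progressive delay where the text asks for at least one of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Minimum values taken from the requirement text above
MIN_PASSWORD_LENGTH = 8       # shorter passwords are rejected when set
MAX_CONSECUTIVE_FAILURES = 3  # access is denied after three failed attempts in a row
BASE_DELAY_SECONDS = 5        # assumed start of the progressive retry interval; doubles per failure


@dataclass
class LogRecord:
    """One authentication log entry: date and time, user ID, success, detail."""
    when: datetime
    user_id: str
    success: bool
    detail: str


def _hash(password: str, salt: bytes) -> bytes:
    # Passwords are never stored unencrypted: only a salted PBKDF2 digest is kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class TelecommutingLogin:
    accounts: dict = field(default_factory=dict)      # user_id -> (salt, digest)
    log: list = field(default_factory=list)           # append-only LogRecord entries
    failures: dict = field(default_factory=dict)      # user_id -> consecutive failures
    next_allowed: dict = field(default_factory=dict)  # user_id -> earliest next attempt
    locked: set = field(default_factory=set)          # user IDs denied until an administrator resets them

    def set_password(self, user_id: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
        salt = os.urandom(16)
        self.accounts[user_id] = (salt, _hash(password, salt))

    def _record(self, now: datetime, user_id: str, success: bool, detail: str) -> None:
        self.log.append(LogRecord(now, user_id, success, detail))

    def authenticate(self, user_id: str, password: str, now: datetime) -> bool:
        if user_id in self.locked:
            self._record(now, user_id, False, "account locked")
            return False
        if now < self.next_allowed.get(user_id, now):
            # Attempt inside the enforced waiting interval: logged but not evaluated
            self._record(now, user_id, False, "retry before waiting interval expired")
            return False
        entry = self.accounts.get(user_id)
        if entry is not None and hmac.compare_digest(entry[1], _hash(password, entry[0])):
            self.failures[user_id] = 0
            self._record(now, user_id, True, "login")
            return True
        n = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = n
        if n >= MAX_CONSECUTIVE_FAILURES:
            self.locked.add(user_id)
            self._record(now, user_id, False, "wrong password, access denied after %d failures" % n)
        else:
            delay = BASE_DELAY_SECONDS * 2 ** (n - 1)
            self.next_allowed[user_id] = now + timedelta(seconds=delay)
            self._record(now, user_id, False, "wrong password, next attempt allowed in %ds" % delay)
        return False


def unauthorised_attempts(log: list, start: datetime, end: datetime) -> list:
    """Log evaluation: every unsuccessful attempt within [start, end]."""
    return [r for r in log if not r.success and start <= r.when <= end]


T0 = datetime(2024, 1, 15, 8, 0, 0)  # constructed reference time for the walk-through


def walkthrough():
    """Constructed sequence of attempts; returns the login object and the per-attempt results."""
    login = TelecommutingLogin()
    login.set_password("admin", "adm1n-long-pass")
    login.set_password("telecommuter", "correct horse battery")
    attempts = [
        ("admin", "adm1n-long-pass", T0),                                      # success
        ("telecommuter", "wrong-one", T0 + timedelta(seconds=10)),            # failure 1, wait 5 s
        ("telecommuter", "wrong-two", T0 + timedelta(seconds=11)),            # too early, rejected
        ("telecommuter", "wrong-two", T0 + timedelta(seconds=20)),            # failure 2, wait 10 s
        ("telecommuter", "wrong-three", T0 + timedelta(seconds=40)),          # failure 3, account locked
        ("telecommuter", "correct horse battery", T0 + timedelta(minutes=1)),  # locked, denied
    ]
    results = [login.authenticate(u, p, t) for u, p, t in attempts]
    return login, results


if __name__ == "__main__":
    login, results = walkthrough()
    for r in login.log:
        print(r.when.isoformat(), r.user_id, "OK" if r.success else "FAIL", r.detail)
    print("unauthorised attempts in window:", len(unauthorised_attempts(login.log, T0, login.log[-1].when)))
```

The log records are appended and never rewritten, which is the property the "unauthorised persons must not be able to read or edit the logs" requirement needs from the storage layer; the example leaves access control on the log file itself to the operating system.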
The functionality needed by the telecommuting computer according to the security requirements must be selected from the functionality listed above. A suitable operating system must then be selected as a platform based on the functionality chosen. If the operating system does not support all required functionality, then additional products must be used to provide it. If possible, every telecommuting computer in an organisation should be identically equipped in order to simplify maintenance and support. Module S 1.10 Standard software should be considered for the security-related suitability tests.
The overall system must be configured by the administrators so that the maximum level of security can be reached.
Review questions:
- Is the security-related functionality a telecommuting computer needs to provide documented together with how this functionality must be implemented?
- Has it been ensured that only authorised persons have access to the telecommuting computer and to the communications computer?
- Has it been ensured that telecommuting computers are only used for authorised purposes?
- Has it been ensured that manipulations to data, the telecommuting computers, and the communications computers can be detected?