S 4.251 Working with external IT systems
Initiation responsibility: User, Supervisor, IT Security Officer
Implementation responsibility: User
It is often necessary to be able to access different types of electronic information when travelling, e.g. to synchronise calendars, send e-mails and retrieve certain files. Often, the easiest way to do this is by using external IT systems or communication connections, e.g.
- downloading files from an Internet café,
- accessing the company network via the PCs or the intranet of an office of a visited organisation or
- connecting via WLAN through a hotspot in a hotel.
It should be clear to all users that this IT is administered by third parties and that additional security safeguards must therefore be implemented. One should always assume that the security level of the foreign environment is unknown and must therefore be judged as low. All employees should be aware that external computers and foreign environments always pose higher IT security risks. Even if the level of security makes an excellent impression, that impression could be mistaken.
For example, the existing network environment could be less well protected than one's own laptop, so that problems such as computer viruses or Trojan horses could be brought in. It may turn out that a totally different understanding of security prevails at the organisation visited, so that there is no consensus on security objectives, the security level and security safeguards.
In mobile networks, the participants can change constantly: new ones join the network and others leave it. In this case it is difficult to trace who else was active in the network at a given point in time. Mobile networks are therefore prone to attacks that may not even be traceable, and it is extremely difficult to make any judgement about the existing security level.
Before users log on to external networks or make use of service offers, they should consider how trustworthy they are. Extremely inexpensive offers could very well be provided for the purpose of spying on or manipulating data on mobile terminal devices. For example, an attacker could provide free Internet access or WLAN access in order to easily read the data transmitted over it.
Even when using comparatively simple and comprehensible services, users must take the necessary care. For example, it could become necessary when travelling to print out data from the laptop. Printing services in hotels, Internet cafés or copy shops, or the printers at the company being visited, can be used. However, the printed information is thus made accessible to external persons, namely the respective service providers. The file to be printed must be transmitted to the printer and may therefore be cached on IT systems. Printouts can be made several times without being noticed, or paper can simply remain in the printer.
For this reason, users should take the following recommendations into account before working on external IT systems or using service offers:
- They should inform themselves of the existing security safeguards.
- They should consider carefully what they use them for and/or use the specifications and regulations for the mobile use of IT as orientation. External IT systems and service offers should not be used for all kinds of activities and data.
- As soon as work is finished, all temporary data created on an external computer should always be deleted. This is usually not easy, though, because many operating systems create temporary data at numerous locations. Moreover, on external IT systems the access rights may not allow the deletion of all the data that have been created. At the very least, the cache should be deleted.
- Browser functions to "automatically complete" user names and passwords should never be used, so that subsequent users cannot log on elsewhere with the user name.
Review questions:
- Have all employees been informed of what to observe when using external IT systems?
- Do all employees know that as soon as work is finished, they must always delete all temporary data created on external IT systems?
- Do all employees know that browser functions to automatically complete or save passwords should never be used?