S 5.52 Security-related requirements for communications computers
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
A telecommuter accesses the data of the organisation in different ways depending on the type of telecommuting and the tasks to be performed by the telecommuters. It may be the case in some situations that only e-mail is exchanged between telecommuters and the organisation. In other cases it might be necessary for telecommuters to access servers at the organisation. Regardless of how access is obtained, the communications computer at the organisation will generally need to fulfil the following security requirements:
- Identification and authentication: All users of the communications computer, meaning administrators, employees in the organisation, and telecommuters, must provide identification and authentication before accessing this computer. Access to the computer should be blocked after multiple failed attempts to log in. The default passwords must be changed.
It may also be necessary for the communications computer to require the telecommuter or the telecommuting computer to provide authentication again during the data transmission in order to defend against interception by attackers.
The identification of the telecommuting computer should also be checked in the framework of the identification and authentication process of the user (using telephone numbers and callback procedures, for example).
Consideration should be given to using only strong authentication procedures to secure access while telecommuting. Smart cards, tokens, or even biometric procedures can be used for this purpose.
- Separation of roles: The roles of the administrators and users of the communications computer must be separated. Only administrators should be able to grant rights.
- Rights management and monitoring: Access to files on the communications computer must only be allowed within the framework of the rights granted. Furthermore, it is especially necessary to control access to the computers in the organisation that are connected to it and to the files stored on them. Physical and data access capabilities must be restricted to the bare minimum.
In the event of a system failure or irregularities, the communications computer must assume a stable state, whereby it might no longer be accessible.
- Minimisation of services: Services provided by the communications computer must follow the principle of minimalism, which states that anything not explicitly allowed is prohibited. The scope of each service must be restricted to the minimum the telecommuters require to perform their tasks.
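The three requirements above (rights only granted by administrators, access denied unless explicitly granted, and a stable denying state on failure) can be expressed as one small policy component. The following is an added illustration, not part of the BSI safeguard text; the role names, the set of enabled services, the in-memory policy store and the `demo()` users are assumptions made for the example.

```python
"""Default-deny rights management with separated roles and fail-closed
behaviour for a communications computer.  Added illustration, not part of
the BSI safeguard text; role names, service names and the in-memory policy
store are assumptions made for the example."""

from dataclasses import dataclass, field

ADMIN = "administrator"
TELECOMMUTER = "telecommuter"

# Services the communications computer exposes at all.  Anything else is
# prohibited regardless of user rights (minimisation of services).
ENABLED_SERVICES = {"imaps", "smtp", "sftp"}


@dataclass
class AccessPolicy:
    roles: dict = field(default_factory=dict)    # user -> role name
    grants: dict = field(default_factory=dict)   # user -> {(service, resource)}
    audit: list = field(default_factory=list)    # record of grant operations
    degraded: bool = False                       # set on failure -> deny all

    def grant(self, actor: str, user: str, service: str, resource: str) -> bool:
        """Only administrators may grant rights (separation of roles)."""
        if self.roles.get(actor) != ADMIN:
            self.audit.append(("grant_refused", actor, user, service, resource))
            return False
        if service not in ENABLED_SERVICES:
            # A right for a disabled service cannot be granted at all.
            self.audit.append(("grant_refused", actor, user, service, resource))
            return False
        self.grants.setdefault(user, set()).add((service, resource))
        self.audit.append(("granted", actor, user, service, resource))
        return True

    def is_allowed(self, user: str, service: str, resource: str) -> bool:
        """Default deny: access only if the service is enabled and the right
        was explicitly granted; in the degraded state everything is denied."""
        if self.degraded:
            return False
        if service not in ENABLED_SERVICES:
            return False
        return (service, resource) in self.grants.get(user, set())

    def fail_stable(self, reason: str) -> None:
        """On a system failure or irregularity, fall into a stable state
        in which the computer denies all access until an administrator
        intervenes."""
        self.degraded = True
        self.audit.append(("degraded", reason))


def demo() -> AccessPolicy:
    """Constructed scenario: one administrator, one telecommuter."""
    p = AccessPolicy(roles={"root-admin": ADMIN, "alice": TELECOMMUTER})
    p.grant("root-admin", "alice", "sftp", "/home/alice")   # granted
    p.grant("alice", "alice", "sftp", "/srv/payroll")       # refused: not an administrator
    p.grant("root-admin", "alice", "telnet", "/")           # refused: service not enabled
    return p


if __name__ == "__main__":
    policy = demo()
    print(policy.is_allowed("alice", "sftp", "/home/alice"))   # True
    print(policy.is_allowed("alice", "sftp", "/srv/payroll"))  # False
    for entry in policy.audit:
        print(entry)
```

The decision function never consults a "deny list": an access is permitted only when both the service is enabled and a matching grant exists, so a forgotten rule defaults to denial, and `fail_stable()` gives the "stable state" of the requirement a concrete meaning (deny everything, keep the audit record).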
- Logging: Data transmissions to, from, and via the communications computer must be logged with the time and date, users, addresses, and service.
The administrators and auditors should be provided with tools for evaluating the log data. Any irregularities detected during evaluation should be reported automatically.
- Automatic scanning for computer viruses: All data transferred should be scanned automatically for computer viruses.
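The logging requirement (time and date, user, address, service) together with the earlier requirement that access be blocked after multiple failed log-in attempts can be checked by a simple log evaluator of the kind administrators and auditors should have available. The following is an added example, not code from the BSI safeguard; the log line format, the field names, the sample entries (using documentation IP ranges) and the thresholds are all constructed for the illustration.

```python
"""Evaluate constructed communications-computer log lines and report
irregularities automatically.  Added example, not part of the BSI text;
the log format, thresholds and sample data are assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, user, address, service, result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) addr=(?P<addr>\S+) "
    r"service=(?P<service>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2024-03-04T08:12:03 user=alice addr=203.0.113.7 service=imaps result=ok
2024-03-04T08:13:10 user=bob addr=198.51.100.9 service=sftp result=fail
2024-03-04T08:13:25 user=bob addr=198.51.100.9 service=sftp result=fail
2024-03-04T08:13:41 user=bob addr=198.51.100.9 service=sftp result=fail
2024-03-04T08:20:00 user=carol addr=203.0.113.44 service=telnet result=ok
this line is not in the expected format
2024-03-04T09:02:17 user=alice addr=203.0.113.7 service=smtp result=ok
"""

ALLOWED_SERVICES = {"imaps", "smtp", "sftp"}   # assumed minimal service set
MAX_FAILURES = 3                               # lock after this many failures
WINDOW = timedelta(minutes=10)                 # ...within this time window


def parse(text: str) -> list:
    """Turn raw lines into dicts; keep unparseable lines as an irregularity."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            entries.append({"lineno": lineno, "raw": line, "bad": True})
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["lineno"] = lineno
        rec["bad"] = False
        entries.append(rec)
    return entries


def evaluate(entries: list) -> list:
    """Return a list of findings; each finding is a dict with kind/user/detail."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failures
    for e in entries:
        if e["bad"]:
            findings.append({"kind": "unparseable", "user": None,
                             "detail": f"line {e['lineno']}: {e['raw']!r}"})
            continue
        if e["service"] not in ALLOWED_SERVICES:
            findings.append({"kind": "unexpected_service", "user": e["user"],
                             "detail": f"{e['service']} from {e['addr']}"})
        if e["result"] == "ok":
            recent_failures[e["user"]].clear()
            continue
        # Failed log-in: keep only failures inside the window, then count.
        stamps = [t for t in recent_failures[e["user"]] if e["ts"] - t <= WINDOW]
        stamps.append(e["ts"])
        recent_failures[e["user"]] = stamps
        if len(stamps) >= MAX_FAILURES:
            findings.append({"kind": "lockout", "user": e["user"],
                             "detail": f"{len(stamps)} failures from {e['addr']} "
                                       f"within {WINDOW}; block access"})
            recent_failures[e["user"]].clear()
    return findings


def report(findings: list) -> str:
    """Render findings as the text an automatic notification would carry."""
    return "\n".join(f"[{f['kind']}] user={f['user']} {f['detail']}" for f in findings)


if __name__ == "__main__":
    print(report(evaluate(parse(SAMPLE_LOG))))
```

On the sample data the evaluator produces three findings: a lockout for `bob` (three failures within ten minutes), an unexpected service for `carol` (telnet is not in the allowed set), and one unparseable line, which is itself worth reporting because a log that stops matching its own format usually means the logging configuration or the log file has been tampered with or broken.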
- Encryption: Data stored on the communications computer for the telecommuter must be encrypted if its protection requirement in terms of confidentiality (according to the organisation-wide information security policy) makes encryption necessary. In general, communication between the telecommuting computer and communications computer should be encrypted.
- Preventing or securing remote administration: If the communications computer does not require remote administration, then all functionality for remote administration must be disabled. However, since remote administration capabilities are usually needed, they need to be adequately protected (e.g. using a VPN tunnel or a dedicated connection). Remote administration operations may only be allowed after successful identification and authentication. Consideration should be given to logging the tasks performed during remote administration sessions. Administration access data and configuration data may only be transmitted in encrypted form. All default passwords and cryptographic keys must be changed.
Review questions:
- Is the communications computer configured according to the security requirements?
- Are all users of the communications computer required to provide identification and authenticate themselves before they can access the communications computer?
- Are the physical and data access capabilities on the communications computer restricted to the minimum necessary?