S 6.79 Protection of Data on Internet PCs
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Internet PCs can be used in various application scenarios: on one hand, they may be used in addition to other Internet access possibilities, for example when workstation PCs have Internet connections but prohibit active content - such as JavaScript - for safety reasons; on the other hand, in many cases Internet PCs may provide the only access to the World Wide Web, e-mail and other web services.
Which of these applies to your Internet PCs will determine their required availability. High or extremely high availability can be ensured, for example, with redundant Internet PCs or connections. To allow a quick system restoration when an Internet PC fails, for example due to technical problems or an attack, a data backup policy is essential. The data you will need to back up falls into two categories: system, program and configuration files on one hand, and application data on the other.
Backing up system, program and configuration files
To allow a quick restoration of the Internet PC after a failure, save an image of all required operating system and software components and their configurations once they have been installed.
This involves either backing up all system, program and configuration files using a backup program or backing up the entire hard disk byte for byte with a special tool. The latter method should be used only when there is no application data on the hard disk.
You should make an image backup of the system
- as soon as you have finished installing and configuring the Internet PC,
- each time you install, remove or update operating system or software components, for example after installing patches, and
- after every major change to the configuration or any change to it that affects system security.
This will allow you to simply restore the whole system in one go after a failure rather than having to separately reinstall and configure each software component on the Internet PC.
Backing up application data
If the concept of use provides for saving data locally, the application data must be backed up regularly in addition to the system.
You should specify one or more directories on the Internet PC to which application data can be saved and which will be included in the backup. Users must be informed of the directories they can use for saving data and how to access them.
Because the application data volume to be backed up may grow rapidly, the data backup policy should specify a volume limit and what should happen if this volume is exceeded.
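The following is an added example, not part of the original safeguard text: one way to back up the designated application data directories while enforcing the volume limit. The function names, the archive naming scheme, the decision to refuse the backup when the limit is exceeded, and the SHA-256 checksum file are assumptions of this example.

```python
import hashlib
import tarfile
import time
from pathlib import Path


class VolumeLimitExceeded(Exception):
    """The designated directories hold more data than the policy allows."""


def data_volume(directories):
    """Total size in bytes of all regular files below the designated directories."""
    return sum(f.stat().st_size
               for d in directories
               for f in Path(d).rglob("*")
               if f.is_file() and not f.is_symlink())


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_application_data(directories, backup_dir, limit_bytes):
    """Archive the designated directories; refuse if the volume limit is exceeded."""
    used = data_volume(directories)
    if used > limit_bytes:
        # Assumed policy reaction: no backup is written, the caller escalates.
        raise VolumeLimitExceeded(f"{used} bytes exceeds limit of {limit_bytes} bytes")
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / time.strftime("appdata-%Y%m%d-%H%M%S.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for d in directories:
            # Assumes the designated directories have distinct base names.
            tar.add(d, arcname=Path(d).name)
    checksum = sha256_file(archive)  # recorded so the medium can be checked before a restore
    Path(str(archive) + ".sha256").write_text(f"{checksum}  {archive.name}\n")
    return archive, checksum


def verify_backup(archive):
    """Return True if the archive still matches its recorded SHA-256 checksum."""
    recorded = Path(str(archive) + ".sha256").read_text().split()[0]
    return sha256_file(archive) == recorded
```

Run verify_backup against the copy on the backup medium before relying on it for a restoration.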
Data backup policy
The data backup method should be documented in a policy, which should cover at least the following points:
- scope of data backup (i.e. which directories, partitions, etc.),
- frequency and time of data backup,
- data backup medium,
- responsibility for data backup,
- storage location for backup media.
All users of the Internet PC must be made aware of the data backup policy. For further recommendations about developing a data backup policy, see safeguard S 6.33 Development of a data backup policy.
Examples:
- Scenario 1:
An Internet PC is installed in a company as an additional service because active content is prohibited in the in-house network. The system is reinstalled weekly from an image. The users have been informed that they are responsible for backing up their own application data on the Internet PC if they need it later on.
- Scenario 2:
The in-house network in a company is not connected to the Internet. Several Internet PCs are installed and networked with each other for the use of e-mail. Incoming and outgoing e-mails are backed up daily with a CD writer installed in one of the Internet PCs. Backups are carried out manually to CD-R or CD-RW media by an administrator and his/her substitute.
Review questions:
- Is an image of the system created after installation and configuration of Internet PCs?
- Is the application data of Internet PCs backed up regularly, if the concept of use specifies local saving of data?
- Is there a data backup policy for Internet PCs?
- Is the data backup policy known to all users of Internet PCs?