5.4 DOS PC (multiuser)

Description

The subject here is a commercially available IBM-compatible PC run with DOS or a comparable operating system. This PC is not connected to a network. It is equipped with a floppy disk drive, a hard disk and a mouse. If available, a printer is to be directly connected to the PC. A graphic user interface can also be employed here. It is assumed that several persons use this PC, these having differing access rights to the stored data. It is also assumed that changes in users of the PC do not occur on a frequent basis.

In the event that the user is changed on a frequent basis, alternative security solutions should be considered, such as purchasing additional PCs or even setting up a local network with a possible common data base for reasons of performance and acceptance.

Threat Scenario

The following typical threats (T) are assumed as regards IT baseline protection of a DOS PC (multiuser):

Force Majeure:

• T 1.1 Loss of personnel
• T 1.2 Failure of the IT system
• T 1.4 Fire
• T 1.5 Water
• T 1.8 Dust, soiling

Organisational Shortcomings:

• T 2.1 Lack of, or insufficient, rules
• T 2.7 Unauthorised use of rights
• T 2.9 Poor adjustment to changes in the use of IT
• T 2.21 Inadequate organisation of the exchange of users
• T 2.22 Lack of evaluation of auditing data

Human Failure:

• T 3.2 Negligent destroying of equipment or data
• T 3.3 Non-compliance with IT security measures
• T 3.6 Hazards posed by cleaning staff or outside staff
• T 3.8 Improper use of the IT system
• T 3.16 Incorrect administration of site and data access rights
• T 3.17 Incorrect change of PC users

Technical Failure:

• T 4.1 Disruption of power supply
• T 4.7 Defective data media

Deliberate Acts:

• T 5.1 Manipulation/destruction of IT equipment or accessories
• T 5.2 Manipulation of data or software
• T 5.4 Theft
• T 5.9 Unauthorised use of IT systems
• T 5.18 Systematic trying-out of passwords
• T 5.21 Trojan Horses
• T 5.23 Computer viruses
• T 5.43 Macro viruses

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.

In the following, the safeguard group "DOS PC (multiuser)" is set out:

Infrastructure:

• S 1.29 (3) Adequate siting of an IT system (optional)

Organisation:

• S 2.3 (2) Data media control
• S 2.4 (2) Maintenance/repair regulations
• S 2.5 (2) Division of responsibilities and separation of functions
• S 2.7 (2) Granting of (system/network) access rights
• S 2.8 (2) Granting of (application/data) access permissions
• S 2.9 (2) Ban on using non-approved software
• S 2.10 (3) Survey of the software held
• S 2.13 (2) Correct disposal of resources requiring protection
• S 2.22 (3) Escrow of passwords
• S 2.23 (3) Issue of PC Use guidelines (optional)
• S 2.24 (3) Introduction of a PC Checklist booklet (optional)
• S 2.26 (1) Designation of an administrator and his deputy
• S 2.37 (2) Clean desk policy
• S 2.63 (1) Establishing Access Rights
• S 2.64 (2) Checking the log files
• S 2.65 (1) Checking the efficiency of User separation on an IT System
• S 2.66 (2) The importance of certification for procurement

Personnel:

• S 3.4 (1) Training before actual use of a program
• S 3.5 (1) Education on IT security measures
• S 3.10 (1) Selection of a trustworthy administrator and his substitute
• S 3.11 (1) Training of maintenance and administration staff
• S 3.18 (1) Log-out obligation for PC users

Hardware/Software:

• S 4.3 (2) Periodic runs of a virus detection program
• S 4.4 (3) Locking of floppy-disk drive slots (optional)
• S 4.30 (2) Utilisation of the security functions offered in application programs (optional)
• S 4.41 (1) Use of a suitable PC security product
• S 4.42 (2) Implementation of security functions in the IT application (optional)
• S 4.44 (2) Checking of incoming data for macro viruses

Contingency Planning:

• S 6.20 (2) Appropriate storage of backup data media
• S 6.21 (3) Backup copy of the software used
• S 6.22 (2) Sporadic checks of the restorability of backups
• S 6.23 (2) Procedure in case of computer virus infection
• S 6.24 (3) PC emergency floppy disk
• S 6.27 (3) Backup of the CMOS RAM
• S 6.32 (2) Regular data backup