IT Baseline Protection Manual S 1.32 Adequate siting of the consoles, devices with exchangeable data media, and printers
Initiation responsibility: Head of IT Section; PBX officer; IT Security Management
Implementation responsibility: Administrators
This measure protects the interfaces of an IT system against external factors, so that the security requirements for stored and processed data, which inside the IT system are met by the internal security mechanisms and by hardware/software measures, are also met at these interfaces. Protection against unauthorised reading of information, which within the system is ensured by access control mechanisms, must be provided at these interfaces primarily by infrastructural or organisational measures.
In order to prevent manipulation of the console, of devices with exchangeable data media and of printers, these must be installed in locations which can be accessed by authorised persons only.
In particular, the following provisions apply:
In the case of Unix systems, unauthorised persons must not be given access to the console since they might boot the Unix computer in single-user mode or activate the hardware monitor and thus acquire system administrator rights.
It must be ensured that devices for exchangeable data media - such as streamers, floppy disk drives, removable disks - do not allow illicit import or reading out of files.
Only authorised persons may have access to rooms with printers/print-outs. This can be achieved, for instance, by locating printers in a locked room and by having print-outs distributed by a trustworthy person to pigeon-holes which can be accessed only by the intended recipients. Therefore, the names of the recipients must be indicated on print-outs. This can be done automatically by means of print programs.
This measure is complemented by the following:
S 4.18 Administrative and technical means to control access to the system-monitor and single-user mode
S 4.21 Preventing unauthorised acquisition of administrator rights
Additional controls:
Are the console, devices for exchangeable data media, and print-outs protected against unauthorised access?