S 2.23 Issue of PC Use Guidelines

Initiation responsibility: Agency/company management; IT Security Management; Head of IT Section

Implementation responsibility: Head of IT Section; IT users

In order to promote the secure and proper use of personal computers in larger-size companies/agencies, PC Use Guidelines should be prepared which lay down mandatory provisions on what general requirements must be met and which IT security measures will have to be taken. As a minimum, such PC Use Guidelines are to regulate the use of non-networked PCs; if PCs are operated within a network or are used as intelligent terminals, these aspects will have to be covered by the Guidelines. The following is to give a broad outline of the items which might expediently be included in such PC Use Guidelines.

The contents of PC Use Guidelines may be structured as follows:

• Objectives and definitions

This introductory part of the PC Use Guidelines serves to raise the IT security awareness and motivation of PC users. At the same time, the concepts required for shared understanding are defined, such as PC, users, objects requiring protection.

• Scope of application

In this part, the units of the company/agency to which the PC Use Guidelines are to apply must be laid down in a binding form.

• Legislation and in-house regulations

Here, information is given on the legal provisions to be complied with, e.g. the Federal Data Protection Act and the Copyright Act. In addition, all relevant in-house regulations can be listed in this section.

• Distribution of responsibilities

This section defines what function will be associated with what responsibility in the context of PC use. In particular, a distinction will have to be made between the functions of user, superior, auditing officer, departmental data privacy officer, and IT Security Management.

• IT security measures to be implemented and observed

In the final section of the PC Use Guidelines, those IT security measures which are to be observed and implemented by the IT user must be laid down. Depending on the required level of protection the measures can exceed the IT base protection.

If telecommuters are employed by an enterprise or agency, the PC usage guidelines should be extended by rules pertaining to telecommuting workstations. Also refer to Chapter 9.3.

Additional controls:

• Have PC Use Guidelines been established?

• How is compliance with the PC Use Guidelines monitored?

• Is it necessary to update the contents, especially as regards IT security measures?

• Does every PC user have a copy of these PC Use Guidelines?

• Are such PC Use Guidelines covered by the curriculum for training in IT security measures?