IT Baseline Protection Manual S 2.172 Developing a concept for using the WWW

Initiation responsibility: Agency/company management; IT Security Management

Implementation responsibility: Head of IT Section, Administrator

Before WWW services are used, a concept must first be drawn up describing which services are to be used and which are to be offered. The concept must also address how the WWW server, the WWW clients and the communication links between them will be secured.

WWW servers can be used solely as an internal information database, as the central point of an intranet, or as an external WWW server that offers a variety of services. The security demands made of the WWW server also vary according to the form that the planned implementation is to take.

In a small organisation in which a WWW server is operated as an intranet server with no critical applications, the requirements are quite different from those imposed on a WWW server that is to be connected to the Internet and perhaps even contains data that should not be retrievable by just anyone.

If it is intended to offer WWW services both in the intranet and on the Internet, it is advisable to use two separate systems: one intranet WWW server and one Internet WWW server. If it is intended to connect the Internet WWW server to the internal network, the connection to the internal network must be protected by a firewall. Factors which have to be taken into account regarding the configuration of information servers are also described in S 2.77 Secure configuration of other components.

The connection to the Internet may only be implemented once it has been checked that all risks can be handled by the chosen WWW concept and by the personnel and organisational conditions.

A WWW server used for an organisation's Internet presence does not have to be operated by the organisation itself. If the running costs or administration costs are too high, or if the residual risks appear too incalculable, it is also possible to make use of the services of Internet service providers or other service companies and have them operate a WWW server.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999