IT Baseline Protection Manual S 2.176 Selection of a suitable Internet service provider

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section

A provider via which users are connected to the Internet accumulates information not only about incoming and outgoing e-mail but also about all of the WWW pages which the users call up. In addition, all data that is exchanged between the user's computer and a server in the Internet passes through the provider's IT systems.

When selecting an Internet service provider, the following questions should be asked:

Confirmation of secure operation of the provider's IT systems should be obtained, i.e. for example proof that the conditions specified in S 2.174 Secure operation of a WWW server have been fulfilled. All relevant measures specified in Chapter 6 on networked systems and in Chapter 7 on data communication equipment should be put into practice. An IT security concept and security guidelines should be a matter of course with every provider. It should be possible for external users to inspect the security guidelines. The staff of the provider should be made aware of IT security aspects and be under obligation to observe the security guidelines; they should also be given regular training (not only in security matters).

The provider stores user data for invoicing purposes (name, address, user ID, bank account) as well as connection data and transmitted contents (over a period of time which varies from one provider to another).

Users should ask their provider which items of data concerning them are stored and for how long. When selecting a provider, it should be taken into account that German providers must comply with the data privacy regulations that apply to the processing of this information.

Supplementary checks:
© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999