IT Baseline Protection Manual S 2.178 Stipulating a set of security guidelines for the use of faxes

S 2.178 Stipulating a set of security guidelines for the use of faxes

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

Before any fax servers are installed, configured and cleared for use, a set of security guidelines should be specified for use of faxes. The points outlined below normally fall within the scope of such guidelines.

1. Concept of use

Before a fax server is cleared for use, the manner in which the system will be operated must be specified. For example, a fax server might be used solely to accept faxes from users over the LAN and send them to external parties. A fax server can, however, also receive incoming faxes from outside. In that case it must be specified how incoming faxes are forwarded to their recipients. One option is for the fax server to route them itself, possibly via a connection to an existing e-mail or workflow system. Another option is manual forwarding by the fax mail centre, again possibly by e-mail; alternatively, the fax mail centre prints out incoming faxes and sends the printouts on to the recipients (see S 2.181 Selection of a suitable fax server).

2. Integration with business operations

The mode of operation of the fax server also determines how faxes that have been sent or received are integrated into business operations. A procedure whereby the fax mail centre prints out all incoming faxes and sends the printouts to the relevant recipients corresponds to the way conventional fax machines are customarily used. Procedures whereby faxes are sent directly from an application on the user's workstation, or incoming faxes are delivered directly to the recipient by the fax server, differ significantly from the use of conventional fax machines. In that case the fax guidelines therefore need to specify which incoming and outgoing faxes must be printed out for the records.

3. Procedures controlling the use of fax servers

To ensure that a fax server is operated and used securely, a number of rules must be drawn up (see S 2.179 Procedures controlling the use of fax servers).

4. Restrictions as to material which may be faxed

The fax security guidelines must specify what information is allowed to be transmitted by fax. The fax security guidelines can also specify which communication partners may receive what information. This ensures that recipients are actually authorised to handle the information. For example, the guidelines could specify that price lists may only be sent to buyers or that project documents can only be sent to project team members by fax.

5. Contingency planning and operational reliability

The fax security guidelines should also cover contingency planning and fail-safe fax operation. If availability is an important factor, it may be appropriate to have redundant fax servers. In this connection consideration should also be given to the question of whether conventional fax machines should be kept available for use in emergencies (see also S 6.69 Contingency planning and operational reliability of fax servers).

6. Data backup

The fax server should be included in the data backup policy of the organisation (see Section 3.4). In particular, the data backup policy must specify who is responsible for taking the backups and what should be backed up. The items subject to backup can include software, configuration data, saved or archived fax data and even log files. The intervals at which backups are taken and the number of generations which must be kept should also be specified, as must the person responsible for checking any log files generated during data backup. Finally, the fact that a backup has been performed or that the log files have been evaluated should be documented.

7. Training

The fax security guidelines should be supplemented by an organisation-wide training concept. First, the staff responsible for administering the IT system and the fax server application must be given appropriate training. Users must then be made aware of the specific risks of using a fax server, as compared with a conventional fax machine.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update:
January 2000