IT Baseline Protection Manual S 2.179 Procedures controlling the use of fax servers

S 2.179 Procedures controlling the use of fax servers

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator of the fax server, fax mail centre

To ensure the smooth operation of the fax server(s), procedures must be put in place covering the points set out below.

1. Specification of responsibilities

A fax server consists of an IT system, the operating system installed on it and the fax server application. In addition there are the users' fax clients. Maintenance of the fax server must be organised accordingly. Depending on the existing organisational structure, persons who will have responsibility for these areas must be appointed. In some cases this can mean that each of these areas is supported by different administrators. For example, the operating system could be administered by the organisational unit which is also responsible for administration of the other IT systems. On the other hand, the fax application should be administered in the fax mail centre. Depending on the type of use, the mail centre is also responsible for ensuring that incoming fax transmissions are forwarded to the responsible person. Responsibility for issuing access authorisations for the fax server should lie in the mail centre as well. Other tasks include resetting passwords and configuration of new users. Thus it is especially important to define the tasks and responsibilities of the fax mail centre (see S 2.180 Setting up a fax mail centre).

2. Definition of the user community

The group of persons who are authorised to use the fax server must also be specified. Authorisations for incoming fax transmissions could include the following:

Authorisations for outgoing fax transmissions could include the following:

These classes of authorisation should if possible be granted only to user groups and only in exceptional cases to individual users, as is customary in administration generally (see also S 2.30 Provisions governing the configuration of users and user groups).

3. Specification of utilisation profiles

The question of how much use authorised users may make of the fax server should also be covered in the procedures. This is especially important to avoid overloading of the server with serial faxes.

4. Times of use

Consideration should be given as to whether use of fax servers should be permitted only at certain times. Thus it would be possible to prohibit the sending of faxes outside working hours.
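Sections 3 and 4 both describe limits that a fax server log can be checked against: a per-user utilisation profile (to catch serial faxing) and permitted times of use. The following is an added example, not code from the manual or from any fax server product; it parses constructed sample log lines in a made-up format and reports jobs that breach assumed limits. The profile values, user names and numbers are all illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not from any real fax server): one outgoing job per line,
# format "<ISO timestamp> <user> <destination number> <pages>".
SAMPLE_LOG = """\
2000-01-10T08:15:00 mueller +49301234567 3
2000-01-10T09:02:00 mueller +49301234568 2
2000-01-10T09:03:00 schulz +49897654321 120
2000-01-10T22:40:00 schulz +49897654322 1
2000-01-10T10:00:00 mueller +49301234569 2
2000-01-10T10:01:00 mueller +49301234570 2
2000-01-10T10:02:00 mueller +49301234571 2
"""

# Hypothetical utilisation profile; the limits are assumptions chosen for illustration.
PROFILE = {
    "max_jobs_per_day": 4,                      # cap on serial faxing by one user
    "max_pages_per_job": 50,                    # cap on oversized single jobs
    "send_window": (time(7, 0), time(19, 0)),   # permitted times of use
}


def parse_log(text):
    """Turn the constructed log format into a list of job records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, pages = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "dest": dest,
            "pages": int(pages),
        })
    return records


def check_usage(records, profile):
    """Return (user, finding, timestamp) tuples for every job that breaches the
    utilisation profile or the permitted times of use."""
    findings = []
    jobs_per_user_day = defaultdict(int)
    start, end = profile["send_window"]
    for r in records:
        if r["pages"] > profile["max_pages_per_job"]:
            findings.append((r["user"], "oversized job", r["ts"].isoformat()))
        if not (start <= r["ts"].time() <= end):
            findings.append((r["user"], "outside times of use", r["ts"].isoformat()))
        key = (r["user"], r["ts"].date())
        jobs_per_user_day[key] += 1
        # Report the daily limit once, on the first job that exceeds it.
        if jobs_per_user_day[key] == profile["max_jobs_per_day"] + 1:
            findings.append((r["user"], "daily job limit exceeded", r["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in check_usage(parse_log(SAMPLE_LOG), PROFILE):
        print(finding)
```

Running the check over the sample lines flags the 120-page job, the job sent at 22:40 and the fifth job of the day from one user; the findings are what the fax mail centre would review at the intervals defined under "Logging" below.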

5. Configuring groups

Where incoming faxes are to be automatically routed to recipients through the fax server, separate fax numbers should be configured for certain functions and tasks. All members of a group can then be granted access to the incoming fax transmissions associated with a given call number. This also simplifies procedures for covering absences.

Suppose, for example, that a company operates a fax server which automatically forwards incoming fax transmissions to their recipients. A fax call number is assigned to the Order Entry department. The fax server forwards all fax transmissions with orders which are sent to the company using this call number not to one individual person but to all members of the Order Entry department. This requires that the company specifies the sequence in which employees process incoming fax transmissions, in order to avoid executing orders twice.

6. Arrangements for covering staff absences

Where fax servers which deliver incoming faxes to individual users are used, it is essential that arrangements are in place to deal with absences, and provisions dealing with this point must be included in the security policy. Otherwise there is no way of ensuring that important incoming faxes do not remain unread for prolonged periods. In this respect, the procedure for use of fax servers is significantly different from that which applies to the use of conventional fax machines. In the latter case incoming faxes are noticed by staff standing in, as the faxes are available as hard copy.
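Sections 5 and 6 together describe how group routing and absence cover interact: a fax arriving on a group's call number goes to every member, an absent member's share goes to a deputy, and faxes that nobody has read for too long must be noticed. The following is an added example, not code from the manual or from any fax server product; the routing table, group membership, absence records and the four-hour threshold are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed routing table: called fax number -> group (assumption for illustration).
NUMBER_TO_GROUP = {"+49301234500": "order-entry", "+49301234501": "purchasing"}

# Constructed group membership and absence records; an absent member names a deputy.
GROUP_MEMBERS = {"order-entry": ["mueller", "schulz"], "purchasing": ["weber"]}
ABSENCES = {"weber": {"until": datetime(2000, 1, 14), "deputy": "mueller"}}

# Assumed threshold after which an unread fax is escalated to the fax mail centre.
UNREAD_ALERT_AFTER = timedelta(hours=4)


def recipients_for(called_number, now):
    """Return the users who should receive a fax arriving on called_number at time now.
    Present group members receive it directly; for each absent member the deputy is
    substituted, so a fax is never delivered only to an unattended inbox."""
    group = NUMBER_TO_GROUP.get(called_number)
    if group is None:
        # Unknown number: hand over to the fax mail centre for manual forwarding.
        return ["fax-mail-centre"]
    recipients = []
    for member in GROUP_MEMBERS[group]:
        absence = ABSENCES.get(member)
        if absence and now < absence["until"]:
            recipients.append(absence["deputy"])
        else:
            recipients.append(member)
    # Deduplicate (a deputy may already be a member) while preserving order.
    return list(dict.fromkeys(recipients))


def overdue_unread(inbox, now):
    """inbox: list of (fax_id, received_at, read) tuples for one user.
    Returns the ids of faxes still unread after UNREAD_ALERT_AFTER, i.e. the ones the
    fax mail centre should chase up regardless of whether the user is present."""
    return [
        fax_id
        for fax_id, received_at, read in inbox
        if not read and now - received_at > UNREAD_ALERT_AFTER
    ]


if __name__ == "__main__":
    now = datetime(2000, 1, 12, 9, 0)
    print(recipients_for("+49301234501", now))   # deputy stands in for the absent member
    sample_inbox = [("F1", datetime(2000, 1, 12, 3, 0), False),
                    ("F2", datetime(2000, 1, 12, 8, 0), False)]
    print(overdue_unread(sample_inbox, now))     # F1 has been unread for six hours
```

The absence check is evaluated at delivery time, so a fax received during an absence is not left in the absent user's inbox; the unread-age check covers the remaining case of a user who is present but has not collected their faxes.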

7. Logging

Procedures should be defined for dealing with any log data generated. These should specify who is tasked with analysing what logged data and at what intervals (see S 2.64 Checking the log files).

8. Address books

The procedures should also specify which address books are used and who is responsible for maintaining them. Many fax server applications provide facilities for creating address books both for individual users and for use throughout the organisation. Moreover, it is often also possible to synchronise fax server address books with distribution lists and address books already available in e-mail systems. Whereas address books which are to be used throughout the organisation should be maintained centrally through the fax mail centre, users must maintain their own address books themselves. Users should also be required to check recipients' call numbers in the case of important fax transmissions (e.g. individual quotations).

9. Use of the fax server

Procedures covering use of the fax server by staff must also be drawn up (see S 3.15 Information on the use of faxes for all employees). Finally, which rights employees may exercise on the fax server must also be specified.

10. Protection of the fax client

Appropriate organisational and technical measures must be taken to ensure that no faxes can be read without authorisation or can be sent either without authorisation or unintentionally. Users must therefore be trained in use of the fax programs and made aware of the potential risks.

Authentication of employees on the fax server is especially important. This can be effected explicitly via a fax client or else by logging on to a directory service, a domain controller (in a Microsoft Windows NT environment) or an e-mail system. Where employees are authenticated to the fax server over a client, if possible the logon password should not be stored on the hard disk as that would invalidate its value as a security mechanism. Anyone who has access to the appropriate fax client can send faxes under another name and read incoming fax transmissions without authorisation. Moreover, employees should be encouraged to log off from the fax server after collecting incoming fax transmissions and sending outgoing faxes. Steps should be taken to ensure that the computer is protected when staff leave their desks, e.g. through the use of password-protected screen savers or some mechanism of the operating system used (see S 4.1 Password protection for IT systems and S 4.2 Screen lock).

11. Repairs and maintenance

There should also be procedures covering repairs and maintenance work performed on the fax server. System administrators must know whom to contact when maintenance work or a repair is necessary. Procedures for handling faulty data media and especially faulty hard disks must also be defined.

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: January 2000