S 2.183 Performing a RAS rgequirements analysis

Initiation responsibility: Head of IT Section, IT Security Management Implementation responsibility: Administrators

Before a system is used for remote access, a requirements analysis should be performed. The aim of the requirements analysis is, firstly, to determine all the operational scenarios likely to occur in the specific case and, secondly, to derive from these the requirements for the hardware and software components that will be needed. If practical scenarios are drawn up and "acted out", any special requirements can be identified, so that any corresponding requirements (critical criteria) as regards the RAS system architecture or the RAS software can be formulated.

The issues to be clarified in the course of the requirements analysis include the following:

• Which users will have RAS access (teleworkers, employees working out in the field, employees on business trips)?

• Are any mobile users to have RAS access?

• For what purpose will RAS access be used in each case (to retrieve information, upload information, use programs)?

• Will the remote users need to access the entire LAN, i.e. all the data and services available there?

• Will special software products need to be accessed remotely?

• Will special protocols need to be used during RAS access?

• From which (remote) locations will remote access be required (national, international)?

• Which telecommunications access technologies may be used (fixed network, mobile phone, Internet)?

The requirements for the planned scenarios should be documented and agreed with network administrators and technical staff. These requirements will then determine how one proceeds from here (architecture, procurement, use).

Additional controls:

• Has a RAS requirements analysis been performed?

• Have all the special requirements which are specific to the local circumstances been captured?

• Has the list of requirements been agreed with the network administrators and technical staff?