S 2.187 Definition of a set of RAS security guidelines

Initiation responsibility: IT Security Management Team

Implementation responsibility: IT Security Management Team, Administrator

As part of the process of planning RAS access to a LAN, it is also necessary to define a set of security guidelines for remote access. The organisation-wide IT security guidelines must be modified and expanded accordingly. The RAS-specific rules must be documented and updated in the event of any changes.

The security rules governing remote access to the local network must be distributed to all users who will be allowed remote access (see also S 2.184 Development of a RAS concept). The rules contained in the security guidelines should cover the following subject matter:

• Which users may access what data?

• Which users may use which applications?

• Which users may access which services and computers?

• Which users may establish a connection, at what times and with which RAS connection?

• Which administrators have which tasks?

• Which authentication mechanisms must be used for access?

• Which access rights are granted to each RAS user?

• Is Write access to data permitted?

• Is only a special data area to be used for Write access (e.g. incoming directory)?

• How are multiple authentication errors handled (e.g. by lengthening time-out, blocking users or blocking RAS access)?

• Under what circumstances can a blocked RAS connection be activated again? What is the organisational sequence of events that this entails?

• Under what circumstances can a RAS connection also be released remotely? What is the organisational sequence of events that this entails?

• What data is logged?

This list of questions must be expanded, modified and made specific so as to take local circumstances into account. This process should entail consideration of the existing security guidelines. The general security requirements must not be undermined by the RAS security guidelines.

Within the framework of the IT security concept, the rules provided in the RAS security guidelines should also specify possible responses to breaches of the rules. Every RAS user must be aware of these.

Additional controls:

• Are all relevant RAS components (client, server, network switching elements) covered in the RAS security guidelines?

• How is compliance with the RAS security guidelines checked?

• Are the RAS security guidelines updated to accommodate changes in the underlying environment?