S 2.218 Procedures regarding the personal transportation of data media and IT components

Initiation responsibility: Agency/company management, Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section, IT Security Management

The IT components which are used on a company's/an agency's premises will normally be adequately protected against misuse and theft through infrastructural security measures. But often IT systems and data media also need to be used outside of the organisation's own premises, e.g. on business trips or by teleworkers. To provide protection in such cases also, there must be clear provisions governing the personal transportation of data media and IT components.

The following must be specified:

• Which IT components and/or data media may be taken off site?

• Who may take IT components and/or data media off site?

• What underlying IT security measures need to be considered here (virus protection, encryption of sensitive data, safekeeping)?

The type and scope of the IT security measures to be used for IT components used externally will depend on the one hand on the protection requirement of the IT applications and data stored on them and on the other hand on the security of the location in which they are used or stored.

As a rule, approval should be sought for all IT components which are to be used externally.

In larger organisations in which access to the premises is controlled by reception staff or security guards, the possibility of instructing them to employ spot checks to check the extent to which the procedures regarding the personal transportation of data media and IT components are being adhered to should be considered.

Outside the organisation's own premises, the users are responsible for protecting the IT assets entrusted to them. They must be informed of this and also of the precautions which they need to take. The following procedures apply:

• IT systems must always be stored safely They should never be left unattended during business trips. In particular, they should not be left in parked vehicles (see also S 1.33 Safe keeping of laptop PCs during mobile use).

• IT systems such as laptops or mobile phones and their applications can generally be protected with PINs or passwords. These mechanisms should be used.

• IT systems or data media which contain sensitive data should if possible be encrypted in their entirety (see also S 4.29 Use of an encryption product for laptop PCs).

• The administration, maintenance and passing on of IT systems used externally should be controlled. Here it is possible, for example, to set up pools (see also S 1.35 Pooled storage of a number of laptop PCs and S 2.190 Setting up a mobile phone pool).

• Records should be kept of when and by whom what IT components have been used off-site.

Additional controls:

• Are there established procedures covering the transportation of IT components of all kinds?

• Are staff who use IT components off-site informed of the procedures which they are expected to observe?

• Are staff who use IT components off-site informed of how they should look after them?