IT Baseline Protection Manual S 4.30 Utilisation of the security functions offered in application programs
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT-user
Several standard products in the PC sector offer a number of useful IT security functions; while these may be of varying quality, they discourage unauthorised persons and/or prevent potential damage. The following is a brief account of five useful functions of this type:
Password protection when calling up a program: the program can only be started if a correct password has been previously entered. This will prevent any unauthorised use of the program.
Protection of access to individual files: the program can only access a protected file if the password associated with that file is entered in its correct form. This will prevent unauthorised access to certain files by means of the program.
Automatic saving of intermediate data: the program will make an automatic backup of intermediate data so that any power failure will only affect those data changes which were made after that automatic backup.
Automatic saving of the precursor file: if a file is saved when a file with the same name exists in the indicated path, the second file will not be deleted but will be labelled differently. In this way, inadvertent deletion of an identically named file will be avoided.
Encryption of data: the program can save a file in an encrypted form so that its unauthorised disclosure can be prevented. Thus, the contents of the file will be available only to those who have the secret key used for that purpose.
Automatic display of macros in data files: this helps to prevent inadvertent execution of macros (macro viruses).
Depending on the software used and the existing additional security functions, it may be advisable to make use of such functions. For IT systems in mobile use, it may be particularly expedient to use password protection during program call-up and automatic backup.
Additional controls:
Which security functions are offered by the software products used?
Which of these functions are being regularly used?
Are the users notified of these functions?
Are the security-relevant instructions in manuals and certification reports adhered to?