S 4.41 Use of a suitable PC security product

Initiation responsibility: Head of IT Section, IT security management, data privacy officer, persons responsible for individual IT applications

Implementation responsibility: Procurement department, administrator

Provision of a PC security product must be arranged for the DOS PC with several users. The following minimum functionality may be used as a standard for procuring a product or for reviewing products already in use. The aim of this minimum functionality is to ensure that

• only authorised persons can use the PC,

• the users can only access the data in the way necessary for them to fulfil the task,

• irregularities and attempts at manipulation become apparent.

Recommended minimum functionality for PC security products for use in DOS PC's with several users:

• Identification and authentication of the administrator and the users. Lock-out from the system which can only be reset by the administrator should take place after 3 incorrect attempts at authentication. If a password is used, it should have at least six characters and should be stored in the system in encrypted form.

• Administration and monitoring of rights on hard disks and files where there should at least be differentiation between read and write access.

• Role separation between administrator and user. The administrator alone may assign or withdraw rights.

• Logging of logging-on, logging-off and infringement of rights procedures should be possible.

• No system access at operating system level (DOS) must be possible for users.

• Screen lock following inactivity of the keyboard or mouse for some time and re-activating by means of identification and authentication.

• Boot protection should make it impossible to be able to boot up the PC from floppy disk without authorisation.

Sensible minimum evaluation depth and minimum strength of mechanisms for certificates in accordance with ITSEC: E2, medium.

Additional requirements of the PC security product:

• User-friendly surface to increase acceptance.

• Informative and comprehensible documentation for administrator and user.

Desirable additional functionality of the PC security product:

• Role separation between administrator, reviser and user; only the administrator may assign or withdraw rights and only the reviser has access to the protocol data,

• Logging of administration activities,

• Support of protocol evaluation by means of configurable filter functions,

• Encryption of data stocks with an appropriate encryption algorithm and in such a manner that loss of data is prevented by the system in the event of malfunctions (power failure, termination of a procedure).

Implementation of this functionality may be effected in both hardware and software. Safeguard S 2.66 Consideration of the Contribution of Certification to Procurement should be taken into account when procuring a new product.

An encryption product may be utilised as a temporary solution if it is not possible to purchase or implement the use of such a PC security product at short notice. When work commences, every user must use this product to decrypt the data allocated to him and must encrypt it when work ends. This makes it possible to ensure that confidentiality of the data is maintained but does not prevent encrypted data from being manipulated. Manipulation of the data is generally identified on decrypting as the result is data which does not make sense.

For use on stationary and portable PCs, BSI can, under certain basic prerequisites, provide public agencies with an offline encryption program meeting medium-level protection requirements (see appendix auxiliary materials).