S 4.63 Security-related requirements for telecommuting computers

Initiation responsibility: Agency/company management; IT Security Management

Implementation responsibility: Head of IT Section, Administrator

The security-related requirements for telecommuting computers depend on the degree of protection needed for data at remote workstations and the nature of the data which telecommuters can access from the telecommuting computer of the institution. The higher the required degree of protection, the greater the number of security measures entailed. General security objectives for telecommuting computers include the following:

• Telecommuting computers must only be used by authorised persons.

This ensures that only authorised persons can use data and programs which are stored on the remote workstation or accessible via the communications computer at the institution. Authorised persons include administrators of telecommuting computers, telecommuters and their stand-ins.

• Telecommuting computers must only be used for authorised purposes.

This helps prevent telecommuters from using or modifying IT for unauthorised purposes, thus avoiding misuse and damage caused by improper handling.

• Damage caused by theft or malfunctioning of a telecommuting computer must remain within tolerable limits.

Telecommuting workstations are usually installed in an insecure environment, thus exposed to the danger of theft. In the event of a theft, the availability and, possibly, the confidentiality of the data stored on the stolen computer are impaired. The potential damage arising here should be minimised.

• Attempted or successful manipulation of remote workstations should be clearly recognisable for telecommuters.

This ensures that remote workstations remain in an integral state even if attempts at manipulation cannot be precluded.

The following functions are useful for remote workstations:

• Telecommuting workstations must have an identification and authentication mechanism. The following conditions must be met, in particular:

• Critical security-related parameters such as passwords, user IDs etc. are managed reliably. Passwords are never stored in unencrypted form on telecommuting workstations.

• Access mechanisms respond to incorrect entries in a defined manner. For example, if an incorrect attempt at authentication is made three times in a row, access to the remote workstation is denied, or the time intervals at which subsequent attempts at authentication are allowed become progressively longer.

• Certain minimum values can be specified for security-related parameters. For example, passwords should have a minimum length of six characters.

• After the mouse or keyboard has remained inactive for a certain period of time, a screen saver is activated automatically. This screen saver can only be deactivated following renewed identification and authentication.

• Telecommuting workstations must have an access control mechanism. The following conditions must be met, in particular:

• Telecommuting workstations can distinguish between different types of users. It is possible to configure at least two separate roles on a telecommuting workstation, namely, administrator and user.

• Access to files and programs can be regulated using differentiated allocation of rights (read, write, execute, ...).

• If a telecommuting computer is to be equipped with a logging mechanism, the following features might be advisable:

• It should be possible to parametrise the minimum logging scope of the telecommuting computer. For example, the following actions and errors should be included in logs:

• For authentication: User ID, date and time, success, ...

• Implementation of administrative activities

• Unauthorised persons must neither be able to deactivate the logging function, nor should they be able to read or edit the actual logs.

• Logs must be clear, complete and correct.

• If a telecommuting computer is to be equipped with a log evaluation function, the following features might be advisable:

• An evaluation function must be able to distinguish between the various data types contained in a log (e.g. "filtration of all unauthorised attempts at accessing any resource over a specified time period").

• Telecommuting computers should be equipped with data backup functions. At least the following requirements must be met by these functions:

• The data backup program is user-friendly and fast, allowing automatic execution.

• Specifications can be made as to which data should be backed up when.

• An option for loading any required data backup is available.

• It is possible to backup several generations.

• It is possible to backup instantaneous data at specified intervals while an application is being run.

• If the telecommuting computer is to be equipped with an encryption component, the required functionality must first be determined: Manual encryption of selected data (offline) or automatic encryption of the entire hard disk (online). A prerequisite here is that a suitable encryption algorithm is used and that data lost on the occurrence of a malfunction (power failure, encryption error) can be restored by the system. In addition, the following features are recommended:

• Encrypted algorithms used by government agencies should be approved by the BSI. Individual consultation by the BSI is recommended in this case. Outside government agencies, the DES is suitable for medium security requirements, while the triple DES is suitable for high security requirements.

• Key management must be harmonious with the functionality of the telecommuting computer. In particular, fundamental differences between algorithms must be considered here: Symmetric techniques use a confidential key for encrypting and decrypting; asymmetric techniques use a public key for encrypting and a private (confidential) key for decrypting.

• The telecommuting computer must safely manage critical security parameters such as keys. These keys (including ones which are no longer in use) must never be stored on the telecommuting computer in an unprotected - i.e. readable - form.

• If a telecommuting computer is to be equipped with an integrity checking mechanism, the following features are advisable:

• Integrity checking procedures should be used which can reliably detect intentional manipulation of IT and data on the telecommuting computer, as well as unauthorised installation of programs.

• Mechanisms should be used which can detect intentional manipulation of address fields and payload data during data transmission. Mere identification of the employed algorithms without the need for certain additional details should not suffice to perform secret manipulation of the above-mentioned data.

• Telecommuting computers should be equipped with a boot protection mechanism which prevents unauthorised booting from exchangeable data media such as floppy disks and CDs.

• It should be possible to restrict the user environment on a telecommuting computer. Administrators should be able to specify the programs and peripheral devices which telecommuters can use, as well as the modifications which telecommuters can perform on the system. In addition, telecommuters should be prevented firstly from making unauthorised changes to settings required for reliable operation, and secondly from installing unauthorised extraneous software.

• A virus scanning program must be installed on telecommuting workstations to perform regular checks for computer viruses. A virus check should be performed each time before data are copied from exchangeable data media, data media are transferred, or data are transmitted and received. As data exchange between telecommuting computers and external systems plays a significant role and individual checks prove very elaborate and time-consuming so that they are often skipped, all telecommuting computers should be equipped with a virus scanner, preferably resident in the memory.

• If a telecommuting computer is to be administered remotely, only authorised persons must be allowed to perform this remote administration. The process of remote administration must include authentication of the remote administration personnel, encryption of the transferred data, and logging of the administrative routines.

• The software on a telecommuting computer must be user-friendly. It should be simple to operate, comprehensible and easy to learn, as telecommuters require a greater degree of self-reliance than their colleagues. In particular, users should be provided with pertinent and intelligible documentation of the operating system and all the installed programs.

From the above-mentioned functions, those which fulfil the security requirements applicable in each case to telecommuting computers should be selected. A suitable operating system must then be chosen as a platform for these functions. If the operating system does not support all the functions, additional products need to be installed. If possible, all the telecommuting computers of an institution should be equipped identically in order to facilitate their care and maintenance. For security-related compatibility checks, refer to Chapter 9.1.

The whole system is to be configured by administrators such that a maximum level of security is achieved.

Additional controls:

• Does the operating system selected for the telecommuting computer provide the required functionality? Are additional security products needed?

• Which of the additionally recommended safeguards have been implemented?

• Do telecommuters accept the implemented security measures?