IT Baseline Protection Manual - Chapter 5.99 Stand-alone IT systems

5.99 Stand-alone IT systems

Description

Here, an IT system is considered which is not linked with any other IT system. It can be based on any operating system, run on any platform, and consist of a PC with or without a hard disk, Unix workstation or Apple Macintosh. The IT system can possess floppy disks and CD drives, a hard disk, a mouse and other peripheral components. If a printer is required, it is connected directly to the system. A graphic user interface can also be employed here.

This chapter provides an overview of the threats and IT security measures typical of stand-alone IT systems. The overview applies, in general, to all operating systems. For more detailed information, refer to additional chapters of the IT Baseline Protection Manual (e.g. Chapter 5.2 Stand-alone Unix system).

Threat Scenario

The following typical threats are assumed as regards IT baseline protection of a stand-alone IT system:

Force Majeure:

T 1.1 Loss of personnel
T 1.2 Failure of the IT system
T 1.4 Fire
T 1.5 Water
T 1.8 Dust, soiling

Organisational Shortcomings:

T 2.1 Lack of, or insufficient, rules
T 2.7 Unauthorised use of rights
T 2.9 Poor adjustment to changes in the use of IT

Human Failure:

T 3.2 Negligent destroying of equipment or data
T 3.3 Non-compliance with IT security measures
T 3.6 Hazards posed by cleaning staff or outside staff
T 3.8 Improper use of the IT system
T 3.9 Improper IT system administration
T 3.16 Incorrect administration of site and data access rights

Technical Failure:

T 4.1 Disruption of power supply
T 4.7 Defective data media

Deliberate Acts:

T 5.1 Manipulation/destruction of IT equipment or accessories
T 5.2 Manipulation of data or software
T 5.4 Theft
T 5.9 Unauthorised use of IT systems
T 5.23 Computer viruses
T 5.43 Macro viruses

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.

The safeguard package for "Stand-alone IT systems" is described in the following. The safeguards can be subdivided as

Basic safeguards
Safeguards for multi-user operation

Depending on the operating system in use, this module might need to be supplemented with additional safeguards.

The following basic safeguards need to be implemented:

Infrastructure:

S 1.29 (3) Adequate siting of an IT system (optional)

Organisation:

S 2.3 (2) Data media control
S 2.4 (2) Maintenance/repair regulations
S 2.9 (3) Ban on using non-approved software
S 2.10 (2) Survey of the software held
S 2.13 (2) Correct disposal of resources requiring protection
S 2.22 (2) Escrow of passwords
S 2.23 (3) Issue of PC Use guidelines (optional)
S 2.24 (3) Introduction of a PC Checklist booklet (optional)

Personnel:

S 3.4 (1) Training before actual use of a program
S 3.5 (1) Education on IT security measures

Hardware/Software:

S 4.1 (1) Password protection for IT systems
S 4.2 (1) Screen lock
S 4.3 (2) Periodic runs of a virus detection program
S 4.4 (2) Locking of floppy-disk drive slots (optional)
S 4.30 (2) Utilisation of the security functions offered in application programs (optional)
S 4.44 (2) Checking of incoming data for macro viruses
S 4.84 (1) Use of BIOS security mechanisms

Contingency Planning:

S 6.20 (2) Appropriate storage of backup data media
S 6.21 (3) Backup copy of the software used
S 6.22 (2) Sporadic checks of the restorability of backups
S 6.23 (2) Procedure in case of computer virus infection
S 6.24 (3) PC emergency floppy disk
S 6.27 (3) Backup of the CMOS RAM (in the case of PCs)
S 6.32 (1) Regular data backup

If an IT system is to be used by several persons, then administration of the computer and distinction between users are absolutely necessary. In this case, the following safeguards and threats are to be considered additionally for multi-user operation: