S 2 Safeguard Catalogue - Organisation

S 2.1 Specification of responsibilities and of requirements for the use of IT
S 2.2 Resource management
S 2.3 Data media control
S 2.4 Maintenance/repair regulations
S 2.5 Division of responsibilities and separation of functions
S 2.6 Granting of site access authorisations
S 2.7 Granting of (system/network) access privileges
S 2.8 Granting of (application/data) access permissions
S 2.9 Ban on using non-approved software
S 2.10 Survey of the software held
S 2.11 Provisions governing the use of passwords
S 2.12 Services and counselling for IT users
S 2.13 Correct disposal of resources requiring protection
S 2.14 Key management
S 2.15 Fire safety inspection
S 2.16 Supervising or escorting outside staff/visitors
S 2.17 Entry regulations and controls
S 2.18 Inspection rounds
S 2.19 Neutral documentation in distributors
S 2.20 Monitoring of existing connections
S 2.21 Ban on smoking
S 2.22 Escrow of passwords
S 2.23 Issue of PC Use Guidelines
S 2.24 Introduction of a PC Checklist Booklet
S 2.25 Documentation on the system configuration
S 2.26 Designation of an administrator and his deputy
S 2.27 Dispensing with remote maintenance of the PBX
S 2.28 Availability of external telecommunications advisory services
S 2.29 PBX operating instructions for users
S 2.30 Provisions governing the designation of users and of user groups
S 2.31 Documentation on authorised users and on rights profiles
S 2.32 Establishment of a restricted user environment
S 2.33 Division of administrator roles under Unix
S 2.34 Documentation on changes made to an existing IT system
S 2.35 Obtaining information on security weaknesses of the system
S 2.36 Orderly issue and retrieval of a portable (laptop) PC
S 2.37 Clean desk policy
S 2.38 Division of administrator roles in PC networks
S 2.39 Response to violations of security policies
S 2.40 Timely involvement of the staff/factory council
S 2.41 Employees' commitment to data backup
S 2.42 Determination of potential communications partners
S 2.43 Adequate labelling of data media for dispatch
S 2.44 Secure packaging of data media
S 2.45 Controlling the exchange of data media
S 2.46 Appropriate key management
S 2.47 Designating a person in charge of the fax system
S 2.48 Designating authorised fax operators
S 2.49 Procurement of suitable fax machines
S 2.50 Appropriate disposal of consumable fax accessories and spare parts
S 2.51 Producing copies of incoming fax messages
S 2.52 Supply and monitoring of consumable fax accessories
S 2.53 Deactivation of fax machines after office hours
S 2.54 Procurement/selection of suitable answering machines
S 2.55 Use of a security code
S 2.56 Avoidance of confidential information on answering machines
S 2.57 Regular playback and deletion of recorded messages
S 2.58 Limitation of message time
S 2.59 Procurement of a suitable modem
S 2.60 Secure administration of a modem
S 2.61 Requirements document for modem usage
S 2.62 Software acceptance and approval procedure
S 2.63 Establishing Access Rights
S 2.64 Checking the log files
S 2.65 Checking the efficiency of user separation on an IT system
S 2.66 The importance of certification for procurement
S 2.67 Defining a security strategy for peer-to-peer networks
S 2.68 Implementation of security checks by the peer-to-peer network users
S 2.69 Establishing standard workstations
S 2.70 Developing a firewall concept
S 2.71 Establishing a security policy for a firewall
S 2.72 Requirements on a firewall
S 2.73 Selecting a suitable firewall
S 2.74 Selection of a suitable packet filter
S 2.75 Selection of a suitable application gateway
S 2.76 Selection and implementation of suitable filter rules
S 2.77 Secure configuration of other components
S 2.78 Secure operation of a firewall
S 2.79 Determining responsibilities in the area of standard software
S 2.80 Drawing up a requirements catalogue for standard software
S 2.81 Preselection of a suitable standard software product
S 2.82 Developing a test plan for standard software
S 2.83 Testing standard software
S 2.84 Deciding on and developing the installation instructions for standard software
S 2.85 Approval of standard software
S 2.86 Guaranteeing the integrity of standard software
S 2.87 Installation and configuration of standard software
S 2.88 Licence management and version control of standard software
S 2.89 De-installation of standard software
S 2.90 Checking delivery
S 2.91 Determining a security strategy for the Windows NT client-server network
S 2.92 Performing security checks in the Windows NT client-server network
S 2.93 Planning of a Windows NT network
S 2.94 Sharing of directories under Windows NT
S 2.95 Obtaining suitable protective cabinets
S 2.96 Locking of protective cabinets
S 2.97 Correct procedure for code locks
S 2.98 Secure installation of Novell Netware servers
S 2.99 Secure set-up of Novell Netware servers
S 2.100 Secure operation of Novell Netware servers
S 2.101 Revision of Novell Netware servers
S 2.102 Relinquishing activation of the remote console
S 2.103 Setting up user profiles under Windows 95
S 2.104 System guidelines for restricting usage of Windows 95
S 2.105 Obtaining PBX-annexes
S 2.106 Purchase of suitable ISDN cards
S 2.107 Documentation of the configuration of ISDN cards
S 2.108 Relinquishment of remote maintenance of ISDN gateways
S 2.109 Assigning rights for remote access
S 2.110 Data privacy guidelines for logging procedures
S 2.111 Keeping manuals at hand
S 2.112 Regulation of the transport of files and data media between home workstations and institutions
S 2.113 Requirements documents concerning telecommuting
S 2.114 Flow of information between the telecommuter and the institution
S 2.115 Care and maintenance of workstations for telecommuting
S 2.116 Regulated use of communications facilities
S 2.117 Regulation of access by telecommuters
S 2.118 Determination of a security policy for the use of e-mail
S 2.119 Regulations concerning the use of e-mail services
S 2.120 Configuration of a mail centre
S 2.121 Regular deletion of e-mails
S 2.122 Standard e-mail addresses
S 2.123 Selection of a mail provider
S 2.124 Selection of suitable database software
S 2.125 Installation and configuration of a database
S 2.126 Creation of a database security concept
S 2.127 Inference prevention
S 2.128 Controlling access to a database system
S 2.129 Controlling access to database information
S 2.130 Ensuring the integrity of a database
S 2.131 Separation of administrative tasks for database systems
S 2.132 Provisions for configuring database users / user groups
S 2.133 Checking the log files of a database system
S 2.134 Guidelines for database queries
S 2.135 Secure transfer of data to a database
S 2.136 Observance of rules concerning workstations and working environments
S 2.137 Procurement of a suitable data backup system
S 2.138 Structured data storage
S 2.139 Survey of the existing network environment
S 2.140 Analysis of the existing network environment
S 2.141 Development of a network concept
S 2.142 Development of a network realisation plan
S 2.143 Development of a network management concept
S 2.144 Selection of a suitable network management protocol
S 2.145 Requirements for a network management tool
S 2.146 Secure operation of a network management system
S 2.147 Secure migration of Novell Netware 3.x servers to Novell Netware 4.x networks
S 2.148 Secure configuration of Novell Netware 4.x networks
S 2.149 Secure operation of Novell Netware 4.x networks
S 2.150 Auditing of Novell Netware 4.x networks
S 2.151 Design of an NDS concept
S 2.152 Design of a time synchronisation concept
S 2.153 Documentation of Novell Netware 4.x networks
S 2.154 Creation of a computer virus protection concept
S 2.155 Identification of IT systems potentially threatened by computer viruses
S 2.156 Selection of a suitable computer virus protection strategy
S 2.157 Selection of a suitable computer virus scanning program
S 2.158 Reporting computer virus infections
S 2.159 Updating the computer virus scanning programs used
S 2.160 Regulations on computer virus protection
S 2.161 Development of a cryptographic concept
S 2.162 Determining the need to use cryptographic procedures and products
S 2.163 Determining the factors influencing cryptographic procedures and products
S 2.164 Selection of a suitable cryptographic procedure
S 2.165 Selection of a suitable cryptographic product
S 2.166 Provisions governing the use of crypto modules
S 2.167 Secure deletion of data media
S 2.168 IT system analysis before the introduction of a system management system
S 2.169 Developing a system management strategy
S 2.170 Requirements to be met by a system management system
S 2.171 Selection of a suitable system management product
S 2.172 Developing a concept for using the WWW
S 2.173 Determining a WWW security strategy
S 2.174 Secure operation of a WWW server
S 2.175 Setting up a WWW server
S 2.176 Selection of a suitable Internet service provider
S 2.177 Security during relocation
S 2.178 Stipulating a set of security guidelines for the use of faxes
S 2.179 Procedures controlling the use of fax servers
S 2.180 Setting up a fax mail centre
S 2.181 Selection of a suitable fax server
S 2.182 Regular revision of IT security measures
S 2.183 Performing a RAS requirements analysis
S 2.184 Development of a RAS concept
S 2.185 Selection of a suitable RAS system architecture
S 2.186 Selection of a suitable RAS product
S 2.187 Definition of a set of RAS security guidelines
S 2.188 Security guidelines and rules for the use of mobile phones
S 2.189 Blocking of the mobile phone in the event of its loss
S 2.190 Setting up a mobile phone pool
S 2.191 Establishment of the IT security process
S 2.192 Drawing up an Information Security Policy
S 2.193 Establishment of a suitable organisational structure for IT security
S 2.194 Drawing up a schedule of existing IT systems
S 2.195 Drawing up an IT security concept
S 2.196 Implementation of the IT security concept in accordance with an implementation plan
S 2.197 Drawing up a training concept for IT security
S 2.198 Making staff aware of IT security issues
S 2.199 Maintenance of IT security
S 2.200 Preparation of management reports on IT security
S 2.201 Documentation of the IT security process
S 2.202 Preparation of an IT Security Organisational Manual
S 2.203 Establishment of a pool of information on IT security
S 2.204 Prevention of insecure network access
S 2.205 Transmission and retrieval of person-related data

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update: October 2000