Measures for setting up and configuring clients (for DP coordinators)

If the data of this unit is worth preserving or if data is stored locally at all, a backup must be set up. This can be done in various ways

What would be the consequences if the data from this device were to fall into someone else’s hands and what measures can I take to prevent this?

Such a “backup” is at best the making of a backup copy (at an undefined point in time in an undefined state!) – in particular there is no defined recovery, no versioning, no protection against catastrophic events

Backup to an own NAS via push backup (client initiates the backup): this backup level is also only gradually better, as a NAS drive typically also remains permanently connected as a network drive and can then also be attacked by viruses, ransomware etc. or the infected or forcibly encrypted files are then pushed into the backup. If the NAS is physically located in another room or building, this variant at least offers protection against theft, fire and water penetration.

Local backup solution (pull principle from the backup server): the operation of a local backup/restore solution (with whatever media, tape drives or similar) is a safe alternative, provided the backup is set up according to the state of the art (e.g. several versions, restore tests, …) but requires management of the backup media and also regulated external storage; in addition, this solution is comparatively expensive.

Use of the central backup according to item 3103 of the GITZ service catalogue: for institutes and facilities, the safest and most convenient solution of an orderly and available backup.

In all cases, care must be taken not only to ensure an orderly and regular backup, but also to repeatedly check and practice that a restore of the data also functions smoothly. The responsible DP coordinator is responsible for deciding which backup solution is appropriate for the individual case.

Of course, the end devices must be sufficiently protected against viruses and malware. The products and signature databases used must be updated regularly, signature databases daily (or more often if the provider provides more frequent updates).

It is recommended to store important data in encrypted form, in particular notebooks should be encrypted with Bitlocker, for example. Furthermore, if the use of personal devices such as smartphones is permitted for official purposes, official data should also be stored encrypted on these devices, if they are stored there at all. Of course, this also applies to official e-mails and their attachments. It is safer not to store any official data there and at best to use browser online access.

See the corresponding recommendations on encryption.

For end devices without special software, it is recommended to have the security updates offered by the operating system manufacturer installed fully automatically. In cases where this does not make sense (special software, server, no permanent network connection, …), the administrator must do this manually as soon as the updates appear.

Furthermore, it is strongly recommended that all other updates for the operating system and application software be installed as soon as possible, if necessary after checking the functionality. Technical attacks often exploit outdated functions and versions of various application software; the general risk is reduced by keeping the software as up-to-date as possible.

Even if it is more convenient for the user to simply have “everything” installed on the terminal, it is still recommended to initially install only a basic set of required programmes and to install further software only if required.

If it is possible to define a “standard computer”, the use of a “customised” installation (e.g. via installation image or also script, depending on the operating system) simplifies the installation and at the same time ensures a defined initial security level.

In addition, all services that are not required and can be reached from outside should be switched off. What is not accessible cannot be hacked.

From an IT security point of view, it is strongly recommended to only use the cloud services offered by the GITZ or, if applicable, those operated by the institute or institution itself, and under no circumstances to use “public” services such as Google Drive, OneDrive, DropBox, Amazon Cloud etc.

The GITZ offers items 3104 (Cloud Storage), 4201 (Groupware), 3102 (File Services), 4205 (Web Server), 4207 (Web Hosting) in its service catalogue.

Only those user accounts should be set up that are actually needed. Regular work with administrator or root rights should be avoided; this should only be done when necessary.

It should be ensured that a screen lock (with password or other protection) is set up. Depending on the intended use, it may be useful to have the screen lock automatically after a certain time.

For more information, see:

http://blogs.tu-braunschweig.de/it/empfehlung-zur-einrichtung-und-konfiguration-von-clients-fuer-dv-koordinierende/