APP.1.1 Office Products
Description
Introduction
The group of office products primarily comprises applications used to create, edit, or view documents. These include the free application LibreOffice and the proprietary application Microsoft Office, which are used in many institutions. Office products are part of the essential IT equipment for most institutions. They include programs for word processing, spreadsheet calculations, and the creation of presentations, as well as drawing programs and simple database systems.
Objective
The objective of this building block is to protect the information processed and used by office products. To this end, specific requirements are placed on the functionality of the components of office products. The building block identifies requirements that SHOULD be met to protect office products against specific threats.
Scope and Modeling
The building block APP.1.1 Office Products is to be applied to every office product that is locally installed and used to view, edit, or create documents, with the exception of email applications.
This building block examines the use of office products from the perspective of IT Operations and provides guidance for Users on how office products SHOULD be used. In addition to the requirements of this building block, the requirements of the superordinate building block APP.6 General Software MUST be implemented. Email applications are not covered by this building block; the corresponding requirements are found in the building block APP.5.3 General Email Client and Server. When using integrated database systems such as Base in LibreOffice or Access in Microsoft Office, the building block APP.4.3 Relational Databases must be taken into account. Also excluded from this building block are pure cloud office applications such as Google Workspace with applications like Docs or Sheets. Requirements for cloud applications are set out in the building block OPS.2.2 Cloud Usage.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used as the basis for describing the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block APP.1.1 Office Products.
Insufficient Adaptation of Office Products to the Institution’s Needs
If office products are procured or adapted without considering the requirements for this software, operations can be significantly disrupted. For example, existing templates and documents may not be compatible, or the software may not be interoperable with applications used by business partners. If office products are not adapted to the institution’s needs, this can lead to performance losses, disruptions, or errors within business processes.
Malicious Content in Office Documents
Office documents can generally contain various kinds of so-called “active content,” such as macros, which are sometimes used for complex automation. However, active content can also contain malicious code that is executed when the document is opened. Such malicious functions in office documents can manipulate the affected documents themselves, as well as other data and programs. In addition, the malicious code can spread further. This can disrupt or block all affected business processes of the institution. In the worst case, the manipulation goes undetected and leads to security vulnerabilities and the processing of falsified information.
Loss of Integrity of Office Documents
The integrity of office documents can be compromised if content is changed unintentionally or deliberately. Through careless handling of office products or through Users’ lack of knowledge in dealing with office documents, documents can be changed without being noticed. This is particularly problematic when it concerns documents used in production. If work continues with documents that have been unknowingly falsified, incorrect decisions may be made, or reputational damage may result for the institution.
Requirements
The following are the specific requirements of the building block APP.1.1 Office Products. The Information Security Officer (ISO) must always be involved in strategic decisions. The ISO is also responsible for ensuring that all requirements are met and verified in accordance with the established security concept.
Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is meaningful and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Users |
Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many people SHOULD fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
APP.1.1.A1 DISCONTINUED (B)
This requirement has been discontinued.
APP.1.1.A2 Restricting Active Content (B)
The function that causes embedded active content to run automatically MUST be disabled. If it is nevertheless necessary to execute active content, care MUST be taken to ensure that active content is only executed if it comes from trustworthy sources. All Users MUST be instructed regarding the functions that restrict active content.
APP.1.1.A3 Secure Opening of Documents from External Sources (B) [Users]
All documents obtained from external sources MUST be checked for malicious software before they are opened. All file formats classified as problematic and all file formats not required within the institution MUST be prohibited. If possible, they SHOULD be blocked. Technical measures SHOULD be used to enforce that documents from external sources are checked.
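One way to technically enforce the format restrictions of APP.1.1.A3 at a mail gateway or upload point is sketched below as an added example; it is not part of the building block, and it complements a malware scanner rather than replacing one. The allow-list, the marker list, and the names `check_inbound` and `make_package` are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePath

# Assumed institutional policy, constructed for this example.
ALLOWED_EXT = {".docx", ".xlsx", ".pptx", ".odt", ".ods", ".odp", ".pdf"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
# Package members that indicate active content in OOXML or ODF files.
ACTIVE_MARKERS = ("vbaproject.bin", "activex/", "basic/", "scripts/")


def check_inbound(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return ("allow" | "quarantine" | "block", reasons) for one external file."""
    ext = PurePath(filename).suffix.lower()
    if ext not in ALLOWED_EXT:
        return "block", [f"file format {ext or '(none)'} is not on the allow-list"]
    reasons = []
    if data.startswith(OLE2_MAGIC):
        # The extension claims a modern format, the content is a legacy binary container.
        reasons.append("OLE2 container behind an allowed extension")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            for name in pkg.namelist():
                if any(marker in name.lower() for marker in ACTIVE_MARKERS):
                    reasons.append(f"active content: {name}")
    elif ext != ".pdf":
        reasons.append("content is not a ZIP package as the extension implies")
    return ("quarantine" if reasons else "allow"), reasons


def make_package(members: dict[str, bytes]) -> bytes:
    """Build a constructed ZIP-based office package in memory (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, body in members.items():
            pkg.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a macro project hidden behind a macro-free extension.
    macro_doc = make_package({"word/document.xml": b"<doc/>", "word/vbaProject.bin": b"\x00"})
    print(check_inbound("invoice.docx", macro_doc))
```

Files that are quarantined still go to the malware scanner and, if released, are opened only in protected mode.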
APP.1.1.A4 DISCONTINUED (B)
This requirement has been discontinued.
APP.1.1.A17 Raising Awareness of Specific Office Properties (B)
All Users MUST be appropriately made aware of the threats posed by active content in office files. Users MUST be appropriately sensitized regarding the handling of documents from external sources.
Users SHOULD be informed about the possibilities and limitations of the security functions of the software in use and of the storage formats used. Users SHOULD be shown how they can use features to protect documents against subsequent modification and editing.
Users SHOULD be sensitized to the use of encryption functions in office products.
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.
APP.1.1.A5 DISCONTINUED (S)
This requirement has been discontinued.
APP.1.1.A6 Testing New Versions of Office Products (S)
New versions of office products SHOULD be checked for compatibility with established working tools such as macros, document templates, or forms of the institution before they are used in production (see also OPS.1.1.6 Software Tests and Approvals). It SHOULD be ensured that important working tools also function correctly with the new software version. When incompatibilities are discovered, suitable solutions SHOULD be found for the affected working tools.
APP.1.1.A7 DISCONTINUED (S)
This requirement has been discontinued.
APP.1.1.A8 DISCONTINUED (S)
This requirement has been discontinued.
APP.1.1.A9 DISCONTINUED (S)
This requirement has been discontinued.
APP.1.1.A10 Regulating Software Development by End Users (S)
Binding rules SHOULD be established for software development based on office applications, e.g., using macros (see also APP.1.1.A2 Restricting Active Content). First of all, each institution SHOULD make a fundamental decision as to whether such in-house developments are desired at all. The decision SHOULD be documented in the relevant security policies. If in-house developments are permitted, a procedure SHOULD be created for how end users SHOULD handle the corresponding functions of the office products. Responsibilities SHOULD be clearly defined. All necessary information about the applications created SHOULD be adequately documented. Current versions of the rules SHOULD be made accessible to all affected Users promptly and SHOULD be observed by them.
APP.1.1.A11 Regulated Use of Extensions for Office Products (S)
All extensions to office products, such as add-ons and extensions, SHOULD be tested before production use in the same way as new versions. Testing SHOULD be conducted exclusively on isolated test systems. The tests SHOULD check whether extensions have negative effects on the office products and the running IT systems. The tests of the extensions used SHOULD follow a defined test plan. This test plan SHOULD be designed so that third parties can understand the procedure.
APP.1.1.A12 Refraining from Cloud Storage (S) [Users]
The functions for cloud storage integrated in some office products SHOULD generally be disabled. All cloud drives SHOULD be disabled. All documents SHOULD be saved by Users on centrally managed file servers of the institution. To share documents with third parties, specialized applications SHOULD be used. These applications SHOULD, at a minimum, provide encrypted data storage and transmission as well as a suitable system for account and rights management.
APP.1.1.A13 Using Viewer Functions (S) [Users]
Data from potentially insecure sources SHOULD automatically be opened in a protected mode. Users SHOULD NOT be able to disable this function. A list of trustworthy sources SHOULD be defined, from which content can be opened and edited directly.
In the protected mode, data SHOULD NOT be directly editable. Active content, such as macros and scripts, SHOULD NOT automatically run in protected mode. Only general navigation SHOULD be possible. If documents are only to be viewed, corresponding viewer applications SHOULD be used if these are available.
APP.1.1.A14 Protection Against Subsequent Modification of Documents (S) [Users]
Depending on the intended use of documents, documents SHOULD be appropriately protected against subsequent modification.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered when there is a high protection need. The specific determination takes place in the context of an individual risk analysis.
APP.1.1.A15 Use of Encryption and Digital Signatures (H)
Data with high protection needs SHOULD only be stored or transmitted in encrypted form. Before an encryption method integrated in an office product is used, it SHOULD be checked whether it provides adequate protection. In addition, a procedure SHOULD be used that allows macros and documents to be digitally signed.
APP.1.1.A16 Integrity Checking of Documents (H)
If data with a high protection need is stored or transmitted, suitable integrity-checking procedures SHOULD be used. If data is to be protected from manipulation, cryptographic procedures SHOULD also be used.
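The difference between the two sentences of APP.1.1.A16 is shown in the following added example, which is not part of the building block: plain digests detect accidental changes, but anyone who can alter a document can also recompute its digest, so the digest record itself is authenticated with a keyed MAC. HMAC-SHA-256 is used here as one possible cryptographic procedure; the function names and the assumption that the key is stored separately from the documents are illustrative.

```python
import hashlib
import hmac
import json


def build_manifest(docs: dict[str, bytes], key: bytes) -> dict:
    """Record a SHA-256 digest per document and authenticate the record with HMAC."""
    digests = {name: hashlib.sha256(body).hexdigest() for name, body in sorted(docs.items())}
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "tag": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_manifest(docs: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Return findings; an empty list means documents and manifest are unchanged."""
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        # Without a valid tag the stored digests may have been rewritten too.
        return ["manifest tag invalid: digests cannot be trusted"]
    findings = []
    for name, digest in manifest["digests"].items():
        if name not in docs:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(docs[name]).hexdigest(), digest):
            findings.append(f"modified: {name}")
    findings += [f"unlisted: {n}" for n in sorted(docs) if n not in manifest["digests"]]
    return findings


if __name__ == "__main__":
    key = b"k" * 32  # constructed key; assumed to be kept away from the file share
    docs = {"offer.odt": b"price: 100", "terms.docx": b"v1"}  # constructed sample
    manifest = build_manifest(docs, key)
    docs["offer.odt"] = b"price: 900"
    print(verify_manifest(docs, manifest, key))
```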
Additional Information
Good to Know
The BSI has published the following documents on the secure configuration of office products in its “BSI Publications on Cyber Security”:
- BSI-CS 135: Secure configuration of Microsoft Office 2013/2016/2019
- BSI-CS 136: Secure configuration of Microsoft Excel 2013/2016/2019
- BSI-CS 137: Secure configuration of Microsoft PowerPoint 2013/2016/2019
- BSI-CS 138: Secure configuration of Microsoft Word 2013/2016/2019
- BSI-CS 139: Secure configuration of Microsoft Outlook 2013/2016/2019
- BSI-CS 140: Secure configuration of Microsoft Access 2013/2016/2019
- BSI-CS 141: Secure configuration of Microsoft Visio 2013/2016/2019
- BSI-CS 146: Secure configuration of LibreOffice - Recommendations for companies with a managed environment
- BSI-CS 147: Secure configuration of LibreOffice - Recommendations for private users and small companies
The International Organization for Standardization (ISO) provides specifications in the standard ISO/IEC 27001:2013, Annex A, A.9.4 System and application access control and A.12.5 Control of operational software, that apply to the operation of office products.