CON.9 Information Exchange
Description
Introduction
Information is transmitted between senders and recipients via different communication channels, such as personal conversations, telephone calls, postal mail, removable media or data networks. Rules for information exchange ensure that confidential information is only passed on to authorised persons. Such rules are particularly necessary when information is transmitted via external data networks.
Objective
The objective of this building block is to secure information exchange between different communication partners. Using this building block, a concept for secure information exchange can be created.
Scope and Modeling
The building block CON.9 Information Exchange is to be applied once to the entire information network when information is to be exchanged with communication partners who are not part of the information network.
Securing network connections is addressed in other building blocks of the IT-Grundschutz Compendium; see the layer NET Networks and Communications. Requirements for removable media (see building block SYS.4.5 Removable Media) and for further processing in IT systems outside the information network are likewise not covered in this building block.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block CON.9 Information Exchange.
Information Not Available on Time
Information exchange can be disrupted, delayed or interrupted.
Information arrives delayed or incomplete, or is processed too slowly, when the technology used generates transmission errors. In some circumstances, the exchange of information may end completely because interfaces or resources are not powerful enough or fail.
Business processes can be significantly impaired if required deadlines for the delivery of information are not met. In extreme cases, contractually agreed deadlines are breached because a data transmission fails due to technical or human error.
Unregulated Disclosure of Information
Sensitive information may fall into the hands of unauthorised persons.
It cannot be controlled who receives and uses information if, for example, a confidentiality agreement was not concluded before an information exchange. The risk of data misuse is also elevated if the confidentiality agreement is imprecisely or incompletely formulated.
Disclosure of Incorrect or Internal Information
Sensitive information may be sent to unauthorised recipients.
Sensitive information can accidentally fall into the wrong hands if personnel are not adequately sensitised and trained. For example, storage media may be passed on that still contain residual information such as inadequately deleted legacy data. Other residual information includes undeleted internal comments that are accidentally transmitted in an electronic document, e.g. as an email attachment. In other cases, confidential documents may be accidentally sent to the wrong person because clear action guidelines for handling confidential documents are lacking.
Unauthorised Copying or Modification of Information
Information and data can be intercepted or influenced unnoticed through attacks.
In attacks, information can be deliberately stolen if it is not adequately protected. For example, in an attack, a storage medium may be intercepted in the post, or the content of unprotected emails may be read. Furthermore, in attacks, unprotected information can be modified while it is being transmitted, allowing malware to be introduced into files.
Inadequate Application of Encryption Methods
The protection of information during transmission using cryptographic methods can be circumvented by attacks.
If the encryption methods are not applied properly, an attacker who knows the cryptographic method can intercept both the encrypted data and the corresponding key. Employees who have not been adequately trained could, for example, send the key together with the data on the same storage medium. Furthermore, keys that are too easy to guess are often used.
Requirements
The following are the specific requirements of the building block CON.9 Information Exchange. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and reviewed in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. These should be filled to the extent that it is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primary responsibility | Information Security Officer (ISO) |
| Additional responsibilities | Subject Matter Experts, Users, Central Administration |
Exactly one role should bear Primary responsibility. There may also be Additional responsibilities. If one of these additional roles has primary responsibility for fulfilling a specific requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be met as a priority for this building block.
CON.9.A1 Defining Permitted Recipients (B) [Central Administration]
The central administration MUST ensure that the disclosure of information does not violate legal frameworks.
The central administration MUST define who may receive and pass on which information. It MUST be defined through which channels the respective information may be exchanged. All parties involved MUST ensure, before exchanging information, that the receiving party has the necessary authorisations to receive and further process the information.
CON.9.A2 Regulation of Information Exchange (B)
Before information is exchanged, the institution MUST determine how sensitive the information is. It MUST define how the information is to be protected during transmission.
If sensitive data is to be transmitted, the institution MUST inform recipients of how sensitive the information is. If the information is sensitive, the institution MUST advise recipients that they may only use the data for the purpose for which it was transmitted.
CON.9.A3 Briefing of Personnel on Information Exchange (B) [Subject Matter Experts]
Subject Matter Experts MUST inform employees of the framework conditions of each information exchange. Subject Matter Experts MUST ensure that employees know what information they may pass on, to whom, where and how.
Standard Requirements
Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.
CON.9.A4 Agreements on Information Exchange with External Parties (S) [Central Administration]
In the case of regular information exchange with other institutions, the institution SHOULD formally agree on the framework conditions for information exchange. The agreement for information exchange SHOULD contain specifications for the protection of all confidential information.
CON.9.A5 Removal of Residual Information before Disclosure (S) [Users]
In addition to general training measures, the institution SHOULD provide information about the dangers of residual and additional information in documents and files. It SHOULD be communicated how residual and additional information in documents and files can be avoided.
The institution SHOULD provide guidance specifying how unwanted residual information is to be excluded from exchange.
Every file and every document SHOULD be checked for unwanted residual information before disclosure. Unwanted residual information SHOULD be removed from documents and files before disclosure.
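As an added illustration of the check required by CON.9.A5 (example code, not part of the IT-Grundschutz Compendium), the following Python script inspects an Office Open XML (.docx) package for the typical kinds of residual information: comments, tracked changes and author metadata. The sample package is constructed inline and deliberately simplified (no XML namespace declarations), so the part names and element names are assumptions based on the .docx layout.

```python
import io
import re
import zipfile

# Parts of a .docx package that commonly carry residual information.
COMMENT_PART = "word/comments.xml"   # reviewer comments
MAIN_PART = "word/document.xml"      # body text, including tracked changes
CORE_PROPS = "docProps/core.xml"     # document properties (author etc.)


def find_residual_info(docx_bytes):
    """Return a list of findings describing residual information in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if COMMENT_PART in names:
            n = len(re.findall(r"<w:comment\b", z.read(COMMENT_PART).decode("utf-8")))
            if n:
                findings.append(f"{n} comment(s) in {COMMENT_PART}")
        if MAIN_PART in names:
            body = z.read(MAIN_PART).decode("utf-8")
            # <w:ins> and <w:del> mark inserted/deleted text of tracked changes.
            n = len(re.findall(r"<w:(?:ins|del)\b", body))
            if n:
                findings.append(f"{n} tracked change(s) in {MAIN_PART}")
        if CORE_PROPS in names:
            props = z.read(CORE_PROPS).decode("utf-8")
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                m = re.search(rf"<{tag}>([^<]*)</{tag}>", props)
                if m and m.group(1).strip():
                    findings.append(f"{tag} = {m.group(1).strip()!r}")
    return findings


def build_sample_docx(with_residue):
    """Constructed, simplified .docx-like package used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        body = "<w:p><w:r><w:t>Offer for project X</w:t></w:r></w:p>"
        if with_residue:
            body += "<w:del w:author='J. Doe'><w:r><w:delText>old price</w:delText></w:r></w:del>"
        z.writestr(MAIN_PART, f"<w:document>{body}</w:document>")
        creator = "J. Doe" if with_residue else ""
        z.writestr(CORE_PROPS, f"<cp:coreProperties><dc:creator>{creator}</dc:creator></cp:coreProperties>")
        if with_residue:
            z.writestr(COMMENT_PART, "<w:comments><w:comment w:id='0'>internal: margin 40%</w:comment></w:comments>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_residual_info(build_sample_docx(True)):
        print("residual information:", finding)
```

A file that yields any finding should be cleaned (comments and tracked changes resolved, properties stripped) and re-checked before it leaves the institution.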
CON.9.A6 Compatibility Check of Sending and Receiving Systems (S)
Before an information exchange, it SHOULD be checked whether the IT systems and products used are compatible.
CON.9.A7 Backup Copy of Transmitted Data (S)
The institution SHOULD make a backup copy of the transmitted information if the information cannot be restored from other sources.
CON.9.A8 Encryption and Digital Signature (S)
The institution SHOULD examine whether information can be cryptographically secured during exchange. If the information is cryptographically secured, sufficiently secure methods SHOULD be used for this purpose.
Requirements for High Protection Needs
The following are examples of proposed requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.
CON.9.A9 Confidentiality Agreements (H) [Central Administration]
Before confidential information is passed on to other institutions, central administration SHOULD be informed. Central administration SHOULD conclude a confidentiality agreement with the receiving institution. The confidentiality agreement SHOULD regulate how the information may be stored by the receiving institution. The confidentiality agreement SHOULD specify who at the receiving institution may access which transmitted information.
Additional Information
Good to Know
The International Organization for Standardization (ISO) describes requirements for information exchange in its standard ISO/IEC 27001:2013, chapter 13.2.