INF.10 Meeting, Event, and Training Rooms

Description

Introduction

As a rule, every institution has one or more rooms in which meetings, training sessions, or other events can be held. Specially equipped rooms are often provided for this purpose. Meeting, event, and training rooms are characterized primarily by the fact that they are used by changing individuals or internal or external groups of persons, generally only for a limited period. IT systems brought along are often operated together with the institution’s own devices — for example, externally brought laptops connected to permanently installed projectors. These different usage scenarios give rise to a particular threat landscape that does not exist in this form in other rooms of the institution.

Objective

The objective of this building block is to protect information processed in meeting, event, and training rooms, as well as IT systems operated in these rooms. The recommended handling of external persons who use these rooms is also addressed.

Scope and Modeling

The building block INF.10 Meeting, Event, and Training Rooms is to be applied to every meeting, event, or training room.

This building block addresses all technical and non-technical security aspects relating to the use of meeting, event, and training rooms. Detailed recommendations on how IT systems in these rooms can be configured and secured are not covered in this building block. These can be found in SYS.2.1 General Client as well as in the operating system-specific building blocks. Further security aspects relevant to meeting rooms — such as those for WLANs or video conferencing systems — are addressed in the building blocks of the NET.2 Wireless Networks and NET.4 Telecommunications layers respectively. Cabling in these rooms is addressed separately in the building block INF.12 Cabling. Fire protection requirements are found in the building block INF.1 General Building. Requirements for supervising visitors and prohibiting mobile phones are found in the building block ORP.1 Organisation.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block INF.10 Meeting, Event, and Training Rooms.

Missing or Inadequate Regulations

If, for example, employees do not close windows and doors after leaving a meeting, event, or training room, or confidential information is not removed from a whiteboard or flipchart, this information can be viewed without authorization. In general, employees should therefore be provided with appropriate regulations so that corresponding security gaps cannot arise. Merely establishing regulations does not, however, ensure that they will be observed and that operations run smoothly. Many problems arise when regulations exist but are not known to employees. Employees often do not know, for example, that windows and doors must be locked after meetings, or how to handle the work materials in the meeting room (e.g., technology or a flipchart).

Incompatibility Between Third-Party and Own IT

IT systems are becoming increasingly mobile and are used in increasingly different environments. Persons often encounter scenarios in which their own IT systems cannot be used as planned because they are not compatible with the third-party IT systems present. For example, older devices may not have the same connectors and ports as newer devices. There are also devices that are not compatible with other devices without a suitable adapter. If, for example, a suitable adapter is not available, a laptop prepared with all important data for a meeting cannot be connected to a projector. Furthermore, attempts to connect the IT systems nonetheless can damage the devices or the stored data.

Trailing Cables

In meeting, event, and training rooms, both the persons using them and the way the rooms are used frequently change. As a result, the equipment and therefore the cabling in these rooms is permanently altered in some cases. Cables can thus be temporarily routed across the room, including across traffic routes, depending on the location of connection points in the room (power outlets and data network). Not only persons are endangered by these trip hazards; IT systems can also be damaged when persons drag the “trailing” cables with them.

Theft

If storage media, IT systems, accessories, software, or data, some of which are permanently installed in a meeting, event, or training room, are stolen, this incurs costs for replacement and for restoring a working state on the one hand. On the other hand, the meeting, event, or training room may subsequently only be usable to a limited extent due to the unavailability of equipment. This may create bottlenecks in room occupancy. Furthermore, confidential information can be stolen, misused, or passed on.

Along with expensive IT systems, mobile end devices that can be transported inconspicuously and easily are also frequently stolen. If meeting, event, or training rooms are not supervised or IT systems are not adequately secured, the technology can accordingly be removed quickly and inconspicuously. This is especially true when, for example, rooms are not locked during meeting breaks.

Loss of Confidentiality of Sensitive Information

Through technical failure, carelessness, lack of knowledge, and deliberate actions, confidential information can be disclosed. This information can exist in different locations — for example, on storage media within IT systems (such as hard drives), on removable storage media (such as USB sticks or optical media), in printed form on paper, or on whiteboards or flipcharts. If information is read or disclosed without authorization, this can have serious consequences for the institution — for example, violations of laws, competitive disadvantages, or financial impacts.

Requirements

The following are the specific requirements of the building block INF.10 Meeting, Event, and Training Rooms. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They should be filled where meaningful and appropriate.

Responsibilities             Roles
Primarily responsible        Central Administration
Additional responsibilities  Employees, IT Operations, Facility Management

Exactly one role should be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a specific requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not imply anything about the number of persons filling these roles.

Basic Requirements

The following requirements MUST be met as a priority for this building block.

INF.10.A1 Secure Use of Meeting, Event, and Training Rooms (B) [Facility Management, IT Operations]

Equipment present in the rooms MUST be appropriately secured against theft. Furthermore, it MUST be specified who administers the IT and other systems permanently installed in the rooms. It MUST also be specified whether and under what conditions IT systems brought by external persons may be used. Furthermore, it MUST be specified whether and which network access points and telecommunications interfaces external persons may use.

INF.10.A2 DISCONTINUED (B)

This requirement has been discontinued.

INF.10.A3 Closed Windows and Doors (B) [Employees]

The windows and doors of meeting, event, and training rooms MUST be locked when leaving. In rooms containing IT systems or sensitive information, the doors MUST be locked when leaving. Additionally, it MUST be regularly checked whether windows and doors were locked after the rooms were vacated. It MUST also be ensured that fire and smoke protection doors are actually closed.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.

INF.10.A4 Planning of Meeting, Event, and Training Rooms (S)

When planning meeting, event, and training rooms, particular attention SHOULD be paid to the location of the rooms. In particular, rooms frequently used together with or exclusively by external persons SHOULD NOT be located in parts of the building where confidential information is regularly discussed and processed nearby. For each room, it SHOULD be specified how confidential the information discussed or processed therein may be.

INF.10.A5 Trailing Cables (S)

Power connections SHOULD be located where projectors, laptops, or other electronic devices are set up. Cables routed across the floor SHOULD be appropriately covered.

INF.10.A6 Establishing Secure Network Access (S) [IT Operations]

It SHOULD be ensured that IT systems brought along cannot be connected to internal IT systems of the institution via the data network. ONLY IT systems designated for this purpose SHOULD be able to access the institution’s LAN. A data network for external persons SHOULD be separated from the institution’s LAN. Network access points SHOULD be set up in such a way as to prevent third parties from intercepting internal data communication. Network connections in meeting, event, or training rooms SHOULD be secured. IT systems in meeting, event, and training rooms SHOULD be prevented from simultaneously establishing a connection to the intranet and the internet.

Furthermore, the power supply SHOULD be established from a sub-distribution panel separately from other rooms.
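The segregation rules in INF.10.A6 can be checked against a concrete address plan before they are turned into firewall or VLAN configuration. The following script is an added example, not part of the building block text or of any BSI tooling; every prefix, address and port in it is a constructed sample value that stands in for the institution's real plan. It models the institution's LAN and a separate meeting-room segment, decides whether a flow from that segment is permitted (only designated systems may reach the LAN, everything else may reach the internet only, with client isolation inside the segment), and detects hosts that are attached to both the intranet and a non-intranet network at the same time.

```python
"""
Added example for INF.10.A6 (not from the building block): a small policy
checker for meeting-room network segregation. All prefixes, addresses and
ports below are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Constructed address plan: the institution's LAN and the separate segment
# that serves meeting, event and training rooms.
INSTITUTION_LAN = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
GUEST_SEGMENT = ip_network("192.168.100.0/24")
GUEST_GATEWAY = ip_address("192.168.100.1")   # resolver for the segment

# IT systems designated under A6/A7 that may reach the LAN (here: a permanently
# installed presentation computer), with the destinations granted to them.
DESIGNATED = {
    ip_address("192.168.100.10"): {("10.1.2.3", 445)},   # file share for slides
}


def in_any(addr, networks):
    """True if addr lies in one of the given networks."""
    return any(addr in net for net in networks)


def flow_allowed(src, dst, dport):
    """Decide whether a flow originating in the meeting-room segment is permitted."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in GUEST_SEGMENT:
        raise ValueError("checker only covers flows that start in the guest segment")
    # Infrastructure the segment itself needs: DNS at the segment gateway.
    if dst == GUEST_GATEWAY and dport == 53:
        return True
    # Towards the institution's LAN only designated systems, and only to the
    # destinations explicitly granted to them.
    if in_any(dst, INSTITUTION_LAN):
        return (str(dst), dport) in DESIGNATED.get(src, set())
    # Client isolation inside the segment and no other private ranges; what is
    # left is globally routable, i.e. internet traffic.
    if dst in GUEST_SEGMENT or dst.is_private:
        return False
    return dst.is_global


def is_dual_homed(interface_addrs):
    """True if a host is attached to the intranet and a non-intranet network at once."""
    addrs = [ip_address(a) for a in interface_addrs]
    intranet = any(in_any(a, INSTITUTION_LAN) for a in addrs)
    other = any(not in_any(a, INSTITUTION_LAN) and not a.is_loopback for a in addrs)
    return intranet and other


if __name__ == "__main__":
    # 93.184.216.34 is a public address used here only as a stand-in for "the internet".
    print("guest -> internet:", flow_allowed("192.168.100.20", "93.184.216.34", 443))
    print("guest -> LAN:     ", flow_allowed("192.168.100.20", "10.1.2.3", 445))
    print("presenter -> share:", flow_allowed("192.168.100.10", "10.1.2.3", 445))
    print("dual-homed laptop:", is_dual_homed(["10.5.5.5", "192.168.100.30"]))
```

The checker is deliberately default-deny: any destination that is neither the segment's own resolver, an explicitly granted LAN destination, nor a globally routable address is refused, which is the order in which the corresponding firewall rules would normally be written.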

INF.10.A7 Secure Configuration of Training and Presentation Computers (S) [IT Operations]

Dedicated training and presentation computers SHOULD be provided with a minimal configuration. It SHOULD be specified which applications can be used on training and presentation computers in the respective event. Training and presentation computers SHOULD only be connected to a separate data network isolated from the institution’s LAN.

INF.10.A8 Creation of a Usage Record for Rooms (S)

Depending on the type of use of meeting, event, and training rooms, it SHOULD be apparent who used the rooms at what time. For rooms in which training sessions on IT systems or particularly confidential meetings are conducted, usage records SHOULD also be kept. It SHOULD be considered whether to introduce corresponding usage records for rooms accessible to all employees.

Requirements for High Protection Needs

The following are example proposals for requirements for this building block that go beyond the level of protection representing the state of the art. The proposals SHOULD be considered when protection needs are elevated. The specific determination is made within an individual risk analysis.

INF.10.A9 Resetting Training and Presentation Computers (H) [IT Operations]

A procedure SHOULD be established for resetting training and presentation computers to a previously defined state after use. Changes made by users SHOULD be completely removed in this process.
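A reset procedure under INF.10.A9 is only as good as the check that it actually restored the defined state. The following script is an added example, not part of the building block and not a BSI tool; the directory layout and file contents it uses are constructed sample data. It records a baseline manifest (relative path to SHA-256 digest) of the areas a participant may touch before a session, reports every added, removed or modified file afterwards, and confirms whether the reset brought the computer back to the baseline.

```python
"""
Added example for INF.10.A9 (not from the building block): baseline manifest
and drift report for verifying that a training computer was reset. All paths
and file contents are constructed sample data created in a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file below root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def save_manifest(manifest, dest):
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def drift(baseline, current):
    """List files that differ between the baseline and the current manifest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def reset_verified(baseline, root):
    """True only if the directory matches the baseline exactly."""
    report = drift(baseline, build_manifest(root))
    return not (report["added"] or report["removed"] or report["modified"])


def seed_defined_state(root):
    """Constructed stand-in for the defined (golden) state of the training PC."""
    profile = Path(root) / "profile"
    profile.mkdir(parents=True, exist_ok=True)
    (profile / "settings.ini").write_text("theme=default\n")
    (profile / "readme.txt").write_text("course material\n")


def demo():
    """One training session: baseline, user changes, drift report, reset, verification."""
    workdir = Path(tempfile.mkdtemp())
    root = workdir / "training-pc"
    seed_defined_state(root)
    save_manifest(build_manifest(root), workdir / "baseline.json")

    # A participant changes a setting, leaves a file behind and deletes another.
    (root / "profile" / "settings.ini").write_text("theme=dark\n")
    (root / "profile" / "notes.docx").write_bytes(b"participant notes")
    (root / "profile" / "readme.txt").unlink()

    baseline = load_manifest(workdir / "baseline.json")
    report = drift(baseline, build_manifest(root))
    before = reset_verified(baseline, root)

    # Simulated reset: discard everything and re-create the defined state.
    shutil.rmtree(root)
    seed_defined_state(root)
    after = reset_verified(baseline, root)

    shutil.rmtree(workdir)
    return {"report": report, "verified_before_reset": before,
            "verified_after_reset": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be taken from the image the reset procedure restores, and the drift report kept together with the room's usage record from INF.10.A8 so that an incomplete reset can be traced to a session.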

INF.10.A10 DISCONTINUED (H)

This requirement has been discontinued.

Additional Information

Good to Know

The International Organization for Standardization (ISO) provides requirements for the physical security and environmental security of buildings and rooms in standard ISO/IEC 27001:2013, Annex A.11.

The Information Security Forum (ISF) provides requirements for the physical security and environmental security of buildings and rooms in its standard “The Standard of Good Practice for Information Security” in chapter CF19.

The German Institute for Standardization provides requirements for the physical security of buildings and rooms in its standard DIN EN 1627-1630:2021-11.