SYS.3.1 Laptops

Description

Introduction

A laptop (also called a notebook) is a PC designed for mobile use. It has a compact form factor, integrates peripheral devices such as a keyboard and screen, can run temporarily on batteries without an external power supply, and often consists of hardware components specifically designed for mobile use. Laptops are common in most institutions and frequently replace the classic desktop PC.

Laptops are typically operated with common desktop operating systems such as Microsoft Windows, Apple macOS, or Linux. The boundaries with tablets and similar devices are fluid today. There are tablets with desktop operating systems such as Windows 10, but also keyboard accessories for mobile devices such as iPads with iPadOS, which can thus be used as laptops.

Because laptops are often used on the move, they are frequently not permanently connected to the institution’s LAN. Instead, they can typically connect to the institution’s network via a Virtual Private Network (VPN), e.g., over the Internet. The infrastructure of a typical office environment, which offers controllable environmental conditions, a stable power supply, or access-controlled areas, cannot be assumed when laptops are used on the move.

Objective

The objective of this building block is to enable institutions to use laptops securely and to raise awareness of the specific threats to this device class.

Scope and Modeling

The building block SYS.3.1 Laptops must be applied to all laptops, whether they are used on the move or at a fixed location.

As with all IT systems, the operating system and software components must be carefully selected and installed for laptops. The requirements to be met here depend on the laptop’s operating system and are therefore described in the client-specific building blocks, for example SYS.2.2.3 Clients under Windows, SYS.2.3 Clients under Linux and Unix, or SYS.2.4 Clients under macOS. Similarly, requirements that apply to all types of clients are not part of this building block. These can be found in the building block SYS.2.1 General Client.

This building block also does not address how the respective data transmission is to be set up, such as WLAN configuration (see NET.2.2 WLAN Usage) or a VPN connection (see NET.3.3 VPN).

Because laptops are often deployed outside an institution for extended periods, they must receive particular consideration in data backup. Further requirements for this can be found in the building block CON.3 Data Backup Concept.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to represent the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block SYS.3.1 Laptops.

Impairment Through Changing Deployment Environments

Laptops are used in very different environments and are thus exposed to many threats. These include, for example, harmful environmental influences such as excessively high or low temperatures, as well as dust or moisture. There is also always a risk of transport damage with laptops. Furthermore, laptops — especially while traveling — often communicate with unknown IT systems or networks, which always poses a potential threat to the device itself. For example, malicious programs may be transferred or sensitive information copied.

Theft and Loss of Laptops

Employees often use their laptops outside the institution. Devices are transported in private vehicles or on public transport, left behind in unfamiliar offices during breaks, or left unattended in hotel rooms. Laptops are therefore exposed to a higher risk of theft and can also be easily forgotten or lost. If a laptop goes missing, costs and effort arise for replacement. Unsaved data is also lost. Unauthorized parties could also access sensitive data, which can lead to further damage. In many cases this far outweighs the purely material loss of the laptop.

Disorderly Handover of Laptops

When employees only occasionally need mobile IT systems — for example for infrequent business trips — it is often more practical to maintain only a few laptops centrally. These can then be passed between employees. However, if the laptop is simply handed over to the next employee, there is a risk that sensitive data still on the device is passed on. It is also possible that the laptop is infected with malware. Without appropriate rules, it can be difficult to track who used the laptop when or who is currently using it.

Requirements

The following are the specific requirements of the building block SYS.3.1 Laptops. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled insofar as this is sensible and appropriate.

Responsibilities             Roles
Primarily responsible        IT Operations
Additional responsibilities  Users, Procurement Office

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many people should fill these roles.

Basic Requirements

The following requirements MUST be met with priority for this building block.

SYS.3.1.A1 Policies for Mobile Use of Laptops (B)

It MUST be clearly defined what employees must take into account when using laptops on the move. In particular, it MUST be determined which laptops may be used on the move, who is permitted to take them, and what basic security measures must be followed. Users MUST be informed of the policies.

SYS.3.1.A2 DISCONTINUED (B)

This requirement has been discontinued.

SYS.3.1.A3 Use of Personal Firewalls (B)

A personal firewall MUST be active on laptops when they are used outside the institution’s networks. The firewall rules MUST be as restrictive as possible. The firewall rules MUST be regularly tested. The personal firewall MUST be configured so that users are not bothered by warning messages that they cannot interpret.

SYS.3.1.A4 DISCONTINUED (B)

This requirement has been discontinued.

SYS.3.1.A5 DISCONTINUED (B)

This requirement has been discontinued.

SYS.3.1.A9 Secure Remote Access with Laptops (B)

From publicly accessible networks, the institution’s internal network MUST ONLY be accessed via a secure communication channel.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.

SYS.3.1.A6 Security Policies for Laptops (S)

A security policy SHOULD be created for laptops that governs how the devices may be used. Users SHOULD be made aware of the protection needs of laptops and the data stored on them. They SHOULD also be made aware of the specific threats and corresponding usage requirements. They SHOULD also be informed of what type of information they are permitted to process on laptops.

SYS.3.1.A7 Regulated Handover and Return of a Laptop (S) [Users]

If laptops are used alternately by different people, it SHOULD be defined how they can be securely handed over. It SHOULD also be defined how they are to be securely returned. Before a laptop is passed on, any sensitive data present SHOULD be securely deleted. If the laptop is not reinstalled before handover, it SHOULD be ensured that the IT system and all connected storage media are free of malware. A reference card for the secure use of the device SHOULD be provided together with a laptop.

SYS.3.1.A8 Secure Connection of Laptops to Data Networks (S) [Users]

It SHOULD be defined how laptops are securely connected to the institution’s own or external data networks and the Internet. Only authorized laptops SHOULD be able to log on to the institution’s internal network.

SYS.3.1.A10 Synchronization of Laptop Data (S) [Users]

It SHOULD be defined how data from laptops is incorporated into the institution’s information domain. If a synchronization tool is used, it SHOULD be ensured that synchronization conflicts can be resolved. The synchronization process SHOULD be logged. Furthermore, users SHOULD be instructed to check the synchronization logs.

SYS.3.1.A11 Ensuring Power Supply for Laptops (S) [Users]

All users SHOULD be informed about how they can best ensure the power supply of laptops during mobile use. Available spare batteries SHOULD be stored and transported in suitable protective cases.

SYS.3.1.A12 Loss Reporting for Laptops (S) [Users]

Users SHOULD immediately report when a laptop has been lost or stolen. For this purpose, there SHOULD be clear reporting channels within the institution. If lost laptops reappear, it SHOULD be investigated whether they have possibly been tampered with. The software installed on them, including the operating system, SHOULD be completely reinstalled.

SYS.3.1.A13 Encryption of Laptops (S)

Storage media built into laptops such as hard drives or SSDs SHOULD be encrypted.

SYS.3.1.A14 Appropriate Storage of Laptops (S) [Users]

All users SHOULD be informed about how laptops are to be stored securely outside the institution. Depending on the protection needs of the data stored on them, laptops SHOULD also be secured against theft or stored under lock and key within the institution’s premises when they are not in use.

SYS.3.1.A15 Appropriate Selection of Laptops (S) [Procurement Office]

Before laptops are procured, a requirements analysis SHOULD be conducted. Based on the results, all candidate devices SHOULD be evaluated. The procurement decision SHOULD be coordinated with IT Operations.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there is a higher need for protection. The concrete definition is made in the context of an individual risk analysis.

SYS.3.1.A16 Central Administration and Management of Laptops (H)

A suitable policy SHOULD be defined for how laptops are to be centrally administered and managed. A tool for central laptop management SHOULD support as many of the operating systems in use as possible.

SYS.3.1.A17 Collective Storage of Laptops (H)

Unused laptops SHOULD be kept in an appropriately secured room. The room used for this SHOULD meet the requirements of the building block INF.5 Room and Cupboard for Technical Infrastructure.

SYS.3.1.A18 Use of Anti-Theft Protection (H)

It SHOULD be determined which anti-theft protection measures are to be used for laptops. For mechanical security measures, particular attention SHOULD be paid to a good lock.

Additional Information

Good to Know

No additional information is available for the building block SYS.3.1 Laptops.