M.5) Define basic rules (security guidelines for employees)

Category: Corporate Security, Initial

Responsible: CSR

Effort: 2 hours

Based on: BSI IT-Grundschutz M 2.1 / M 2.220 / M 2.235 / M 2.304 / M 2.309 / M 2.338 / M 2.430 / M 2.432

The CSR should define basic rules that apply to all employees. These are behavioural rules which every employee should know and comply with. A good source of information for this task is the “IT Sicherheitshandbuch für Mitarbeiter” from the WKO, since this handbook is easy to read and written specifically for non-security experts (unfortunately only available in German at the moment).

The following examples show what the security guidelines for employees can look like:

  • Do not upload private keys to the source code repository
  • Password rules
    • Use strong passwords with the following characteristics:
      • more than 10 characters
      • not part of a dictionary
      • no names
      • cannot be related to you or your environment (e.g. your daughter’s name and birthday)
      • contains letters, numbers and special characters
    • Enforce strong passwords in our products
    • Do not use the same passwords you use for private identities and accounts
    • Do not use the same passwords or the same schema twice
    • Do not let the browser store passwords
    • Don’t share passwords
    • Do not write down passwords or store them unencrypted
    • Use password managers whenever possible (e.g. LastPass)
  • Do not share accounts. Two or more employees must not have access to a service by sharing the same credentials.
  • Do not install software on company devices without consulting the CSR
  • Do not open email attachments unless you are expecting that email and attachment
  • If you have any security doubts, immediately contact the CSR or PSR
  • Etc.
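The rule “Enforce strong passwords in our products” means the password characteristics listed above have to be checked in code. The following validator is an added example (not part of the handbook or of any product) that turns each listed characteristic into one check; the word list, name list and the user context (“Anna”, a birthday) are constructed sample data standing in for a real dictionary and a real HR/directory lookup.

```python
import re
import string

# Constructed sample lists; a real product would load a full dictionary,
# a breached-password list and the user's own names/dates from its directory.
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "secret"}
FIRST_NAMES = {"anna", "peter", "maria", "thomas"}


def check_password(password: str, related_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the guideline characteristics the password does NOT meet.

    An empty list means every listed rule is satisfied. related_terms are
    strings tied to the user or their environment (family names, birthdays,
    employer, pet) which the guideline says the password must not contain.
    """
    violations = []
    lowered = password.lower()
    # Letters only, so "Password1!" is still recognised as the word "password".
    core = re.sub(r"[^a-z]", "", lowered)

    if len(password) <= 10:
        violations.append("more than 10 characters")
    if core in DICTIONARY_WORDS or any(word in core for word in DICTIONARY_WORDS):
        violations.append("not part of a dictionary")
    if any(name in core for name in FIRST_NAMES):
        violations.append("no names")
    if any(term.lower() in lowered for term in related_terms if len(term) >= 3):
        violations.append("not related to you or your environment")
    if not any(c.isalpha() for c in password):
        violations.append("contains letters")
    if not any(c.isdigit() for c in password):
        violations.append("contains numbers")
    if not any(c in string.punctuation for c in password):
        violations.append("contains special characters")
    return violations


def is_acceptable(password: str, related_terms: tuple[str, ...] = ()) -> bool:
    """True when the password meets every listed characteristic."""
    return not check_password(password, related_terms)


if __name__ == "__main__":
    # Constructed user context: daughter's name and birthday, as in the rule's example.
    user_terms = ("Anna", "20120312")
    for candidate in ("Password1!", "Anna20120312!!", "Tr0ub4dor&3xample!"):
        print(candidate, "->", check_password(candidate, user_terms) or "ok")
```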
