Government employees play a key role in the IT security chain due to their public sector work. In order to fulfil their statutory mandate, it is essential that they store, process and, in certain cases, transmit sensitive data. Moreover, they are in close contact with internal and external partners via multiple communication channels on a daily basis. As a result, it is important to be vigilant about secure communication. Here are some tips and tools to help you:
Digital signature
The aim of a digitally signed email is to send information from the sender to the recipient in such a way that the sender can be clearly identified and nobody can manipulate the email unnoticed as it travels from the sender to the recipient. This is achieved with the help of asymmetric cryptography. The digital signature thus fulfils the need for authenticity and integrity.
N.B.: Do not confuse a digital signature with the email signature consisting of your name and web address, for example, which you can insert in an email.
Email encryption
While a digitally signed email ensures integrity, it does not ensure confidentiality; that requires email encryption. We make a distinction between transport-level encryption and end-to-end encryption. With transport encryption, the data in transit between the parties is encrypted with Transport Layer Security (TLS), but the message itself is stored unencrypted on the mail servers it passes through. In the case of end-to-end encryption, the message itself is encrypted and is usually also stored in this way.
The two common standards for end-to-end email encryption and signing are OpenPGP and S/MIME. OpenPGP uses a decentralised trust model, while S/MIME uses certificates issued by a recognised certificate authority (CA) and is thus based on a centralised trust model (the CA is the trusted third party).
As a matter of principle, no confidential information or data should be transmitted through unencrypted channels. Confidential information should be consistently encrypted or sent by post to external parties. If there is no possibility of encrypted transmission using S/MIME or OpenPGP, a message can also be packed into an encrypted ZIP archive protected with a strong password. It is important to ensure that Advanced Encryption Standard (AES) encryption is used and not the legacy ZIP 2.0 encryption (ZipCrypto), which is cryptographically weak. The password must then be provided through a separate, secure channel (e.g. via Threema or Signal, or over the phone).
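As an added illustration that is not part of the NCSC's page, the following Python script checks which encryption each member of a ZIP archive actually uses, by reading the general-purpose "encrypted" flag bit and the WinZip AES extra field (header ID 0x9901, method 99), so that a legacy ZipCrypto archive is caught before it is sent. The archive bytes and the AE-2 extra field are constructed samples; Python's standard zipfile module cannot write encrypted archives, so AES detection is exercised on constructed header values.

```python
import io
import struct
import zipfile

# WinZip AES extra-field header ID and the pseudo compression method 99 (ZIP APPNOTE)
AES_EXTRA_ID = 0x9901
AES_METHOD = 99
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}

def classify_entry(flag_bits: int, compress_type: int, extra: bytes) -> str:
    """Return "plain", "zipcrypto" (legacy ZIP 2.0 encryption) or "aes-NNN" for one entry."""
    if not flag_bits & 0x1:            # general-purpose bit 0 = entry is encrypted
        return "plain"
    if compress_type != AES_METHOD:    # encrypted but not AES => legacy ZipCrypto
        return "zipcrypto"
    # Walk the extra field: records of (header id, data size, payload)
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if header_id == AES_EXTRA_ID and size >= 7 and len(extra) >= pos + 11:
            _vendor_ver, vendor_id, strength, _method = struct.unpack_from("<H2sBH", extra, pos + 4)
            if vendor_id == b"AE" and strength in AES_STRENGTH:
                return AES_STRENGTH[strength]
            return "aes-unknown"
        pos += 4 + size
    return "aes-unknown"

def audit_archive(data: bytes) -> dict:
    """Map each member name to its encryption class for an archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: classify_entry(zi.flag_bits, zi.compress_type, zi.extra)
                for zi in zf.infolist()}

def weak_members(data: bytes) -> list:
    """Names of members that are unencrypted or use legacy ZipCrypto and must not be sent."""
    return sorted(name for name, kind in audit_archive(data).items()
                  if kind in ("plain", "zipcrypto"))

def make_plain_archive() -> bytes:
    """Constructed sample: an ordinary, unencrypted archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "constructed sample content")
    return buf.getvalue()

def make_aes_extra(strength: int = 3, method: int = 8) -> bytes:
    """Constructed AE-2 extra field as an AES-capable ZIP tool would write it."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, method)
```

Run `weak_members()` over an archive before sending it; an empty list means every member is AES-encrypted.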
Telephone
The NCSC recommends end-to-end encryption between the parties for confidential telephone conversations. End-to-end encryption means that the data is encrypted at the sender's end and is not decrypted again until it reaches the intended recipient. It is never available in unencrypted form in between. This means that only the parties to the call can decrypt it.
Caution: Beware of eavesdroppers while you are on the phone.
Confidential meetings
Mobile phones and wearables should generally remain outside the room during confidential meetings. If a device has been infected with malware at an earlier stage, for example, or if a malicious app has been installed, criminals can potentially access the audio and video of the meeting via the built-in microphone and camera.
Working in public spaces
Nowadays, thanks to flexible working models, government employees can work while on public transport or in a restaurant or café. This has many advantages for employees, but also entails certain risks. To protect sensitive data from the prying eyes of bystanders, the NCSC recommends using a privacy filter for the screen in public (privacy mode alternative for HP devices: fn+F2 keys).
Last modification 07.11.2022