Information about video conferencing services category

IT Security Label

Basis of issue and Security Requirements

The IT Security Label is issued on the basis of §9c BSI Act (Act on the Federal Office for Information Security).

Services in the category video conferencing services can receive the IT Security Label if the provider assures the conformity of the service with DIN SPEC 27008 and the supplementary document Video Conferencing Services - Technical Specification and Conformity Assessment. The manufacturer's declaration for the video conferencing services product category can be found here.

The following list provides a simplified overview of some of the declared security functionalities. Detailed descriptions of the necessary requirements can be found in the DIN SPEC and the supplementary document.

Information on the required service properties

1. Update

The provider declares that it will immediately provide security updates for the service if it becomes aware of certain security vulnerabilities and will demonstrably maintain a vulnerability management system that regulates the discovery, publication and closure of security vulnerabilities.

These include, among others:

  • The provision of timely updates that adequately address the vulnerabilities.
  • The provision of an automatic update function that quickly installs available security updates.
  • The implementation of mechanisms to ensure that updates are only installed from trustworthy sources.
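As an added illustration of the last point (installing updates only from trustworthy sources), the following Go program shows the client-side check a practitioner would expect behind such a declaration: the update manifest is signed with a release key whose public half is pinned in the client, and the client verifies the signature, rejects version rollback, and checks the payload hash before anything is installed. This is example code written for this page, not the BSI's, the DIN SPEC's, or any provider's implementation; the manifest layout, the Ed25519 choice and the version/hash fields are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed, hypothetical format: the signature covers
// both the payload hash and a monotonically increasing version number.
type UpdateManifest struct {
	Version    uint32
	PayloadSHA [32]byte
	Signature  []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned release key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed version")
	ErrHashMismatch = errors.New("update rejected: payload hash does not match the signed manifest")
)

// NewReleaseKey generates a release key pair; in practice the private half
// lives only in the provider's release pipeline and the public half is pinned in the client.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// manifestBytes returns the exact bytes that are signed: version || sha256(payload).
func manifestBytes(version uint32, payloadSHA [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], payloadSHA[:])
	return buf
}

// PublishUpdate is the provider-side step (hypothetical): hash the payload and
// sign version + hash with the release key.
func PublishUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateManifest {
	sum := sha256.Sum256(payload)
	return UpdateManifest{
		Version:    version,
		PayloadSHA: sum,
		Signature:  ed25519.Sign(priv, manifestBytes(version, sum)),
	}
}

// VerifyUpdate is the client-side check. Trust comes from the pinned key, not
// from the download location: a manifest that does not verify, that is not newer
// than what is installed, or whose payload does not match the signed hash is refused.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installedVersion uint32, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(pinnedPub, manifestBytes(m.Version, m.PayloadSHA), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv := NewReleaseKey()
	payload := []byte("constructed client build, version 2") // stand-in for the real update archive
	m := PublishUpdate(priv, 2, payload)

	fmt.Println("genuine update:   ", VerifyUpdate(pub, 1, m, payload))
	fmt.Println("tampered payload: ", VerifyUpdate(pub, 1, m, []byte("modified build")))
	fmt.Println("rollback attempt: ", VerifyUpdate(pub, 2, m, payload))
	otherPub, _ := NewReleaseKey()
	fmt.Println("wrong release key:", VerifyUpdate(otherPub, 1, m, payload))
}
```

The order of the checks matters: the signature is verified first so that the version and hash fields are only trusted once they are known to come from the release key.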

2. Transparency

The service provider undertakes to provide transparent information regarding the security of the video conferencing service. The use of the service should be transparent for the participants so that unauthorised persons cannot take part in conferences unnoticed.

Transparent information on the video conferencing service:

  • Prior to updates, the provider shall provide corresponding information on the scope and content of the functionalities concerned that are to be updated or where security gaps are to be closed.
  • Users must be able to see whether the client software for the video conferencing service is up to date or whether an update is available.
  • The provider provides manuals, user instructions for secure use and information on the security-relevant features of the service on its website. This also includes information on how to protect oneself against attacks and what to do in the event of suspicion.

Transparency during use:

  • All participants can see who is connected to the video conference in a list. This is intended to prevent unnoticed eavesdropping or unnoticed participation in conferences.
  • When new people join a video conference, an acoustic or visual signal is emitted. This prevents someone from secretly joining a meeting.

3. Access authorisation

The provider shall ensure proven and suitable mechanisms that guarantee that only authorised persons can access the service. These access authorisations must also include the following:

  • When setting up a user account for the first time, verification must take place via a different channel for security reasons. This means that users must confirm the creation of a user account in their name, for example by email. This prevents the creation of anonymous accounts that could be used to misuse the video service.
  • Option of 2-factor authentication when logging into user accounts to prevent unauthorised access via third-party devices. 2-factor authentication means that each login attempt must be additionally confirmed, for example by text message code.
  • Access control to video conference sessions, such as a virtual waiting room, so that only authorised participants can take part in a video conference.
  • By default, "private mode" is set in all video sessions so that only invited participants can take part in the call.
  • Appropriate requirements for passwords, i.e. insecure passwords are not permitted by the service.
  • It is not possible for third parties to switch on the microphone or camera.
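The password requirement in the list above is stated only as "insecure passwords are not permitted". As an added example (not code from the BSI, the DIN SPEC, or any provider), the Go function below shows what such a check typically looks like at account creation: a minimum length, a comparison against a breached-password list, a check that the password does not contain the account name, and a limit on repeated characters. The thresholds and the small blocklist are assumptions constructed for this example; the DIN SPEC's actual rules are not given on this page.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Policy values are assumptions for this example, not the DIN SPEC's figures.
const (
	minLength  = 12 // minimum password length in characters (runes, not bytes)
	maxRepeat  = 3  // longest run of the same character that is still accepted
	minNameLen = 3  // account-name fragments shorter than this are not checked
)

// breachedPasswords is a constructed stand-in for a real breached-password list;
// a production service would query a much larger set, e.g. by hash prefix.
var breachedPasswords = map[string]bool{
	"password1234":    true,
	"videoconference": true,
	"qwertyuiop12":    true,
}

// longestRun returns the length of the longest sequence of identical characters.
func longestRun(s string) int {
	best, run := 0, 0
	var prev rune = -1
	for _, r := range s {
		if r == prev {
			run++
		} else {
			run = 1
			prev = r
		}
		if run > best {
			best = run
		}
	}
	return best
}

// CheckPassword returns the list of policy violations for a candidate password;
// an empty list means the password is accepted. username may be an e-mail address,
// in which case only the local part is compared.
func CheckPassword(username, password string) []string {
	var problems []string
	lower := strings.ToLower(password)

	if utf8.RuneCountInString(password) < minLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minLength))
	}
	if breachedPasswords[lower] {
		problems = append(problems, "appears in the breached-password list")
	}
	local := strings.SplitN(strings.ToLower(username), "@", 2)[0]
	if utf8.RuneCountInString(local) >= minNameLen && strings.Contains(lower, local) {
		problems = append(problems, "contains the account name")
	}
	if longestRun(password) > maxRepeat {
		problems = append(problems, fmt.Sprintf("more than %d identical characters in a row", maxRepeat))
	}
	return problems
}

func main() {
	// Constructed sample inputs.
	for _, pw := range []string{"correct horse battery staple", "alice2024!!", "password1234", "aaaa-bbbbb-cccccc"} {
		fmt.Printf("%-30q -> %v\n", pw, CheckPassword("alice@example.org", pw))
	}
}
```

Returning every violation rather than stopping at the first one lets the sign-up page tell the user all of the reasons at once, which is why the function collects a list instead of a single error.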

4. Data control

The provider guarantees that user data and the information shared by users is protected against unauthorised access or loss.

For consumers, the provider offers the following, among other things:

  • Deletion of the user account including data deletion.
  • Adequate protection of data against unauthorised access or loss if it is stored on a connected cloud solution.
  • During the use of a video conference:

    • ...the organiser has the option of controlling and restricting security-relevant functions for the participants. This means, for example, that they can determine who can share files, chat with each other or share a screen.
    • ...the recording of conferences is indicated by a message or acoustic signal, so that anonymous recordings are not possible.
    • ...the switching on and off of sound, picture or screen transmission is displayed in the conference so that transmission by mistake is ruled out.

5. State of the art

The service provider guarantees to keep its service up to date with the latest technology. This includes, among other things:

  • Secure data centre operation including access control.
  • The use of modern encryption technologies for the transmission of data during a video conference. This applies to sound, images, messages and files that are exchanged. Ideally, it uses end-to-end encryption between the participants.
  • Encryption of user data on the service provider's infrastructure to protect it in the event of a security incident.