1.3 Using the IT Baseline Protection Manual

To successfully establish a continuous and effective IT security process, a whole series of actions must be performed. Here the IT Baseline Protection Manual offers advice on methodology and practical aids to implementation. It also contains possible solutions for different tasks relating to IT security, such as drawing up an IT security concept, security audits and certification. Depending on the task concerned, different ways of using the IT Baseline Protection Manual will be appropriate. This section is intended to facilitate getting up to speed with the various procedures. To this end it provides cross references to the relevant chapters of the IT Baseline Protection Manual.

IT security process and IT security management

In both the public and private sectors, organisations have become significantly more dependent over the last few years on the proper functioning of information technology. More and more business processes are either being automated or else redesigned in such a way that major components depend on information technology. There is no sign of this trend letting up in the foreseeable future. IT security must therefore be viewed as an integral element of the primary task. The following action plan contains all the essential steps which are necessary for a continuous IT security process, and should therefore be viewed as a reasoned approach as to how a reasonable level of IT security can be achieved and maintained. This should be systematically adopted.

• Develop an IT security policy

• Select and establish an appropriate organisational structure for IT security management

• Draw up an IT security concept

• Implement the IT security safeguards

• Arrange training and measures aimed at promoting security awareness

• Maintain IT security in ongoing operations

Chapter 3.0 presents an overview of the IT security process and provides a detailed explanation of the individual actions in the form of recommended standard safeguards.

IT structure analysis

"IT assets" refers to all the infrastructural, organisational, personnel and technical components which assist with the performance of tasks in a particular area in which information processing is performed. IT assets can refer to all the IT assets in an organisation or to individual areas defined in terms of organisational structures (e.g. departmental network) or shared IT applications (e.g. HR information system). To create an IT security concept and, in particular, to use the IT Baseline Protection Manual, it is necessary to analyse and document the structure of the existing IT assets. Given that IT systems today are commonly linked together in networks, it is recommended using a network topology plan as the starting point for the analysis. The following aspects must be considered:

• the existing infrastructure,

• the underlying organisational and personnel situation which forms a background to the use of the IT assets,

• the IT systems used, both networked and non-networked,

• the communication links between the IT systems and with the outside world,

• the IT applications run on the IT assets.

The various steps involved in the IT structure analysis are described in detail in Section 2.1 of this manual in the form of instructions on the actions to be taken.

Assessment of protection requirements

The aim of the assessment of protection requirements is to ascertain what protection is adequate and reasonable for the information and the IT assets used. For each application and the information processed within it the potential damage which could occur as a result of loss of confidentiality, integrity or availability is considered. A realistic assessment of the possible consequential damage is also important here. It has proved useful to distinguish three protection requirements categories, "basic to moderate", "high" and "very high". Explanations and practical advice on the assessment of protection requirements are to be found in Section 2.2.

Security concept

It is customary today in both the public and private sectors to network large numbers of IT assets. It is therefore generally expedient when performing an IT security analysis or drawing up an IT security concept to consider the IT assets as a whole rather than individual IT systems. To make this task manageable, it is useful to break down the IT assets into logically distinct parts and to consider each part separately. Before the IT Baseline Protection Manual can be applied to a set of IT assets, detailed documentation regarding its structure must be available. This can be obtained, for example, through performing the IT structure analysis mentioned above. The IT Baseline Protection Manual modules must then be mapped onto the various components which make up the IT assets in a modelling stage.

Section 2.3 of this manual describes how to model the IT assets using modules of the manual. Section 2.4 describes how to then gather information about existing IT protection using a basic security check.

Basic security check

The basic security check is an organisational tool which provides a rapid overview of the existing IT security level. Interviews are used to establish the status quo of an existing set of IT assets (assuming IT baseline protection) in relation to the extent to which the security safeguards contained in the IT Baseline Protection Manual have been implemented. The outcome of this check is a catalogue in which the implementation status of each of the relevant safeguards is classified "Unnecessary", "Yes", "Partially" or "No". By identifying safeguards which have not yet been implemented or have only been partially implemented it is possible to identify where there is scope for improving the security of the IT assets concerned. Section 2.4 describes an action plan for performing a basic security check. This takes into account both the organisational aspects and also the technical requirements during project implementation.

IT security audit

The security safeguards contained in the IT Baseline Protection Manual can also be used to carry out an audit of IT security. By way of example, checklists based on the modules

• 3.1 Organisation

• 3.2 Personnel

• 5.5 PC under Windows NT

• 5.6 PC with Windows 95

have been developed which are intended to support IT security management in reviewing the IT security implemented in the agency/company. Checklists are contained on the CD-ROM which comes with the IT Baseline Protection Manual (see Annex: Additional Aids). The current versions of the checklists should not be viewed as definitive; they merely serve as the basis for discussions and exchanges of experience with users of the IT Baseline Protection Manual. Comments and suggestions for improvement can be forwarded by e-mail to gshb@bsi.bund.de.

Supplementary security analysis

The standard security safeguards aimed at securing baseline protection will normally provide a reasonable and sufficient level of protection. However, if the protection requirement is high or very high it may be appropriate to check whether more stringent IT security safeguards are needed either in addition to or instead of the safeguards required to achieve IT baseline protection. To select a set of suitable IT security safeguards, a supplementary security analysis is performed. This can entail the use of a variety of methods, for example,

• risk analysis,

• penetration testing and

• differential security analysis.

An overview of these methods is presented in Section 2.5. The successful carrying out of the supplementary security analysis depends critically on the expertise of the project team. It may therefore be appropriate to employ the services of specialist external consultants.

Implementation of IT security concepts

A satisfactory level of IT security can only be established if existing weaknesses are ascertained in the security analysis, the status quo is determined in a security concept, the safeguards that are necessary are identified and, above all, these safeguards are also implemented systematically. Section 2.6 describes the factors which should be considered when planning the implementation of IT security safeguards.

IT Baseline Protection Certification

The IT Baseline Protection Manual is used today not only to assist in drawing up IT security concepts but also increasingly as a reference work in the sense of a security standard. By achieving IT Baseline Protection certification, an organisation can provide documentary evidence to the outside world that it has implemented IT baseline protection to the depth required. Section 2.7 introduces the idea of IT Baseline Protection Certification and defines the certification scheme that this entails. The certification level is assigned to one of three different classes which differ both in relation to quality (i.e. the degree of implementation of security safeguards that is necessary) and to assurance. The lowest level can be demonstrated by an employee of the agency/company, while the highest level requires testing by an independent third party.