2.3 IT Baseline Protection Modelling

Once the required information is available from the IT structure analysis and the assessment of protection requirements, the next major task is to model the IT assets under consideration with the aid of the existing modules of the IT Baseline Protection Manual. The outcome of this exercise is an IT baseline protection model of the IT assets which is made up from different modules of the manual, in some cases with the same modules being used several times over, and maps the security-relevant aspects of the IT assets onto specific modules and vice versa.

It makes no difference to the IT baseline protection model created whether the IT assets consist of IT systems already in service or whether the IT assets in question are still at the planning stage. However, the model may be used differently depending on whether the assets are already in use or not.

• The IT baseline protection model for IT assets already in service identifies the standard security safeguards that are relevant through the modules used. It can be used in the form of a test plan for carrying out a target versus actual comparison.

• By contrast, the IT baseline protection module for a planned set of IT assets constitutes a design concept. It specifies via the selected modules which standard security safeguards must be implemented on entry into service of the IT assets.

The diagram below clarifies the role of the modelling and its possible outcomes:

Figure: outcome of IT baseline protection modelling

Typically a set of IT assets currently in use will contain not only elements which have already been implemented but also elements which are still at the planning stage. The resulting IT baseline protection model then contains both a test plan and also elements of a design concept. The IT security concept will then be based on a combination of the IT security safeguards which are identified during the target versus actual comparison as being inadequate or missing and those identified for IT assets which are still at the planning stage.

To map a generally complex set of IT assets to the modules in the manual it is recommended that the IT security aspects are considered as groups arranged according to particular topics.

Figure: Tiers in the IT baseline protection model

The IT security aspects of a set of IT assets are assigned to the individual tiers as follows:

• Tier 1 covers all the general IT security aspects which apply equally to all or large numbers of the IT assets, particularly any universally applicable concepts and the procedures derived therefrom. Typical Tier 1 modules include "IT Security Management", "Organisation", "Data Backup Policy" and "Computer Virus Protection Concept".

• Tier 2 is concerned with architectural and structural factors, in which aspects of the infrastructural security are brought together. This concerns especially the modules "Buildings", "Rooms", "Protective Cabinets" and "Working Place at Home (Telecommuting)".

• Tier 3 concerns the individual IT systems in the set of IT assets which may be grouped together. The IT security aspects considered here relate not only to clients but also to servers and stand-alone systems. Thus, for example, the modules "UNIX System", "Laptop PC", "Windows NT Network" and "Telecommunications System (Private Branch Exchange)" fall within Tier 3.

• Tier 4 considers the networking aspects of the IT systems, which refer to the network connections and communications rather than to particular IT systems. The modules which are relevant here include, for example, "Heterogeneous Networks", "Network and System Management" and "Firewalls".

• Finally Tier 5 is concerned with the actual IT applications which are used on the IT assets. In this tier, the modules used for modelling purposes could include "E-Mail", "WWW Server", "Fax Servers" and "Databases".

Using this tier approach has the following advantages.

• The complexity of the IT security is reduced because the individual aspects are divided up in a meaningful manner.

• As higher order aspects and common infrastructural issues are considered separately from the IT systems, duplication of effort is avoided as those aspects only need to be dealt with once and not repeated for every IT system.

• The various tiers have been defined so that responsibilities for the aspects under consideration are grouped. Tier 1 is concerned with fundamental issues relating to the use of IT, Tier 2 with site technical services, Tier 3 with matters that concern administrators and IT users, Tier 4 with matters that concern the network and system administrators and finally Tier 5 with matters that concern those responsible for or who will run the IT applications.

• Breaking down the security aspects into tiers enables individual subject areas within the ensuing IT security concepts to be updated and expanded more easily, without having a significant effect on other tiers.

IT baseline protection modelling entails determining for the modules of a given tier whether and how they can be used to map the IT assets. Depending on the module considered, the objects which are mapped in this way may be of different kinds: individual components, groups of components, buildings, property, organisational units etc.

The IT baseline protection model, i.e. the assignment of modules to target objects, should be documented in the form of a table containing the following columns:

• Number and title of the module.

• Target object or target group. For example, this could be the identification number of a component or a group or the name of a building or organisational unit.

• Contact person. This column serves initially only as a place holder. The contact person is not determined at the modelling stage, but only at the point when the target versus actual comparison in the basic security check is being planned.

• NB incidental information and the reasoning behind the modelling can be documented in this column.

The procedure for modelling a set of IT assets is described in detail in Section 2.3.1 below. Particular importance here is attached to any constraints which apply, when it is appropriate to use a given module and to which target objects it should be applied. Section 2.3.2 presents a shortened modelling procedure for the special case of a single IT system or a single group.

2.3.1 Modelling a Set of IT Assets

When modelling a set of IT assets it is recommended that the modules are assigned using the 5-tier model. This is then followed by the completeness check.

Tier 1: Higher order aspects of IT security

In this tier the generic aspects of the IT assets, which apply to each individual component, are modelled. The primary elements under consideration here are policies and procedures derived from those policies. These aspects should be controlled uniformly for the entire set of IT assets so that in most cases the corresponding modules then only have to be applied once to the entire set of IT assets.

• Module 3.0 Security Management must be applied once to the entire set of IT assets.

• Module 3.1 Organisation must be used at least once for every set of IT assets. If some of the IT assets under consideration are assigned to another organisational unit and are therefore subject to different framework conditions, the module should be applied separately to each organisational unit. If some of the IT assets are outsourced, this should be viewed as an important special case.

• Module 3.2 Personnel must be used at least once for every set of IT assets. If some of the IT assets under consideration are assigned to a different organisation or organisational unit and are therefore subject to different framework conditions, the module should be applied separately to each organisation or organisational unit. If some of the IT assets are outsourced, this should be viewed as an important special case.

• Module 3.3 Contingency Planning Concept must as a minimum be used where any components have been identified during the protection requirements assessment as having a high or very high protection requirement as regards availability or where relatively large IT systems and/or extensive networks are operated. When working through the module, particular attention should be given to these components.

• Module 3.4 Data Backup Policy should be applied once to the entire set of IT assets.

• Module 3.6 Computer Virus Protection Concept should be applied once to the entire set of IT assets if this includes any systems which could fall prey to computer viruses.

• Module 3.7 Crypto concept should as a minimum be used where any components have been identified in the protection requirements assessment as having a high or very high protection requirement as regards confidentiality or integrity or where cryptographic procedures are already in use.

• Module 3.8 Handling of security incidents should as a minimum be used where any components have been identified in the protection requirements assessment as having a high or very high protection requirements as regards one of three basic parameters, or where failure of the entire set of IT assets would result in damage in the categories "high" or "very high".

• Module 3.9 Hardware and Software Management must be used at least once for every set of IT assets. If some of the IT assets under consideration are assigned to another organisational unit and are therefore subject to different framework conditions, the module should be applied separately to each organisational unit. If some of the IT assets are outsourced, this should be viewed as an important special case.

• Module 9.1 Standard Software should be applied at least once to the entire set of IT assets. If there are any sub-areas within the IT assets which have different requirements or procedures as regards the use of standard software, then module 9.1 should be applied to each of these sub-areas separately.

Tier 2: Security of the infrastructure

The structural conditions relevant to the existing IT assets are modelled with the aid of the modules contained in Chapter 4 "Infrastructure". This entails assignment of the relevant module from the IT Baseline Protection Manual to every building, room or protective cabinet (or group of these components).

• Module 4.1 Buildings must be used once for every building or group of buildings.

• Module 4.2 Cabling must generally be applied once per building or group of buildings (in addition to module 4.1). However, it may be that certain areas, for example the server room or control room, have special cabling requirements, in which case it may be advisable to apply module 4.2 to those parts of the building separately.

• Module 4.3.1 Office must be applied to all rooms or groups of rooms in which information technology is used but to which none of modules 4.3.2, 4.3.3 or 4.3.4 is being applied.

• Module 4.3.2 Server Room must be applied to every room or group of rooms in which servers or PBXs are operated. Servers are IT systems which make services available on the network.

• Module 4.3.3 Data Media Archives must be applied to every room or group of rooms in which data media are stored or archived.

• Module 4.3.4 Technical Infrastructure Room must be applied to every room or group of rooms in which technical devices which require little or no human intervention to run are operated (e.g. distribution cabinet or standby power supply system).

• Module 4.4 must be applied to every protective cabinet or group of protective cabinets once. Protective cabinets can serve as an alternative to a dedicated server room.

• Module 4.5 must be applied once to every working place at home or group of the same (if corresponding groups have been defined).

• Module 4.6 must be applied to every computer centre. A computer centre comprises the facilities and premises necessary to operate a large data processing system installed centrally for a number of offices.

Tier 3: Security of the IT systems

This tier is concerned with security aspects relating to IT systems, i.e. to server and client computers, hosts, terminals etc. Tier 3 is covered by modules from Chapters 5 to 9 of the IT Baseline Protection Manual.

By analogy with the area "Security of the infrastructure", the modules relating to the area of "Security of the IT systems" may be applied either to individual IT systems or to groups of such IT systems. This is assumed below although no further specific reference to it is made.

• Module 5.1 DOS-PC (single user)must be applied to every stand-alone computer or client on which the DOS operating system is installed.

• Module 5.2 UNIX System must be applied to every stand-alone computer or client which runs under the UNIX operating system.

• Module 5.3 Laptop PC must be applied to every mobile computer (laptop).

• Module 5.4 PCs with a Non-Constant User Population must be applied to every stand-alone computer or client on which different users work at different times.

NB it may not be necessary to apply module 5.4 to IT systems which are being modelled using modules 5.5, 5.6 or 5.99. These modules specifically address security aspects of situations where IT assets are used at different times by different users.

• Module 5.5 PC under Windows NT must be applied to every stand-alone computer or client which runs under Windows NT.

• Module 5.6 PC with Windows 95must be applied to every stand-alone computer or client which runs under Windows 95.

• Module 5.99 Stand-alone IT systems must be applied to every IT system for which there is no operating system-specific module in the IT Baseline Protection Manual.

• Module 6.1 Server-supported Network must be applied to every IT system which offers services (e.g. file or print services) as a server in the network.

• Module 6.2 UNIX Server must be applied to every server which runs under the UNIX operating system.

• Module 6.3 Peer-to-Peer Network must be applied to every client which offers peer-to-peer services (for example shared directories) in the network.

• Module 6.4 Windows NT Network must be applied to every server which runs under Windows NT.

• Module 6.5 Novell Netware 3.x must be applied to every server which runs under this operating system.

• Module 6.6 Novell Netware 4.x must be applied to every server which runs under this operating system.

NB in addition to the operating system-specific module, module 6.1 must be applied for every server as this module draws together all the platform-independent security aspects of servers.

• Module 8.1 must be applied to every private branch exchange or to every corresponding group.

• Module 8.2 must be applied to every fax machine or to every corresponding group.

• Module 8.3 must be applied to every answering machine or to every corresponding group.

• Module 8.6 Mobile Telephones should be applied at least once if the use of mobile phones is not forbidden in the organisation or organisational unit under consideration. If there are several different mobile phone operational areas (for example several mobile phone pools) then module 8.6 should be applied separately to each one.

• Module 9.3 Telecommuting must also be applied to every IT system which is used for telework.

Tier 4: Security in the network

This tier is concerned with security aspects in the network which cannot be isolated to particular IT systems (e.g. servers) in the network. Rather, the concern here is those security aspects which relate to the network connections and communications between the IT systems.

To simplify matters, it may be appropriate to consider sections within the complete network rather than the whole network at once. The division of the full network into subnets should be performed in accordance with these two criteria:

• The assessment of protection requirements will have identified connections over which certain data must under no circumstances be transported. These connections should be viewed as "interfaces" between subnets, i.e. the two endpoints of such a connection should be in different subnets. Conversely, connections which transport data that has a high or very high protection requirement should if possible not pass over any subnet boundaries. If this principle is followed, the protection requirements of the resulting subnets will be uniform as far as possible.

• Components which are only connected to each other over a long-distance connection should not be assigned to the same subnet i.e. subnets should not extend over more than one location or property. This is desirable both in order to retain an overview and for the efficient running of the project.

If these two criteria do not lend themselves to a suitable division of the full network (for example because some of the resulting subnets are too large or too small), as an alternative the division into subnets may proceed at the organisational level. Under this approach, the subnets are defined so that they correspond to discreet areas of responsibility of the different administrators or teams of administrators.

It is not possible to make a definite recommendation as to how best to subdivide the complete network into subnets, as the requirements stated above might be incompatible with the existing IT assets. Instead, a decision should be made in the individual case as to what is the most practical way of splitting up the complete network, bearing in mind the modules of the IT Baseline Protection Manual which are to be used.

• Module 6.7 Heterogeneous Networks must generally be applied to every subnet. However, if the subnets are small and several subnets fall within the responsibility of the same team of administrators, it may be sufficient to apply module 6.7 only once to all of these subnets.

• Module 6.8 Network and System Management must be applied to every network or system management system used on the IT assets under consideration.

• Module 7.2 Modem must be applied to every IT system equipped with a modem or to each group of such IT systems.

• Module 7.3 Firewall must be applied to every external connection to third party IT systems or networks where IT systems in the internal network which have a high protection requirement can be accessed over this external connection. This applies also if no firewall system is in use there yet. Examples here are Internet connections, remote access facilities and links to networks owned by business partners.

• Module 7.6 Remote Access must be applied once wherever remote access to the internal network is possible by a route other than over a dedicated leased line (e.g. telework, linking of staff working out in the field over analogue dial-up lines, ISDN or mobile phone).

• Module 8.4 LAN integration of an IT system via ISDN must be applied to all external connections which are implemented over ISDN.

Tier 5: Security in applications

The lowest tier entails modelling of the applications. Modern applications are seldom limited to a single IT system. In particular, core applications used across an entire organisation are generally implemented as client/server applications. In many cases servers themselves access other servers downstream, e.g. database systems. The security of the applications must therefore be considered independently of the IT systems and networks.

• Module 7.1 Exchange of Data Media should be used once for every application which serves as a source of data for an exchange of data media or processes data received by this route.

• Module 7.4 E-Mail must be applied to every e-mail system (internal or external) of the IT assets under consideration.

• Module 7.5 WWW Server must be applied to every WWW service (e.g. Intranet or Internet) of the IT assets under consideration.

• Module 7.7 must be applied to every workgroup system based on the Lotus Notes product or to every corresponding group of IT assets.

• Module 8.5 must be applied to every fax server or to every corresponding group.

• Module 9.2 Databases should be used once for every database system or group of database systems.

Completeness check

In the final step a check should be performed as to whether the entire system has been modelled without any gaps. It is recommended that the network plan or a similar overview of the IT assets is used here and that the individual components are checked systematically. Every component should either be assigned to a group or else be modelled separately. If the complete network has been divided into subnets in connection with Tier 4, a check should be performed as to whether

• every subnet has been completely represented and

• the sum of all the subnets completely describes the whole system.

It is important that not only all hardware and software components are modelled from a technical perspective, but that the related organisational, personnel and infrastructural aspects are fully covered also. This can be checked using the tables provided in Section 2.3.2, in which for a few typical components those modules of the IT Baseline Protection Manual which should be included in the modelling in every case are specified.

If, when performing these checks, any gaps are revealed in the modelling, the relevant missing components must be added. Otherwise there is a risk that important elements of the complete system or important security aspects will be overlooked when using the IT Baseline Protection Manual.

If it is not possible to perform all the modelling because some modules which are needed are missing from the IT Baseline Protection Manual, we would ask you to notify your requirements to the BSI's IT Baseline Protection Hotline.

Bundesamt für Organisation und Verwaltung (Federal Agency for Organisation and Administration, BOV) - Part 8

The table below is an excerpt from the modelling performed for the fictitious BOV Department.

2.3.2 Modelling of an Individual IT System

Depending on the object(s) under examination, the tables below serve different functions. If the IT assets under consideration consists only of a single IT system or a single group of IT systems which have the same configuration, same framework conditions and same applications, then as a minimum the modules required for modelling can be read directly out of these tables. Modules with no entry in the relevant column should be used as well if they are relevant to the individual IT system under consideration.

If on the other hand the IT assets are composed out of different components, then the tables provided below will help in checking whether modelling as described in Section 2.3.1 is complete. If, for example, the present IT assets contain Windows NT clients, then all the modules which have an "X" in the relevant table should be considered during modelling. Modules identified with "(X)" only need to be used when certain conditions apply. These conditions are listed in Section 2.3.1.

Key: