When modelling a set of IT assets it is recommended that the modules are assigned using the 5-tier model. This is then followed by the completeness check.

Tier 1: Higher order aspects of IT security

In this tier the generic aspects of the IT assets, which apply to each individual component, are modelled. The primary elements under consideration here are policies and procedures derived from those policies. These aspects should be controlled uniformly for the entire set of IT assets so that in most cases the corresponding modules then only have to be applied once to the entire set of IT assets.

• Module 3.0 Security Management must be applied once to the entire set of IT assets.

• Module 3.1 Organisation must be used at least once for every set of IT assets. If some of the IT assets under consideration are assigned to another organisational unit and are therefore subject to different framework conditions, the module should be applied separately to each organisational unit. If some of the IT assets are outsourced, this should be viewed as an important special case.

• Module 3.2 Personnel must be used at least once for every set of IT assets. If some of the IT assets under consideration are assigned to a different organisation or organisational unit and are therefore subject to different framework conditions, the module should be applied separately to each organisation or organisational unit. If some of the IT assets are outsourced, this should be viewed as an important special case.

• Module 3.3 Contingency Planning Concept must as a minimum be used where any components have been identified during the protection requirements assessment as having a high or very high protection requirement as regards availability or where relatively large IT systems and/or extensive networks are operated. When working through the module, particular attention should be given to these components.

• Module 3.4 Data Backup Policy should be applied once to the entire set of IT assets.

• Module 3.6 Computer Virus Protection Concept should be applied once to the entire set of IT assets if this includes any systems which could fall prey to computer viruses.

• Module 3.7 Crypto concept should as a minimum be used where any components have been identified in the protection requirements assessment as having a high or very high protection requirement as regards confidentiality or integrity or where cryptographic procedures are already in use.

• Module 3.8 Handling of security incidents should as a minimum be used where any components have been identified in the protection requirements assessment as having a high or very high protection requirements as regards one of three basic parameters, or where failure of the entire set of IT assets would result in damage in the categories "high" or "very high".

• Module 3.9 Hardware and Software Management must be used at least once for every set of IT assets. If some of the IT assets under consideration are assigned to another organisational unit and are therefore subject to different framework conditions, the module should be applied separately to each organisational unit. If some of the IT assets are outsourced, this should be viewed as an important special case.

• Module 9.1 Standard Software should be applied at least once to the entire set of IT assets. If there are any sub-areas within the IT assets which have different requirements or procedures as regards the use of standard software, then module 9.1 should be applied to each of these sub-areas separately.

Tier 2: Security of the infrastructure

The structural conditions relevant to the existing IT assets are modelled with the aid of the modules contained in Chapter 4 "Infrastructure". This entails assignment of the relevant module from the IT Baseline Protection Manual to every building, room or protective cabinet (or group of these components).

• Module 4.1 Buildings must be used once for every building or group of buildings.

• Module 4.2 Cabling must generally be applied once per building or group of buildings (in addition to module 4.1). However, it may be that certain areas, for example the server room or control room, have special cabling requirements, in which case it may be advisable to apply module 4.2 to those parts of the building separately.

• Module 4.3.1 Office must be applied to all rooms or groups of rooms in which information technology is used but to which none of modules 4.3.2, 4.3.3 or 4.3.4 is being applied.

• Module 4.3.2 Server Room must be applied to every room or group of rooms in which servers or PBXs are operated. Servers are IT systems which make services available on the network.

• Module 4.3.3 Data Media Archives must be applied to every room or group of rooms in which data media are stored or archived.

• Module 4.3.4 Technical Infrastructure Room must be applied to every room or group of rooms in which technical devices which require little or no human intervention to run are operated (e.g. distribution cabinet or standby power supply system).

• Module 4.4 must be applied to every protective cabinet or group of protective cabinets once. Protective cabinets can serve as an alternative to a dedicated server room.

• Module 4.5 must be applied once to every working place at home or group of the same (if corresponding groups have been defined).

• Module 4.6 must be applied to every computer centre. A computer centre comprises the facilities and premises necessary to operate a large data processing system installed centrally for a number of offices.

Tier 3: Security of the IT systems

This tier is concerned with security aspects relating to IT systems, i.e. to server and client computers, hosts, terminals etc. Tier 3 is covered by modules from Chapters 5 to 9 of the IT Baseline Protection Manual.

By analogy with the area "Security of the infrastructure", the modules relating to the area of "Security of the IT systems" may be applied either to individual IT systems or to groups of such IT systems. This is assumed below although no further specific reference to it is made.

• Module 5.1 DOS-PC (single user)must be applied to every stand-alone computer or client on which the DOS operating system is installed.

• Module 5.2 UNIX System must be applied to every stand-alone computer or client which runs under the UNIX operating system.

• Module 5.3 Laptop PC must be applied to every mobile computer (laptop).

• Module 5.4 PCs with a Non-Constant User Population must be applied to every stand-alone computer or client on which different users work at different times.

NB it may not be necessary to apply module 5.4 to IT systems which are being modelled using modules 5.5, 5.6 or 5.99. These modules specifically address security aspects of situations where IT assets are used at different times by different users.

• Module 5.5 PC under Windows NT must be applied to every stand-alone computer or client which runs under Windows NT.

• Module 5.6 PC with Windows 95must be applied to every stand-alone computer or client which runs under Windows 95.

• Module 5.99 Stand-alone IT systems must be applied to every IT system for which there is no operating system-specific module in the IT Baseline Protection Manual.

• Module 6.1 Server-supported Network must be applied to every IT system which offers services (e.g. file or print services) as a server in the network.

• Module 6.2 UNIX Server must be applied to every server which runs under the UNIX operating system.

• Module 6.3 Peer-to-Peer Network must be applied to every client which offers peer-to-peer services (for example shared directories) in the network.

• Module 6.4 Windows NT Network must be applied to every server which runs under Windows NT.

• Module 6.5 Novell Netware 3.x must be applied to every server which runs under this operating system.

• Module 6.6 Novell Netware 4.x must be applied to every server which runs under this operating system.

NB in addition to the operating system-specific module, module 6.1 must be applied for every server as this module draws together all the platform-independent security aspects of servers.

• Module 8.1 must be applied to every private branch exchange or to every corresponding group.

• Module 8.2 must be applied to every fax machine or to every corresponding group.

• Module 8.3 must be applied to every answering machine or to every corresponding group.

• Module 8.6 Mobile Telephones should be applied at least once if the use of mobile phones is not forbidden in the organisation or organisational unit under consideration. If there are several different mobile phone operational areas (for example several mobile phone pools) then module 8.6 should be applied separately to each one.

• Module 9.3 Telecommuting must also be applied to every IT system which is used for telework.

Tier 4: Security in the network

This tier is concerned with security aspects in the network which cannot be isolated to particular IT systems (e.g. servers) in the network. Rather, the concern here is those security aspects which relate to the network connections and communications between the IT systems.

To simplify matters, it may be appropriate to consider sections within the complete network rather than the whole network at once. The division of the full network into subnets should be performed in accordance with these two criteria:

• The assessment of protection requirements will have identified connections over which certain data must under no circumstances be transported. These connections should be viewed as "interfaces" between subnets, i.e. the two endpoints of such a connection should be in different subnets. Conversely, connections which transport data that has a high or very high protection requirement should if possible not pass over any subnet boundaries. If this principle is followed, the protection requirements of the resulting subnets will be uniform as far as possible.

• Components which are only connected to each other over a long-distance connection should not be assigned to the same subnet i.e. subnets should not extend over more than one location or property. This is desirable both in order to retain an overview and for the efficient running of the project.

If these two criteria do not lend themselves to a suitable division of the full network (for example because some of the resulting subnets are too large or too small), as an alternative the division into subnets may proceed at the organisational level. Under this approach, the subnets are defined so that they correspond to discreet areas of responsibility of the different administrators or teams of administrators.

It is not possible to make a definite recommendation as to how best to subdivide the complete network into subnets, as the requirements stated above might be incompatible with the existing IT assets. Instead, a decision should be made in the individual case as to what is the most practical way of splitting up the complete network, bearing in mind the modules of the IT Baseline Protection Manual which are to be used.

• Module 6.7 Heterogeneous Networks must generally be applied to every subnet. However, if the subnets are small and several subnets fall within the responsibility of the same team of administrators, it may be sufficient to apply module 6.7 only once to all of these subnets.

• Module 6.8 Network and System Management must be applied to every network or system management system used on the IT assets under consideration.

• Module 7.2 Modem must be applied to every IT system equipped with a modem or to each group of such IT systems.

• Module 7.3 Firewall must be applied to every external connection to third party IT systems or networks where IT systems in the internal network which have a high protection requirement can be accessed over this external connection. This applies also if no firewall system is in use there yet. Examples here are Internet connections, remote access facilities and links to networks owned by business partners.

• Module 7.6 Remote Access must be applied once wherever remote access to the internal network is possible by a route other than over a dedicated leased line (e.g. telework, linking of staff working out in the field over analogue dial-up lines, ISDN or mobile phone).

• Module 8.4 LAN integration of an IT system via ISDN must be applied to all external connections which are implemented over ISDN.

Tier 5: Security in applications

The lowest tier entails modelling of the applications. Modern applications are seldom limited to a single IT system. In particular, core applications used across an entire organisation are generally implemented as client/server applications. In many cases servers themselves access other servers downstream, e.g. database systems. The security of the applications must therefore be considered independently of the IT systems and networks.

• Module 7.1 Exchange of Data Media should be used once for every application which serves as a source of data for an exchange of data media or processes data received by this route.

• Module 7.4 E-Mail must be applied to every e-mail system (internal or external) of the IT assets under consideration.

• Module 7.5 WWW Server must be applied to every WWW service (e.g. Intranet or Internet) of the IT assets under consideration.

• Module 7.7 must be applied to every workgroup system based on the Lotus Notes product or to every corresponding group of IT assets.

• Module 8.5 must be applied to every fax server or to every corresponding group.

• Module 9.2 Databases should be used once for every database system or group of database systems.

Completeness check

In the final step a check should be performed as to whether the entire system has been modelled without any gaps. It is recommended that the network plan or a similar overview of the IT assets is used here and that the individual components are checked systematically. Every component should either be assigned to a group or else be modelled separately. If the complete network has been divided into subnets in connection with Tier 4, a check should be performed as to whether

• every subnet has been completely represented and

• the sum of all the subnets completely describes the whole system.

It is important that not only all hardware and software components are modelled from a technical perspective, but that the related organisational, personnel and infrastructural aspects are fully covered also. This can be checked using the tables provided in Section 2.3.2, in which for a few typical components those modules of the IT Baseline Protection Manual which should be included in the modelling in every case are specified.

If, when performing these checks, any gaps are revealed in the modelling, the relevant missing components must be added. Otherwise there is a risk that important elements of the complete system or important security aspects will be overlooked when using the IT Baseline Protection Manual.

If it is not possible to perform all the modelling because some modules which are needed are missing from the IT Baseline Protection Manual, we would ask you to notify your requirements to the BSI's IT Baseline Protection Hotline.

Bundesamt für Organisation und Verwaltung (Federal Agency for Organisation and Administration, BOV) - Part 8

The table below is an excerpt from the modelling performed for the fictitious BOV Department.