IT Baseline Protection Manual S 2.182 Regular revision of IT security measures

Initiation responsibility: IT Security Management

Implementation responsibility: Head of IT Section, IT Security Management

The IT Baseline Protection Manual presents a number of procedures which are necessary if the desired level of IT security is to be achieved. It is not sufficient simply to make these procedures known; adherence to them must also be monitored on a regular basis. In this context, however, "regular" does not mean that revisions take place at predictable times, since pre-announced checks generally produce a distorted picture of the object under investigation.

Revisions should be geared towards remedying defects. If revisions are to be accepted, it is important that all those involved recognise this as the objective of the revision and that staff do not feel they are being treated like schoolchildren. It is therefore a good idea to discuss possible solutions to problems with participants during a check and to prepare appropriate remedies in advance.

When employees ignore or circumvent a procedure, this is generally a sign that the procedure cannot be reconciled with work routines or that it is not possible for staff to implement it. For example, an instruction not to leave confidential material unattended on the printer is inappropriate if the only resource available for printing is a network printer some distance away.

If shortcomings are identified during security revisions, the aim should be not simply to remove the symptoms. It is far more important to determine the causes of these problems and to identify solutions. These could, for example, involve changes to existing procedures or taking additional technical measures.

Revisions should help to remove the sources of errors. If revisions are to be accepted by staff, it is extremely important that they do not result in any individuals being exposed or identified as "guilty". When employees live in fear of being exposed in this way, there is a danger that they will not be frank in reporting weaknesses and security shortcomings they are aware of, but will instead attempt to hush up existing problems.

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: January 2000