IT Baseline Protection Manual S 2.191 Establishment of the IT security process

S 2.191 Establishment of the IT security process

Initiation responsibility: Agency/company management

Implementation responsibility: Agency/company management

Establishing and maintaining a reasonable and adequate level of IT security for a complex set of IT assets requires planned and organised action by everyone involved. Strategic key statements must be prepared, design requirements worked out and an organisational framework established so that the company or agency can function with proper and secure IT support. Management initiates a controlled IT security process, which lays the groundwork for the thoughtful design, efficient implementation and success monitoring of IT security measures.

As the highest echelons of Management are not only responsible generally for the systematic and proper functioning of an organisation but also for guaranteeing IT security, the IT security process must be initiated, directed and monitored from that level. Ideally, the following specific conditions should be satisfied:

If this framework does not exist in a given situation, a first step should be to implement the missing IT security measures at "shopfloor" level. In all cases, however, every attempt should be made to make Management aware of the importance of IT security, so that it takes its responsibility in this area seriously. Although many aspects of the IT security process can be initiated on the shopfloor and will improve the security situation, there is no guarantee that such actions will lead to a permanent raising of the IT security level.

The establishment of a functional IT security process can be achieved through the following steps:

Step 1: Drawing up of an Information Security Policy

A set of IT security objectives that are derived from the overriding business objectives, marketing strategy and the general security objectives of the company or agency should be defined. The greater the dependence of the organisation on the use of IT and the operational capability provided through IT, the more important it is to consider the IT security objectives at all levels of the organisation.

The Information Security Policy should be based on the IT security objectives agreed at Management level. It should define the internal organisational structures, guidelines, rules and procedures which are necessary to achieve the IT security goals. Depending on the size of the organisation, it may be appropriate in addition to the enterprise-wide Information Security Policy to prepare one (or more) sets of departmental or site-specific information security policy documents derived therefrom.

The Information Security Policy must be made available to all the staff affected by it in a suitable form. By this means, Management can ensure that there is full visibility of the importance of IT security to the organisation.

Full details of this task are provided in S 2.192 Drawing up an Information Security Policy.

Step 2: Selection and establishment of an appropriate organisational structure for IT security

If a functioning IT security process is to be established, it is essential that an appropriate organisational framework is created and that the relevant responsibilities are delegated. The choice of such an organisational structure must reflect the size of the agency or company. This should entail establishment in a suitable manner of an IT Security Management Team and/or appointment of an IT Security Officer. In addition, responsibilities, tasks and authorities must be assigned in a systematic manner and notified.

This subject is described in more detail in S 2.193 Establishment of a suitable organisational structure for IT security.

Step 3: Preparing a schedule of existing IT systems

It is absolutely critical for the IT security concept, which is created in Step 4, that there is a complete schedule of the IT systems employed in the company or agency, the IT applications run on them and the data handled thereby. If such a schedule does not already exist, then it must be drawn up at this stage.

A list of the information that is absolutely essential to the creation of the IT security concept will be found in S 2.194 Drawing up a schedule of existing IT systems.

Step 4: Definition of the procedure for drawing up the IT security concept

To raise IT security to an appropriate level, it is necessary to identify existing vulnerabilities and to select and implement appropriate IT security measures. A number of possible procedures for ascertaining vulnerabilities and selecting appropriate measures are available. These include:

As well as deciding on the methodical approach, a decision must be made as to the sequence in which existing IT provision will be examined and to what extent.

In general it should be noted that the standard security measures of IT baseline protection are also essential for IT systems with a high protection requirement. Where high-security systems are in use, these standard measures will usually need to be supplemented by more stringent ones. When selecting the approach, it should be noted that little prior knowledge is needed to apply the IT baseline protection methodology, whereas a high level of specialist knowledge is needed for detailed risk analyses, in particular to identify vulnerabilities and the safeguards that protect against them.

The BSI therefore recommends that any baseline IT protection safeguards not already in place be implemented for all IT systems and that, in parallel, a detailed security analysis be performed for those elements which require a high level of protection. In this way a comprehensive level of IT security can be achieved in a relatively short time, so that IT systems with a high protection requirement already enjoy a certain degree of protection during the transition period before the detailed security analyses are completed.

The procedure to be followed in drawing up a security concept is described in detail in S 2.195 Drawing up an IT security concept.

Step 5: Implementation of IT security measures

The implementation of the IT security measures identified during the process of drawing up the IT security concept must be organised and specified in an implementation plan. This will serve as a planning tool when it comes to co-ordinating implementation of the measures and as a control instrument to be used during actual implementation. All the actions and responsibilities necessary to update or implement security measures should be specified in writing in this plan.

Once implementation is complete, it must be established in every case whether all the measures have been implemented in accordance with the plan and "work" as intended. When testing the effectiveness of these measures, it may be sufficient to perform spot checks in previously determined areas.

The procedure to be followed in preparing an implementation plan for IT security measures and their implementation is described in S 2.196 Implementation of the IT security concept in accordance with an implementation plan.

Step 6: IT security in ongoing operations

In order that an IT security concept can be effective in everyday operations, it is necessary that all employees of a company or agency correctly implement the measures which affect them, identify any remaining vulnerabilities and play an active role in eliminating these. This requires that all staff receive adequate training on IT security issues and that steps are taken to ensure that their awareness of the risks and of the possibilities for improvement during ongoing operations is built up and continually enhanced. These points are also essential to staff acceptance of the IT security measures.

Safeguards S 2.197 Drawing up a training concept for IT security and S 2.198 Making staff aware of IT security issues present principles and possible approaches for achieving this objective.

Step 7: Maintaining secure operations

In order that the desired security level is not attained once and then lost but is maintained in the long term, the IT security measures implemented must also remain effective in ongoing operations. In perhaps no other area does an established security level become outdated so rapidly as in the dynamic IT environment. In particular, lessons learned from security-relevant incidents, changes in the technical and/or organisational environment, changes in security requirements and the advent of new threats require that existing IT security measures be modified.

Safeguard S 2.199 Maintenance of IT security contains detailed recommendations on how to ensure that these are properly updated.

Modifications of the IT security process often require a decision from the uppermost echelons of management. To this end, Management must be informed of the level of IT security achieved and of any existing problems and vulnerabilities. For this purpose an "IT Security" management report should be prepared at regular intervals.

Safeguard S 2.200 Preparation of management reports on IT security contains advice on how to prepare and present such reports.

To ensure the continuity and consistency of the entire IT security process, it is essential that the process is documented. Only in this way can basic weaknesses in the process be reliably detected and any departures from course be corrected early.

Recommendations as to the content and scope of this documentation will be found in safeguard S 2.201 Documentation of the IT security process.

Additional tools and aids regarding the IT security process are presented in safeguards S 2.202 Preparation of an IT Security Organisational Manual and S 2.203 Establishment of a pool of information on IT security.

Readers who wish to gain a deeper understanding of the "IT security process" subject-matter are recommended to read Part 3 of ISO/IEC Standard 13335 "Guidelines for the Management of IT Security".

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: October 2000