IT Baseline Protection Manual

S 2.195 Drawing up an IT security concept

Initiation responsibility: Agency/company management; IT Security Management Team

Implementation responsibility: IT Security Management Team

The IT security concept is the "central" document in the IT security process of a company/agency. Every security measure implemented must in the final analysis be derived from this.

First of all an IT security concept contains a description of the current status of the IT assets and the information to be handled on them. "IT assets" refers here to all of the technical components which are used in connection with the performance of tasks. This includes the IT systems and the IT applications. The current status of the IT assets covers not only a description of the technical components, the IT applications operated and the information to be handled using these applications but also a list of any existing vulnerabilities, possible threats and measures already implemented.

Depending on the protection requirements of the existing IT assets (which must be determined in advance, with rationale) and the information to be handled, the amount of effort involved in proceeding will be different. The BSI's recommendation here is to implement the safeguards contained in this manual on every IT system and in parallel to perform a supplementary IT security analysis for any components which have a high or very high protection requirement.

All staff who come into contact with the IT assets to be examined and the information handled on them should be involved in the preparation of an IT security concept in a manner which reflects their usage of the assets. Similarly, creation of an organisation-wide IT security concept presupposes that there are records of all the existing IT systems (see S 2.194 Drawing up a schedule of existing IT systems).

When drawing up an IT security concept, the approach described below is recommended. (A detailed description of the recommended procedure for drawing up an IT security concept which provides IT baseline protection is provided in Chapter 2 of this manual.)

1. Determination of protection requirements
When determining the protection requirements, the question of how great the maximum damage would be if the availability, integrity and confidentiality of the IT systems to be examined and the information handled on them were to be impaired must be answered. To answer this question, the following steps must be carried out:

1.1 Capture of the IT systems and the information handled on them
This step requires by its nature that all the IT systems to be examined and the information handled on them are recorded and described with reference to the technical task involved. This description should be supplemented to include a statement as to whether these IT systems and this information are very important, important or less important to task performance.

1.2 Assessment of the captured IT systems and the information to be handled
This stage involves determining the maximum damage which could be sustained in the event of loss of the three basic parameters of availability, integrity and confidentiality by every IT system and by the information handled thereon. The potential damage can be classified into various damage scenarios:
- impairment of informational self-determination,
- physical injury,
- impaired performance of duties,
- negative consequences for the image and
- financial consequences.
Based on the amount of potential damage and the consequences of this, a distinction is made between two protection requirements categories:
- basic to moderate
- high to very high

2. Capture of information relating to the current security situation
To determine the current security situation it is necessary to examine the IT systems in depth. This should entail collecting information both about existing security measures and about security shortcomings (comparison between planned and actual situation).

3. Selection of IT baseline protection safeguards
For all the IT systems and information under investigation, irrespective of the protection requirements category to which they have been assigned, the recommended safeguards contained in the present manual should now be implemented.

4. Supplementary security analysis
There are a number of reasons for carrying out an IT security analysis. For example, this can be appropriate where the protection requirement for an IT system and the information to be handled on it is "high" or "very high", or where the IT systems concerned have not yet been covered in the IT Baseline Protection Manual, so that no IT baseline protection safeguards yet exist for them. In addition to penetration testing and vulnerability analysis for selected areas, risk analysis is another possible procedure for such an IT security analysis. The BSI IT Security Manual describes how to perform a risk analysis. It can be performed as follows:

4.1 Analysis of vulnerabilities and threats
The aim of the analysis of vulnerabilities and threats is to identify as many as possible of the existing vulnerabilities and all "significant" threats.

4.2 Assessment of the risks identified
This step entails assessing the current risks posed by threats in terms of the damage these could cause and the frequency of such damage.

4.3 Determination of appropriate security measures
Additional measures must be selected for any risks identified in the previous analysis as being intolerable, taking into account the current security situation and the vulnerabilities and threats identified.

5. Consolidation of all measures
For the IT security measures identified in steps 3 and 4 as being necessary, a check must be made as to whether these are complementary or have negative effects on each other. If appropriate, IT baseline protection safeguards can be replaced by more stringent measures. During the consolidation process, these overlaps are removed.

6. Consideration of cost-benefit trade-off, overall cost
The safeguards contained in the IT Baseline Protection Manual are standard security measures. In other words, they constitute a set of requirements to be implemented so as to afford state-of-the-art protection to the IT systems under consideration. These safeguards may thus be generally considered to be reasonable. Most of them do not require any financial investment. However, some of them, especially safeguards presented as optional, do require financial resources. It is important to prepare a cost plan. This will give the person responsible a good idea of the costs that will be incurred. Approval should be sought from Management for the necessary labour and financial resources.

7. Consideration of residual risk
If the personnel and financial resources provided for IT security are not sufficient to implement all the missing IT security measures, those which have priority should be implemented. However, if some of the safeguards are not implemented, some security loopholes may remain for the time being. The resulting residual risk, defined in terms of the amount of possible damage and an assessment of the quantitative or qualitative likelihood of occurrence, should be presented to Management for approval. If necessary, additional residual risks can be reduced if the budget is increased.
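The following Python script is an added worked example, not part of the BSI manual, that carries steps 1.2, 4.2, 4.3 and 7 through on constructed data: it derives the protection requirements category of each IT system from the maximum damage per basic parameter and damage scenario, rates risks by damage and frequency, marks the intolerable ones, and then shows which of them remain as residual risk once a limited budget has been spent on the highest-rated ones. The rule that the worst rating decides the category, the ordinal 1 to 3 scales, the tolerance threshold and all system, threat and measure names are assumptions made for the example; the manual names the categories and scenarios but fixes no such rules or scales.

```python
"""Worked example (added, not BSI's): protection requirements (step 1.2),
risk rating (step 4.2), intolerable risks (step 4.3) and residual risk (step 7)
on constructed data."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The two protection requirements categories named in step 1.2."""
    BASIC_TO_MODERATE = 1
    HIGH_TO_VERY_HIGH = 2


PARAMETERS = ("availability", "integrity", "confidentiality")
# The five damage scenarios listed in step 1.2.
SCENARIOS = ("self_determination", "physical_injury", "task_performance",
             "image", "financial")


@dataclass(frozen=True)
class ITSystem:
    name: str
    assessment: dict  # assessment[parameter][scenario] -> Level (constructed)


def protection_requirement(system):
    """Step 1.2: maximum damage per parameter, then for the system as a whole.
    Assumption: the worst rating decides; an unrated scenario counts as basic."""
    per_parameter = {
        p: max(system.assessment.get(p, {}).get(s, Level.BASIC_TO_MODERATE)
               for s in SCENARIOS)
        for p in PARAMETERS
    }
    return per_parameter, max(per_parameter.values())


def needs_supplementary_analysis(system):
    """Step 4: systems rated high or very high get a supplementary analysis."""
    return protection_requirement(system)[1] is Level.HIGH_TO_VERY_HIGH


@dataclass(frozen=True)
class Risk:
    system: str
    threat: str
    damage: int     # ordinal 1..3 (constructed scale)
    frequency: int  # ordinal 1..3 (constructed scale)

    @property
    def rating(self):
        """Step 4.2: risk expressed through damage and frequency of damage."""
        return self.damage * self.frequency


TOLERANCE = 4  # assumption: ratings above this value are intolerable (step 4.3)


def intolerable(risks):
    return [r for r in risks if r.rating > TOLERANCE]


@dataclass(frozen=True)
class Measure:
    name: str
    cost: int
    covers: tuple  # (system, threat) pairs whose risk this measure addresses


def plan_measures(risks, measures, budget):
    """Steps 6 and 7: fund the cheapest measure for each intolerable risk, highest
    rating first, within the budget; unfunded intolerable risks are the residual
    risk to present to Management."""
    funded, spent = [], 0

    def addressed(risk):
        return any((risk.system, risk.threat) in m.covers for m in funded)

    for r in sorted(intolerable(risks), key=lambda r: r.rating, reverse=True):
        if addressed(r):
            continue
        options = sorted((m for m in measures if (r.system, r.threat) in m.covers),
                         key=lambda m: m.cost)
        for m in options:
            if spent + m.cost <= budget:
                funded.append(m)
                spent += m.cost
                break
    residual = [r for r in intolerable(risks) if not addressed(r)]
    return funded, spent, residual


# Constructed sample data for a file server holding personal data and a print server.
SYSTEMS = [
    ITSystem("file server", {
        "availability": {"task_performance": Level.BASIC_TO_MODERATE},
        "integrity": {"financial": Level.BASIC_TO_MODERATE},
        "confidentiality": {"self_determination": Level.HIGH_TO_VERY_HIGH},
    }),
    ITSystem("print server", {
        "availability": {"task_performance": Level.BASIC_TO_MODERATE},
    }),
]
RISKS = [
    Risk("file server", "disclosure of personal data", damage=3, frequency=2),
    Risk("file server", "disk failure", damage=2, frequency=3),
    Risk("file server", "configuration error", damage=2, frequency=2),
    Risk("print server", "outage", damage=1, frequency=3),
]
MEASURES = [
    Measure("access control review", 2, (("file server", "disclosure of personal data"),)),
    Measure("encrypted storage", 8, (("file server", "disclosure of personal data"),)),
    Measure("RAID and backup", 6, (("file server", "disk failure"),)),
]

if __name__ == "__main__":
    for s in SYSTEMS:
        per, overall = protection_requirement(s)
        print(s.name, overall.name, "supplementary analysis:", needs_supplementary_analysis(s))
    funded, spent, residual = plan_measures(RISKS, MEASURES, budget=5)
    print("funded:", [m.name for m in funded], "spent:", spent)
    print("residual risk for Management:", [(r.threat, r.rating) for r in residual])
```

With a budget of 5 the script funds only the access control review and reports the disk failure risk (rating 6) as residual risk; raising the budget to 10 also funds the RAID and backup measure and leaves no intolerable residual risk, which is the effect of the last sentence of step 7.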

The security concept is a document which in practice is often used to check the implementation of specific security measures or to review whether they are still current. It should therefore be structured so that

To this end it is recommended that a security concept is structured by responsibility or by subject-matter. Thus, a security concept based on IT baseline protection should mirror the structure of the organisation or network under examination.

A security concept can contain information which should not be passed on freely, for example information about vulnerabilities which have not yet been eliminated. This information must be kept confidential. This is achieved by only making it available on a need-to-know basis. This will be facilitated if the security concept is structured accordingly.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update: October 2000