S 2.199 Maintenance of IT security

Initiation responsibility: IT Security Management Team

Implementation responsibility: IT Security Officer

In the IT security process what is important is not simply to achieve the aspired-to level of IT security, but to ensure that it is maintained in the long term. To maintain and continuously improve the existing level of IT security, all IT security measures should be regularly reviewed.

These reviews should be performed at predetermined times (at least every two years) and, if warranted by particular events, they can also be held in the interim. In particular, information gained from security-relevant incidents, changes in the technical or organisational environment, changes in security requirements or threats require that existing IT security measures are adapted. The outcomes of individual reviews should be documented and the question of how to proceed with the results of the review must be determined. It should be stressed here that reviews can only maintain IT security effectively if the results of these reviews are also translated into the necessary corrective actions.

It should be determined in advance in the agency/company how the activities relating to these reviews are to be co-ordinated. Which IT security measures are to be reviewed, when and by whom must be determined. This will avoid duplication of effort and also ensure that all parts of the organisation are covered.

A review can establish firstly whether the IT security measures are working properly at all levels on a day-to-day basis. At the same time, the extent to which the IT security measures are suited to the security requirements and are effective at protecting the organisation from threats can also be established from a review. Two types of review should be distinguished here, the IT security audit and the update check.

The purpose of an IT security audit is to establish

• whether the IT security measures implemented agree with those documented and

• whether the IT security measures function in the manner intended.

This comparison of the actual versus planned situation might reveal, for example, that some IT security measures have not been implemented or that they are not producing the results intended in practice. In both cases the reasons for the discrepancy should be established. Depending on the cause, possible corrective actions could include:

• adapting organisational measures,

• taking staff-related measures, e.g. further training or measures aimed at promoting IT security awareness, or instituting disciplinary measures,

• infrastructure measures, e.g. initiating structural changes in the building,

• taking technical measures, e.g. changes to the hardware and software or communications links and networks,

• seeking decisions from the responsible line manager (up to Management level).

In every case of a discrepancy between actual practice and what was planned a corrective action should be suggested. The person who will be responsible for implementing the control measure and the date by which it is to be implemented should also be established.

The IT security audit also includes a check as to whether log files and filter settings have been evaluated and monitored where necessary.

The purpose of an update check is to establish

• whether the IT security measures are still adequate to achieve the IT security objectives,

• whether the IT security measures are still sufficient to reduce the risk,

• whether the IT security objectives are still relevant.

It could transpire as a result of this update check, for example, that so many changes have taken place that the IT security measures no longer provide protection against current risks, the IT security process does not run in an optimal fashion or mistakes are being made in IT security management. In all three cases the reasons for the security loopholes should be established. Depending on the cause, possible corrective actions could include:

• changes in IT security management,

• adaptation of the IT security process

• identification of new threats,

• use of new technology (IT systems and applications),

• use of new IT security technologies,

• changes in the IT security measures

• action in response to new laws and statutory instruments or amendments to these, and

• action in response to changes in the latest version of the IT Baseline Protection Manual.

A corrective action should be suggested for every instance of a security weakness. Moreover, the person responsible for directing and monitoring the corrective measures should be established or, if appropriate, the additional risk could be considered to be acceptable.

The update check also includes examining whether changes of every kind have - where necessary - met with an adequate response

The points listed below regarding performance of the review apply to both types of review, both the IT security audit and the update check.

The scope and depth of the review should be determined with reference to the purpose of the review. The IT security concept and the existing documentation of the IT security process serve as the basis for the review. The review, which can be performed either in-house or by external consultants, must be planned carefully. During the review all relevant information captured should be documented and evaluated.

The results should be documented in an IT security report. This should contain a technical description of the corrective actions proposed. The IT security report, which may contain confidential information and therefore need to be protected, should be presented to the IT Security Officer (assuming that he did not perform the review himself) and be notified to the manager of the division or department reviewed as well as to the IT Security Management Team. Where serious problems exist, Management should be involved so that any far-reaching decisions can be made promptly. For this purpose, a management report on IT security should be prepared, as described in S 2.200 Preparation of management reports on IT security.

On the basis of the results of the review, decisions must be made as to where to proceed from here; in particular all the corrective actions which are necessary must be determined and specified in the form of an implementation plan. Responsibilities for implementation of the corrective actions, which are carried out in a similar fashion to the procedure described in S 2.196 Implementation of the IT security concept in accordance with an implementation plan, must be assigned and the persons concerned provided with the necessary resources.

In summary, it may be said that a given level of IT security can only be maintained if

• maintenance of IT security in ongoing operations is facilitated by appropriate organisational rules;

• responsibility for maintenance of IT security has been clearly assigned;

• measures are implemented in their entirety as described;

• measures are checked regularly to see if they are functioning as intended;

• measures are properly applied and adhered to and are accepted;

• measures are adapted if any new vulnerabilities come to light;

• measures are adjusted in line with changes in personnel, organisation, hardware or software.

• changes in tasks or the importance of tasks to the organisation are taken into account;

• changes to buildings, e.g. after moving premises, are taken into account;

• modifications are implemented in response to changes in threats and/or vulnerabilities.

All these changes have a significant effect on the security risks. New security risks should be identified at the earliest possible opportunity in order to permit a timely response. Should it transpire that the actual risk differs from the actual risk accepted in the IT security concept, resources should be made available to change this situation.

Additional controls:

• Are IT security audits performed regularly?

• When will the next update check be performed?

• If appropriate, are IT security audits also performed by an audit department (if one exists)?