IT Baseline Protection Manual S 2.222 Regular checking of technical IT security measures

S 2.222 Regular checking of technical IT security measures

Initiation responsibility: IT Security Management

Implementation responsibility: Head of IT Section, IT Security Management

The IT Baseline Protection Manual presents a number of technical security measures and configuration instructions that are necessary if the desired level of IT security is to be achieved. Whether they are actually being adhered to must be verified by regular checks.

Checks should primarily be geared towards remedying defects. If checks are to be accepted, it is important that all those involved recognise this as the objective of the checks and that staff do not feel they are being treated like schoolchildren. It is therefore a good idea to discuss possible solutions to problems with the participants during a check and to prepare appropriate remedies in advance.

When employees ignore or circumvent a procedure, this is generally a sign that the procedure cannot be reconciled with work routines or that it is not possible for staff to implement it. For example, an instruction not to leave confidential material unattended on the printer is inappropriate if the only resource available for printing is a network printer some distance away.

If shortcomings are identified during security checks, the aim should be not simply to remove the symptoms. It is far more important to determine the causes of these problems and to identify solutions. These could, for example, involve changes to existing procedures or taking additional technical measures.

Checks should help to eliminate the sources of errors. If checks are to be accepted by staff, it is extremely important that they do not result in individuals being exposed or singled out as "guilty". When employees fear being exposed in this way, there is a danger that they will not report weaknesses and security shortcomings they are aware of, but will instead attempt to hush up existing problems.

Checks should be carefully prepared so that they achieve their goals as efficiently as possible while causing as little disruption as possible to the work routine. The general implementation of checks should be co-ordinated in advance with Management or with those responsible for the areas concerned, as well as with the staff council and works council.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update:
July 2001