__________________________________________________________________________________________
2005
Foreword
The new and revised version of the IT-Grundschutz Manual is the
result of complete restructuring and a new international
orientation.
What can you expect? The answer is - a great deal! With the new ISO
27001 standard it is now also possible to certify information
security management systems. In response to this international
standard, the BSI has revised the IT-Grundschutz Methodology, the
certification scheme and the IT-Grundschutz Catalogues to ensure
that the IT-Grundschutz Certificate meets all of its requirements.
Greater emphasis is also placed on overall risk management, so that
information security is implemented on the basis of business
processes.
Although a number of new features have been included, the tried and
tested elements remain unchanged: standard security safeguards and
instructions on the implementation of IT-Grundschutz in an
organisation are still included. Individual modules assist in
improving the security level of IT environments and simplify the
elaboration of IT security concepts. The safeguards are based on
protection requirements which are adequate for most IT application
environments, and on the IT-Grundschutz Methodology, which is now
available in a separate document. A number of additional resources,
such as the GSTOOL, round out the IT-Grundschutz Methodology and the
IT-Grundschutz Catalogues.
With this revised version of the IT-Grundschutz Catalogues the BSI
has again made an important contribution to improving the security
standards of IT applications. Elaborate analyses are no longer
necessary to determine security deficits and define appropriate
safeguards; a comparison of the actual and target conditions
suffices. The IT-Grundschutz Catalogues will continue to be updated
annually to keep pace with the speed of development in the IT
sector. I would like to thank you for the many suggestions for
improvement - both those you have already submitted and those you
will contribute in the future!
Bonn, November 2005
Acknowledgments
The IT-Grundschutz Catalogues will be developed further to meet the
requirements expressed by registered users during the annual
assessment. Thanks are due to the following persons who assisted in
the further development of IT-Grundschutz and gave their committed
support to continuation of the 7th Supplement to the IT-Grundschutz
Catalogues:
- Overall co-ordination: Ms Isabel Münch, BSI
- Editorial work and hotline: Ms Elke Cäsar, BSI; Ms Gabriele
Scheer-Gumm, BSI; Ms Petra Simons-Felwor, BSI
- Module B 1.13 IT Security Awareness and Training: Ms Isabel Münch,
BSI; Dr Lydia Tsintsifa, BSI
- Module B 3.209 Windows XP client: Mr Albert Vetter, Eurosec; Mr
Thomas Caspers, BSI; Dr Lydia Tsintsifa, BSI
- Module B 2.10 Mobile Workstation: Ms Isabel Münch, BSI; Mr Frank
Weber, BSI
- Module B 2.11 Meeting, Event and Training Rooms: Ms Isabel Münch,
BSI; Mr Frank Weber, BSI
- Revision of module B 1.0 IT Security Management: Ms Isabel Münch,
BSI; Ms Angelika Jaschob, BSI; Dr Harald Niggemann, BSI; Dr Lydia
Tsintsifa, BSI; Ms Steffi Botzelmann, BSI
- Revision of module B 1.1 Organisation: Ms Gabriele Scheer-Gumm,
BSI
- Revision of module B 1.2 Personnel: Ms Gabriele Scheer-Gumm, BSI
- Revision of module B 3.101 General Server: Mr Thomas Häberlen,
BSI; Mr Holger Schildt, BSI; Dr Lydia Tsintsifa, BSI
- Revision of module B 3.201 General Client: Mr Thomas Häberlen,
BSI; Mr Holger Schildt, BSI; Dr Lydia Tsintsifa, BSI
- Revision of module B 3.203 Laptop Computer: Mr Gerhard Weck,
INFODAS; Ms Isabel Münch, BSI
- Quality assurance: Mr Gerhard Weck, INFODAS; Mr Marcel Birkner,
BSI
Many thanks are also due to those who have contributed to improving
IT-Grundschutz and the IT-Grundschutz Catalogues with their
constructive criticism and practical suggestions for improvement.
The persons and organisations listed below were involved in
updating and the further development of previous
versions of the IT-Grundschutz Manual. Their contributions are
hereby also acknowledged with thanks:
- Atos Origin: Mr Herbert Blaauw, Mr Matthias Mönter, Mr Götz,
Mr Jaster, Mr Pohl
- ConSecur GmbH: Mr Nedon, Mr Eckardt
- Daimler-Benz AG: Mr Heinle, Mr Schlette
- European Commission, Information Society Directorate-General: Mr
Achim Klabunde
- EUROSEC GmbH: Mr Fünfrocken, Dr Zieschang
- The Protestant Church of Westphalia, State Church Administrative
Office: Mr Huget
- Flughafen Düsseldorf GmbH: Mr Andreas Peters
- GUIDE SHARE EUROPE, "Data Protection and Data Security" Study
Group
- Henkel KGaA: Mr Rhefus
- INFODAS: Dr Weck
- Mink Consulting Engineers
- Ministry of the Interior of the state of Schleswig-Holstein: Mr
Kuhr
- State Commissioner for Data Protection in Saarland: Mr Simon
- Novell
- Oracle
- Röhm GmbH chemical factory, Data Protection Officer: Mr
Güldemeister
- T-Systems International GmbH: Mr Stephan Hüttinger, Mr Torsten
Kullich, Mr Klaus Müller, Mr Stefan Morkovsky, Mr Axel Nennker
- GH University of Essen, Faculty of Information Management:
Professor Dr Vossbein
- University Hospital of Dresden Technical University, Orthopaedics
Clinic: Mr Frank Heyne
- Verband der Chemischen Industrie e. V.
- VZM GmbH: Mr Bruno Hecht, Mr Werner Metterhausen, Mr Rainer von
zur Mühlen
- Central Data Processing Centre for Saarland: Mr Miller
The following authors have written modules for the IT-Grundschutz
Catalogues, thereby contributing their expertise to its
compilation. They deserve special thanks, as the creation and
development of the IT-Grundschutz Catalogues was only possible with
their commitment.
Federal Ministry of the Interior: Mr Jörg-Udo Aden, Mr André
Reisen, Mr Manfred Kramer
Ministry for Education, Science and Further Education: Mr Frank
Stefan Stumm
0 General information
Foreword by the President
Acknowledgments
Contents
What's new in the 2005 version of the IT-Grundschutz Catalogues
1 IT-Grundschutz - the basis for IT security
1.1 Why is IT security important?
1.2 IT-Grundschutz: Aims, concept and design
1.3 Structure of the IT-Grundschutz Catalogues
1.4 Using the IT-Grundschutz Catalogues
2 Layer model and modelling
2.1 Modelling in accordance with IT-Grundschutz
2.2 Assignment on the basis of a layer model
3 Roles
4 Glossary
Module catalogues
Layer 1 Generic aspects
Layer 2 Infrastructure
B 2.1 Buildings
B 2.2 Cabling
B 2.3 Office
B 2.4 Server room
B 2.5 Data media archives
B 2.6 Room for technical infrastructure
B 2.7 Protective cabinets
B 2.8 Working place at home
B 2.9 Computer centre
B 2.10 Mobile working place
B 2.11 Meeting, event and training rooms
Layer 3 IT systems
B 3.101 General server
B 3.102 Unix server
B 3.103 Windows NT server
B 3.104 Novell Netware 3.x server
B 3.105 Novell Netware version 4.x server
B 3.106 Windows 2000 server
B 3.107 S/390 and zSeries mainframes
B 3.201 General client
B 3.202 General standalone IT system
B 3.203 Laptop computer
B 3.204 Unix client
B 3.205 Windows NT client
B 3.206 Windows 95 client
B 3.207 Windows 2000 client
B 3.208 Internet PC
B 3.209 Windows XP client
B 3.301 Security gateway (Firewall)
B 3.302 Routers and switches
B 3.401 PBX (private branch exchange)
B 3.402 Fax machine
B 3.403 Answering machine
B 3.404 Mobile phone
B 3.405 PDA
Layer 4 Networks
Layer 5 IT applications
B 5.1 Peer-to-peer services
B 5.2 Exchange of data media
B 5.3 E-mail
B 5.4 Web server
B 5.5 Lotus Notes
B 5.6 Fax server
B 5.7 Databases
B 5.8 Telecommuting
B 5.9 Novell eDirectory
B 5.10 Internet information server
B 5.11 Apache Web server
B 5.12 Exchange 2000 / Outlook 2000
Threat catalogues
T 1 Force majeure
T 2 Organisational shortcomings
T 3 Human error
T 4 Technical failure
T 5 Deliberate acts
Safeguard Catalogues
What’s new in the 2005 version of the IT-Grundschutz
Catalogues
Restructuring of the IT-Grundschutz Manual
In this issue of the IT-Grundschutz Manual various sections have
been restructured. The most obvious difference is that the
description of the IT-Grundschutz Methodology and the
IT-Grundschutz Catalogues have been separated. In addition, a large
number of minor and major modifications have been made in response
to feedback from users at home and abroad. Numerous individual
threats and safeguards have, for example, been updated to reflect
new technical developments, new threat scenarios and new
developments in IT security.
The numbering of existing threats and safeguards has been retained
so that a security policy prepared on the basis of the
IT-Grundschutz Catalogues does not require revision.
International development
ISO, the international standards organisation, has not only revised
the standards ISO 13335 and ISO 17799; it is now also possible to
certify IT security management systems. For this purpose the
standard ISO 27001 was adopted as the basis for certification.
In 2002 the BSI established certification of business processes and
IT assets on the basis of IT-Grundschutz. All IT-Grundschutz users
should still be able to have thorough implementation of
IT-Grundschutz confirmed by an IT-Grundschutz certificate. To ensure
that the IT-Grundschutz certificate also meets the requirements of
the international standard ISO 27001, however, the IT-Grundschutz
Methodology, the certification scheme and the IT-Grundschutz
Catalogues have been modified accordingly.
IT-Grundschutz certification (now: ISO 27001 certification on the
basis of IT-Grundschutz) covers an audit both of IT security
management and of the concrete IT security safeguards implemented
on the basis of IT-Grundschutz. It therefore includes certification
to ISO 27001, but is more informative than a purely ISO-based
certification because additional technical aspects are audited. The
licensing of IT-Grundschutz auditors has also been amended; auditors
licensed by the BSI meet all ISO requirements for auditors of an
information security management system.
BSI standards
The BSI has started establishing a series of documents with
standards relating to various areas of information security.
These include the following BSI standards:
BSI-Standard 100-1: Information Security Management Systems
BSI-Standard 100-2: IT-Grundschutz Methodology
BSI-Standard 100-3: Risk Analysis Based on IT-Grundschutz
In addition the document "Certification conforming to ISO 27001
based on IT-Grundschutz" describes the examination and licensing
scheme for auditors.
Module B 1.0 IT security management of the
IT-Grundschutz Catalogues has also been amended to ensure improved
compatibility with other international standards.
New structure of the IT-Grundschutz Catalogues
In addition the Grundschutz modules have been adapted to the layer
model of IT-Grundschutz, and the module descriptions have been
updated and co-ordinated to ensure a uniform structure.
The IT-Grundschutz modules are based on a layer model which serves
to
- facilitate mapping of modules of the IT-Grundschutz Catalogues on
complex IT assets, grouped according to specific topics and
- avoid redundancies by dealing with generic aspects and joint
infrastructural questions separately from the IT systems.
The various layers have been defined such that responsibilities for
the aspects under consideration are also grouped. Layer 1 is
concerned with fundamental issues relating to the use of IT, layer
2 with site technical services, layer 3 with matters concerning
administrators and IT users, layer 4 with matters concerning the
network and system administrators, and finally layer 5 with matters
concerning those responsible for the IT applications or their
operation.
Breaking down the security aspects into layers facilitates updating
and extension of individual subject areas within the ensuing IT
security concepts without having any significant effect on other
layers.
Each module is assigned to a layer. This assignment is now
reflected in the structure of the IT-Grundschutz Catalogues.
In each module, before the list of specified safeguards, an overview
of the respective topic is given in the form of a "life cycle". This
describes which safeguards are to be executed in which processing
phase. Planning and design, procurement (where appropriate),
implementation, operation, decommissioning and disposal (where
required) and also contingency planning are defined as life cycle
phases.
1.1 Why is IT security important?
In the modern world hardly any company or public agency can operate
without functioning information technology (IT). These IT systems
must also be run securely. The IT-Grundschutz Catalogues are a
recognised standard reference work containing recommendations for
the secure handling of information and IT in a wide range of IT
environments.
Today almost all business processes and specialist assignments are
electronically controlled. Large quantities of information are
digitally saved, electronically processed and communicated in both
local and global networks as well as in private and
public ones. In the meantime it is almost impossible to
handle many tasks or projects in both the private and public
sectors without IT, or in the most favourable circumstances they
can only be dealt with to a limited degree. Consequently, many
public or private sector organisations are totally dependent on the
correct functioning of their IT assets. The respective objectives
of the public agency or company can only be achieved if the IT
systems are used correctly and securely.
As organisations become more dependent on IT, the potential social
damage which could be caused by the failure of IT resources
increases. As IT resources themselves are not without their
vulnerabilities, there is a justifiably great interest in
protecting the data and information processed by IT assets, and
also in planning, implementing and monitoring the security of these
assets.
The potential damage which could result from malfunction or failure
of IT assets can be assigned to several categories. The most
obvious of these is loss of availability: if an IT system is down,
it is not possible to transfer money, online orders cannot be
placed and production processes grind to a halt. Another frequently
discussed issue is the loss of confidentiality of data. All
citizens are aware of the necessity of maintaining the
confidentiality of personal data, and every company knows that
confidential data concerning sales, marketing, research and
development would be of interest to competitors. The loss of
integrity (the corruption or falsification of data) is another
issue which can have major consequences: forged or corrupt data
result in incorrect accounting entries, production processes stop
if the wrong or faulty materials are delivered, and errors in
development and planning data lead to faulty products. For some
years the loss of authenticity has also been gaining in importance
as an element of integrity: data are assigned to the wrong person.
For example, payment instructions or orders could be processed such
that they are charged to a third party, digital declarations of
intent that have not been properly protected could be attributed to
the wrong persons, and "digital identities" could be falsified.
This dependency on IT will continue to increase in the future.
Developments worthy of particular mention include the following:
- Increasing degree of networking: IT systems today no longer
function in isolation but are becoming increasingly
networked. Networking makes it possible to access shared data
resources and to work closely with people in other parts of the
world. This, in turn, leads not only to dependence on the
individual IT systems but also on the data networks to a great
degree. On the other hand, this means that security deficiencies in
an IT system can rapidly have global effects.
There are now, for example, jackets with integrated PDAs, RFIDs for
controlling flows of pedestrians or goods, IT-supported
sensor systems in cars which enable automatic reaction to changes
in surroundings. Communication of the various IT components among
one another is now increasingly wireless.
- Disappearance of network borders: Until recently it was
possible to draw clear borders between the IT systems and the
communication routes between them. It was also possible to
ascertain at which sites and in which organisation these were
located. As the result of globalisation and the growing use of
wireless and spontaneous communication, these borders are
increasingly disappearing.
- Attacks occur more rapidly: The best protection against computer
viruses, worms or other attacks on IT systems is timely information
on security gaps and how to close them, for example with patches and
updates. However, the period of time which elapses between the
detection of a security gap and the first targeted mass attacks is
decreasing, and it is therefore increasingly important to have
well-established IT security management and an early-warning
system.
In view of the potential threats outlined above and the increasing
dependence on IT resources, every organisation, whether a company
or a public agency, must ask itself several key questions regarding
IT security:
- How secure are the IT assets of the organisation?
- Which IT security safeguards are necessary?
- How do these safeguards need to be implemented
specifically?
- How can an organisation maintain and/or improve the level of
security it has attained?
- How secure are the IT assets of other organisations with which
the organisation co-operates?
When seeking answers to these questions, it should be noted that IT
security is not simply a technical issue. Protection of an IT
system to the level of security that is needed requires not only
the implementation of technical safeguards, but also safeguards
covering organisational, personnel and
building infrastructural aspects. And it is also especially
important to establish an IT security management system which will
be responsible for designing, co-ordinating and monitoring the IT
security-related tasks.
If the IT assets of all organisations are compared on the basis of
these questions, a special group of IT assets emerges. The IT
systems in this group can be characterised as follows:
- They are typical IT systems, i.e. these systems are not
individual solutions, but are in widespread use.
- The protection requirements of the IT systems with regard to
confidentiality, integrity and availability are within a normal
scope.
- The secure operation of the IT systems requires standard security
safeguards from the fields of infrastructure, organisation,
personnel, technology and contingency planning.
If it were possible to identify a common set of security measures
for this group of "typical" IT systems - a set of standard security
safeguards - then this would significantly facilitate finding
answers to the above questions for such "typical" IT systems. IT
systems which are outside this group, possibly
The IT-Grundschutz Catalogues describe these standard security
safeguards in detail, and in principle all IT systems should comply
with them. The Catalogues include the following:
- Standard security safeguards for typical IT systems with "normal"
protection requirements,
- A description of the threat scenario which is globally
assumed,
- Detailed descriptions of safeguards to assist with their
implementation,
- A description of the process involved in attaining and
maintaining an appropriate level of IT security and
- A simple methodology for ascertaining the level of IT security
attained by comparing the target with the actual system
status.
The response from users has been very positive. The BSI website
provides an extract from the list of organisations which employ
IT-Grundschutz; it gives an overview of the industries, companies
and public agencies in which IT-Grundschutz is applied.
1.2 IT-Grundschutz: Objective, concept and design
Standardised security safeguards for typical IT systems are
recommended in the IT-Grundschutz Catalogues. The objective of
these IT-Grundschutz recommendations is to achieve a security level
for IT systems which is reasonable and adequate for normal
protection requirements, and which can also serve as the basis for
IT systems and applications requiring a high degree of protection.
This is achieved by the appropriate application of standard
organisational, personnel, infrastructural and technical security
safeguards.
To facilitate the preparation and structuring of the very
heterogeneous aspects of IT including system environments,
IT-Grundschutz follows a modular principle. The individual modules
reflect typical areas of IT use, such as client-server networks,
buildings, communication and application components. Each module
begins with a description of the typical threats which may be
expected in the given area together with their assumed probability
of occurrence. This "threat scenario" provides the basis for
generating a specific package of measures from the areas of
infrastructure, personnel, organisation, hardware, software,
communications and contingency planning.
The IT-Grundschutz Methodology is helpful for drawing up IT
security concepts simply and with minimum work input. With the
traditional risk analysis approach, the threats are initially
identified and their likelihood of occurrence is assessed, and the
results of this analysis are then used to select the appropriate IT
security safeguards, following which the residual risk can be
assessed. When a risk assessment is performed in accordance with
IT-Grundschutz, only a target/actual comparison is performed
between the recommended safeguards and those already implemented.
This comparison reveals any safeguards which are missing or not yet
implemented, thereby pinpointing security shortcomings which need
to be remedied by implementing the recommended safeguards. An
additional security analysis is only necessary where security
requirements are significantly higher, and even then it is
generally sufficient to supplement the safeguards recommended in
the IT-Grundschutz Catalogues with the relevant individual,
higher-quality safeguards. A simple procedure for this purpose is
described in the BSI document entitled "Risk Analysis Based on
IT-Grundschutz".
Even if there are special components or application environments
that are not adequately discussed in the IT-Grundschutz Catalogues,
they are still a valuable working aid. The required supplementary
security analysis can concentrate on the specific threats and
security safeguards for these components or framework
conditions.
The safeguards listed in the IT-Grundschutz Catalogues are standard
safeguards, i.e. safeguards that are to be implemented for each
module according to the state of the art in order to achieve an
adequate basic level of security. In this context the safeguards
required for IT-Grundschutz certification represent the minimum
reasonable security precautions which are necessary in all cases.
The safeguards marked as "additional" have also proved their worth
in practice, but are aimed at applications with higher protection
requirements.
Security concepts based on IT-Grundschutz can be of compact design,
as it is only necessary to refer to the corresponding
safeguards in the IT-Grundschutz Catalogues in the concept.
To facilitate implementation of the safeguards, the IT-Grundschutz
catalogues and most information on IT-Grundschutz are also
available in digital form. In addition, implementation of the
safeguards is also supported by additional resources and sample
solutions provided in part by BSI and in part by users of
IT-Grundschutz.
As information technology is a highly innovative field and
constantly subject to further development, the present Catalogues
are designed for simple updating and supplementation. The BSI
continuously updates and supplements the IT-Grundschutz Catalogues
to include new topics on the basis of user surveys.
1.3 Structure of the IT-Grundschutz Catalogues
The IT-Grundschutz Catalogues can be divided into various fields
which are described below for better comprehension:
Introduction and methodology
This introductory section briefly describes the design of
IT-Grundschutz and the methodology for creating security concepts
on the basis of IT-Grundschutz. A detailed description of the
IT-Grundschutz Methodology is given in BSI Standard 100-2. In
addition, the structure of the IT-Grundschutz Catalogues and their
use are explained.
IT security management
The planning and guidance work required to create a well-designed
and scheduled IT security process and to ensure its continuous
implementation is referred to as IT security management.
Experience has shown that without a well-functioning IT security
management system it is practically impossible to achieve a
consistent and adequate level of IT security. For this reason BSI
Standard 100-1 "Information Security Management Systems (ISMS)"
describes how such a management system should be created.
Using this as a basis, module B 1.0 of the IT-Grundschutz
Catalogues also describes the structure of an efficient IT
security management system and which organisational structures are
appropriate. In addition, a systematic path is shown for setting up
a functional IT security management system and how this can be
developed further in ongoing operations.
Modules
The modules of the IT-Grundschutz Catalogues each contain a brief
description of the components, procedures and IT systems under
review, together with an overview of the threat scenario and the
recommended safeguards. The modules are grouped in the following
catalogues in accordance with the IT-Grundschutz layer model:
B 1: Generic aspects of IT
B 2: Security of the infrastructure
B 3: Security of the IT systems
B 4: Security in the network
B 5: Security of applications
Threat catalogues
This section contains detailed descriptions of the threats included
in the threat scenarios of the individual modules. The threats are
grouped into five catalogues:
T 1: Force majeure
T 2: Organisational shortcomings
T 3: Human error
T 4: Technical failure
T 5: Deliberate acts
Safeguard Catalogues
This section describes in detail the IT security safeguards quoted
in the modules of the IT-Grundschutz Catalogues. The safeguards are
grouped into six catalogues:
S 1: Infrastructure
S 2: Organisation
S 3: Personnel
S 4: Hardware and software
S 5: Communication
S 6: Contingency planning
Module structure
The modules, which all have the same structure in principle, are
the most important part of the IT-Grundschutz Catalogues. Each
module starts with a brief description of the components,
procedures and IT system under review.
The threat scenarios are then described. The threats are divided
into the previously mentioned categories of force majeure,
organisational shortcomings, human error, technical failure and
deliberate acts.
In order to ensure clear structuring of the modules and to prevent
redundancies, the threat texts are only referenced. An example is
provided of how a threat would be cited within a module:
- T 4.1 Disruption of power supply
In the code T x.y, the letter "T" stands for "threat". The number x
before the decimal point refers to the Threats Catalogue (in this
case T 4 = Technical failure), and the number y after the decimal
point is the serial number of the threat within the respective
catalogue. This is followed by the name of the threat. Users are
advised to read the text of the referenced threat for reasons of
comprehension and familiarisation with the safeguards, but this is
not absolutely essential for drawing up an IT security concept on
the basis of IT-Grundschutz.
The recommended safeguards, listed after the section on the threat
scenario, constitute the major part of a module. Brief information
on the respective safeguard package is given first; these
statements contain, for example, information on the recommended
sequence for implementing the necessary safeguards.
An overview is given in each module for the reviewed topic before
the safeguard list in the form of a "life cycle", describing which
safeguards should be implemented during which phase to which
Planning and design
- Definition of the intended purpose
- Stipulation of application scenarios
- Assessment of potential risks
- Documentation of the application decision
- Compilation of the IT security concept
- Determination of guidelines for use
Procurement (if necessary)
- Stipulation of the demands on the procured products (if possible
on the basis of the scenarios for use during the strategy phase)
- Selection of suitable products
Implementation
- Design and implementation of test operation
- Installation and configuration according to the security guideline
- Training and awareness raising of all personnel involved
Operation
- Security safeguards for ongoing operation (e.g. logging)
- Continuous maintenance and further development
- Change management
- Organisation and execution of maintenance work
- Audit
Disposal (if necessary)
- Withdrawal of authorisation
- Removal of data and references to these data
- Safe disposal of data media
Contingency planning
- Design and organisation of data backups
- Use of redundancy to increase availability
- Appropriate handling of security incidents
- Compilation of a contingency plan
Safeguards are not given for every phase in every module. For
example, no safeguard is given for the procurement phase of the IIS
server module, because this module builds on the implementation of
the Web server module and the product has already been selected at
that point.
As all business processes, IT systems and conditions for use are
subject to constant change and further development,
experience has shown that the phases must be run through
repeatedly. This must be ensured by IT security management.
In a manner analogous to that used for the threats, the safeguards
are grouped according to the headings in the Safeguards Catalogues,
i.e. in this case, under the headings Infrastructure, Organisation,
Personnel, Hardware & Software, Communication and Contingency
Planning. The same
procedure is followed as for handling threats, i.e. in each
case only a reference is provided to the relevant safeguard. An
example is provided below showing how a recommended safeguard would
be cited within a module:
- S 1.15 (A) Closed windows and doors
With the letter in brackets - here (A) - each safeguard is assigned
a classification indicating whether it is required for
IT-Grundschutz qualification. The following classifications are
provided:
A (Entry): These safeguards must be implemented for all three types
of qualification in accordance with IT-Grundschutz
(self-declaration entry level, self-declaration continuation level
and IT-Grundschutz Certificate). They are essential for the
security of the respective module and should be implemented with
top priority.
B (Continuation level): These safeguards must be implemented for
the self-declaration continuation level and for the IT-Grundschutz
Certificate. They are particularly important for establishing IT
security that can be monitored and should be implemented promptly.
C (Certificate): These safeguards must be implemented for the
IT-Grundschutz Certificate. They are important for rounding off IT
security. If bottlenecks prevent immediate implementation, they can
be deferred.
Z (Additional): These safeguards are mandatory neither for a
self-declaration nor for the IT-Grundschutz Certificate. They are
supplements which may be required, especially in the case of high
security requirements.
In order to draw up an IT security concept on the basis of the
IT-Grundschutz Safeguard Catalogues and perform the required
target/actual comparison, the texts of the safeguards referenced in
the modules must be read carefully in the relevant Safeguards
Catalogue. An excerpt from one of the safeguards is given below as
an example:
S 2.11 Provisions governing the use of passwords
Initiation responsibility: Head of IT Section, IT Security
Management
Implementation responsibility: IT Security Management, Users
[Text of the safeguard...]
Additional questions:
[...]
The safeguard texts must be implemented in the intended sense. They
are written generically so that they can be applied to as many
fields as possible. Before the recommendations of a safeguard are
implemented, it must always be considered whether they have to be
adapted to the respective organisation or IT environment. All
changes should be documented so that the reasons remain
comprehensible at a later date.
In addition to the actual recommendation on how a safeguard should
be implemented, each safeguard names, as examples, the persons or
roles who should bear responsibility for it. Initiation
responsibility refers to the persons or roles who should typically
initiate the implementation of the safeguard. Implementation
responsibility is assigned to the persons or roles who should
actually implement it.
The link between the threats assumed for IT-Grundschutz and the
recommended safeguards is shown in the Safeguard-Threat Tables.
These are shown on the Grundschutz pages of the BSI Website. There
is a Safeguard-Threat Table for each module.
Here is an example from the Safeguard-Threat Table for module B 2.10
Mobile workplace:
Safeguard  Priority  Seal  T 1.15 ...
S 1.45     1         A     X X X X X
S 1.46     1         Z     X
S 1.61     1         A     X X X X X
All tables have the same structure. The column headings show the
threats listed in the corresponding modules together with their
numbers. The column on the far left shows the numbers of the
safeguards. Column 2 shows the priority assigned to a given
safeguard in the respective module. Column 3 shows the
classification of the individual safeguard for the respective
module with regard to Grundschutz Qualification.
The other columns show the relationship between safeguards and
threats. An "X" in a cell means that the corresponding safeguard is
effective against the relevant threat. The effect of the safeguard
may be either of a preventative nature or aimed at mitigating the
loss or damage.
It must be taken into consideration that the Safeguard-Threat
Tables list only the most important threats against which a
specific safeguard is effective. In particular, this means that a
safeguard is not automatically superfluous if none of the threats
assigned to it in the table is relevant for a certain application.
Whether a standard security safeguard can be dispensed with must
always be decided and documented separately for each individual
case on the basis of the overall security design, and not only on
the basis of the Safeguard-Threat Table.
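As an added illustration (not part of the Catalogues or the GSTOOL), the following Python script parses a Safeguard-Threat Table in the layout just described and applies the caveat above: a safeguard none of whose listed threats is relevant is flagged for a separate, documented decision rather than dropped. The threat headings other than T 1.15, and the placement of the X marks in the S 1.46 row, are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout the text describes: column 1 is the
# safeguard number, column 2 the priority, column 3 the classification
# (A, B, C or Z), then one column per threat.  Only "T 1.15" appears in
# the excerpt above; the other threat numbers, and which cells of S 1.46
# carry an X, are assumptions for this example.  A "-" marks an empty cell.
SAMPLE_TABLE = """\
Safeguard  Priority  Seal  T 1.15  T 2.7  T 3.1  T 4.8  T 5.2
S 1.45     1         A     X       X      X      X      X
S 1.46     1         Z     -       -      X      -      -
S 1.61     1         A     X       X      X      X      X
"""

ROW = re.compile(r"^(S \d+\.\d+)\s+(\d+)\s+([ABCZ])\s+(.*)$")
THREAT = re.compile(r"T \d+\.\d+")


@dataclass(frozen=True)
class Row:
    safeguard: str
    priority: int
    classification: str   # A, B, C or Z, as defined in Section 1.3
    threats: frozenset    # threats marked with an X in this row


def parse_table(text):
    """Return (threat headings, {safeguard: Row}) for one Safeguard-Threat Table."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    threats = THREAT.findall(lines[0])
    rows = {}
    for ln in lines[1:]:
        m = ROW.match(ln)
        if m is None:
            raise ValueError(f"unrecognised row: {ln!r}")
        cells = m.group(4).split()
        if len(cells) != len(threats):
            raise ValueError(f"{m.group(1)}: {len(cells)} cells for {len(threats)} threats")
        marked = frozenset(t for t, c in zip(threats, cells) if c == "X")
        rows[m.group(1)] = Row(m.group(1), int(m.group(2)), m.group(3), marked)
    return threats, rows


def safeguards_against(rows, threat):
    """All safeguards the table marks as effective against one threat."""
    return sorted(name for name, row in rows.items() if threat in row.threats)


def review(rows, relevant_threats):
    """Apply the caveat from the text: a safeguard whose listed threats are
    all irrelevant is NOT automatically superfluous, because the table lists
    only the most important threats.  Such safeguards are flagged for a
    separate, documented decision instead of being dropped."""
    verdicts = {}
    for name, row in rows.items():
        hits = row.threats & frozenset(relevant_threats)
        if hits:
            verdicts[name] = "keep: effective against " + ", ".join(sorted(hits))
        else:
            verdicts[name] = ("no listed threat relevant: decide and document "
                              "separately on the basis of the overall security design")
    return verdicts


if __name__ == "__main__":
    headings, table = parse_table(SAMPLE_TABLE)
    print("threats:", headings)
    print("effective against T 1.15:", safeguards_against(table, "T 1.15"))
    for name, verdict in review(table, {"T 1.15"}).items():
        print(name, "->", verdict)
```

The parser is deliberately strict: a row with the wrong number of cells raises rather than silently shifting X marks to the wrong threat, which is the kind of error a hand-maintained table invites.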
1.4
Catalogues
An entire series of actions must be performed to establish a
continuous and effective IT security process. The IT-Grundschutz
Methodology and the IT-Grundschutz Catalogues provide information
on the methods and practical implementation resources. They also
contain possible solutions for different tasks relating to IT
security, such as drawing up an IT security concept, security
audits and certification. How the IT-Grundschutz Catalogues are
best used depends on the task at hand. This section is intended to
facilitate familiarisation with the various procedures. To this
purpose cross references are provided to the relevant chapters of
the IT-Grundschutz Methodology.
IT security process and IT security management
In recent years both public and private sector organisations have
become significantly more dependent on correctly functioning
information technology systems. An increasing number of business
processes are either being automated or interact with information
technology systems. There is no sign of a change in this trend in
the foreseeable future. IT security must therefore be viewed as an
integral element of the primary task. The following action plan
contains all the essential steps which are necessary for a
continuous IT security process, and should therefore be viewed as a
scheduled and effective method of achieving and maintaining a
satisfactory level of IT security.
- Initiation of the IT security process:
  - Acceptance of responsibility by management
  - Designing and planning of the IT security process
  - Establishment of an IT security organisation
  - Provision of resources for IT security
- Elaboration of an IT security design
- Implementation of the IT security design:
  - Implementation of the IT security safeguards
  - Integration of all employees in the IT security process
- Maintaining IT security and continuous improvement
Diagram: Initiation of the IT security process
This is described in detail in the document IT-Grundschutz
Methodology. In addition an overview of the IT security
process is shown in the module B 1.0 IT Security
Management , and a detailed explanation of the individual
actions is given in the form of recommended standard
safeguards.
A series of steps is necessary to create an IT security design on
the basis of IT-Grundschutz. A brief overview is given
below.
IT structure analysis
IT assets refers to all the infrastructural, organisational,
personnel and technical components which assist in the performance
of tasks in a particular area in which information processing is
performed. IT assets can refer to all the IT assets in an
organisation or to individual areas defined in terms of
organisational structures (e.g. departmental network) or shared
business processes or IT applications (e.g. personnel information
system).
To create an IT security concept and especially for use of
IT-Grundschutz, it is necessary to analyse and document the
structure of the existing IT assets. Given that IT systems today
are commonly linked together in networks, the use of a network
topology plan is recommended as the starting point for the
analysis. The following aspects must be considered:
The individual steps in the IT structure analysis are described in
detail in Section 4.1 of the IT- Grundschutz Methodology in the
form of actions to be taken.
Assessment of protection requirements
The aim of the assessment of protection requirements is to
ascertain which protection is adequate and reasonable for the
information and the IT assets used. The potential damage which
could occur as a result of loss of confidentiality, integrity or
availability is examined for each application and the information
processed. It is important to realistically assess potential
consequential damage. Classification into three protection
requirements categories - "normal", "high" and "very high" -
has
proven successful in the past. Explanations and practical
information on assessment of protection requirements are dealt with
in Chapter 4.2 of the IT-Grundschutz Methodology.
Modelling
During the next step, the modelling stage, the modules in the
IT-Grundschutz Catalogues must then be mapped onto the various
components which make up the IT assets.
Chapter 4.3 of the IT-Grundschutz Methodology describes how
modelling of IT assets with modules from the IT-Grundschutz
Catalogues should be performed. Detailed notes on the use of the
layer model and modelling in accordance with IT-Grundschutz
are given in the "Modelling" chapter. Section 4.4 of the IT
Grundschutz Methodology describes how the subsequent target/actual
comparison is performed with a basic security check.
Basic security check
The basic security check is an organisational instrument which
provides a fast overview of the existing IT security level.
Interviews are used to establish the status quo of an existing set
of IT assets (modelled according to IT-Grundschutz) in relation to
the extent to which the security safeguards contained in the
IT-Grundschutz Catalogues have been implemented. The outcome of
this check is an overview in which the implementation status of
each of the relevant safeguards is classified as "Unnecessary",
"Yes", "Partially" or "No". By identifying safeguards which have
not yet been implemented or have only been partially implemented it
is possible to determine where there is scope for improving the
security of the IT assets concerned. Section 4.4 describes an
action plan for performing a basic security check. This takes both
the organisational aspects and the technical requirements during
project implementation into account.
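The following Python example (added here; not part of the IT-Grundschutz Catalogues or the GSTOOL) combines the A/B/C/Z classification from Section 1.3 with the four implementation statuses of the basic security check and reports which safeguards still block each qualification level. The check results are constructed; the classification given for S 2.11 and the identifiers S 0.1 and S 0.2 are hypothetical, used only to exercise the B and C rules.

```python
from dataclasses import dataclass

# Which classifications each qualification level requires (Section 1.3):
# A for all three, B additionally for continuation and certificate,
# C additionally for the certificate.  Z is never mandatory.
LEVELS = {
    "entry": {"A"},
    "continuation": {"A", "B"},
    "certificate": {"A", "B", "C"},
}
ORDER = ("entry", "continuation", "certificate")
STATUSES = {"Yes", "Partially", "No", "Unnecessary"}


@dataclass(frozen=True)
class CheckResult:
    safeguard: str
    classification: str      # A, B, C or Z for the module under review
    status: str              # outcome of the interview-based basic security check
    justification: str = ""  # mandatory when status is "Unnecessary"


def open_items(results, level):
    """Safeguards that still block the given qualification level.

    "Unnecessary" only counts as settled when a reason is documented, since
    the text requires that decision to be made and documented per case."""
    required = LEVELS[level]
    findings = []
    for r in results:
        if r.status not in STATUSES:
            raise ValueError(f"{r.safeguard}: unknown status {r.status!r}")
        if r.classification not in required or r.status == "Yes":
            continue
        if r.status == "Unnecessary":
            if not r.justification.strip():
                findings.append((r.safeguard, "Unnecessary without documented reason"))
            continue
        findings.append((r.safeguard, r.status))
    return findings


def qualification_report(results):
    """Open items per level; an empty list means the level is reachable."""
    return {level: open_items(results, level) for level in ORDER}


def highest_level(results):
    """Highest qualification level with no open items, or None."""
    reached = None
    for level in ORDER:
        if open_items(results, level):
            break
        reached = level
    return reached


# Constructed sample.  S 1.15, S 1.45, S 1.46 and S 1.61 carry the classes
# the text gives for them; S 2.11's class and the identifiers "S 0.1" and
# "S 0.2" are hypothetical.
SAMPLE_CHECK = [
    CheckResult("S 1.15", "A", "Yes"),
    CheckResult("S 2.11", "A", "Yes"),
    CheckResult("S 1.61", "A", "Yes"),
    CheckResult("S 1.45", "A", "Unnecessary",
                "no mobile workplaces in the IT assets under review"),
    CheckResult("S 0.1", "B", "Partially"),
    CheckResult("S 0.2", "C", "No"),
    CheckResult("S 1.46", "Z", "No"),
]

if __name__ == "__main__":
    for level, items in qualification_report(SAMPLE_CHECK).items():
        print(f"{level:13s} {'reachable' if not items else items}")
    print("highest level reached:", highest_level(SAMPLE_CHECK))
```

Note that the Z-classified S 1.46 with status "No" never appears as an open item, while an "Unnecessary" entry without a justification blocks even the entry level: the tool makes the documentation duty from the Safeguard-Threat Table discussion a hard requirement rather than a reminder.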
IT security audit
The security safeguards contained in the IT-Grundschutz Catalogues
can also be used for carrying out an audit of IT security. To this
purpose the same procedure as for the basic security check is
recommended. Drawing up a customised checklist for each module
using the safeguard texts is helpful and reduces the workload. This
facilitates auditing and frequently improves the repeatability of
results.
Additional IT safeguards
The standard IT-Grundschutz security safeguards normally provide
appropriate, adequate protection. However, if the protection
requirement is high or very high, it may be necessary to check
whether more stringent IT security safeguards are needed, either in
addition to or instead of the standard safeguards. Appropriate
safeguards for areas with higher protection requirements should be
selected on the basis of additional security analyses. One method
for this is described in BSI-Standard 100-3 "Risk analysis based on
IT-Grundschutz".
Implementation of IT security concepts
with the implementation schedule. It is very important that all
necessary safeguards are strictly implemented. Chapter 4.6 of the
document on IT-Grundschutz Methodology describes the aspects which
must be taken into account when planning the implementation of IT
security safeguards.
IT-Grundschutz Certification
The IT-Grundschutz Methodology and the IT-Grundschutz Catalogues
are not only used for the IT security design, but also frequently
as a reference in terms of a security standard. By achieving IT-
Grundschutz Certification an organisation can provide documentary
evidence for internal and external use that it has implemented
IT-Grundschutz to the depth required.
2.1 Modelling in accordance with IT-
Grundschutz
During the implementation of IT-Grundschutz the reviewed IT assets
must be mapped with the aid of the existing modules, i.e. the
relevant security safeguards collated from the IT-Grundschutz
Catalogues. The IT structure analysis and protection requirement
assessment results are required to this purpose. On this basis an
IT- Grundschutz model for the IT assets is compiled which comprises
various modules, some of which are used more than once, and which
includes a diagram of the modules and the security-related aspects
of the IT assets.
It is irrelevant for the created IT-Grundschutz model whether the
IT assets consist of IT systems which are already in use or whether
the IT assets in question are still at the planning stage. The
model can, however, be used in different ways.
- The IT-Grundschutz model of existing IT assets identifies the
relevant standard security safeguards with the modules employed. It
can be used in the form of a test plan for carrying out a
target/actual comparison.
- In contrast the IT-Grundschutz model for a planned set of IT
assets constitutes a development
concept. Using the selected modules, it specifies which standard
security safeguards must be implemented when the IT assets are
taken into operation.
The diagram below shows the role of modelling and its possible
outcomes:
Diagram: Result of IT-Grundschutz modelling
In order to depict IT assets, which are often complex, with the aid
of IT-Grundschutz modules, it is advisable to view the IT security
aspects grouped according to specific topics.
Diagram: Layers of the IT-Grundschutz model
The IT security aspects of IT assets are assigned to the individual
layers as follows:
- Layer 1 covers the generic IT security aspects which apply
equally to all or most of the IT assets. This applies in particular
to generic concepts and the resulting regulations. Typical Layer 1
modules include "IT security management", "Organisation", "Data
backup concept" and "Computer virus protection
concept".
- Layer 2 covers all the constructional, physical issues. Aspects
of infrastructural security are combined in this layer. This
affects, for example, the building, server room, protective
cabinet, and home-based workstation modules.
- Layer 3 deals with the individual IT systems in the IT assets
that have been grouped together as required. The IT security issues
of clients, servers and standalone systems are dealt with here.
This layer covers, for example, the PBX (private branch exchange),
laptop computer and Windows 2000 client modules.
- Layer 4 examines the networking aspects which mainly concern the
network connections and communication, and not specific IT systems.
These include, for example, the heterogeneous networks, modem and
remote access modules.
- Layer 5 then deals with the actual IT applications used by the IT
assets. This layer can also include, for example, the modules for
e-mail, web server, fax server and databases for modelling.
IT-Grundschutz modelling entails determining, for the modules of
each layer, whether and how they can be used to map the IT assets.
Depending on the module, the objects mapped in this way vary:
individual business processes or components, groups of components,
buildings, properties, organisational units, etc.
The procedure for modelling a set of IT assets is described in
detail below. Particular importance is attached in this case to any
constraints which apply, when a given module should be used and to
which target objects it should be applied.
2.2
model
When modelling a set of IT assets it is recommended that the
modules be assigned in accordance with the layer model. This
is then followed by a check to ensure completeness.
Layer 1: Generic IT security aspects
In this layer all aspects of the IT assets which apply to each
individual component are modelled. The primary elements under
consideration here are concepts and regulations derived from these
concepts. These aspects should be controlled uniformly for the
entire set of IT assets so that in most cases the relevant modules
only then have to be applied once to the entire set of IT assets.
IT security management, organisation of IT operations, training and
promotion of staff awareness are particularly important in this
case. Implementation of the relevant safeguards is of fundamental
importance for the secure use of information and
communications technology. The relevant modules must always
therefore be applied, irrespective of the technical components
used.
- Module B 1.0 IT Security Management should be applied
once for all IT assets. Correctly functioning IT security
management is an essential basis for achieving an appropriate level
of security. In the case of outsourcing special rules apply
for the use of this module, which are described in detail in the
BSI document "IT-Grundschutz Certification of outsourced
components".
- Module B 1.1 Organisation must be applied at least once for each
set of IT assets. If some of the IT assets under consideration are
assigned to a different organisation or organisational unit and are
therefore subject to different framework conditions, the module
should be applied separately to each organisation or organisational
unit. In the case of outsourcing special rules apply for the use of
this module, which are described in detail in the BSI document
"IT-Grundschutz certification of outsourced components".
- Module B 1.2 Personnel must be applied at least once for each set
of IT assets. If some of the IT assets under consideration are
assigned to a different organisation or organisational unit and are
therefore subject to different framework conditions, the module
should be applied separately to each organisation or organisational
unit. In the case of outsourcing special rules apply for the use of
this module, which are described in detail in the BSI document
"IT-Grundschutz certification of outsourced components".
- Module B 1.3 Contingency Planning must at least be used if
any components have been identified during the protection
requirements assessment as requiring high or very high protection
regarding availability, or if relatively large IT systems and/or
extensive networks are in use. Particular attention should be
given to these components when working through the module. In the
case of outsourcing special rules apply for the use of this
module, which are described in detail in the BSI document
"IT-Grundschutz certification of outsourced components".
- Module B 1.4 Data Backup Policy must be used once for the
entire set of IT assets.
- Module B 1.6 Concept of computer virus protection must be applied
once for the entire set of IT assets.
- Module B 1.8 Handling of security incidents should at least
be used if any components have been identified in the protection
requirements assessment as having high or very high protection
requirements regarding one of the three fundamental values, or
where failure of the entire set of IT assets would result in damage
in the categories "high" or "very high". In the case of outsourcing
special rules apply for the use of this module, which are described
in detail in the BSI document "IT-Grundschutz certification of
outsourced components".
- Module B 1.9 Hardware and Software Management must be applied at
least once for each set of IT assets. If some of the IT assets under
consideration are assigned to a different organisation or
organisational unit and are therefore subject to different framework
conditions, the module should be applied separately to each
organisation or organisational unit. In the case of outsourcing
special rules apply for the use of this module, which are described
in detail in the BSI document "IT-Grundschutz certification of
outsourced components".
- Module B 1.10 Standard software must be applied at least once for
the entire set of IT assets. If there are any sections of the
IT assets which have different requirements or procedures with
regard to the use of standard software, module B 1.10 should be
applied to each of these sections separately.
- Module B 1.11 Outsourcing should be used at least when all of the
following conditions apply:
  - IT systems, applications or business processes are outsourced
to an external service provider,
  - a long-term contract has been made with the service provider,
  - the IT security of the customer is influenced by the service,
and
  - the service provider also regularly performs significant IT
security management tasks within the framework of the contracted
services.
If different components within the set of IT assets are outsourced
to different service providers, the module must be applied once to
each external service provider. When this module is used special
rules apply which are described in detail in the BSI document
"IT-Grundschutz certification of outsourced
components".
- Module B 1.12 Archiving is to be used on the IT
assets when internal or external regulations require long-term
archiving of electronic documents, or there is already a system for
long-term archiving of electronic documents.
- Module B 1.13 IT security awareness and training must
be used once for the entire set of IT assets.
Layer 2: Security of the infrastructure
The constructional conditions relevant for the respective IT assets
are modelled with the aid of the modules from layer 2 "Security of
the infrastructure". This entails assignment of the relevant module
from the IT-Grundschutz Catalogues to every building, room or
protective cabinet (or group of these components).
- Module B 2.1 Building must be used once for every
building or group of buildings.
- Module B 2.3 Office must be applied to all rooms or groups of
rooms in which IT is used, for which, however, none of the
modules B 2.4, B 2.5, B 2.6, B 2.8, B 2.9, B 2.10 or B 2.11 are
applied.
- Module B 2.4 Server Room must be applied to every room or group
of rooms in which servers or PBXs are in operation. Servers
are IT systems which make services available on the network.
If module B 2.9 is used for a room, the additional use of
module B 2.4 is not necessary.
- Module B 2.5 Data Media Archives must be applied to each
room or group of rooms in which data media are stored or
archived.
- Module B 2.6 Technical Infrastructure Room must be applied to
every room or group of rooms in which technical devices requiring
little or no human intervention are in operation (e.g. distribution
cabinet or standby power supply system).
- Module B 2.7 Protective cabinets (room) must be applied to
every protective cabinet or group of protective
cabinets once. Protective cabinets also can serve as an alternative
to a dedicated server room.
- Module B 2.8 Working place at home must be applied once to every
home-based workstation or group of home-based workstations (if
corresponding groups have been defined).
- Module B 2.9 Computer Centres must be applied once to every
computer centre. A computer centre comprises the facilities
and premises necessary to operate a large data processing system
installed centrally for a number of offices. If module B 2.9 is
used for a room, the additional use of module B 2.4 is not
necessary.
- Module B 2.10 Mobile Workplace must always be applied if
employees frequently not only work on the premises of the
organisation, but also at other locations outside the organisation.
Typical target objects for module B 2.10 are laptop
computers.
- Module B 2.11 Meeting, event and training rooms must be
applied once to each such room or group of rooms (if
corresponding groups have been defined).
Layer 3: Security of the IT systems
This layer covers security aspects which refer to the IT systems.
For reasons of clarity this layer is divided into servers, clients,
network components and miscellaneous.
The modules relating to the "Security of the IT systems" section
may be applied either to individual IT systems or to groups of such
IT systems as applicable for the section "Security of the
infrastructure". This is not explicitly referred to separately in
the following section.
Server
- Module B 3.101 General Server must be applied to every IT
system which offers services (e.g. file or print services) as a
server in the network.
- Module B 3.102 Servers under Unix must be applied to each server
which runs with this operating system.
- Module B 3.106 Windows 2000 Server must be applied to every
server which runs with this operating system.
- Module B 3.107 S/390 and zSeries mainframes must be applied to
every mainframe computer of type S/390 or zSeries.
Note: In addition to the module applicable for the respective
operating system, module B 3.101 must also always be applied to
each server (and mainframe computer), as this module includes the
security aspects for servers which are not
platform-dependent.
Clients
- Module B 3.201 General client must be applied to every
client.
- Module B 3.202 General stand-alone IT systems must be applied to
each stand-alone system.
- Module B 3.203 Laptops must be applied to all mobile
computers (laptops).
- Module B 3.204 Unix client must be applied to every
stand-alone computer or client which runs with this operating
system.
- Module B 3.205 Windows NT client must be applied to every
stand-alone computer or client which runs with this operating
system.
- Module B 3.206 Windows 95 client must be applied to every
stand-alone computer or client which runs with this operating
system.
- Module B 3.207 Windows 2000 client must be applied to every
stand-alone computer or client which runs with this operating
system.
- Module B 3.208 Internet PCs must be applied to every
computer which is exclusively used for accessing Internet
services and is not connected to the internal network of the
organisation. In this specific scenario there is no need to
consider any other modules of the IT-Grundschutz Catalogues
for this computer (or group of computers).
- Module B 3.209 Windows XP Client must be applied to every
standalone computer or client which runs with this operating
system.
Note: In addition to the specific module for each operating
system, either module B 3.201 or B 3.202 must also be applied to
every client, as these modules include all security aspects for
clients which are not platform-dependent.
Network component
- Module B 3.301 Security gateway (firewall) must always be applied
if networks with different levels of trustworthiness are linked. A
typical application is the protection of an external link (for
example at the interface of an internal network with the Internet,
or links to networks of business partners). The module should also
be applied when two internal networks with differing protection
requirements are linked, for example to separate the office
communication network from the network of the development
department if particularly confidential data are processed there.
- Module B 3.302 Routers and switches must be applied in any
active network that is used in the IT assets.
Miscellaneous
- Module B 3.401 Telecommunications system must be applied to each
telecommunications system or to each corresponding group.
- The module B 3.402 Fax Machine must be applied to every fax
machine or to each corresponding group.
- The module B 3.403 Answering Machine must be applied to
each answering machine or each corresponding group.
- The module B 3.404 Mobile Telephones should be applied at least
once if the use of mobile phones is not prohibited as a matter of
principle in the organisation or organisational unit under review.
If mobile phones are used in several different ways (for example
several mobile phone pools), module B 3.404 must be applied
separately to each.
- The module B 3.405 PDAs should be applied at least once if the use
of PDAs is not prohibited as a matter of principle in the
organisation or organisational unit under review.
Layer 4: Security in the network
This layer is concerned with security aspects in the network which
do not only exclusively apply to specific IT systems (e.g.
servers). In this case the focus is on security aspects which
relate to the network connections and communication between the IT
systems.
To simplify matters, it may be necessary to review sections of the
overall network rather than the entire network at once. The
division of the overall network into sub-networks should be based
on the two criteria below:
- The assessment of protection requirements has identified
connections through which specific data should never be transported
under any circumstances. These connections should be viewed as
"interfaces" between sub-networks, i.e. the two endpoints of such a
connection should be in different sub-networks. In contrast,
connections which transport data with a high or very high
protection requirement should not pass over any sub-network
borders if possible. If this principle is followed, the protection
requirements of the resulting sub-networks will be as uniform as
possible.
- Components which are only inter-connected over a long-distance
connection should not be assigned to the same sub-network, i.e.
sub-networks should not extend over more than one location or
property. This is recommended both for reasons of clarity and to
ensure efficient project implementation.
If these two criteria are not suitable for dividing the overall
network (for example due to the fact that some of the resulting
sub-networks are either too large or too small), the main network
can alternatively be divided into sub-networks on the basis of
organisational criteria. In such cases the areas of responsibility
of the individual administrators or teams of administrators are
regarded as sub- networks.
It is not possible to make concrete recommendations for the best
method of dividing the overall network into sub-networks, as the
requirements stated above could be incompatible with the existing
IT assets. Therefore, each case should be regarded individually to
decide which division of the overall network is most practicable
with regard to the applicable modules of the IT-Grundschutz
Catalogues.
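As an added example (not from the Catalogues or the GSTOOL), the Python code below applies the two criteria above to a constructed network: connections over which specific data must never travel are treated as interfaces, a long-distance connection never joins two components into one sub-network, and connections with a high or very high protection requirement that nevertheless end up crossing a border are reported for review. All component and connection names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    location: str           # site or property on which the component stands


@dataclass(frozen=True)
class Connection:
    a: str
    b: str
    protection: str         # requirement of the data transported: "normal", "high", "very high"
    forbidden_data: bool = False  # True: specific data must never be transported over it


class DisjointSet:
    """Union-find over component names."""
    def __init__(self, names):
        self.parent = {n: n for n in names}

    def find(self, n):
        while self.parent[n] != n:
            self.parent[n] = self.parent[self.parent[n]]   # path halving
            n = self.parent[n]
        return n

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def partition(components, connections):
    """Divide the overall network into sub-networks.

    Criterion 1: a connection over which specific data must never be
    transported is an interface, so its endpoints are never merged.
    Criterion 2: components linked only over a long-distance connection
    (different locations) are never merged, so no sub-network spans more
    than one location.  Any other connection merges its endpoints."""
    location = {c.name: c.location for c in components}
    ds = DisjointSet(location)
    for conn in connections:
        if conn.forbidden_data or location[conn.a] != location[conn.b]:
            continue
        ds.union(conn.a, conn.b)
    groups = defaultdict(list)
    for c in components:
        groups[ds.find(c.name)].append(c.name)
    return sorted(sorted(g) for g in groups.values())


def border_crossings(components, connections):
    """High or very high protection connections that cross a sub-network border.

    The text says such connections should stay inside one sub-network if
    possible, so they are returned for review rather than silently accepted."""
    subnet_of = {}
    for idx, subnet in enumerate(partition(components, connections)):
        for name in subnet:
            subnet_of[name] = idx
    return sorted(
        (conn.a, conn.b)
        for conn in connections
        if conn.protection in ("high", "very high") and subnet_of[conn.a] != subnet_of[conn.b]
    )


# Constructed sample: a head office with office PCs, a file server and a
# development server, plus a branch office reached over a long-distance link.
COMPONENTS = [
    Component("fileserver", "head office"),
    Component("client1", "head office"),
    Component("client2", "head office"),
    Component("devserver", "head office"),
    Component("branch-client", "branch office"),
]
CONNECTIONS = [
    Connection("client1", "fileserver", "normal"),
    Connection("client2", "fileserver", "normal"),
    # development data must never reach the office network: an interface
    Connection("devserver", "fileserver", "normal", forbidden_data=True),
    # long-distance link carrying data with a high protection requirement
    Connection("branch-client", "fileserver", "high"),
]

if __name__ == "__main__":
    for i, subnet in enumerate(partition(COMPONENTS, CONNECTIONS), 1):
        print(f"sub-network {i}: {subnet}")
    print("high-protection links crossing a border:",
          border_crossings(COMPONENTS, CONNECTIONS))
```

The branch-office link is exactly the case the text warns about: the location rule forces a border there, yet the data crossing it has a high protection requirement. The tool does not resolve that conflict (the text says it cannot be resolved generically) but makes it visible so that the decision is taken deliberately, for instance by applying module B 3.301 at that interface.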
- Module B 4.1 Heterogeneous Networks must generally be applied to
each sub-network once. However, if the sub-networks are small and
several of them fall within the responsibility of the same team of
administrators, it may be sufficient to apply module B 4.1 once to
all of these sub-networks.
- Module B 4.2 Network and System Management must be
applied to each network or system management system used on the IT
assets under consideration.
- Module B 4.4 Remote Access Service must be applied once
wherever remote access to the internal network is possible by a
route other than over a dedicated leased line (e.g. telecommuting,
linking of field staff via analogue dial-up lines, ISDN or mobile
phone).
- Module B 4.5 LAN connection of an IT system via
ISDN must be applied to all external connections which have
been realized with ISDN.
Layer 5: Security of applications
The lowest layer of the modelled IT assets includes mapping of the
applications. Modern applications are seldom restricted to an
individual IT system. Core applications used across an entire
organisation are generally implemented as client/server
applications. In many cases servers themselves access other
downstream servers, e.g. database systems. The security of the
applications must therefore be considered independently of the IT
systems and networks.
- Module B 5.1 Peer-to-peer services must be applied to each
client offering peer-to-peer services (for example shared
directories) in the network.
- Module B 5.2 Exchange of Data Media should be used once for
every application which serves as a source of data for an exchange
of data media or processes data received by this route.
- Module B 5.3 E-Mail must be applied to each e-mail
system (internal or external) of the IT assets under
consideration.
- Module B 5.4 Web server must be applied to each Web service
(e.g. Intranet or Internet) of the examined IT assets.
- Module B 5.5 Lotus Notes must be applied once to each
workgroup system based on Lotus Notes or to any corresponding group
in the IT assets.
- Module B 5.6 Fax servers must be applied to every fax server
or corresponding group.
- Module B 5.7 Databases should be applied once per database
system or group of database systems.
- Module B 5.8 Telecommuting must also be applied to each IT
system which is used for telecommuting.
- Module B 5.9 Novell eDirectory should be applied once to
every directory service that is implemented with Novell
eDirectory.
- Module B 5.10 Internet Information Server must be
applied - in addition to module 5.4 - to every Web service which is
run with this product.
- Module B 5.11 Apache Webserver must be applied - in
addition to module 5.4 - to each Web service which is run with this
product.
- Module B 5.12 Exchange 2000 / Outlook 2000 must be applied -
in addition to module B 5.3 - to each workgroup or E-mail system
which is based on Microsoft Exchange or Outlook.
Completeness check
Finally, a check should be performed to ensure that the entire
system has been seamlessly and completely modelled. It is
recommended to use the network plan or a similar overview of the IT
assets to this purpose and to check the individual components
systematically. Each component should either
be assigned to a group or modelled individually.
If the overall network has been divided into sub-networks in layer
4, it should be checked whether
- Each sub-network has been fully mapped and
It is important that not only all hardware and software components
are modelled from a technical perspective, but that the
related organisational, personnel and infrastructural aspects are
also fully covered.
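The layer-5 modelling rules and the completeness check above, as an added example that is not part of the IT-Grundschutz Catalogues: a constructed inventory of applications (hypothetical names and products) is mapped to modules B 5.1 to B 5.12, components sharing a group are modelled once per group, and every component is then checked for coverage. The encoding of the rules as data and the "in addition to" check are assumptions made for this example.

```python
"""Added example, not from the IT-Grundschutz Catalogues: map a constructed
layer-5 inventory to the module rules above and run the completeness check."""
from collections import defaultdict

# (module, kind of component, product filter or None), taken from the rules above.
LAYER5_RULES = [
    ("B 5.1", "peer-to-peer client", None),
    ("B 5.2", "data-media exchange application", None),
    ("B 5.3", "e-mail system", None),
    ("B 5.4", "web service", None),
    ("B 5.5", "workgroup system", "Lotus Notes"),
    ("B 5.6", "fax server", None),
    ("B 5.7", "database system", None),
    ("B 5.8", "telecommuting system", None),
    ("B 5.9", "directory service", "Novell eDirectory"),
    ("B 5.10", "web service", "Internet Information Server"),
    ("B 5.11", "web service", "Apache Webserver"),
    ("B 5.12", "e-mail system", "Microsoft Exchange"),
]
# Product-specific modules that apply only in addition to a base module.
IN_ADDITION_TO = {"B 5.10": "B 5.4", "B 5.11": "B 5.4", "B 5.12": "B 5.3"}

def model_layer5(components):
    """Return {modelling target: set of modules}. A component dict has 'name',
    'kind', optionally 'product' and optionally 'group'; components sharing a
    'group' are modelled once per group, as the text allows for e.g. databases."""
    modelled = defaultdict(set)
    for c in components:
        target = c.get("group", c["name"])
        for module, kind, product in LAYER5_RULES:
            if c["kind"] == kind and product in (None, c.get("product")):
                modelled[target].add(module)
    return dict(modelled)

def completeness_check(components, modelled):
    """Names of components neither modelled individually nor via a group."""
    return sorted(c["name"] for c in components
                  if c.get("group", c["name"]) not in modelled)

def addition_rule_violations(modelled):
    """Targets where a product-specific module appears without its base module."""
    return sorted(t for t, mods in modelled.items()
                  for extra, base in IN_ADDITION_TO.items()
                  if extra in mods and base not in mods)

# Constructed sample inventory; names and products are hypothetical.
SAMPLE = [
    {"name": "mail-1", "kind": "e-mail system", "product": "Microsoft Exchange"},
    {"name": "www-1", "kind": "web service", "product": "Apache Webserver"},
    {"name": "www-2", "kind": "web service", "product": "Internet Information Server"},
    {"name": "db-1", "kind": "database system", "group": "DB cluster"},
    {"name": "db-2", "kind": "database system", "group": "DB cluster"},
    {"name": "crm-1", "kind": "ERP application"},  # no layer-5 rule matches
]

if __name__ == "__main__":
    result = model_layer5(SAMPLE)
    for target, mods in sorted(result.items()):
        print(f"{target}: {sorted(mods)}")
    print("not covered:", completeness_check(SAMPLE, result))
    print("addition-rule violations:", addition_rule_violations(result))
```

A component such as "crm-1" that matches no rule is exactly what the completeness check is meant to surface: it must then be assigned to a group or modelled individually before the modelling is considered complete.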
3 Roles
In addition to recommendations on the implementation of
individual safeguards, the IT-Grundschutz Catalogues also give
examples of the persons who are responsible for the initiation or
implementation of these safeguards. As the designations of the
persons or roles named here as responsible vary between
organisations, a brief role description is included to facilitate
assignment.
Responsible persons and their role descriptions:
Application developer: An application developer is an expert
entrusted with planning, developing, testing or maintaining
programmes.
Archiver: The archiver is responsible for setting up, operating,
monitoring and maintaining an archive system at a specialist
level.
Auditor: An auditor checks whether the planned safeguards and
measures have been satisfactorily implemented.
Construction company: These are companies which perform construction
work of all types for the organisation operating the IT
system or for its representative. This can be buildings in a general
sense, electrical structures or also the installation of hazard
alert systems.
Construction manager: The function of the construction manager (from
overall planning through to site planning, etc. and individual
structures) can, for example, be met by an architect or a planning
office.
Construction supervisor: A construction supervisor is responsible
for the implementation of construction projects.
Data backup officer: The data backup officer is assigned the task of
compiling, maintaining, regularly updating and implementing a
data security concept.
Data protection officer: A data protection officer is a person
appointed by the management of a public agency or a company who is
responsible for the correct handling of personal data in accordance
with the law in that company or public agency.
Emergency officer: The emergency officer is authorised by the public
agency or company management to decide whether a certain situation
should be classed as an emergency, and if necessary to initiate
suitable emergency measures.
Employee: An employee is a member of a specialist department, a
public agency or a company.
Fax sender: This refers to a person sending a fax.
Fire protection officer: A fire protection officer is responsible
for all matters related to fire protection. He is also
responsible for the compilation of fire risk analyses,
employee training and further training, and sometimes also for
maintenance and servicing of the fire protection equipment.
Head of internal services section: This refers to the head of the
internal services section or the person responsible for the
provision of general services.
Head of IT section: This refers to the head of the IT department or
the management responsible for information technology.
Head of organisational section: This refers to the head of the
organisational unit who is responsible for the control and
supervision of general operations as well as for planning,
organisation and all administration services.
Head of personnel: This refers to the head of the personnel
department or the organisational unit responsible for personnel
matters.
Head of purchasing department: This refers to the head of the
purchasing department or the organisational unit which is
responsible for purchasing.
Head of site technical services: This refers to the person
responsible for site technical services.
Head of the specialist department: This refers to the head of a
specialist department.
Internal services division: The internal services division is an
organisational unit which co-ordinates all central services for
all employees, e.g. postal services, photocopiers, in-house driver
and courier service, elimination of technical faults, cleaning,
provision of operating resources, etc.
IT procedures officer: An IT procedures officer is responsible for
the correct operation of one or more special IT processes, e.g.
electronic warehouse management.
IT security management: IT security management refers to the group
of persons responsible for the IT security process within an
organisation. The term IT security management is used synonymously
with IT security management team.
IT security management team: The IT security management team deals
with cross-department matters related to IT security and compiles
plans, requirements and guidelines on this topic.
IT security officer: An IT security officer is a person appointed by
a public agency or company management who is charged by
management with the organisation and/or implementation of adequate
IT security in the company or the public agency.
IT support technician: The assignments of an IT support technician
include dealing with questions submitted by users concerning
problems with the standard IT equipment.
uses IT systems for completing assignments.
Mail room: The mail room is a collection office in a public agency
or a company for incoming and outgoing mail. Fax and e-mail
services can also be included in the scope of its activities.
Network administrator: A network administrator is responsible
for setting up, operating, controlling the use of and also
maintaining a computer network or sub-networks. The
assignments of a network administrator include, for example,
the compilation of a network plan, setting up new services and the
evaluation of log files.
Network planner: A network planner is responsible for planning
the structure of the IT networks and their connection to external
and public networks.
PBX officer: The PBX officer is responsible for the operation of the
telecommunications systems and the corresponding rules and
procedures.
Person responsible for individual IT applications: The person
responsible for an individual IT application is charged not only
with ensuring smooth operation of the IT application, but also with
the initiation and implementation of IT security safeguards for
this application.
Personnel department: The personnel department is responsible, for
example, for the following tasks:
- Basic personnel-related questions
- Personnel deployment planning
- Hiring of personnel
- Deployment of personnel
- Personal employee-related matters
- General co-operation with staff representatives
Planner: The general term "planner" is introduced in place of the
terms "network planner" and "construction manager".
Press office: The press office is responsible for all incoming and
outgoing contacts with the press and media.
Procurer: This refers to a member of the purchasing department who
is responsible for the procurement of operating resources or IT
systems.
Public agency/Company management: This refers to the management
level of the institution or the organisational unit under
consideration.
Purchasing department: The purchasing department initiates and
monitors orders. Public agencies have defined processes for
handling orders.
Specialist department: A specialist department is part of a public
agency or a company which is charged with one or more specialist
assignments. In the case of agencies at federal or federal
state level, the department is a grouping of several units.
Staff council / Works council: The staff council and the works
council are responsible for representing the interests of employees
towards the public agency or company management.
Superiors: The term superior refers to the members of an
organisation who have authority invested in them on the basis of
their position within the organisation.
Technical manager: The technical manager is responsible for the
content of one or more IT processes (for example, the head of
the sales organisational unit is the technical manager for the
"automatic sales" application).
4 Glossary
This glossary explains several important terms related to
information security and IT-Grundschutz.
Administrator
An administrator manages and provides support for the computers and
computer networks. He installs operating systems and application
programs, creates new user IDs and allocates the rights required
for the respective assignments. The administrator himself generally
has far-reaching or even unrestricted access rights to the
computers or networks he manages.
Application level gateway (ALG)
An application level gateway is an IT system which filters the
information of the application layer (i.e. the actual content, the
user data, of a packet or of several related packets) and can
permit or prohibit particular connections or commands on the basis
of special rules. An application level gateway is generally
implemented on an IT system which is used solely for this purpose
and has a minimised set of commands.
Applied threat
An applied threat is a basic threat which has a direct effect on an
object as the result of a vulnerability. A basic threat therefore
only becomes an applied threat for an object when combined with a
vulnerability.
For example, are computer viruses a basic or an applied threat to a
user who is surfing the Internet? According to the above definition,
all users are in principle exposed to a basic threat by computer
viruses on the Internet. A user who downloads an infected file is
exposed to an applied threat by the computer virus if his computer
is vulnerable to this type of virus. Users with an effective
anti-virus programme, a configuration which prevents the virus from
functioning, or an operating system which cannot execute the virus
code are, however, not exposed to an applied threat as a result of
the downloaded malicious program.
Assessment of protection requirements
During assessment of protection requirements, the necessary degree
of protection of the business processes, the processed
information and the IT components is determined. The potential
damage which could occur as a result of loss of confidentiality,
integrity or availability is considered for each application and
the information processed within the application. It is also
important to realistically assess potential subsequent damage.
Experience has shown that classification in three protection
requirement categories - "normal", "high" and "very high" - is
effective.
Asset
Everything which is important for an organisation (financial
assets, knowledge, objects, health).
Auditing
Auditing is the systematic examination of the suitability of and
compliance with specified (security) guidelines. Auditing should be
independent and neutral.
Authentication
Authentication process
When a person logs in on a system, the system runs a check to
verify the identity of the person in the scope of authentication
process. The term is also used when the identity of IT components
or applications is tested.
Authenticity
The term authenticity refers to the attribute which ensures that a
communication partner is actually the one he claims to be. If
information is authentic, this ensures that it originates from the
stated source. The term is not only used when the identity of
persons is checked, but also for IT components or
applications.
Authorisation
During authorisation it is checked whether a person, an IT component
or an application is authorised to perform a specific action.
Availability
The availability of services, functions of an IT system, IT
applications or IT networks or also information is given if these
are always made available to users as required.
Basic IT security parameters
IT-Grundschutz defines three fundamental IT security values:
confidentiality, availability and integrity.
Each user is naturally free to include additional fundamental
values when assessing protection requirements if this is helpful in
individual cases. Other generic terms concerning IT security are,
for example:
- Authenticity
- Liability
- Reliability
Basic security check
In IT-Grundschutz this term refers to the investigation of whether
all safeguards recommended by IT-Grundschutz have already been
implemented in an organisation and which basic IT security
safeguards are still missing.
Basic threat
A basic threat in general terms is an event or condition which
involves the risk of damage. The damage is related to a concrete
value such as financial assets, knowledge, objects or health. In IT
terms a basic threat is a condition or an event which can
negatively affect the availability, integrity or the
confidentiality of information, which in turn results in damage to
the owner of the information. Basic threats can result from the
effects of force majeure, organisational shortcomings, human
errors, technical failure or deliberate acts.
Blackbox test
Browser
A browser is software used to access the World Wide Web. The
program interprets the incoming data and displays these as text and
images on the screen.
Certificate
The term certificate is used in information security contexts in
different ways. The main definitions are as follows:
- IT-Grundschutz certificate: As the IT-Grundschutz Methodology in
combination with the IT-Grundschutz Catalogues is a recognised set
of criteria for IT security, the BSI has created a certification
scheme for IT-Grundschutz. An IT-Grundschutz certificate can
therefore be issued to document the fact that all relevant security
safeguards from the IT-Grundschutz Catalogues have
been implemented for the reviewed IT assets.
- Certificate (key certificate): A key certificate is an electronic
confirmation used to assign signature verification keys to a
person. With digital signatures a certificate is required as
confirmation by a trustworthy third party to prove that the
cryptographic key used to generate the digital signature really
belongs to the signatory.
- Certificate (IT security certificate, CC certificate):
Internationally recognised IT security criteria are used as the
basis for certification, such as the Common Criteria (ISO/IEC
15408). This is used to evaluate a wide range of products and
systems. One main prerequisite is, however, that the security
properties confirmed in the certificate at the end of the procedure
are in keeping with the observance of confidentiality, availability
and integrity.
- Certificate of protection profiles (profile certificates):
Protection profiles enable Common Criteria user groups and
manufacturers to stipulate security requirements which are typical
for the product class and specific services. The inclusion of
protection profiles during the product development
phase facilitates their evaluation, and the resulting
products effectively meet the specific demands of the users.
Protection profiles can also be evaluated and certified.
Client
Client refers to software or hardware which is able to make use of
certain services provided by a server. Frequently, the term client
is used for a workstation computer which accesses data and
programs of a server in a network.
Computer virus
A computer virus is a non-independent, self-reproducing routine
which manipulates system areas, programs and their
environments in a manner which cannot be controlled by the user.
(In addition the virus can also be programmed with damaging
functions.)
Confidentiality
Confidentiality means protection against unauthorised release of
information. Confidential data and information may only be made
available to authorised persons in the permissible manner.
Cumulative effect
Damaging function
Damaging function refers to a function which is unwanted by the
user, and which can endanger the availability of data, resources or
services and the confidentiality or integrity of data, either
unintentionally or deliberately.
Danger
"Danger" is often regarded as a generic term, whereas "threat" is
understood as a more closely defined danger (defined spatially and
in terms of time with regard to type, scope and direction).
Example: The danger is loss of data. Loss of data can occur, for
example, due to a defective hard disk or as the result of theft.
The threats are then "defective data media" and "theft of data
media". However, this differentiation is not made consistently in
the literature, and its significance is more of an academic nature,
so that both "danger" and "threat" can be regarded as meaning the
same.
Data backup
Data backup involves making copies of existing data to prevent
their loss.
Data backup includes all technical and organisational measures
required for ensuring the availability, integrity and consistency
of the systems, including the data, programs and procedures saved
on these systems for processing purposes.
Proper data backup means that the safeguards undertaken, defined
on the basis of the sensitivity of the data, enable immediate or
short-term restoration of the condition of the system, data,
programs or procedures when it has been determined that the
availability, integrity or consistency has been negatively affected
by a damaging event. The minimum requirements for these safeguards
stipulate making copies of the data and testing the restored copies
of the respective software, data and procedures in defined cycles
and generations.
Data protection
Data protection refers to the protection of person-related data
against any misuse by third parties (should not be confused with
data security).
Data security
Data security refers to the protection of data in connection with
stipulated requirements regarding their confidentiality,
availability and integrity. A modern term for this is "IT
security".
Demilitarised zone (DMZ)
A DMZ is an intermediate network which is located between the
Intranet and the Internet, but which is not included in either
network. It is a separate network which is not as well protected as
the Intranet.
On simple security gateways, DMZs are normally created on a third
interface of the packet filter (the two other interfaces are
connected to the Intranet and the Internet respectively). If the
security gateway comprises a packet filter / application level
gateway / packet filter configuration, an additional interface of
the application level gateway (ALG) generally serves as the DMZ
interface. If packet filters or ALGs have more than three
interfaces, additional DMZs can be created.
Digital signature
- That it is possible to check, with authentication, whether the
file to which the digital signature was appended is identical to
the file which was actually signed.
Distribution effect
The distribution effect can have a qualifying influence on
protection requirements if an in