IT Baseline Protection - Standard Security Measures



OECD Workshop on IT Security Management

Paris 2001-04-19

Dr. Harald Niggemann

Federal IT Security Agency, Germany

Bundesamt für Sicherheit in der Informationstechnik

Summary of the IT security process

Planning

1. establish an IT security policy

2. build up an IT security concept

Implementation

3. implement IT security safeguards

4. train users and increase awareness

Maintenance

5. keep up IT security in daily work


Summary of the IT security process (diagram: balanced IT security concept)


Summary of the IT security process

Traditional method

Perform a risk analysis (RA).

But

RA is an individual process, hence not reusable.

RA must be applied to each IT system in use.

RA can be highly complex.

RA is often not feasible.


IT Baseline Protection

Main ideas

The whole system consists of typical components

(e.g. server and client computers, operating systems)

Threats and their probabilities are lumped together.

Suitable groups of Standard Security Safeguards are recommended.

Detailed pieces of advice for the implementation of these safeguards are included.


IT Baseline Protection

Advantages

A simple target/performance comparison allows for economical application and procedures.

Resulting IT security concepts are compact because they refer to the standard source.

Practical, reliable, and effective safeguards are implemented.

The concept is expandable and continuously updated.


IT Baseline Protection

The aim is to achieve a security level for IT installations by appropriate employment of organisational, personnel, infrastructural, and technical standard security measures which is adequate and sufficient for average protection requirements and may also serve as a basis for IT applications with higher protection requirements.


Structure of the IT Baseline Protection Manual

Chapters ("modules")

Threats Catalogues

Safeguards Catalogues


Structure of the IT Baseline Protection Manual

Modules (examples)

Personnel

Contingency Planning

Data Media Archives

Windows NT

Unix-Server

Lotus Notes

Remote Access

Mobile phone

About 50 modules on technical and non-technical aspects of IT security


Structure of the IT Baseline Protection Manual

Threats Catalogues

T 1 Force majeure

T 2 Organisational Shortcomings

T 3 Human Failure

T 4 Technical Failure

T 5 Deliberate Acts


Structure of the IT Baseline Protection Manual

Safeguards Catalogues

S 1 Infrastructure

S 2 Organisation

S 3 Personnel

S 4 Hardware/Software

S 5 Communications

S 6 Contingency planning


How to apply the IT Baseline Protection Manual

Network chart: register all components

Modelling: map modules to components

Interviews/Inspection: implementation status of each safeguard (not needed / yes / partly / no)

Evaluation: status quo and improvements
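The four steps above, modelling through evaluation, as an added worked example that is not part of the original slides: module names are taken from the deck, but the components, safeguard identifiers and statuses are constructed placeholders, not the manual's real numbering.

```python
from dataclasses import dataclass, field

# Implementation status values used in the interviews/inspection step (from the slides).
STATUSES = ("not needed", "yes", "partly", "no")

# Constructed example: module names come from the slides; the safeguard identifiers
# are placeholders and NOT the real IT Baseline Protection Manual numbering.
MODULES = {
    "Unix-Server":   ["S4-unix-1", "S4-unix-2", "S6-unix-1"],
    "Remote Access": ["S5-ra-1", "S5-ra-2"],
    "Personnel":     ["S3-pers-1"],
}

@dataclass
class Component:
    name: str
    modules: list                                 # modelling: modules mapped to this component
    status: dict = field(default_factory=dict)    # interviews/inspection: safeguard -> status

def record(component, safeguard, status):
    """Store one interview/inspection result, rejecting statuses outside the scheme."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    component.status[safeguard] = status

def evaluate(components):
    """Target/performance comparison: status quo plus the improvements still needed."""
    report = {}
    for c in components:
        target = [s for m in c.modules for s in MODULES[m]]   # safeguards required by the modules
        open_, unanswered = [], []
        applicable = implemented = 0
        for s in target:
            st = c.status.get(s)
            if st is None:
                unanswered.append(s)          # no interview result yet: the check is incomplete
            elif st != "not needed":
                applicable += 1
                if st == "yes":
                    implemented += 1
                else:
                    open_.append((s, st))     # "partly" and "no" both need improvement
        degree = implemented / applicable if applicable else 1.0
        report[c.name] = {"degree": degree, "open": open_, "unanswered": unanswered}
    return report

def gap_report():
    """Constructed scenario: one server with two modules, one organisational unit."""
    srv = Component("file server", ["Unix-Server", "Remote Access"])
    for s, st in [("S4-unix-1", "yes"), ("S4-unix-2", "partly"),
                  ("S6-unix-1", "no"), ("S5-ra-1", "not needed")]:
        record(srv, s, st)
    hr = Component("HR department", ["Personnel"])
    record(hr, "S3-pers-1", "yes")
    return evaluate([srv, hr])
```

Safeguards with no recorded status are listed separately so that an incomplete inspection is not mistaken for a completed one.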


Some facts about the IT Baseline Protection Manual

about 4500 voluntarily registered users worldwide

has become one of the de-facto standard reference manuals for IT security in Germany

available as a printed loose-leaf edition (German only)

available on CD-ROM (English and German)

available on the Internet (English and German): http://www.bsi.bund.de/gshb

a certification scheme will be available soon


Other reference works?

BS 7799 / ISO 17799

Common Criteria

COBIT

ISO TR 13335


Task Force Catalogue

Catalogue of measures against

distributed denial of service attacks

http://www.bsi.de/ddos
