IT Baseline Protection Catalogs

The IT Baseline Protection Catalogs (before 2005: IT Baseline Protection Manual) are a collection of documents from the German Federal Office for Information Security (BSI) that serve to detect and counter security-relevant weaknesses in IT environments (IT networks). Together with its introduction, the collection of catalogs runs to over 4,400 pages (13th supplement, September 2013) and serves businesses and government agencies as a basis for obtaining an IT baseline protection certification. The certification attests that an organization has taken appropriate measures to secure its IT systems against IT security threats.

IT Baseline Protection

"IT Baseline Protection includes standard security measures for typical IT systems with a 'normal' need for protection."

The detection and assessment of weaknesses in IT systems is often carried out by means of a risk analysis, in which a potential threat is estimated individually for each system or group of similar systems and the cost of damage to the system is determined. This approach is very time-consuming and therefore expensive.

IT Baseline Protection instead assumes a standard threat level for the system, which holds in 80% of cases, and recommends adequate countermeasures. In this way a security level is reached that can be considered sufficient in most cases, which replaces the much more expensive risk analysis. Where protection needs are higher, IT Baseline Protection can be used as a basis for further measures.

The original IT baseline protection certification has been completely superseded by a recognized ISO/IEC 27001 certification on the basis of IT baseline protection.

Core Values

IT security is divided into three basic values:

  • Confidentiality: confidential information must be protected from unauthorized disclosure.
  • Integrity (information security): correctness, freedom from manipulation, and completeness of IT systems, IT processes, and information. Authenticity (i.e. genuineness, accountability, and credibility of information) is also considered here.
  • Availability: services, functions of an IT system, or information are available at the required time.

Structure of the IT Baseline Protection Catalogs

An introduction with explanations, the approach of the IT baseline protection concept, role definitions, and a glossary first familiarize the reader with the manual. This is followed by the module catalogs, the threat catalogs, and finally the measure catalogs. The collection is supplemented by forms and cross-reference tables on the Internet platform of the Federal Office for Information Security (BSI). The IT baseline protection approach itself is described in BSI Standards 100-1 through 100-3 and is the basis for applying the IT baseline protection catalogs and for establishing an information security management system. In addition, the BSI website offers numerous tools for implementing IT baseline protection. The Guide to Information Security is an entry-level document on the whole subject of information security and addresses the key issues.

Each catalog item is identified by an individual code built up as follows. First comes the catalog group: B stands for module, M for measure, and G for threat. This is followed by the number of the layer to which the item belongs within its catalog, and then the sequential number within that layer.

Module catalogs

The module catalog is the central element and, like the other catalogs, follows a layered model. It covers the following five layers: general aspects, infrastructure, IT systems, networks, and IT applications.

The first layer deals with organizational issues such as management, staff, or outsourcing. The infrastructure layer emphasizes structural aspects. The IT systems layer deals with the properties of IT systems, which, besides clients and servers, also include telephone systems and fax machines. The network layer highlights aspects of networks. The application layer deals with questions of security-relevant software such as database management systems, e-mail, or web servers.

The division into layers also helps to clearly delimit the groups of people affected by each layer. The first layer addresses management. Building technicians are affected by the second. The third layer is the domain of system administrators. The fourth falls within the remit of network administrators, and the fifth within that of application administrators and IT users.

Each individual module follows the same structure. The module number is composed of the number of the layer in which the module resides and a number that is unique within that layer. After a brief description of the subject matter covered by the module, the respective threat situation is described. A list of the individual threat sources follows. These represent additional information and do not necessarily have to be worked through when creating a baseline protection concept.

The necessary measures are presented with brief explanations in text form. The text follows the life cycle of the subject matter and covers planning and design, procurement (if required), implementation, operation, decommissioning (if necessary), and emergency preparedness. After the detailed description, the individual measures are summarized again in a list, now sorted according to the structure of the measure catalogs rather than by life cycle. Here the measures are classified into categories A, B, C, Z, and W. Measures of category A form the introduction to the topic, B measures build on them, and category C is then necessary for a baseline protection certification. Category Z measures are additional measures that have proven successful in practice. Category W measures provide background knowledge on the topic and contribute to an additional basic understanding of it.

To keep each module as compact as possible, global aspects are often collected in one module while more specific information is collected in a second. An example of this is the Apache web server: both the general module B 5.4 Web server, which describes the measures and threats for any web server, and module B 5.11, which deals specifically with the Apache web server, apply to it. To ensure the security of the system, both modules must be implemented successfully. The measures or threats presented in one module may also be relevant for other, entirely different components. The result is a cross-linking of the individual components of the IT Baseline Protection Catalogs.

Threat catalogs

Following the module catalogs, the threat catalogs go into more detail on potential impacts on IT systems. These threat catalogs follow the general layer structure. The layers distinguished are "Force majeure", "Organisational shortcomings", "Human failure", "Technical failure", and "Intentional acts". According to the BSI, the knowledge compiled in these catalogs is not absolutely necessary for creating a baseline protection concept, but it promotes understanding of the measures and the vigilance of those responsible. Each threat source is described in a short text, followed by examples of incidents that this threat source can trigger.

Measure catalogs

The measures necessary for implementing baseline protection are summarized in a measure catalog. In this way, measures that apply to several system components are described only once, centrally. Layers are also used here to structure the individual groups of measures. The following layers are formed: "Infrastructure", "Organisation", "Staff", "Hardware/software", "Communication", and "Emergency preparedness".

In the description of a specific measure, the persons responsible for initiating and implementing it are named first. A detailed description of the measure follows. Finally, control questions for proper implementation are listed. When implementing a measure, it should first be checked whether it needs to be adapted to the operation in question. Detailed documentation of such adaptations is useful for later traceability. Since the 10th supplement (Ergänzungslieferung), each measure ends with so-called test questions that once again address the essential elements of the measure and thus form a kind of checklist of whether it has been implemented.

Further reading material

In addition to the information summarized in the IT baseline protection catalogs, the Federal Office for Information Security makes further material available on the Internet. The forms provided there are intended for surveying the protection needs of particular components of the IT system. A table summarizes the measures to be implemented for the individual module. Each measure is named and its degree of implementation recorded; the implementation grades "Expendable", "Yes", "Partial", and "No" are distinguished. A deadline for implementation is then set and a responsible person named. Should implementation of the measure not be possible, the reasons should be entered in the subsequent field so that they remain traceable later. The form concludes with a cost estimate.

In addition to the forms, the cross-reference tables are another useful addition. They summarize the measures and the main threats for each module. Both measures and threats are identified by their codes. Each measure is assigned a priority and its classification is given. The table shows which measure counteracts which threats. Note, however, that the cross-reference tables cover only the main threats. If a threat listed for a measure does not apply to the particular IT system, the measure does not thereby become superfluous. Baseline protection can only be ensured if all measures have been implemented.
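As an added illustration (not BSI material and not from this article), the following Python sketch ties together the identifier scheme, the A/B/C/Z/W measure categories, the implementation grades from the forms, and the cross-reference coverage described above. All names, the rule that categories A, B and C are required for certification while Z and W are optional, and the sample module data are assumptions made for the example.

```python
import re
from collections import namedtuple

# Identifier scheme from the catalogs: group letter (B module, M measure,
# G threat), then layer number and sequential number, e.g. "B 5.4" or "M 1.12".
ITEM_ID = re.compile(r"^([BMG])\s*(\d+)\.(\d+)$")

def parse_item_id(text):
    """Return (group, layer, seq) for an identifier such as 'G 2.3'."""
    m = ITEM_ID.match(text.strip())
    if not m:
        raise ValueError(f"not a catalog identifier: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

REQUIRED = {"A", "B", "C"}   # assumption: A, B, C needed for certification; Z, W optional
GRADES = {"Yes", "Partial", "No", "Expendable"}   # implementation grades from the BSI forms

# counters: threat ids this measure counteracts, as listed in the cross-reference table
Measure = namedtuple("Measure", "ident category counters")

def outstanding_measures(measures, records):
    """records: measure id -> (grade, reason). Returns ids that still block certification."""
    blocking = []
    for m in measures:
        if m.category not in REQUIRED:
            continue
        grade, reason = records.get(m.ident, ("No", ""))
        if grade not in GRADES:
            raise ValueError(f"unknown grade {grade!r} for {m.ident}")
        # "Yes" satisfies; "Expendable" only when a reason is documented for traceability.
        if not (grade == "Yes" or (grade == "Expendable" and reason)):
            blocking.append(m.ident)
    return blocking

def uncovered_threats(measures, records, threats):
    """Threats with no fully implemented counter-measure according to the cross-reference table."""
    covered = set()
    for m in measures:
        if records.get(m.ident, ("No", ""))[0] == "Yes":
            covered |= m.counters
    return sorted(set(threats) - covered, key=parse_item_id)

# Constructed sample data, not real catalog content.
SAMPLE_MEASURES = [Measure("M 1.1", "A", {"G 1.1"}),
                   Measure("M 2.5", "C", {"G 2.3"}),
                   Measure("M 4.9", "Z", {"G 2.3"})]
SAMPLE_THREATS = ["G 1.1", "G 2.3"]
SAMPLE_RECORDS = {"M 1.1": ("Yes", ""),
                  "M 2.5": ("Expendable", ""),   # no reason documented: still blocking
                  "M 4.9": ("Partial", "")}      # Z measure: optional, but leaves G 2.3 uncovered
```

Running `outstanding_measures(SAMPLE_MEASURES, SAMPLE_RECORDS)` flags M 2.5 because "Expendable" without a documented reason is not accepted, while `uncovered_threats` reports G 2.3 even though the partially implemented Z measure does not itself block certification.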

Software

"With the GSTOOL [(November 2011: current version 4.5 with Service Pack 2, to be replaced by software version 4.7)], the BSI has since 1998 provided regularly updated, innovative and ergonomically designed software that efficiently supports the user in creating, managing and updating security concepts according to IT Baseline Protection."

Other tools for creating security concepts based on IT Baseline Protection:

  • Verinice, SerNet GmbH
  • HiScout GRC Suite, HiScout GmbH
  • SIDOC (SECONET baseline protection tool), 2net Carsten Lang
  • INDART Professional, CONTECHNET
  • DHC Vision Information Security Manager, DHC Dr. Herterich & Consultants GmbH
  • DocSetMinder, GRC Partner GmbH
  • Opus i - Information Security, Kronsoft e.K.
  • SecuMax, Kronsoft e.K.
  • Audit Tool 2009, Secure IT Consult
  • i-doit, synetics