IT baseline protection

As an IT Baseline Protection refers to a procedure for identifying and implementing security measures the company's information technology (IT). The goal of basic protection is to achieve an average, reasonable and adequate level of protection for IT systems. To achieve the goal of basic protection recommends technical, infrastructural, organizational and personnel measures.

Companies and authorities ( Information Security Management System (ISMS ) ) demonstrate against threats to IT security using the ISO / IEC 27001 certificate's based on IT Baseline Protection her systematic approach to securing their IT systems.

BSI standards and IT Baseline Protection Catalogs

The restructuring and expansion of the IT Baseline Protection Manual in 2006 by the German Federal Office for Security in Information Technology ( BSI) the methodology and the IT Baseline Protection Catalogs were separated. Four BSI standards contain information on the structure of an information security Mangagement System (ISMS ) ( 100-1 ), the procedure of IT baseline protection ( 100-2 ) and the establishment of risk analysis for high and very high protection requirements based on a survey conducted IT Baseline Protection survey ( 100 -3). The BSI standard was developed 100-4 "Emergency Management" 2008. It contains essential aspects for an appropriate Business Continuity Management ( BCM) and combines elements from the BS 25999 and ITIL Service Continuity Management with the relevant components of the IT Baseline Protection Catalogs. With the implementation of this standard certification to BS 25999-2 is possible.

The BSI is similar since 2006 regularly to its standards with international standards such as ISO / IEC 27001.

The IT Baseline Protection Catalogs are a collection of documents which illustrate the gradual introduction and implementation of an ISMS. These building blocks, hazards and measures are exemplary defined.


Basis of an IT baseline protection concept is the initial absence of a detailed risk analysis. It is assumed flat-rate risks and sacrifice the differentiated classification of the damage and likelihood of occurrence. There shall be three categories of protection requirements that will help you realize the need for protection of the research subject and, based on selecting the appropriate human, technical, organizational and infrastructural security measures of IT baseline protection catalogs.

Based on the IT baseline protection catalogs of the German BSI offers the BSI Standard 100-2 ( IT Baseline Protection Manual prior to 2006) a "recipe " for a normal level of protection. In addition to probability of occurrence and the potential damage and the costs of implementation are considered. By using the IT Baseline Protection Catalogs eliminates an elaborate security analysis that requires expert knowledge, as initially worked with flat-rate risks. It is possible to identify the measures to be taken as a relative layman and implement, in cooperation with experts.

As a confirmation of the successful application of the basic protection along with the establish an information security management system (ISMS ) is awarded by BSI 27001 on the basis of IT baseline protection certificate ISO / IEC. In stages 1 and 2 are based on self- declarations, in stage 3, a check by an independent, licensed by BSI auditor. Based on this method, the new BSI safety standards. This method takes account of development into account that prevails for some time. Companies to be certified according to the ISO / IEC 27001 standard, are required for risk analysis. To make it more comfortably, is usually resorted to the protection requirements according to IT baseline protection catalogs. The advantage is both the achievement of ISO / IEC 27001, as well as conformity to the strict guidelines of BSI. In addition, the BSI provides several tools such as sample policies and GSTOOL.

There is also a building block for data protection, which was devised by the Federal Commissioner for Data Protection and Freedom of Information in collaboration with the data protection authorities of the countries and integrated into the IT Baseline Protection Catalogs. This block is but as a national expression in the certification process for an international standard not be considered.

Basic protection method

According to basic protection procedures following steps are carried out in structural analysis and protection needs analysis:

  • Definition of IT assets
  • Implementation of an IT structure analysis
  • Implementation of a protection requirements
  • Modeling
  • Implementation of a basic safety checks
  • Implementation of a supplementary security analysis
  • Consolidation of measures
  • Implementation of IT baseline protection measures

The preparation involves the following steps:

  • IT structure analysis ( inventory )
  • Evaluation of the protection requirement
  • Selection of measures
  • Continuous comparison of target and actual

IT structure analysis

Under an IT network, the set of infrastructural, organizational, human and technical components is to be understood that serve the fulfillment of tasks in a particular application of information processing. An IT network can as embodying the entire IT an institution or individual areas, the organizational structures (eg, department network) or shared IT applications (eg, Human Resources Information System ) divided include. For the creation of an IT security concept and in particular for the application of the IT Baseline Protection Manual, it is necessary to analyze the structure of the present information technology and documented. Due to the usual current strong interconnection of IT systems, a network topology map provides an ideal starting point for the analysis. The following aspects must be considered:

  • The existing infrastructure,
  • The organizational and staffing requirements for the IT network,
  • Used in the IT network networked and non - networked IT systems,
  • The communication links between the IT systems and outward
  • In IT network operated IT applications.

Protection requirements

Purpose of the protection requirements is to determine what protection is sufficient and appropriate for the information and the information technology used. To this end, consider the expected damage for each application and the processed information, which may arise from an impairment of confidentiality, integrity or availability. It is also important a realistic assessment of possible damages. Proven a classification has been divided into three categories of protection requirements " normal", " high" and "very high". When confidentiality is often "public", " internal" and "secret " is used.

The protection requirements for a server depends on the applications that run on it. It should be noted that several IT applications can run on an IT system, the application with the highest level of protection required, the requirement category of the IT system determines (using the maximum principle ).

It may be that multiple applications run on a server, which have a low need for protection - more or less unimportant applications. In their aggregate, these applications are, however, bear a higher level of protection ( cumulative effect).

Conversely, it is conceivable that an IT application with high protection requirements, this does not automatically transmit to the IT system, as it is redundant or because of this, only insignificant parts run ( distribution effect). This is the case, for example, in clusters.


The information technology in government agencies and businesses today is usually characterized by highly networked IT systems. In general, it is therefore convenient to consider the entire IT and not individual IT systems as part of an IT security analysis and IT security concept. To accomplish this task, it is useful to divide the whole IT logically separate parts and each, just to use some of a set of IT assets separately. Prerequisite for the application of the IT Baseline Protection Manual to a set of IT assets are detailed records of its structure. These can be obtained, for example of the IT -ray analysis as described above. Then the building blocks of the IT Baseline Protection Manual must be mapped into a modeling step to the components of this IT network.

Basic security check

The basic security check is an organizational tool, which provides a quick overview of the existing level of IT security. With the help of interviews with the status quo of an existing ( modeled after the IT Baseline Protection ) of IT assets is determined in relation to the degree of implementation of safety measures in the IT Baseline Protection Manual. As a result, there is a catalog before, where relevant, for each measure of the implementation status of " unnecessary ", " yes ", " partial" or "no" is detected. By identifying not yet or only partially implemented measures for improvement for the safety of the considered information technology are given.

The basic security check gives information about the missing measures (target / actual comparison ). Consequently, what remains to be done to gain a basic protection of safety.

Through the basic security check the basic protective measures are mapped. This level is sufficient only at low to medium protection requirements. After BSI estimates are the ~ 80 % of the IT systems. For systems with high / very high protection requirements are usually based on a risk analysis, information security concepts, as applied, for example according to ISO / IEC 27001.

Additional safety analysis

For part of the IT systems with a high / very high protection requirement a complementary risk analysis is carried out using the cross reference table of the BSI.

Consolidation of measures

Identification of any measures modeled twice.