R&M Data Center Handbook
www.datacenter.rdm.com
• IT Baseline Protection
Since 1994, the Federal Office for Information Security (BSI) in Germany has been issuing the IT Baseline Protection Manual, which provides detailed descriptions of IT security measures and requirements for IT security management.
In 2006 the manual was adapted to international standards, rendering it fully compatible with ISO/IEC 27001 while also incorporating the recommendations specified in ISO/IEC 27002.
ISO/IEC 27001 certification based on IT baseline protection can be applied for with the BSI.
Security Measures and Monitoring
The following standards deal with enhancing IT network security. IT network security is not restricted to internal corporate networks, but also includes the security of external network access points. A selection of standards follows below.
• ISO/IEC 18028 (soon 27033)
The objective of this standard is to focus on IT network security by specifying detailed guidelines aimed at different target groups within an organization. It includes security aspects in the handling, maintenance and operation of IT networks plus their external connections.
The standard comprises five parts:
1. Guidelines for network security
2. Guidelines for the design and implementation of network security
3. Securing communications between networks using Security Gateways
4. Remote access
5. Securing communications between networks using Virtual Private Networks (VPN)
• ISO/IEC 24762
This standard provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services. It includes requirements and best practices for implementing disaster recovery services for information and communications technologies, for example emergency workstations and alternate processing sites.
• BS 25777:2008
The objective of this standard is to establish and maintain an IT Continuity Management system.
Risk Management
• ISO/IEC 27005
This standard provides guidelines for a systematic, process-oriented risk management system that supports the requirements for risk management in accordance with ISO/IEC 27001.
• MaRisk / MaRisk VA
The Minimum Requirements for Risk Management (MaRisk) for banks were first issued in 2005 by the German Federal Financial Supervisory Authority (BaFin). They include requirements for IT security and disaster recovery planning. In 2009 another edition was published, which was expanded to include insurance companies, leasing and factoring companies (MaRisk VA).
Relevant Standards
• COSO
The COSO model was developed by the organization of the same name (Committee of Sponsoring Organizations of the Treadway Commission). It provides a framework for internal control systems and describes:
o A method for introducing the primary components of an internal control system, e.g. the control environment in a company
o Risk evaluation procedures
o Specific control activities
o Information and communication measures in a company
o Measures required for the monitoring of the control system
COSO is the basis of reference models like Cobit and facilitates their introduction.
Page 30 of 156 © 08/2011 Reichle & De-Massari AG R&M Data Center Handbook V2.0