IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.182 Regular revision of IT security measures
Initiation responsibility: IT Security Management
Implementation responsibility: Head of IT Section, IT Security Management
In the IT Baseline Protection Manual a number of procedures are presented
which are necessary if the desired level of IT security is to be achieved.
However, it is not sufficient simply to make these procedures known, but it is
also necessary to monitor adherence to them on a regular basis. However, in
this context "regular" does not mean that revisions takes place at times which
are predictable, as pre-announced checks generally produce a distorted picture
of the object under investigation.
Revisions should be geared towards remedying defects. If revisions are to be
accepted, it is important that this is recognised by all those involved as the
objective of the revision and that staff do not feel they are being treated like
schoolchildren. It is therefore a good idea to discuss possible solutions to
problems with participants during a check and to pre-prepare appropriate
remedies.
When employees ignore or circumvent a procedure, this is generally a sign
that the procedure cannot be reconciled with work routines or that it is not
possible for staff to implement it. For example, an instruction not to leave
confidential material unattended on the printer is inappropriate if the only
resource available for printing is a network printer some distance away.
If shortcomings are identified during security revisions, the aim should be not
simply to remove the symptoms. It is far more important to determine the
causes of these problems and to identify solutions. These could, for example,
involve changes to existing procedures or taking additional technical
measures.
Revisions should help to remove the sources of errors. It is extremely
important if revisions are to be accepted by staff that it does not result in any
individuals being exposed or identified as "guilty". When employees live in
fear of being exposed in this way, there is a danger that they will not be frank
in reporting weaknesses and security shortcomings they are aware of but that
they will instead attempt to hush up existing problems.
Additional controls:
- Are all procedures and IT security measures reviewed to ensure that they
are implementable?
- How often are checks carried out to ensure that existing procedures and IT
security measures are adhered to?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Unannounced revisions
Tailor procedures to
work routines
Remove causes of
security shortcomings
Avoid assigning blame