IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
In order that attainment of the aspired-to security level is not a one-off
occurrence but is maintained in the long-term, the IT security measures
implemented must also remain operable in ongoing operations. In perhaps no
other area does a security level once established become so rapidly outdated as
in the dynamic IT environment. In particular, lessons learned from securityrelevant
incidents, changes in the technical and/or organisational environment,
changes in security requirements and the advent of new threats require that
existing IT security measures are modified.
Safeguard S 2.199 Maintenance of IT security contains detailed
recommendations on how to ensure that these are properly updated.
Often modifications of the IT security process require a decision from the
uppermost echelons of management. To this end, Management must be
informed as to the level of IT security achieved and of any existing problems
and vulnerabilities. For this purpose an "IT Security" management report
should be prepared at regular intervals.
Safeguard S 2.200 Preparation of management reports on IT security contains
advice on how to prepare and present such reports.
To ensure the continuity and consistency of the entire IT security process, it is
essential that the IT security process is documented. Only in this way can
basic weaknesses in the process be reliably detected and any departures from
course be nipped in the bud.
Recommendations as to the content and scope of this documentation will be
found in safeguard S 2.201 Documentation of the IT security process.
Additional tools and aids regarding the IT security process are presented in
safeguards S 2.202 Preparation of an IT Security Organisational Manual and
M 2.203 Establishment of a pool of information on IT security.
Readers who wish to gain a deeper understanding of the "IT security process"
subject-matter are recommended to read Part 3 of ISO/IEC Standard 13335
"Guidelines on the Management of IT Security".
Additional controls:
- Has an adequate IT security process being established?
- Is Management sufficiently supportive of the IT security process?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Further literature