IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
development team should include representatives of the IT users and the IT
operational team plus one or more additional employees who already
possess sufficient knowledge and experience in matters of IT security.
Ideally, a member of Management who is able to assess the importance of
IT to the agency/company should be called in from time to time.
Further information on this subject is provided in S 2.193 Establishment of
a suitable organisational structure for IT security.
3. Determination of the IT security objectives
An assessment should be made at the outset as to what information and
information processing systems contribute towards the accomplishment of
tasks and what value should be attributed to them. To do this, it is
important to classify the information, the technical infrastructure and the IT
applications of the agency/company. In the context of IT security what is
of primary relevance here is the significance of IT for the organisation and
its work. The strategic and operative importance of IT is particularly
critical here. It is therefore important to consider more than just the
material value of the IT itself and understand the extent to which the
accomplishment of work within the organisation depends on the use of IT
and its smooth functioning. To assist in assessing the extent of such
dependence, the following are some of the questions which need to be
considered:
- What critical tasks within the agency/company cannot be performed
at all without IT support or can only be partially performed or with
considerable additional effort?
- What essential decisions made within the agency/organisation rely
on the confidentiality, integrity and availability of information and
information processing systems?
- What are the consequences of deliberate or unintentional IT security
incidents?
- Are the IT assets used to process information which requires
particular protection due to its confidential nature?
- Do major decisions depend on information that is processed using IT
being correct and up-to-date?
The outcome of these deliberations can now be used to specify what degree
of IT security is sufficient and reasonable for this particular organisation.
Some example criteria for an assessment of this kind are listed below. The
importance of IT, the specific threat situation and the relevant statutory
requirements play a critical role here. The IT security level (low, moderate,
high or maximum) which applies will be the one whose defining
statements are the most relevant to the organisation.
Maximum:
- The protection of confidential information must be guaranteed and
comply with strict secrecy requirements in critical areas.
- It is critically important that the information is correct.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Classification of IT
applications