IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
Maximum
Financial outlay
[Aufwand]
Figure: Cost-benefit trade-off for IT security
After the overall security level for the agency/company has been specified
using the approach described above, the IT security objectives which go
with that security level must be defined.
Examples of possible IT security objectives are listed below:
- ensuring the high reliability of actions, particularly with regard to
deadlines (IT availability is required here), correctness (the integrity
of the IT) and confidentiality;
- ensuring the good reputation of the institution in the eyes of the
public;
- preserving the value of the investment in technology, information,
work processes and knowledge;
- protecting the high and possibly irretrievable value of information
processed;
- protecting the quality of information, e.g. where it serves as the basis
for major decisions;
- satisfying the requirements resulting from statutory provisions;
- reducing the costs arising in the event of damage (through both
avoidance and prevention of damage), and
- ensuring the continuity of the work processes within the
organisation.
The individual IT security objectives can be implemented in different
ways. In this connection general IT security strategies should be developed.
Some examples of possible IT security strategies are:
- rigorous data backups in all IT areas,
- strict encryption of all information leaving the organisation,
- use of strong authentication procedures for all accesses to IT
systems,
- isolation of particularly sensitive IT applications on stand-alone IT
systems.
These general IT security objectives and strategies apply to most
organisations working with IT support. In order to determine the specific
IT security objectives and IT security strategies of an organisation, it is
essential to express these objectives in relation to the work and projects
carried out in the organisation.
Example: Where person related data which falls within the ambit of the
Data Privacy Act is handled (e.g. in Human Resources), the requirements
regarding confidentiality and integrity specified in that Act must be
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
IT security objectives
IT security strategies
Specific requirements