IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.195 Drawing up an IT security concept
Initiation responsibility: Agency/company management; IT Security
Management Team
Implementation responsibility: IT Security Management Team
The IT security concept is the "central" document in the IT security process of
a company/agency. Every security measure implemented must in the final
analysis be derived from this.
First of all an IT security concept contains a description of the current status of
the IT assets and the information to be handled on them. "IT assets" refers
here to all of the technical components which are used in connection with the
performance of tasks. This includes the IT systems and the IT applications.
The current status of the IT assets covers not only a description of the
technical components, the IT applications operated and the information to be
handled using these applications but also a list of any existing vulnerabilities,
possible threats and measures already implemented.
Depending on the protection requirements of the existing IT assets (which
must be determined in advance, with rationale) and the information to be
handled, the amount of effort involved in proceeding will be different. The
BSI's recommendation here is to implement the safeguards contained in this
manual on every IT system and in parallel to perform a supplementary IT
security analysis for any components which have a high or very high
protection requirement.
All staff who come into contact with the IT assets to be examined and the
information handled on them should be involved in the preparation of an IT
security concept in a manner which reflects their usage of the assets.
Similarly, creation of an organisation-wide IT security concept presupposes
that there are records of all the existing IT systems (see S 2.194 Drawing up a
schedule of existing IT systems).
When drawing up an IT security concept, the approach described below is
recommended. (A detailed description of the recommended procedure for
drawing up an IT security concept which provides IT baseline protection is
provided in Chapter 2 of this manual.)
1. Determination of protection requirements
When determining the protection requirements, the question of how great
the maximum damage would be if the availability, integrity and
confidentiality of the IT systems to be examined and the information
handled on them were to be impaired must be answered. To answer this
question, the following steps must be carried out:
1.1 Definition and recording of all components of the area under
examination
This step requires by its nature that all the IT systems to be
examined and information handled on them are recorded and
described with reference to the technical task involved. This
description should be supplemented to include a statement as to
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Status description
Protection requirement
Co-operation