IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
analysis. The BSI IT Security Manual describes how to perform a risk
analysis. It can be performed as follows:
4.1 Analysis of vulnerabilities and threats
The aim of the analysis of vulnerabilities and threats is to identify as
many as possible of the existing vulnerabilities and all "significant"
threats.
4.2 Assessment of the risks identified
This step entails assessing current risks posed by threats in terms of
the damage these could cause and the frequency of such damage.
4.3 Determination of appropriate security measures
Additional measures must be selected for any risks identified in the
previous analysis as being intolerable, taking into account the
current security situation and the vulnerabilities and threats
identified.
5. Consolidation of all measures
For the IT security measures identified in steps 3 and 4 as being
necessary, a check must be made as to whether these are complementary
or have negative effects on each other. If appropriate, IT baseline
protection safeguards can be replaced by more stringent measures. During
the consolidation process, these overlaps are removed.
6. Consideration of cost-benefit trade-off, overall cost
The safeguards contained in the IT Baseline Protection Manual are
standard security measures. In other words, they constitute a set of
requirements to be implemented so as to afford a state of the art protection
to the IT systems under consideration. These safeguards may thus be
generally considered to be reasonable. Most of them do not require any
financial investment. However, some of them, especially safeguards
presented as optional, do require financial resources.
It is important to prepare a cost plan. This will give the person responsible
a good idea of the costs that will be incurred. Approval should be sought
from Management for the necessary labour and financial resources.
7. Consideration of residual risk
If the personnel and financial resources provided for IT security are not
sufficient to implement all the missing IT security measures, those which
have priority should be implemented. However, if some of the safeguards
are not implemented, some security loopholes may remain for the time
being. The resulting residual risk, defined in terms of the amount of
possible damage and an assessment of the quantitative or qualitative
likelihood of occurrence, should be presented to Management for approval.
If necessary, additional residual risks can be reduced if the budget is
increased.
The security concept is a document which in practice is often used to check
out the implementation of specific security measures or to review their
currency. It should therefore be structured so that
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Structure