IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.196 Implementation of the IT security concept in
accordance with an implementation plan
Initiation responsibility: IT Security Management Team
Implementation responsibility: Head of IT Section, IT Security Management
Team
Once the IT security concept has been prepared, it must be put into practice. A
distinction must be made here between a conceptual design phase and the
actual implementation.
During the conceptual design phase the basic suitability of every safeguard
recommended for use on existing IT assets must be checked and the
recommendations regarding safeguards must be fleshed out so that they can be
used to generate organisation-specific rules. The IT security concept must
therefore specify not only initiation responsibilities but also responsibilities
for the implementation of the safeguards.
Initiation responsibility covers performing the groundwork necessary for
effective implementation and also specification of objectives. This
presupposes that the responsible person has the necessary resources available
to him by right.
Initiation generally includes:
- specification of objectives together with a description of the expected
planned state or the expected behaviour,
- the allocation of resources (working time, financial resources) and
- a realistic time target.
Implementation responsibility may be broken down into the formulation of
rules, creation of aids, design of processes and the provision of information to
the staff concerned. Strictly speaking, implementation terminates when a
safeguard is applied in practice. Responsibility for implementation and
application can be divided between several people. Implementation includes:
- the design of technical or organisational sequences of operations at the
workplace,
- modification of task descriptions,
- the provision of instructions and information for security awareness
promotion measures and training courses, and
- the provision of aids and implementation of the safeguard at the workplace.
Depending on the range and type of safeguard (technical or organisational), it
may not always be possible to draw a clear-cut line between initiation and
implementation. The implementation of safeguards frequently requires cooperation
between several different positions. Thus, for example, persons with
system responsibility are needed to procure, install and maintain technical
facilities - for example, in the establishment of security interfaces - while on
the other hand persons with organisational responsibility are needed to create
and document the appropriate rules regarding their use.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Conceptual design
phase
Initiation
Implementation
Co-operation