IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.199 Maintenance of IT security
Initiation responsibility: IT Security Management Team
Implementation responsibility: IT Security Officer
In the IT security process what is important is not simply to achieve the
aspired-to level of IT security, but to ensure that it is maintained in the long
term. To maintain and continuously improve the existing level of IT security,
all IT security measures should be regularly reviewed.
These reviews should be performed at predetermined times (at least every two
years) and, if warranted by particular events, they can also be held in the
interim. In particular, information gained from security-relevant incidents,
changes in the technical or organisational environment, changes in security
requirements or threats require that existing IT security measures are adapted.
The outcomes of individual reviews should be documented and the question of
how to proceed with the results of the review must be determined. It should be
stressed here that reviews can only maintain IT security effectively if the
results of these reviews are also translated into the necessary corrective
actions.
It should be determined in advance in the agency/company how the activities
relating to these reviews are to be co-ordinated. Which IT security measures
are to be reviewed, when and by whom must be determined. This will avoid
duplication of effort and also ensure that all parts of the organisation are
covered.
A review can establish firstly whether the IT security measures are working
properly at all levels on a day-to-day basis. At the same time, the extent to
which the IT security measures are suited to the security requirements and are
effective at protecting the organisation from threats can also be established
from a review. Two types of review should be distinguished here, the IT
security audit and the update check.
The purpose of an IT security audit is to establish
- whether the IT security measures implemented agree with those
documented and
- whether the IT security measures function in the manner intended.
This comparison of the actual versus planned situation might reveal, for
example, that some IT security measures have not been implemented or that
they are not producing the results intended in practice. In both cases the
reasons for the discrepancy should be established. Depending on the cause,
possible corrective actions could include:
- adapting organisational measures,
- taking staff-related measures, e.g. further training or measures aimed at
promoting IT security awareness, or instituting disciplinary measures,
- infrastructure measures, e.g. initiating structural changes in the building,
- taking technical measures, e.g. changes to the hardware and software or
communications links and networks,
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Regular and eventtriggered
checks
Co-ordinated approach
Audit and update