IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.110 Secure installation of the RAS system
Initiation responsibility: Head of IT Section, IT Security Management
Team
Implementation responsibility: Administrators
After the hardware and software necessary for implementation has been
purchased as part of the organisational preliminary work, the individual
components must be installed and operated. Generally a RAS system can only
be securely operated if care has previously been taken over the installation. A
pre-requisite to secure installation is the selection of suitable hardware and
software for RAS access (quality, interoperability, compliance with existing
standards) through the previous decision process (see S 2.186 Selection of a
suitable RAS product). This goes to show once again how important it is for
the decision process to be thorough and systematic.
The physical components of a RAS system consist of conventional IT
systems: generally there are at least one server and several clients, network
switching elements, modems or other technical devices. The physical security
of these items must be assured as for all other components of a computer
network. Hence at the outset the general safeguards for each of these
components must be implemented, as described in Chapters 3 to 9.
The following additional points should be considered specifically with
reference to installation:
- It must not be possible either for users or external third parties to access
either the RAS system or any part of it during the installation phase. No
connections to the productive LAN or to the telecommunications systems
should be active.
- The installation must be performed by appropriately skilled personnel.
- The installation should follow the procedures specified during planning of
the RAS system.
- The installation and configuration must be documented. This can take the
form of either separate installation documentation or a confirmation that
the installation agrees with the planning premises.
- If during installation any departures from the planning premises (e.g.
different cable arrangement, additional equipment) occur, these must be
documented and a note should be entered in the planning documents
explaining why the change was made. This documentation is especially
important as a means of improving future planning.
- The correct functioning of each individual component must be established
(e.g. through function testing or self-test).
- For every security-relevant setting, a function test of the security
mechanisms must be carried out. For example, encryption of
communications should be tested using a network analyser.
- Once the installation work is complete, the correct functioning of the entire
system must be verified (acceptance and approval of installation).
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Meticulous
documentation of
installation
System test before
approval