IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection of Generic Components
_________________________________________________________________________________________
It is very important during this survey to make sure that the summary produced is complete. It only
takes one critical connection to be omitted for the overall security to be compromised. Thus, for
example, all the modems used must be recorded as potentially critical connections to the outside world
could run from them. Often, however, these modem external connections are viewed as objects
conferring prestige on their "owners" and their existence is denied in order to obtain personal
advantage, or modems are purchased and classified as consumables without those responsible for IT
being informed of the purpose for which they are to be used. However, if IT security is to be
maximised, such critical devices and connections must not be overlooked.
Assessment of protection requirements for IT rooms
When it comes to IT baseline protection modelling and planning of the target versus actual
comparison, it will be helpful if a summary has been drawn up of the rooms in which IT systems are
installed or which are used for IT operations. These include both rooms which are used solely for IT
operations (e.g. server rooms, data media archives) and rooms in which IT systems happen to be
operated (e.g. offices). Where an IT system is housed in a protective cabinet instead of in a special
technology room, the protective cabinet should be classified as a room.
Note: the installation locations should have already been recorded when information was being
gathered about the IT systems.
The protection requirements for each room should then be derived from the results of the assessment
of the protection requirements of the IT systems. This protection requirement is derived from the
protection requirements of the IT systems or the data media stored in the room according to the
maximum principle. During this assessment the possibility of a cumulative effect should be considered
where a relatively large number of IT systems are located in a single room, such as is frequently the
case in server rooms. In addition, the reasoning behind the assessed protection requirement should be
documented.
Once again, it is helpful to draw up a table containing the necessary information.
Bundesamt für Organisation und Verwaltung (Federal Agency for Organisation and
Administration, BOV) - Part 7
The table below shows an extract of the results obtained for the BOV:
Designation
_________________________________________________________________________________________
IT-Baseline Protection Manual: Otober 2000
Room IT assets Protection requirement
Type Location IT systems / data media Confidentiality
R U.02 Data media
archive
R B.02 Technology
room
Bonn building Backup data media
(weekly backups of
servers S1 to S5)
Bonn building Private Branch
Exchange
Integrity Availabilit
y
High High Modera
te
Modera
te
Modera
te
R 1.01 Server room Bonn building S1, N4 High High Modera
te
R 1.02 -
R 1.06
Offices Bonn building C1 High Modera
te
R 3.11 Protective
cabinet in room
R 3.11
Bonn building Backup data media
(daily backups of
servers S1 to S5)
High
Modera
te
High High Modera
te