IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection of Generic Components
_________________________________________________________________________________________
2.3 IT Baseline Protection Modelling
Once the required information is available from the IT
structure analysis and the assessment of protection
requirements, the next major task is to model the IT assets
under consideration with the aid of the existing modules of
the IT Baseline Protection Manual. The outcome of this
exercise is an IT baseline protection model of the IT assets
which is made up from different modules of the manual, in
some cases with the same modules being used several times
over, and maps the security-relevant aspects of the IT assets
onto specific modules and vice versa.
It makes no difference to the IT baseline protection model created whether the IT assets consist of IT
systems already in service or whether the IT assets in question are still at the planning stage. However,
the model may be used differently depending on whether the assets are already in use or not.
- The IT baseline protection model for IT assets already in service identifies the standard security
safeguards that are relevant through the modules used. It can be used in the form of a test plan for
carrying out a target versus actual comparison.
- By contrast, the IT baseline protection module for a planned set of IT assets constitutes a design
concept. It specifies via the selected modules which standard security safeguards must be
implemented on entry into service of the IT assets.
The diagram below clarifies the role of the modelling and its possible outcomes:
_________________________________________________________________________________________
IT-Baseline Protection Manual: Otober 2000
IT assets already in
use:
model = test plan
IT assets
IT structure analysis
Assessment of protection
requirements
Modelling
Figure: outcome of IT baseline protection modelling
Planned IT assets:
model =
development plan
Typically a set of IT assets currently in use will contain not only elements which have already been
implemented but also elements which are still at the planning stage. The resulting IT baseline
protection model then contains both a test plan and also elements of a design concept. The IT security
concept will then be based on a combination of the IT security safeguards which are identified during