IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection of Generic Components
_________________________________________________________________________________________
2.4.1 Organisational Preliminary Work
To ensure that the target versus actual comparison proceeds smoothly, a certain amount of preliminary
work is required. It is necessary first to inspect all the in-house documentation which controls IT
security-relevant processes, e.g. organisational instructions, work instructions, security instructions,
manuals and "informal" procedures. These documents can be helpful in ascertaining the degree of
implementation, especially for questions about existing organisational procedures. It is further
necessary to clarify who is currently responsible for their content, in order to be able subsequently to
determine the correct contact person.
It must then be established whether and to what extent any external parties need to be involved in
ascertaining the implementation status. For example, this might be necessary if there are any external
computer centres, external parent organisations, companies to which parts of the IT operations have
been outsourced or building authorities which are responsible for infrastructural measures.
Another step which needs to be performed before the target versus actual comparison can be carried
out is to ascertain who are the right people to interview. Here one should start by establishing a
primary point of contact for every individual module which has been used in modelling the existing IT
assets.
- For the modules in Tier 1 "Higher order aspects of IT security" a suitable contact person will
generally be found from the subject matter dealt with in the module. For example, for module 3.2
Personnel someone who works in the relevant Human Resources Department should be selected as
point of contact. For the design modules, e.g. module 3.4 Data Backup Policy, ideally the person
who is responsible for updating the relevant document should be made available. Otherwise the
person whose terms of reference include the updating of procedures in the area under consideration
should be interviewed.
- For Tier 2 " Infrastructure" the selection of suitable contact persons should be agreed with the
general services and/or site technical services sections. Depending on the size of the
agency/company being examined, different contact persons could be responsible, for example, for
the two infrastructural areas Cabling and Protective Cabinets. In small organisations the caretaker
will often be able to provide information. It should be noted that in the infrastructural area it may
be necessary to involve external parties. This applies especially to larger companies and agencies.
- In the modules of Tier 3 "IT systems" and Tier 4 "Networks" there is a heavy emphasis on
technical aspects in the security safeguards to be checked. This means that generally the main point
of contact will be the administrator for the component or group of components to which the module
in question has been assigned during modelling.
- For the modules in Tier 5 "IT applications" persons who support or are responsible for the
individual IT applications should be selected as the main points of contact.
In many cases the main point of contact will not be able to provide information on every aspect of the
relevant module. In such cases it is useful to include one or more additional persons in the interview.
Guidance as to which persons should be involved is provided in the entries "Initiation responsibility"
and "Implementation responsibility" which are to be found at the beginning of every safeguard
description.
A schedule, possibly including alternative dates, should be prepared to cover the interviews with the
system administrators, administrators and other contact persons. Special attention should be given here
to co-ordinating appointments with persons from other organisational units or other
agencies/companies.
_________________________________________________________________________________________
IT-Baseline Protection Manual: Otober 2000