IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection of Generic Components
_________________________________________________________________________________________
organisational processes or undermine other security measures. In such cases it could be necessary to
replace certain IT baseline protection safeguards by adequate alternative IT security safeguards.
In order subsequently to be able to trace the procedure followed in drawing up and refining the list of
specific measures, this should be suitably documented.
Examples:
- It was established during a supplementary security analysis that in addition to the IT baseline
protection safeguards it is also necessary to implement smart card-supported authentication and
local encryption of hard disks on NT clients used for processing HR data. These additional
measures would replace safeguard S 4.48 Password Protection under Windows NT.
- It has been established in the basic security check that safeguard S 1.24 Avoidance of Water Pipes
has not been implemented and due to structural considerations would not be cost-effective to
implement. As an alternative, metal sheets allowing water to be deflected are to be installed under
the water-bearing pipes, and these will also be monitored by a water alarming device. An alarm
will be sent to the porter so that in case of damage any leakage of water can be detected and
contained quickly.
Step 3: Prepare an estimate of the costs and effort required
As the budget for implementing IT security measures is in practice always limited, it is necessary for
every measure to be implemented to identify how much will need to be invested and how much labour
this will entail. A distinction should be made here between one-off and recurring investment/labour
costs. At this point it should be mentioned that experience shows that savings on technology often
result in high ongoing labour costs.
In this connection it is necessary to ascertain whether all the measures identified can be afforded. If
there are any safeguards which cannot be funded, consideration should be given as to what alternative
measures could be taken instead or whether the residual risk resulting from failure to implement a
given measure is acceptable. This decision must likewise be documented.
If the financial and staffing resources estimated as being necessary are available, then one can proceed
to the next step. However, in many cases it is necessary to take a further decision as to the extent of
the resources to be used to implement the IT security measures. It is recommended here that a
presentation on the results of the security study should be given to the person(s) responsible for
making such decisions (Management, IT Manager, IT Security Officer etc.). To make those
responsible aware of the security issues involved, the security weaknesses identified (i.e. missing or
only partially implemented IT security safeguards) should be presented by protection requirement. It is
also recommended that the cost and effort associated with implementing the missing priority 1, 2 and
3 safeguards should be presented. A decision regarding the budget should then be made following this
presentation.
If it proves to be not possible to make available a sufficient budget to cover implementation of all the
missing safeguards, then the residual risk resulting from failure to implement or delay in implementing
certain measures should be pointed out. To assist with this, the Safeguard-Threat Tables (see CD-
ROM: word20\tabellen) can be used to ascertain which threats are no longer adequately covered. The
residual risk relating to any chance or wilful threats should be described clearly and presented to
Management for decision. The remaining steps can only take place after Management has decided that
the residual risk is acceptable, as Management must bear the responsibility for the consequences.
_________________________________________________________________________________________
IT-Baseline Protection Manual: Otober 2000