IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.140 Analysis of the existing network environment
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
This analysis is based on the results of the examinations performed in
accordance with S 2.139 Survey of the existing network environment and
requires a specialised knowledge of network topology, network topography
and network-specific vulnerabilities. A further prerequisite here is experience
in the evaluation of the confidentiality, integrity and availability of the
individual IT applications employed. As this extremely complex subject not
only requires an in-depth knowledge of all the aspects mentioned, but is also
very time-consuming, it might be advisable to hire external consultants for an
analysis of the existing network situation. Within the scope of the federal
German administration, the BSI can provide assistance here.
An analysis of the existing network situation essentially involves a structural
analysis, a determination of protection requirements, and an examination of
vulnerabilities.
A structural analysis involves an evaluation of the documentation prepared
as part of S 2.139 Survey of the existing network environment. A structural
analysis must be performed by an analysis team capable of interpreting and
deducing all possible communications relations. As an outcome, the analysis
team must possess a full understanding of the operation of the network and be
informed about the principal possibilities of communication. The construction
vulnerabilities in a network can often be identified already during structural
analysis.
A successful structural analysis is a prerequisite for a subsequent, detailed
determination of the protection requirements and an analysis of vulnerabilities.
Detailed determination of the protection requirements
A structural analysis is followed by a determination of the protection
requirements exceeding the scope of the measures stipulated in Chapter 2.
Requirements concerning the confidentiality, availability and integrity of
individual subnetworks and network segments are also considered here. In this
context, it is necessary to determine the requirements generated by the various
IT procedures in use, and how they influence the existing segmentation of the
network. As an outcome, it must be possible to identify the network segments
in which special protection requirements need to be fulfilled.
Analysis of vulnerabilities in the network
An analysis of the vulnerabilities in the network is performed on the basis of
the results obtained so far. Given corresponding requirements of availability,
this includes, in particular, an identification of non-redundant network
components (single-points-of-failure). Furthermore, it is necessary to specify
the areas in which requirements concerning availability, confidentiality and
integrity cannot be fulfilled or require special attention. It is also necessary to
determine whether the selected segmentation is suitable in terms of bandwidth
and performance (based on the results of traffic flow analysis described in S
2.139 Survey of the existing network situation).
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000