IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection of Generic Components
_________________________________________________________________________________________
Introduction
IT Baseline Protection - the Basis for IT Security
In our modern information and communication society,
administrative tasks, both public and in industry, are
increasingly routinely supported by the use of information
technology (IT). Numerous work processes are electronically
controlled and large amounts of information are stored in
digital form, electronically processed and transferred on local
and public networks. Many tasks performed within both the
public and private sectors are simply not possible without IT, while others can only be partially
performed without IT. Consequently many public or private sector organisations are totally reliant on
the correct functioning of their IT assets. An organisation can only achieve its objectives if IT assets
are used in a proper and secure manner.
There are many ways in which organisations depend on the correct functioning of IT resources. The
financial success and competitiveness of companies is dependent on IT, so that ultimately jobs
themselves depend directly on the functioning of IT assets. Whole industrial sectors such as banking
and insurance, the car industry and logistics depend critically on IT today. At the same time, the wellbeing
of every citizen also depends on IT, whether it is a matter of his job, satisfaction of his daily
consumer needs or his digital identity in payment transactions, in communications and increasingly in
e-commerce. As society becomes more dependent on IT, so the potential social damage which could
be caused by the failure of IT resources increases. As IT resources of themselves are not without their
weaknesses, there is justifiably great interest in protecting the data and information processed by IT
assets and in planning, implementing and monitoring the security of these assets.
The potential damage which could result from malfunction or failure of IT assets can be assigned to
several categories. The most obvious of these is loss of availability: if an IT system is out of service,
no money transactions can be carried out, online orders are impossible and production processes grind
to a halt. Another issue frequently discussed is loss of confidentiality of data: every citizen is aware of
the necessity of maintaining the confidentiality of his person-related data, every company knows that
company-confidential data about its sales, marketing, research and development would be of interest
to competitors. Loss of integrity (the corruption or falsification of data) is another issue which can
have major consequences: forged or corrupt data results in incorrect accounting entries, production
processes stop if the wrong or faulty input materials are delivered, while errors in development and
planning data lead to faulty products. For some years now, loss of authenticity, i.e. the attribution of
data to the wrong person, has come to be regarded as another major aspect of the general concern
regarding data integrity. For example, payment instructions or orders could be processed so that they
are charged to a third party, digital declarations of intent that have not been properly protected could
be attributed to the wrong persons, as "digital identities" are falsified or become corrupt.
This dependency on IT will only increase further in the future. Developments worthy of particular
mention include the following:
- IT penetration. More and more areas are coming to be supported by information technology. For
example, a shift in consumer behaviour towards e-commerce is taking place, car and traffic routing
technology is being perfected with IT support, intelligent domestic appliances are looming on the
horizon, and even waste disposal containers fitted with microprocessors are now in use.
- Increasing degree of networking. IT systems today no longer function in isolation but are
becoming more and more heavily networked. Networking makes it possible to access shared data
resources and to work closely with people in other parts of the world. This in turn leads not only to
_________________________________________________________________________________________
IT-Baseline Protection Manual: Otober 2000