IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
In networked IT infrastructures it is no longer sufficient to guarantee the
security of an individual domain. Instead, the security of all terminal
equipment and transmission systems forming part of the network must be
dovetailed to act in concert. Such harmonisation proves to be especially
difficult particularly in those cases where the equipment is not networked
within one organisational unit (such as a LAN environment) but rather where
there is a combination of IT installations with different areas of responsibility
and fields of application.
The use - but also the functionality and technological design - of an IT
security system is determined by numerous influencing factors, such as
localisation, the level of security, and the frequency and scope of application,
which represent important terms of reference and decision-making conditions
for IT security management. Furthermore the technical means of
implementing and designing an IT security system are also widely varied: for
example integrated in an application on a workstation, in a firewall or as a
special component for network components such as switches or routers. It is
only possible to achieve an affordable price level for a crypto product if it can
be used for a broad cross section of purposes. A standardised system link and
uniform operating conditions play an important role in this, for example. One
last point relates to the interaction of the security services on various protocol
layers. The security services on the higher protocol layers (according to the
OSI reference model) generally only provide sufficient protection if the lower
layers also provide protection (see S 4.90).
It is also important to define a cryptography policy specific to the
organisation. The following points must be clarified from the standpoint of the
management:
- What are the protection requirements or what security level is it considered
necessary to achieve?
- What budget and how many staff are available in order to set up the
planned security mechanisms and - very important - also to guarantee
operation?
- What system link is aimed for and what are the prevailing operating
conditions for security components?
- What scope of functions and performance is aimed for?
- Who takes responsibility in the final analysis?
The crypto concept must also include a description of the technical and
organisational use of the cryptographic products, i.e. the following points, for
example:
- Who is given which access rights?
- What services are offered remotely?
- How is the management of passwords and keys to be handled, with regard
to their period of validity, use of characters, length and allocation?
- Does the data have to be encrypted or signed, and if so, when and how?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000