IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
- Organisational/personnel costs (administration, key management, training,
etc.)
Expenditure on organisational matters and personnel is dependent on the
way the security policy is implemented and on the level of „convenience“
of the encryption components. General decision criteria for or against one
of the three solutions cannot be formulated with universal validity.
- Economic efficiency (procurement, training/administration costs, ...)
It is difficult to make any general statement about economic efficiency. If
only the procurement costs are taken into consideration, software solutions
will often be better value than hardware solutions. However, if the losses
that can arise as a result of inadequate protection in the longer term are
taken into account, investment in more secure and perhaps more expensive
solutions may be worthwhile in comparison. Economic disadvantages may
accrue in certain circumstances because of performance losses in the PC
system.
- Residual risks (operating system, compromising of the hard disk key, etc.)
Consideration of residual risk plays a significant part in the selection of a
suitable encryption component. The questions that arise include:
- What residual risks can be considered acceptable?
- What residual risks are or can be minimised by other measures (such
as physical or organisational measures)?
It is perfectly possible to obtain several different acceptable solution
options by combining various measures.
Example 2: E-mail encryption
The exchange of electronic mail (e-mail) via or within computer networks is
becoming ever more important. If this involves exchanging sensitive
information (for example company secrets) over unprotected networks,
mechanisms to safeguard the confidentiality and/or guarantee the authenticity
of messages are required. This is the purpose of e-mail encryption programs.
The most widespread of these are two program packages or standards of
American origin:
- PGP (Pretty Good Privacy) and
- S/MIME (Secure Multipurpose Internet Mail Extensions)
PGP is a software package that was originally available over the Internet as
freeware and has therefore entered widespread use. The S/MIME standard is
used in (among others) the secure e-mail applications from Microsoft,
Netscape and RSA Data Security Inc.
What does an e-mail encryption program of this type have to do?
The answer is of course dependent to a certain extent on the security measures
surrounding it. The requirements are no doubt at their highest when the
messages are to be sent via a large, open, insecure network such as the
Internet. In this case it may even be that people not known to each other
personally want to communicate with each other confidentially and with
authentication. What cryptographic services are required in order to be able to
do this?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000