IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.169 Developing a system management strategy
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Head of IT Section, Administrator
Administrators have to carry out regular administration work on the
components in a network. The duties to be performed range from setting up
new users to installing new software; the distributed nature of the software
requires the installation of part software on each individual computer
(workflow system, document management system, etc.). In large organisations
merely setting up a new user who is supposed to be able to log on at all
computers to which he or she has access means a great deal of administrative
work, because if the computers are run in stand-alone operation each one has
to be configured accordingly. Today’s network-capable operating systems
(such as Unix, Windows NT or Novell) therefore include mechanisms that are
intended to reduce the amount of administrative work (for example central
user administration). However, if the administration of all hardware and
software components in a local network is to be performed in a uniform
manner at all levels (in both technical and organisational terms), technical aids
in the form of management systems must be employed, but whether or not
they are used successfully is also dependent on the management strategy that
is to be drawn up. The specifications and rules imposed by the management
strategy are then put into practice by system administration with the aid of the
management software. Each management strategy must be adapted to the
needs of the respective company or agency on a case-by-case basis. This
entails working through the following steps.
Determining the objects to be administered by the management system
After the inventory has been taken (see S 2.168 IT system analysis before the
introduction of a system management system) it must be established which
areas of the IT system are to be administered by the management system that
is to be procured:
- Which computers and other hardware are to be incorporated in the
management system?
- Which software is to be included?
- Which users and/or user groups are to be included?
Determining the security guidelines to be applied in the management
system
In addition to these decisions, existing regulations and methods also have to
be incorporated into the system. For example, the established security policy
at the agency or company, the privacy protection guidelines and the guidelines
on the introduction of new software have to be brought into the management
concept because the regulations currently in force also have to be observed
and implemented when a management system is put in place. Rules also have
to be adopted on the use of the management system itself, or the validity of
existing rules has to be examined, and where necessary they must be adapted
before being applied. This applies in the following fields, in particular:
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000