IT-Grundschutz (IT baseline protection)

from Wikipedia, the free encyclopedia

The German federal administration defines IT-Grundschutz as a procedure developed by the Federal Office for Information Security (BSI) for identifying and implementing security measures for an organisation's own information technology (IT). The aim of IT-Grundschutz is to achieve a medium, appropriate and sufficient level of protection for IT systems. To this end, the IT-Grundschutz Catalogs recommend technical security measures as well as infrastructural, organisational and personnel protective measures.

As in the Federal Data Protection Act, the terms security and protection are used loosely and interchangeably. IT-Grundschutz is a catchy title for a compilation of basic security measures and supplementary protection programmes for authorities and companies. This means that technical measures for data protection are also implemented, but because data protection has a different object of protection, namely the affected individual, IT-Grundschutz cannot by itself meet the operational requirements of data protection. In methodological analogy to IT-Grundschutz, the Standard Data Protection Model (SDM) was developed, which also serves as the basis for data protection management.

With the ISO/IEC 27001 certificate based on IT-Grundschutz, companies and authorities can demonstrate that they safeguard their IT systems against threats to IT security systematically, by means of an information security management system (ISMS).

BSI standards and IT-Grundschutz Catalogs

As a result of the restructuring and expansion of the IT-Grundschutz Manual in 2006 by the Federal Office for Information Security (BSI), the methodology and the IT-Grundschutz Catalogs were separated. Four BSI standards contain information on the structure of an information security management system (ISMS) (200-1), the procedure in accordance with IT-Grundschutz (200-2), and the creation of a risk analysis for high and very high protection requirements based on a completed IT-Grundschutz survey (200-3). In 2008, BSI Standard 100-4 "Emergency Management" was developed. It contains the essential aspects of appropriate business continuity management (BCM) and combines elements of BS 25999 and ITIL Service Continuity Management with the relevant modules of the IT-Grundschutz Catalogs. Implementing this standard makes certification according to BS 25999-2 possible.

Since 2006, the BSI has been regularly aligning its standards with international norms such as ISO/IEC 27001, which is why IT-Grundschutz is regarded as a practical, less labour-intensive derivation of those methods.

The IT-Grundschutz Catalogs are a collection of documents that explain the step-by-step introduction and implementation of an ISMS. For this purpose, modules, threats and measures are defined by way of example.

Concept

The basis of an IT-Grundschutz concept is the initial waiver of a detailed risk analysis. Generic threats are assumed, and no differentiated classification by extent of damage and probability of occurrence is made. Three protection requirement categories are defined, with whose help the protection requirement of the object under investigation is determined; on this basis, the appropriate personnel, technical, organisational and infrastructural security measures are selected from the IT-Grundschutz Catalogs.

Based on the IT-Grundschutz Catalogs of the German BSI, BSI Standard 100-2 (before 2006 the IT-Grundschutz Manual) offers a "recipe" for a normal level of protection. In addition to the probability of occurrence and the potential extent of damage, the implementation costs are also taken into account. Because generalised threats are assumed at the outset, using the IT-Grundschutz Catalogs removes the need for a time-consuming security analysis requiring expert knowledge. Even a relative layperson can identify the measures to be taken and implement them in cooperation with experts.

As confirmation of the successful implementation of IT-Grundschutz together with the establishment of an information security management system (ISMS), the BSI issues an ISO/IEC 27001 certificate based on IT-Grundschutz. At levels 1 and 2 it is based on self-declarations; at level 3 a review is carried out by an independent auditor licensed by the BSI. This procedure is based on the new BSI security standards and takes account of a development that has been under way for some time: companies certified according to ISO/IEC 27001 are required to conduct a risk analysis. To make this more convenient, the protection requirements determination according to the IT-Grundschutz Catalogs is usually used. The advantage is that certification according to ISO/IEC 27001 is achieved together with conformity to the strict guidelines of the BSI. In addition, the BSI offers a number of aids such as sample guidelines. A tool, GSTOOL, was also offered earlier, but its sale and support have been discontinued.

There is also a module for data protection, developed by the Federal Commissioner for Data Protection and Freedom of Information in cooperation with the data protection authorities of the federal states and integrated into the IT-Grundschutz Catalogs. However, as a national addition, this module is not taken into account in certification against the international standard.

IT-Grundschutz approach

According to the IT-Grundschutz procedure, the following steps are carried out:

  • Definition of the information network
  • Implementation of an IT structure analysis
  • Implementation of a protection requirement assessment
  • Modeling
  • Carrying out a basic security check
  • Implementation of a supplementary security analysis (possibly followed by a risk analysis)
  • Consolidation of measures
  • Implementation of the IT-Grundschutz measures

IT structure analysis

An information network is understood as the entirety of infrastructural, organisational, personnel and technical components that serve to perform tasks in a specific area of information processing. An information network can comprise the entire IT of an institution or individual areas that are delimited by organisational structures (e.g. a departmental network) or by common IT applications (e.g. a personnel information system). To create an IT security concept, and especially to apply the IT-Grundschutz Catalogs, it is necessary to analyse and document the structure of the existing information technology. Given the strong networking of IT systems that is common today, a network topology plan is a good starting point for the analysis. The following aspects must be taken into account:

  • the existing infrastructure,
  • the organisational and personnel framework for the information network,
  • networked and non-networked IT systems used in the information network,
  • the communication links between the IT systems and to the outside world,
  • IT applications operated in the information network.

Determination of protection requirements

The purpose of determining the protection requirements is to establish which protection is sufficient and appropriate for the information and the information technology used. For this purpose, the expected damage is considered for each application and the information it processes, i.e. the damage that can occur if confidentiality, integrity or availability are impaired. A realistic assessment of possible consequential damage is also important. Dividing into the three protection requirement categories "normal", "high" and "very high" has proven itself in practice. For confidentiality, the classifications "public", "internal" and "secret" are also often used.

The protection requirement of a server depends on the applications that run on it. Note that several IT applications can run on one IT system; in that case the application with the highest protection requirement determines the protection requirement category of the IT system (the so-called maximum principle).

Several applications with a low protection requirement, i.e. more or less unimportant applications, may be running on one server. Taken together, however, these applications may have to be assigned a higher level of protection (accumulation effect).

Conversely, an IT application with a high protection requirement does not automatically transfer it to the IT system, for example because the application is designed redundantly or because only insignificant parts of it run on that system (distribution effect). This is the case with clusters, for example.
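The three rules above (maximum principle, accumulation effect, distribution effect) as an added worked example, not from the article or the BSI: the category names are the article's, while the sample applications, the `redundant`/`essential_here` flags and the accumulation threshold of three "normal" applications are constructed assumptions.

```python
from dataclasses import dataclass, field

# Ordered protection requirement categories used in IT-Grundschutz.
CATEGORIES = ("normal", "high", "very high")


@dataclass
class Application:
    name: str
    requirement: str             # one of CATEGORIES
    redundant: bool = False      # also runs on other systems, e.g. a cluster
    essential_here: bool = True  # a significant part of the application runs here


@dataclass
class ITSystem:
    name: str
    applications: list[Application] = field(default_factory=list)
    # Constructed threshold (not from the article): this many "normal"
    # applications on one system are treated as "high" in total.
    accumulation_threshold: int = 3


def effective_requirement(app: Application) -> str:
    """Distribution effect: a redundantly designed application, or one of which
    only insignificant parts run on this system, does not pass on its requirement."""
    if app.redundant or not app.essential_here:
        return "normal"
    return app.requirement


def determine_requirement(system: ITSystem) -> tuple[str, list[str]]:
    """Return the system's protection requirement category and the rules applied."""
    rules = []
    effective = [effective_requirement(a) for a in system.applications]
    if any(e != a.requirement for e, a in zip(effective, system.applications)):
        rules.append("distribution effect")
    # Maximum principle: the highest effective requirement sets the category.
    category = max(effective, key=CATEGORIES.index, default="normal")
    rules.append("maximum principle")
    # Accumulation effect: several individually unimportant applications together warrant more.
    if category == "normal" and effective.count("normal") >= system.accumulation_threshold:
        category = "high"
        rules.append("accumulation effect")
    return category, rules


# Constructed sample systems.
FILE_SERVER = ITSystem("file server", [Application("payroll", "high"), Application("wiki", "normal")])
CLUSTER_NODE = ITSystem("cluster node", [Application("erp", "very high", redundant=True),
                                         Application("monitoring", "normal")])
SHARED_HOST = ITSystem("shared host", [Application(n, "normal") for n in ("a", "b", "c")])
```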

Modeling

Information technology in authorities and companies today is usually characterised by highly networked IT systems. It is therefore generally advisable to consider the entire IT, and not individual IT systems, in an IT security analysis or IT security concept. To make this task manageable, it makes sense to break down the entire IT into logically separated parts and to consider each part, i.e. each information network, separately. The prerequisite for applying the IT-Grundschutz Catalogs to an information network is detailed documentation of its structure. This can be obtained, for example, through the IT structure analysis described above. In a modeling step, the modules of the IT-Grundschutz Catalogs then have to be mapped onto the components of the existing information network.

Basic security check

The basic security check is an organisational instrument that provides a quick overview of the existing IT security level. With the help of interviews, the status quo of an existing information network (modeled according to IT-Grundschutz) is determined with regard to the degree to which the security measures of the IT-Grundschutz Catalogs have been implemented. The result is an overview in which the implementation status "dispensable", "yes", "partially" or "no" is recorded for each relevant measure. By identifying measures that have not yet been implemented or have only been partially implemented, opportunities for improving the security of the information technology under consideration are revealed.

The basic security check provides information about the measures that are still missing (target/actual comparison). From this follows what still needs to be done in order to achieve basic security.

The basic security check covers the basic security measures. This level is only sufficient for low to medium protection requirements, which according to BSI estimates account for around 80% of IT systems. For systems with high or very high protection requirements, information security concepts based on a risk analysis, such as ISO/IEC 27001, are usually used.

Supplementary security analysis

The supplementary security analysis decides, using the BSI's cross-reference table, whether a risk analysis should be carried out for IT systems with high or very high protection requirements. The risk analysis can be carried out according to BSI Standard 100-3.

Consolidation of measures

Identification of measures that have been modeled more than once.

Literature

  • Norbert Pohlmann, Hartmut F. Blumberg: The IT Security Guide. (The specification for the implementation of IT security standards in the company. Planning and implementation of IT security solutions. Designing IT security as a continuous business process. Mapping and adapting the ISO 13335 and BS 7799 standards). mitp, Bonn 2004, ISBN 3-8266-0940-9.
  • Felix Freiling, Rüdiger Grimm, Karl-Erwin Großpietsch, Hubert B. Keller, Jürgen Mottok, Isabel Münch, Kai Rannenberg, Francesca Saglietti: Technical Security and Information Security - Differences and Similarities. In: Informatik-Spektrum. February 2014, Volume 37, Issue 1, pp. 14–24, doi:10.1007/s00287-013-0748-2.
  • Isabel Münch: IT-Grundschutz for coping with IT risks in companies. In: Torsten Gründer (ed.): IT Security Management Manual. Risks, Basel II, law. Erich Schmidt Verlag, 2007, pp. 285–308, ISBN 978-3-503-10002-6.
