IT basic protection catalogs

from Wikipedia, the free encyclopedia

The IT Baseline Protection Catalogs (before 2005: IT Baseline Protection Manual ) are a collection of documents from the German Federal Office for Information Security (BSI) that are used to identify and combat security-relevant weak points in IT environments ( IT network ). The collection includes an introduction and catalogs over 4,800 pages (15th supplement from 2016) and serves companies and authorities as a basis for obtaining certification according to IT-Grundschutz . With the certification, a company shows that it has taken suitable measures to protect its IT systems against IT security threats.

IT basic protection

"IT-Grundschutz includes standard security measures for typical IT systems with 'normal' (medium) protection requirements" .

The detection and evaluation of weak points in IT systems often takes place via a risk analysis , with a potential risk being estimated individually for each system or each group of similar systems and the costs of damage to the system being determined. This approach is very time-consuming and therefore expensive.

The IT-Grundschutz assumes a normal risk situation for the system, which applies in 80% of the cases and recommends adequate countermeasures for this. In this way, a level of security can be achieved that in most cases can be considered sufficient and therefore replaces the much more expensive risk analysis. In cases of greater security requirements, the IT baseline protection can be used as the basis for further measures.

The original IT-Grundschutz certification was completely replaced by a recognized ISO / IEC 27001 certification based on IT-Grundschutz .

In contrast to ISO 27001, IT-Grundschutz follows the bottom-up approach and is therefore very technology-intensive.

Protection goals

IT security is divided into three protection goals

  • confidentiality
    Confidential information must be protected from unauthorized disclosure
  • integrity
    Correctness, freedom from manipulation and integrity of IT systems, IT processes and information. Authenticity (i.e. the genuineness, accountability and credibility of information) must also be taken into account.
  • Availability
    Services, functions of an IT system or information are available at the required time

Structure of the IT-Grundschutz Catalogs

Structure of the IT-Grundschutz Catalogs

An introduction with explanations, approaches to IT-Grundschutz, definitions of terms and roles as well as a glossary familiarize the reader with the manual. This is followed by the module catalogs, the hazard catalogs and finally the catalogs of measures. The collection is supplemented by forms and cross-reference tables on the Internet platform of the Federal Office for Information Security (BSI). The IT-Grundschutz procedure itself is described in the BSI standards 100-1 to 100-4 and is the basis for the application of the IT-Grundschutz catalogs and the establishment of an information security management system . In addition, there are numerous tools for implementing IT-Grundschutz on the BSI website. The information security guide is an introductory document into the whole subject of information security and deals with the most important topics. Each catalog element is identified by an individual abbreviation, which is structured according to the following scheme. First, the catalog group is mentioned, B stands for module, M for measure and G for hazard. This is followed by the number of the layer that concerns this catalog element in its catalog, followed by the consecutive number within the layer.

The IT-Grundschutz Catalogs can be viewed and downloaded online free of charge from the BSI website, or a bound version can be ordered from the Federal Gazette for a fee. However, they are updated every year (as a so-called supplementary delivery).

Building block catalog

The module catalog is the central element and, like the other catalogs, follows a layer model. The following five layers are described: general aspects, infrastructure, IT systems, networks and applications.

Assignment of the individual modules to groups of people in the respective organization

The first layer deals with organizational issues relating to management , personnel or outsourcing . In the infrastructure layer, the focus is on structural aspects. The IT systems layer deals with the properties of IT systems, which in addition to clients and servers also include telephone systems and fax machines . In the network layer, aspects of networks are examined. The application layer deals with questions of security-relevant software such as database management systems , e-mail or web servers .

The division into shifts also allows the groups of people affected by the respective shift to be clearly delimited. The first shift addresses the management. House technicians are affected by the second. The third layer is covered by system administrators. The fourth layer is the responsibility of network administrators and the fifth layer is that of application administrators, developers and IT users.

Each individual building block follows the same structure. The block number is made up of the number of the layer in which the block is located and a number that is unique in this layer. After a brief description of the facts considered by the module, the respective risk situation is described. The individual sources of danger are then listed. These represent further information and do not necessarily have to be worked through in order to create a basic protection.

Elements of the life cycle of the building blocks

The necessary measures are presented with brief explanations in a text. The text follows the life cycle of the respective issue and includes planning and conception, procurement (if necessary), implementation, operation, disposal (if necessary) and contingency planning. After the detailed description, the individual measures are summarized again in a list, which, however, is now sorted according to the structure of the catalog of measures and no longer according to the life cycle. The measures are classified into categories A, B, C, Z and W. Category A measures form the introduction to the topic, B measures extend this and category C is then necessary for certification of the basic protection. Category Z measures represent additional measures that have proven themselves in practice. Category W measures are measures that provide background knowledge on the respective topic and contribute to an additional basic understanding of the respective topic.

Tree structure of the catalogs

In order to keep the respective component as compact as possible, global aspects are often summarized in one component, while more specific information is collected in a second. An example is the Apache web server: Both the general module B 5.4 web server, in which the measures and threats for each web server are described, and module B 5.11, which specifically deals with the Apache web server, apply to it. In order to ensure the security of the system, both components must be implemented successfully. The respective measures or hazards presented in the block can also be relevant for other, sometimes completely different, blocks. This creates a network of the individual components of the IT-Grundschutz Catalogs.

Hazard catalogs

Following the module catalogs, the hazard catalogs go into more detail on the possible threats to IT systems. These hazard catalogs follow the general structure according to layers. A distinction is made between the layers of elementary hazards , force majeure , organizational deficiencies , human errors , technical failure and deliberate actions . According to the BSI, the knowledge compiled in these catalogs is not absolutely necessary to create the basic protection, but it does promote understanding of the measure and the vigilance of those responsible. The individual source of danger is described in a short text and then examples of damage cases that can be triggered by this source of danger are given.

Action catalogs

The measures necessary to implement the basic protection are summarized in catalogs of measures. Measures that are appropriate for several system components are only described once centrally. Layers are also used to structure the individual groups of measures. The following layers are formed: "Infrastructure", "Organization", "Personnel", "Hardware / software", "Communication" and "Emergency preparedness".

In the description of the respective measures, those responsible for initiating and implementing the measure are initially named. A detailed description of the measure follows. Finally, control questions are given for correct implementation. When implementing the measures, it should first be checked whether they need to be adapted to the respective company. Precise documentation of such adjustments is useful for later traceability. At the end of the measures there have been so-called test questions since the 10th supplementary delivery, which take up the essential aspects of a measure again and thus represent a kind of checklist as to whether these have also been implemented.

Further material

In addition to the information summarized in the IT-Grundschutz Catalogs, the Federal Office for Information Security makes further material available on the Internet. The forms provided here are used to determine the protection requirements for certain components of the IT system. A table summarizes the measures to be implemented for the individual modules. Each measure is named and the degree of implementation recorded. A distinction is made between the implementation levels “dispensable”, “yes”, “partially” and “no”. The implementation is then scheduled and a person responsible is named. If the implementation of the measure is not possible, the reasons for this should be entered in the subsequent field so that it can be traced later. The conclusion is a cost estimate.

In addition to the forms, the cross reference tables are another helpful addition. They summarize the measures and the most important hazards for the individual module. Both measures and hazards are named with the abbreviation. The measures are given a priority and their classification is given. The table shows which measures counteract which hazards. It should be noted, however, that the cross-reference tables only list the most important hazards. If the specified threats to a measure do not apply to the individual IT system, this will not become superfluous. The basic protection can only be guaranteed if all measures have been implemented.

Modernization of the IT-Grundschutz

Since 2005, the BSI has fundamentally renewed both the approach to establishing an information security management system (ISMS) and the procedure for updating the content.


With the GSTOOL (November 2011: current version 4.5, with service pack 2 installed, the software is given version number 4.7), the BSI itself has also provided "since 1998 a regularly updated, innovative and ergonomically manageable software that helps users create, manage and update of security concepts according to the IT-Grundschutz [should] efficiently support. "

According to its own information, the BSI stopped the further development in September 2013. One of the reasons given was that there are already corresponding products on the market.

According to the press release, the BSI wants to restrict itself to testing these products and only making recommendations; Ultimately, however, the BSI can only provide a list of software without further evaluation (as of November 2014).

Additional tools for creating security concepts based on IT-Grundschutz

Individual evidence

  1. IT-Grundschutz Catalogs, chap. 1.1
  2. BSI - Aids IT-Grundschutz - Home. In: Retrieved January 14, 2016 .
  3. BSI publications
  5. BSI: BSI discontinues development of GSTOOL 5.0. Retrieved November 13, 2014 .
  6. BSI: GSTOOL - Other tools for IT-Grundschutz. (No longer available online.) Archived from the original on September 25, 2014 ; Retrieved on November 13, 2014 : "" Is it a mere listing "" Info: The archive link was automatically inserted and not yet checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot /


Web links