Minimum standards (BSI)

from Wikipedia, the free encyclopedia

Minimum standards of the Federal Office for Information Security (BSI) are security standards for the information technology of the German federal administration. Each minimum standard sets security requirements for one subject area. Their aim is to establish a uniform minimum level of IT security across the federal administration. The BSI's IT-Grundschutz standards describe the procedure for taking requirements above this minimum into account for IT systems.

The creation of the minimum standards is governed by Section 8 (1) of the Act on the Federal Office for Information Security (BSIG). They apply to the federal administration, which includes all federal agencies as well as institutions whose legal entity is the Federal Republic of Germany.

Background

The minimum standards of the BSI are drawn up on the basis of Section 8 (1) of the Act on the Federal Office for Information Security (BSIG). The text of the law reads:

“The Federal Office develops minimum standards for the security of federal information technology. The Federal Ministry of the Interior, in consultation with the IT Council, can issue these minimum standards in whole or in part as general administrative regulations for all federal agencies. The Federal Office advises the federal authorities on request on the implementation of and compliance with the minimum standards. For the courts and constitutional organs named in Section 2, Paragraph 3, Clause 2, the provisions of this paragraph are of a recommendatory nature.”

Beyond the legal basis, further strategic and conceptual resolutions and strategies of the federal government refer to the BSI's minimum standards. The federal implementation plan 2017, the federal government's information security guideline, calls for compliance with the "information technology requirements resulting from the minimum standards". It also stipulates that minimum standards must be drawn up for specifying the standard protection described in IT-Grundschutz, for the information security requirements for connection to federal networks (user obligations), and for logging and detecting cyber attacks. The federal IT architecture guideline calls for the implementation of minimum standards on cloud computing, on logging and detection of cyber attacks, and on the creation and implementation of security concepts for IT processes. In its 82nd session, the budget committee of the German Bundestag decided, among other things, to set a minimum standard for the security of federal data centers. The civil defense concept also mentions the BSI's minimum standards and describes them as “decisive” for IT security in the federal administration.

Standardized approach

The minimum standards of the BSI are drawn up by its Federal Minimum Standards Department, following a standardized process that consists of seven phases:

  • Pre-Alpha (Pre-α): Identification of possible topics
  • Alpha (α): Creation and coordination of a first draft by the BSI
  • Beta (β): Consultation process in which the BSI collects external feedback from the departments of the federal ministries and interested specialist audiences
  • Release Candidate (RC): Incorporation of the feedback and finalization of the minimum standard within the BSI
  • Release: Publication
  • Delta (Δ): Support and monitoring during the operating phase of the minimum standard
  • Request for Change (RfC): Change or update of a published minimum standard

Published minimum standards

The BSI has published minimum standards on the following topics:

  • External cloud services
  • HV benchmark compact
  • Mobile device management
  • Logging and detection
  • Interface controls
  • Secure web browser
  • SSL/TLS protocol
