1.1 IT Baseline Protection: the Aim, Concept and Central Idea

The IT Baseline Protection Manual presents a set of recommended standard security measures or "safeguards", as they are referred to in the manual, for typical IT systems. The aim of these IT baseline protection recommendations is to achieve a security level for IT systems that is reasonable and adequate to satisfy normal protection requirements and can also serve as the basis for IT systems and applications requiring a high degree of protection. This is achieved through the appropriate application of organisational, personnel, infrastructural and technical standard security safeguards.

To facilitate structuring and processing of the highly heterogeneous area of IT, including the operational environment, the IT Baseline Protection Manual is structured in a modular fashion. The individual modules reflect typical areas in which IT assets are employed, for example client/server networks, buildings, communications and application components Every module begins with a description of the typical threats which may be expected in the given area together with their assumed probability of occurrence. This "threat scenario" provides the basis for generating a specific package of measures from the areas of infrastructure, personnel, organisation, hardware, software, communications and contingency planning. The threat scenarios are presented in order to create awareness, and are not required any further for the creation of a security concept which affords IT baseline protection. It is not necessary for users to perform the analysis work mentioned above, which requires considerable effort, in order to attain the security level that is needed for an average protection requirement. On the contrary, it is sufficient to identify the modules which are relevant to the IT system or IT assets under consideration and to implement all the safeguards recommended in those modules in a consistent manner.

Using the IT Baseline Protection Manual, it is possible to implement IT security concepts simply and economically in terms of the resources required. Under the traditional risk analysis approach, first of all the threats are identified and assigned a likelihood of occurrence, and the results of this analysis are then used to select the appropriate IT security measures, following which the remaining residual risk can be assessed. The approach adopted in the IT Baseline Protection Manual on the other hand requires only that a target versus actual comparison is performed between the recommended measures and those already implemented. The security shortcomings which need to be eliminated through adoption of the recommended measures are defined in terms of those security measures identified which are lacking and not yet implemented. Only where the protection requirement is significantly higher is it necessary to also carry out a supplementary security analysis, weighing up the cost-effectiveness of implementing additional measures. However, it is generally sufficient here to supplement the recommendations made in the IT Baseline Protection Manual with appropriate tailored and more stringent measures.

The safeguards listed in the IT Baseline Protection Manual are standard security measures, i.e. measures which should be implemented for the modules concerned using the latest available technology in order to achieve a reasonable level of security. In some cases these safeguards also provide a higher level of protection than that required simply to implement a baseline level of protection; nevertheless, they are the minimum security precautions which it is reasonable to implement in the areas concerned.

Security concepts which are drawn up using the IT Baseline Protection Manual are compact, since all that is required within the concept is to reference the relevant safeguards in the manual. This makes them easier to understand and view in perspective. To facilitate implementation of the recommended measures, the safeguards are described in sufficient detail in the manual that they can serve as specific implementation instructions. With regard to the technical terminology used, care has been taken to ensure that the safeguard descriptions will be comprehensible to those who have to implement them. Accordingly, a distinction is made in the style and terminology used between safeguards which need to be implemented by an experienced administrator and those which a user is expected to implement.

To simplify implementation of the safeguards, the text of the manual is also available in its entirety in electronic form. In addition, implementation of the safeguards is also supported by aids and sample solutions, some of which have been provided by the BSI and some by users of the manual.

Bearing in mind the pace of innovation and version changes in the IT area, the IT Baseline Protection Manual has been designed so as to make it easy to expand and update. It therefore has a modular structure incorporating modules and catalogues and, as a collection of loose-leaf sheets, it is easy to expand. The BSI re-works and updates the existing modules at regular intervals in order to keep the recommendations made in the manual in line with the latest technological developments. In addition, new modules are regularly added to the existing body of documentation. In updating the IT Baseline Protection Manual, the BSI is guided by requests expressed by users which are obtained regularly from surveys. Only in this way can it be sure that in the long-term the document evolves in line with users' requirements. The BSI therefore offers all users the opportunity to register on a voluntary basis. Registration is free of charge. Registered users received information at regular intervals about topical subjects. Its pool of registered users also serves as the basis for its user surveys. It is only through a continuous exchange of experiences with users of the manual that the document can evolve in a manner which reflects users' needs. One of the aims of the BSI's efforts here is to be able to give up-to-date recommendations on the kinds of IT security problems currently actually experienced. Recommendations which are not continuously updated and expanded rapidly become out of date or else of necessity they become so generic that they fail to deliver the intended benefit of identifying security weaknesses and simplifying the specific task of implementing security measures.