1.4 Brief Outline of Existing Modules

The overview which follows provides a brief outline of the modules which currently exist in the IT Baseline Protection Manual. It gives a compact summary of the scope of the recommended safeguards contained in the IT Baseline Protection Manual.

3.0 IT Security Management

This chapter presents a systematic approach to establishing functional IT security management and adapting it over time in line with developments in business operations.

3.1 Organisation

This module lists the organisational procedures that are basically required for IT security. Examples are the determination of responsibilities, data media administration and procedures regarding the use of passwords. They apply to every IT system.

3.2 Personnel

The Personnel module describes staff-related safeguards to be observed for the achievement of IT security. Examples are arrangements during staff absences, training activities, and controlled procedures in the case of termination of employment. They apply regardless of the type of IT system employed.

3.3 Contingency Planning Concept

This module presents a procedure for drawing up a contingency planning concept and is especially important for larger IT systems.

3.4 Data Backup Policy

This module shows how a sound data backup policy can be systematically developed. It is especially intended for larger IT systems or IT systems on which a large amount of data is stored.

3.5 Data Privacy Protection

This module presents the basic conditions for realistic data privacy and shows the interrelationship of IT security and IT baseline protection. It was developed under the lead of the Federal Data Privacy Officer (BfD) in co-operation with the data privacy officers of the German state and the individual German Länder, and can be obtained from the BfD.

3.6 Computer Virus Protection Concept

The aim of the computer virus protection concept is to create a suitable package of safeguards which will enable penetration of an organisation's IT systems by computer viruses to be prevented or detected as early as possible so that countermeasures can be taken and possible damage can be minimised.

3.7 Crypto Concept

This module describes a procedure whereby in a heterogeneous environment both the data stored locally and the data to be transmitted can be protected effectively through cryptographic procedures and techniques.

3.8 Handling of Security Incidents

To maintain IT security in ongoing operations, it is necessary to have developed and practised a policy for the handling of security incidents. A security incident is an event whose impact could cause significant loss or damage. To prevent or contain any loss or damage, security incidents should be dealt with swiftly and efficiently.

3.9 Hardware and Software Management

The aim of the Hardware and Software Management module is to ensure that IT operations are managed and organised properly. To this end the main focus in the module is on recommendations for procedures and sequences which refer specifically to IT hardware or software components.

4.1 Buildings

This module specifies the safeguards which must be observed in every building in which data processing takes place. These include safeguards relating to the power supply, fire protection and building protection, as well as organisational safeguards such as key management.

4.2 Cabling

The Cabling module recommends safeguards which should be adopted when laying utility and communications lines in a building. Subjects covered include fire sealing of routes, selection of appropriate types of cables and documentation of cabling.

4.3.1 Offices

The Office module covers all the safeguards to be observed in connection with the use of IT in an office. Subjects covered include closed windows and doors and supervision of visitors and contractors.

4.3.2 Server rooms

This module lists the safeguards to be observed in the use of a room housing a server (for IT systems or PBXs). Subjects covered include avoidance of water pipes, air conditioning, local uninterruptible power supply (UPS) and smoking bans.

4.3.3 Storage Media Archives

If a room is used to accommodate data media archives, certain requirements for IT security must be adhered to. These are presented in the form of safeguards for IT baseline protection. Subjects covered include hand-held fire extinguishers, use of safety doors and smoking bans.

4.3.4 Technical Infrastructure Rooms

It is also necessary to take certain IT security measures in rooms where technical infrastructure is installed, for instance the PTT cable entry room, distributor room and low-voltage distribution room. These are specified in this section.

4.4 Protective Cabinets

Secure cabinets can be used to increase protection in rooms where data media or hardware are kept (e.g. server room, data media archive). If necessary, a special server cabinet can be used as an alternative to a server room. The necessary procedures for obtaining, siting and using a secure cabinet are described in this module.

4.5 Working Place At Home (Telecommuting)

This module describes the measures required to set up a telecommuting workstation with an appropriate security standard in such a way that it can be used for official tasks.

4.6 Computer Centres

A computer centre comprises the facilities and premises necessary to operate a large data processing system installed centrally for a number of offices. This module contains recommendations as to security measures for a computer centre whose security requirements lie between those of a server room and those of a high-security computer centre.

5.1 DOS PC (Single User)

This module specifies the safeguards to be observed when using a normal PC that is routinely used by a single user. Subjects covered include password protection, use of a virus detection program, regular backup.

5.2 UNIX System

This module considers IT systems which run under the UNIX or Linux operating systems and are operated either on a stand-alone basis or as a client in a network. Terminals or PCs which are run as terminals can be connected. Both organisational and UNIX-specific safeguards are listed.

5.3 Laptop PC

As compared with a normal PC, a portable PC (laptop) requires additional IT security safeguards because it is exposed to other threats due to its mobile nature. Examples of additional safeguards which apply to laptop PCs are suitable safe-keeping during mobile use and use of an encryption product.

5.4 PCs With a Non-Constant User Population

This module specifies the safeguards which must be adhered to when using a normal PC which is routinely used by several users. Subjects covered include PC security products, password protection, use of a virus detection program, regular backup.

5.5 PC under Windows NT

The safeguards needed for non-networked PCs which run under the Windows NT operating system (version 3.51 or 4.0) are described in this module. Security-specific aspects of individual Windows NT applications are only covered briefly.

5.6 PC with Windows 95

Non-networked PCs which run under Windows 95 can be configured as stand-alone systems or as clients in a network for one or more users. The necessary safeguards for both operating variations are described in this module.

5.99 Stand-Alone IT Systems Generally

For IT systems not yet considered in the IT Baseline Protection Manual the generic module 5.99 can be used.

6.1 Server-Supported Network

The necessary safeguards that must be taken into account when operating a server-supported network are explained in this module. These considerations are independent of the operating system used on the servers and clients. Safeguards pertaining to operating systems can be found in the specific modules of Chapters 5 and 6.

6.2 UNIX Server

IT systems which, as servers, provide services on a network and run under the UNIX or Linux operating system are considered here. Safeguards directed at providing IT security in this IT environment are described here. These safeguards are UNIX-specific and must be supplemented by Section 6.1.

6.3 Peer-to-Peer Network

This section describes how a peer-to-peer network can be securely operated for IT baseline protection. Topics include the design of such a network from the point of view of security, administrative options and functional limitations. The operating systems Windows for Workgroups 3.11, Windows 95 and Windows NT apply here.

6.4 Windows NT Network

The design and operation of a secure Windows NT network is described in this module. Windows NT-specific safeguards are predominantly dealt with here. They must be supplemented by the general safeguards contained in Section 6.1.

6.5 Novell Netware 3.x

This section covers a Novell 3.x network providing client/server functionality. As such, it serves as an operating system-specific supplement to Section 6.1 Server-Supported Network. The installation, configuration, operation and maintenance of Novell NetWare servers are dealt with.

6.6 Novell Netware 4.x

This section covers a Novell 4.x network providing client/server functionality. As such, it serves as an operating system-specific supplement to Section 6.1 Server-Supported Network. The necessary safeguards for installation, configuration and operation of a Novell 4.x network are described. The directory service NDS (NetWare Directory Services) is considered in detail.

6.7 Heterogeneous Networks

This module enables existing heterogeneous networks to be analysed and enhanced and new ones to be planned. It shows how to segment a heterogeneous network in a suitable way, how to plan and implement a network management system and how auditing and maintenance can be implemented, so as to ensure secure operation. Additional topics covered include redundant network components and backup of configuration data for contingency planning.

6.8 Network and System Management

A management system enables all the hardware and software components in a local network to be managed centrally. This module describes the steps necessary to successfully set up a network and system management system, starting with the design, then going on to procurement and finally use in service.

7.1 Exchange of Data Media

This module describes the safeguards which should be considered when exchanging data media. Technical measures, such as encryption, are described, as well as the correct choice of delivery method. These measures are addressed particularly at situations where data media are exchanged on a regular basis.

7.2 Modem

This module deals with measures to be adhered to when working with a modem, notably call-back mechanisms and encryption. Information is also given regarding remote maintenance over a modem.

7.3 Firewall

Networking of existing subnetworks with global networks such as the Internet requires that the internal network is effectively protected. In order that such protection can be provided by a firewall, the security objectives must be clearly formulated and then put into practice through the correct installation and administration of the firewall.

7.4 E-Mail

The safeguards required both on the mail server and the mail client for secure communication via e-mail are listed. The safeguards that have to be observed by the users are also presented.

7.5 WWW Server

A WWW server is an IT system which makes files from an information database available to WWW clients. A WWW client, also called a browser, displays the information from a WWW server on the user's computer. The security of the use of the WWW is based on the security of the WWW server, the WWW client and the communications link between the two. The WWW Server module describes the safeguards required for secure use of the WWW.

7.6 Remote Access

In order for a user to be able to access a remote computer network from his local computer, appropriate remote access services must be established. This module explains how to protect the individual RAS system components and draw up a corresponding RAS security concept.

7.7 Lotus Notes

Notes is a product used to support workgroups. To this end it provides functionality for communication, data transmission and data keeping. The module contains safeguards aimed at the secure planning, installation, configuration and operation of Lotus Notes components, both client and server-side.

8.1 Telecommunications System (Private Branch Exchange, PBX)

This module considers private branch exchanges (PBX) based on ISDN. A PBX is typically a complex IT system whose administration requires a number of safeguards if it is to operate securely.

8.2 Fax Machine

The transmission of information over a stand-alone fax machine opens up a new area of threats. The safeguards required to ensure IT baseline protection when using fax machines are described. These include the disposal of fax consumables, the appropriate positioning of the fax machine and, if appropriate, any communication between sender and receiver.

8.3 Answering Machine

Modern answering machines with remote access capabilities can be thought of as IT systems which store speech information. They are at risk from abuse of the remote replay facility. IT baseline protection measures for answering machines are described, also specifically in regard to this threat.

8.4 LAN connection of an IT system via ISDN

This module considers the integration of an IT system into a remote LAN by means of an ISDN adapter card with S0-interface. It is assumed that this LAN contains a router which is connected to the public telephone network via an S2M-interface.

8.5 Fax Servers

This module concentrates on fax transmissions using a fax server. A fax server in this sense is an application which is installed on an IT system and provides services on a network enabling other IT systems to send and/or receive faxes.

8.6 Mobile Telephones

This section presents a set of security safeguards for the components mobile phone, base station and fixed network and their mutual interaction, which are aimed at ensuring that use of digital mobile telephone systems based on the GSM standard (D and E networks) is secure.

9.1 Standard Software

A procedure is described as to how the life cycle of standard software can be structured, i.e. requirements catalogue, selection, testing, approval, installation and deinstallation. Aspects such as functionality tests and security characteristics, installation instructions and the approval process are described.

9.2 Databases

Safeguards relating to the selection, installation, configuration and ongoing operation of a database system are described. These include the development of a database concept, provisions for the creation of database users and user groups, and guidelines for database queries.

9.3 Telecommuting

The procedures for installing telecommuting workstations are described from an organisational and personnel point of view. The security-relevant requirements for telecommuting which need to be implemented through the use of suitable IT components are described.