IT Baseline Protection Manual - Chapter 2.4 Basic Security Check

-->

2.4 Basic Security Check

In the discussion below it is assumed that for a given set of IT assets a summary was prepared of the existing assets, their installation locations and the IT applications supported, based on the IT structure analysis of the IT assets. Building on this, the protection requirements were then assessed, resulting in an overview of the protection requirements of the IT applications, the IT systems, the rooms in which IT assets are used and the communication links. This information was then used to perform IT baseline protection modelling of the IT assets, in the course of which the IT assets under consideration were mapped to modules in the manual.

This IT baseline protection module is now used as a test plan to establish, using a target versus actual comparison, which standard security safeguards have been adequately implemented and which have not been satisfactorily implemented.

This section describes how to perform the basic security check in the context of the central task of drawing up an IT security concept which affords IT baseline protection. This basic security check consists of three different steps. The first step entails making the organisational preparations and in particular selecting the relevant contact persons for the target versus actual comparison. In step 2 the target versus actual comparison is performed using interviews and sampling checks. In the final step, the results of the target versus actual comparison are documented, together with the reasoning behind it.

These three stages of the basic security check are described in detail below.

2.4.1 Organisational Preliminary Work

To ensure that the target versus actual comparison proceeds smoothly, a certain amount of preliminary work is required. It is necessary first to inspect all the in-house documentation which controls IT security-relevant processes, e.g. organisational instructions, work instructions, security instructions, manuals and "informal" procedures. These documents can be helpful in ascertaining the degree of implementation, especially for questions about existing organisational procedures. It is further necessary to clarify who is currently responsible for their content, in order to be able subsequently to determine the correct contact person.

It must then be established whether and to what extent any external parties need to be involved in ascertaining the implementation status. For example, this might be necessary if there are any external computer centres, external parent organisations, companies to which parts of the IT operations have been outsourced or building authorities which are responsible for infrastructural measures.

Another step which needs to be performed before the target versus actual comparison can be carried out is to ascertain who are the right people to interview. Here one should start by establishing a primary point of contact for every individual module which has been used in modelling the existing IT assets.

For the modules in Tier 1 "Higher order aspects of IT security" a suitable contact person will generally be found from the subject matter dealt with in the module. For example, for module 3.2 Personnel someone who works in the relevant Human Resources Department should be selected as point of contact. For the design modules, e.g. module 3.4 Data Backup Policy, ideally the person who is responsible for updating the relevant document should be made available. Otherwise the person whose terms of reference include the updating of procedures in the area under consideration should be interviewed.

For Tier 2 " Infrastructure" the selection of suitable contact persons should be agreed with the general services and/or site technical services sections. Depending on the size of the agency/company being examined, different contact persons could be responsible, for example, for the two infrastructural areas Cabling and Protective Cabinets. In small organisations the caretaker will often be able to provide information. It should be noted that in the infrastructural area it may be necessary to involve external parties. This applies especially to larger companies and agencies.

In the modules of Tier 3 "IT systems" and Tier 4 "Networks" there is a heavy emphasis on technical aspects in the security safeguards to be checked. This means that generally the main point of contact will be the administrator for the component or group of components to which the module in question has been assigned during modelling.

For the modules in Tier 5 "IT applications" persons who support or are responsible for the individual IT applications should be selected as the main points of contact.

In many cases the main point of contact will not be able to provide information on every aspect of the relevant module. In such cases it is useful to include one or more additional persons in the interview. Guidance as to which persons should be involved is provided in the entries "Initiation responsibility" and "Implementation responsibility" which are to be found at the beginning of every safeguard description.

A schedule, possibly including alternative dates, should be prepared to cover the interviews with the system administrators, administrators and other contact persons. Special attention should be given here to co-ordinating appointments with persons from other organisational units or other agencies/companies.

Depending on the size of the project team, tasks should be allocated between different teams of interviewers. Experience shows that working in two-man teams works very well. Here one person writes down the answers and comments on them while the other is asking the necessary questions.

2.4.2 Performing the Target Versus Actual Comparison

Once all the necessary preliminary work has been completed, the actual survey can begin on the previously agreed dates. This entails working through the safeguards contained in the module for which the person being interviewed is responsible in sequence.

The answers regarding implementation status for the individual safeguards may be classified into the following categories:

"Unnecessary"	Implementation of the recommended safeguards is not necessary in the form suggested as other measures (e.g. safeguards which are not contained in the IT Baseline Protection Manual but achieve the same effect) already provide sufficient protection against the relevant threats, or else the measures recommended are not relevant (e.g. because certain services have not been implemented).
"Yes"	All the recommendations in the safeguard have been implemented effectively and in their entirety.
"Partially"	Some of the recommendations have been implemented, while others have not yet been implemented or only partially implemented.
"No"	Most of the recommendations contained in the safeguard have not yet been implemented.

Reading out the text of the recommendations contained in a given safeguard during the interview is not recommended as the manual was not designed for this purpose. Hence, the interviewer needs to be familiar with the contents of the module. If necessary, handy checklists containing keywords should be prepared in advance of the interviews. In order to be able to clarify any disagreements in case of doubt, it is nevertheless useful to have the full text of the safeguards at hand. Direct entry of the answers into a PC during the interview is likewise not recommended as it would be distracting to those involved and cause unwanted interruption to communication.

If the interview begins with a few introductory words and the purpose of the basic security check is briefly introduced, this can help to create a relaxed, open and productive atmosphere. It is recommended continuing by naming and briefly explaining the safeguard. Rather than conducting a monologue, it is better to give the interviewee(s) the opportunity to go into those parts of the safeguard which have already been implemented and then discuss any items still at issue.

The questions asked should always be directed at the level of standard security safeguards, and only after the basic security check has been completed should any more far-reaching aspects of highly sensitive applications be considered. If there is a requirement to verify the statements made in the interviews, this could be achieved, for example, by examining samples of the relevant procedures and concepts, in the case of the area of infrastructure by visiting the objects under investigation on-site with the contact person, and/or by checking client and/or server settings in selected IT systems.

To conclude each safeguard, the interviewee should be informed of the assessment result (i.e. safeguard implementation status = Unnecessary/Yes/Partially/No) and this decision should be explained.

2.4.3 Documentation of Results

When it comes to documenting the results of the basic security check, some forms are provided on the CD-ROM which comes with the IT Baseline Protection Manual (see Annex: Additional Aids). The directory contains a file in Word format for every module of the IT Baseline Protection Manual, in which the results of the target versus actual comparison can be entered in tabular form for every safeguard in the given module.

First of all at the beginning of the form the following information should be entered in the fields provided:

the number and name of the component or group of components to which this module was assigned during modelling;

the location of the assigned component or group of components;

the date on which the information was recorded and the name of the author;

the name of the person interviewed.

The actual results of the target versus actual comparison are entered in the table contained on the form. For each safeguard in the relevant module, the fields should be completed as follows:

Degree of implementation (Unnecessary/Yes/Partially/No)

In this field the implementation status which has been established during the interview for the relevant safeguard is entered.

Implement by

This field is generally not completed during the basic security check. It serves as a place holder which will be used during implementation planning to document the date by which the safeguard concerned should have been fully implemented.

Person responsible

If during carrying out of the target versus actual comparison it is clear which member of staff will be responsible for implementing fully a safeguard that is not currently in place, the name of this person can be documented in this field. If it is not clear who will be responsible for implementation, this field should be left blank. It will be completed later during implementation planning with the name of the person to whom responsibility is then assigned.

Notes / reason(s) for non-implementation

In the case of safeguards whose implementation appears unnecessary, the rationale for this should be stated and/or any alternative measure taken which achieves the same end should be specified. In the case of safeguards which have not yet been implemented or only partially implemented, it should be documented in this field which recommendations of the safeguard still have to be implemented. Any other notes which will assist in rectifying security shortcomings or which need to be considered in the context of the safeguard should also be entered here.

Cost estimate

In the case of measures which have not yet been implemented or only partially implemented, an estimate can be entered in this field of the financial and staffing resources which will be needed to eliminate the deficits.

An example of a completed survey form is provided at the end of this section.

The results can also be documented using a tool, for example the IT Baseline Protection Tool which was specially developed for the BSI. This tool serves as a convenient way of analysing and auditing the results, for example, it is possible to search for particular entries, generate user-defined reports, perform various statistical analyses etc.

Number of the IT-system	S5	Date	24 May 2000	Persons interviewed	A. Müller
Designation:	Communications server for Intranet	Author:	N. Meyer	- " -	C. Schulz
Site:	Bonn, Room 3.10			- " -	C. Schmitt
				- " -
				- " -

Safeguard Priority	Module: Server-supported Netware	Unnecessary	Yes	Partially	No	Implementation	Person responsible	Notes / reason(s) for non-implementation	Cost estimate
S 1.28 (2)	Local Uninterruptible Power Supply (UPS)			X		31/12/01	A. Müller	There is a UPS for the server, but it has insufficient capacity.	DM 1,000
S 1.29 (3)	Adequate Siting of an IT System (optional)		X						DM 0
S 1.32 (1)	Adequate siting of the Consoles, Devices with Exchangeable Data Media, and Printers		X						DM 0
S 2.03 (2)	Data Media Control		X						Necessary for IT operation
S 2.04 (2)	Maintenance/Repair Regulations	X						This safeguard is not being implemented as maintenance and repair is all performed in-house.	---
S 2.09 (2)	Ban on Using Non-Approved Software				X	31/12/00	N. Meyer		DM 0 1 day p.a.
S 2.10 (3)	Survey of the Software Held				X	30/6/00	C. Schulz		DM 0 10 days p.a.
S 2.13 (2)	Correct Disposal of Resources Requiring Protection		X						DM 10,000
S 2.22 (2)	Escrow of Passwords			X		31/12/00	A. Müller	Depositing of passwords is recommended but is not consistently performed. It is hoped to introduce a systematic procedure.	DM 0 2 days p.a.
S 2.25 (1)	Documentation of the System Configuration		X						DM 0 3 days p.a.

last update:
October 2000

home