IT Baseline Protection Manual - Chapter 3.9 Hardware and Software Management

-->

3.9 Hard- and Software-Management

Description

To achieve the necessary and desired degree of security for the entire IT organisation, it is not enough simply to protect the individual IT components. Rather, it is necessary to design all the procedures and processes which affect these IT systems in such away that the targeted IT security level can be achieved and maintained. For all these procedures rules must therefore be introduced and kept up-to-date which guarantee the effectiveness of the security measures.

The main focus of this module is on procedures which refer specifically to IT hardware or software components, with the aim of ensuring that the management and organisational aspects of IT operations are as they should be. Security should be an integrated element of the overall life cycle of an IT system or product.

Threat Scenario

In this chapter, the following typical threats (T) are considered as regards IT baseline protection:

Organisational Shortcomings

T 2.1 Lack of, or insufficient, rules

T 2.2 Insufficient knowledge of rules and procedures

T 2.4 Insufficient monitoring of IT security measures

T 2.9 Poor adjustment to changes in the use of IT

T 2.10 Data media are not available when required

T 2.22 Lack of evaluation of auditing data

T 2.67 Inappropriate administration of access rights

Human Error

T 3.1 Loss of data confidentiality/integrity as a result of IT user error

T 3.44 Carelessness in handling information

Technical Failures

T 4.22 Vulnerabilities or errors in standard software

T 4.43 Undocumented functions

Deliberate Acts

T 5.1 Manipulation or destruction of IT equipment or accessories

T 5.2 Manipulation of data or software

T 5.4 Theft

T 5.21 Trojan horses

Recommended Countermeasures

To implement IT baseline protection, selection of the required packages of safeguards ("modules") is recommended, as described in Sections 2.3 and 2.4.

An IT network consists of a number of IT components which first of all need to be protected as individual components in accordance with the safeguards suggested in the relevant modules. In order that the same security level is achieved for all the IT components used, uniform procedures should be laid down by hardware and software management.

In the context of hardware and software management, irrespective of the type of IT components used there are a number of safeguards that should be implemented, beginning with the conceptual design and running through procurement to operation. The steps involved here and the safeguards which should be considered at each of the steps are listed below.

It is always important to begin with drawing up a concept that is based on the security requirements for the existing IT systems as well as the requirements arising from the planned operational scenarios (see S 2.214 Concept of IT operations).

For the procurement of IT systems, the requirements regarding the relevant products resulting from the concept must be formulated and, based on these, suitable products must be selected.

The measures necessary for the secure operation of all IT components must be specified in a set of security guidelines. The areas covered should include the following:

authorisation concepts for the use of IT assets

administration and role distribution (especially with networked IT systems, it is important that the division of administrative tasks is properly controlled)

identification and authentication of users

data keeping and general handling of IT equipment

determining in-house standards for IT components

secure connection to outside networks

raising IT security awareness and training of administrators and users

Building on the security guidelines, security safeguards must be specified for the installation and initial configuration and also for the ongoing operation of IT systems.

The package of measures which fall under the heading "Hardware and Software Management" is set out below:

Infrastructure

S 1.46 (3) Use of anti-theft devices (optional)

Organisation

S 2.3 (2) Data media control

S 2.9 (2) Ban on using non-approved software

S 2.10 (2) Survey of the software held

S 2.11 (1) Provisions governing the use of passwords

S 2.12 (3) Services and counselling for IT users (optional)

S 2.30 (1) Provisions governing the designation of users and of user groups

S 2.62 (2) Software acceptance and approval procedure

S 2.64 (2) Checking the log files

S 2.69 (2) Establishing standard workstations

S 2.110 (2) Data privacy guidelines for logging procedures

S 2.111 (2) Keeping manuals at hand

S 2.138 (2) Structured data storage

S 2.167 (2) Secure deletion of data media

S 2.182 (2) Regular checking of organisational IT security measures

S 2.204 (1) Prevention of insecure network access

S 2.214 (1) Concept of IT operations

S 2.215 (2) Error handling

S 2.216 (2) Approval procedure for IT components

S 2.217 (1) Careful classification and handling of information, applications and systems

S 2.218 (3) Procedures regarding the personal transportation of data media and IT components

S 2.219 (1) Continuous documentation of information processing (especially administration)

S 2.220 (1) Guidelines for access control

S 2.221 (2) Change management

S 2.222 (2) Regular checking of technical IT security measures

S 2.223 (2) Security objectives for the use of standard software

S 2.224 (2) Precautions against Trojan horses

S 2.226 (2) Procedures regarding the use of outside staff

Personnel

S 3.26 (1) Briefing of staff in the secure handling of IT equipment

Hardware and Software

S 4.42 (2) Implementation of security functions in the IT application (optional)

S 4.65 (2) Testing of new hardware and software

S 4.78 (2) Careful modifications of configurations

S 4.109 (2) Software reinstallation on workstations

S 4.133 (2) Appropriate choice of authentication mechanisms (optional)

S 4.134 (3) Choice of suitable data formats

S 4.135 (1) Restrictive granting of access rights to system files

Communication

S 5.68 (2) Use of encryption procedures for network communications (optional)

S 5.77 (1) Establishment of subnetworks (optional)

S 5.87 (2) Agreement regarding connection to third party networks

S 5.88 (2) Agreement regarding the exchange of data with third parties

Contingency Planning

S 6.75 (3) Redundant communication links (optional)

last update:
July 2001

home