IT Baseline Protection Manual - Chapter 3.9 Hardware and Software Management
3.9 Hard- and Software-Management
Description
To achieve the necessary and desired degree of security for the entire IT
organisation, it is not enough simply to protect the individual IT components.
Rather, it is necessary to design all the procedures and processes which affect
these IT systems in such away that the targeted IT security level can be achieved
and maintained. For all these procedures rules must therefore be introduced
and kept up-to-date which guarantee the effectiveness of the security measures.
The main focus of this module is on procedures which refer specifically to
IT hardware or software components, with the aim of ensuring that the management
and organisational aspects of IT operations are as they should be. Security
should be an integrated element of the overall life cycle of an IT system or
product.
Threat Scenario
In this chapter, the following typical threats (T) are considered as regards IT baseline protection:
To implement IT baseline protection, selection of the required packages of safeguards ("modules") is recommended, as described in Sections 2.3 and 2.4.
An IT network consists of a number of IT components which first of all need to be protected as individual components in accordance with the safeguards suggested in the relevant modules. In order that the same security level is achieved for all the IT components used, uniform procedures should be laid down by hardware and software management.
In the context of hardware and software management, irrespective of the type of IT components used there are a number of safeguards that should be implemented, beginning with the conceptual design and running through procurement to operation. The steps involved here and the safeguards which should be considered at each of the steps are listed below.
It is always important to begin with drawing up a concept that is based on the security requirements for the existing IT systems as well as the requirements arising from the planned operational scenarios (see S 2.214 Concept of IT operations).
For the procurement of IT systems, the requirements regarding the relevant products resulting from the concept must be formulated and, based on these, suitable products must be selected.
The measures necessary for the secure operation of all IT components must be specified in a set of security guidelines. The areas covered should include the following:
authorisation concepts for the use of IT assets
administration and role distribution (especially with networked IT systems, it is important that the division of administrative tasks is properly controlled)
identification and authentication of users
data keeping and general handling of IT equipment
determining in-house standards for IT components
secure connection to outside networks
raising IT security awareness and training of administrators and users
Building on the security guidelines, security safeguards must be specified for the installation and initial configuration and also for the ongoing operation of IT systems.
The package of measures which fall under the heading "Hardware and Software Management" is set out below: