IT-Baseline Protection Manual July 2001 - changes -

modified documents
new documents

Introduction
chapter 1.4 Brief Outline of Existing Modules
chapter 2.3 IT Baseline Protection Modelling
chapter 3.1 Organisation
chapter 3.3 Contingency planning
chapter 3.9 Hardware and Software Management
chapter 4.3.2 Server room
chapter 4.6 Computer Centres
chapter 5.3 Laptop PC
chapter 6.2 Unix Server
chapter 7.7 Lotus Notes

T 1.2 Failure of the IT system
T 1.3 Lightning
T 1.4 Fire
T 1.5 Water
T 1.6 Burning cables
T 1.8 Dust, soiling
T 1.11 The effects of catastrophes in the environment
T 1.12 Problems caused by big public events
T 1.13 Storms
T 2.1 Lack of, or insufficient, rules
T 2.2 Insufficient knowledge of requirements documents
T 2.4 Insufficient monitoring of IT security measures
T 2.11 Insufficient bandwidth planning
T 2.27 Lack of, or inadequate, documentation
T 2.67 Inappropriate administration of access rights
T 3.46 Error in the configuration of a Lotus Notes server
T 3.47 Error in the configuration of browser access to Lotus Notes
T 4.1 Disruption of power supply
T 4.3 Inoperability of existing safeguards
T 4.43 Undocumented functions
T 5.3 Unauthorised entry into a building
T 5.4 Theft
T 5.15 "Inquisitive" staff members
T 5.16 Threat posed by internal staff during maintenance/administration work
T 5.40 Monitoring rooms using computers equipped with microphones
T 5.100 Abuse of active contents on access to Lotus Notes
T 5.101 Hacking Lotus Notes
T 5.102 Sabotage

S 1.4 Lightning protection devices
S 1.6 Compliance with fire-protection regulations
S 1.7 Hand-held fire extinguishers
S 1.9 Fire sealing of trays
S 1.10 Use of safety doors
S 1.18 Intruder and fire detection devices
S 1.19 Protection against entering and breaking
S 1.23 Locked doors
S 1.24 Avoidance of water pipes
S 1.25 Overvoltage protection
S 1.26 Emergency circuit-breakers
S 1.27 Air conditioning
S 1.39 Prevention of transient currents on shielding
S 1.45 Suitable storage of business-related documents and data media
S 1.47 Separate fire cut
S 1.48 Fire alarm system
S 1.49 Technical and organisational requirements for the computer centre
S 1.50 Smoke protection
S 1.51 Fire load reduction
S 1.52 Redundancies in the technical infrastructure
S 1.53 Video surveillance
S 1.54 Early detection of fires / fire extinguishing technology
S 1.55 Perimeter protection
S 1.56 Secondary power supply
S 1.57 Up-to-date infrastructure and building plans
S 1.58 Technical and organisational requirements for server rooms
S 2.2 Resource management
S 2.4 Maintenance/repair regulations
S 2.9 Ban on using non-approved software
S 2.10 Survey of the software held
S 2.15 Fire safety inspection
S 2.17 Entry regulations and controls
S 2.22 Escrow of passwords
S 2.52 Supply and monitoring of consumable fax accessories
S 2.206 Planning the use of Lotus Notes
S 2.207 Defining security guidelines for Lotus Notes
S 2.208 Planning of the domains and certificate hierarchy of Lotus Notes
S 2.209 Planning the use of Lotus Notes in an intranet
S 2.210 Planning the use of Lotus Notes in an intranet with browser access
S 2.211 Planning the use of Lotus Notes in a demilitarised zone
S 2.212 Organisational requirements regarding cleaning contractors
S 2.213 Maintenance of the technical infrastructure
S 2.214 Concept of IT operations
S 2.215 Error handling
S 2.216 Approval procedure for IT components
S 2.217 Careful classification and handling of information, applications and systems
S 2.218 Procedures regarding the personal transportation of data media and IT components
S 2.219 Continuous documentation of information processing
S 2.220 Guidelines for access control
S 2.221 Change management
S 2.222 Regular checking of technical IT security measures
S 2.223 Security objectives for the use of standard software
S 2.224 Precautions against Trojan horses
S 2.225 Assignment of responsibility for information, applications and IT components
S 2.226 Procedures regarding the use of outside staff
S 3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions
S 3.24 Training on the Lotus Notes system architecture for administrators
S 3.25 Training on Lotus Notes security mechanisms for users
S 3.26 Briefing of staff in the secure handling of IT equipment
S 4.21 Preventing unauthorised acquisition of administrator rights
S 4.40 Preventing unauthorised use of computer microphones
S 4.44 Checking of incoming files for macro viruses
S 4.116 Secure installation of Lotus Notes
S 4.117 Secure configuration of a Lotus Notes server
S 4.118 Configuration as a Lotus Notes server
S 4.119 Instituting restrictions on access to Lotus Notes servers
S 4.120 Configuration of access control lists for Lotus Notes databases
S 4.121 Configuration of rights of access to the Lotus Notes Name and Address Book
S 4.122 Configuration for browser access to Lotus Notes
S 4.123 Configuration of SSL-protected browser access to Lotus Notes
S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes
S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access
S 4.126 Secure configuration of a Lotus Notes client
S 4.127 Secure configuration of browser access to Lotus Notes
S 4.128 Secure operation of Lotus Notes
S 4.129 Secure handling of Notes ID files
S 4.130 Security measures following the creation of a new Lotus Notes database
S 4.131 Encryption of Lotus Notes databases
S 4.132 Monitoring of a Lotus Notes system
S 4.133 Appropriate choice of authentication mechanisms
S 4.134 Choice of suitable data formats
S 4.135 Restrictive granting of access rights to system files
S 5.5 Damage-minimising routing of cables
S 5.63 Use of GnuPG or PGP
S 5.84 Use of encryption procedures for Lotus Notes communication
S 5.85 Use of encryption procedures for Lotus Notes e-mail
S 5.86 Use of encryption procedures with browser access to Lotus Notes
S 5.87 Agreement regarding connection to third party networks
S 5.88 Agreement regarding the exchange of data with third parties
S 6.14 Replacement procurement plan
S 6.27 Backup of the CMOS RAM
S 6.73 Creation of a contingency plan for failure of the Lotus Notes system
S 6.74 Emergency archive
S 6.75 Redundant communication links

© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: July 2001