|
|
IT-Baseline Protection Manual July 2001 - changes -
 |
modified documents | |
 |
new documents | |
|
Introduction | |
|
chapter 1.4 Brief Outline of Existing Modules | |
|
chapter 2.3 IT Baseline Protection Modelling | |
|
chapter 3.1 Organisation | |
|
chapter 3.3 Contingency planning | |
|
chapter 3.9 Hardware- and Software-Management | |
|
chapter 4.3.2 Server room | |
|
chapter 4.6 Computer Centres | |
|
chapter 5.3 Laptop PC | |
|
chapter 6.2 Unix-Server | |
|
chapter 7.7 Lotus Notes | |
|
T 1.2 Failure of the IT system | |
|
T 1.3 Lightning | |
|
T 1.4 Fire | |
|
T 1.5 Water | |
|
T 1.6 Burning cables | |
|
T 1.8 Dust, soiling | |
|
T 1.11 The effects of catastrophes in the environment | |
|
T 1.12 Problems caused by big public events | |
|
T 1.13 Storms | |
|
T 2.1 Lack of, or insufficient, rules |
|
|
T 2.2 Insufficient knowledge of requirements documents | |
|
T 2.4 Insufficient monitoring of IT security measures | |
|
T 2.11 Insufficient bandwidth planning | |
|
T 2.27 Lack of, or inadequate documentation | |
|
T 2.67 Inappropriate administration of access rights | |
|
T 3.46 Error in the configuration of a Lotus Notes server | |
|
T 3.47 Error in the configuration of browser access to Lotus Notes | |
|
T 4.1 Disruption of power supply |
|
|
T 4.3 Inoperability of existing safeguards | |
|
T 4.43 Undocumented functions | |
|
T 5.3 Unauthorised entry into a building | |
|
T 5.4 Theft | |
|
T 5.15 "Inquisitive" staff members | |
|
T 5.16 Threat posed by internal staff during maintenance/administration work | |
|
T 5.40 Monitoring rooms using computers equipped with microphones | |
|
T 5.100 Abuse of active contents on access to Lotus Notes | |
|
T 5.101 Hacking Lotus Notes | |
|
T 5.102 Sabotage | |
|
S 1.4 Lightning protection devices | |
|
S 1.6 Compliance with fire-protection regulations | |
|
S 1.7 Hand-held fire extinguishers | |
|
S 1.9 Fire sealing of trays | |
|
S 1.10 Use of safety doors | |
|
S 1.18 Intruder and fire detection devices | |
|
S 1.19 Protection against entering and breaking | |
|
S 1.23 Locked doors | |
|
S 1.24 Avoidance of water pipes | |
|
S 1.25 Overvoltage protection | |
|
S 1.26 Emergency circuit-breakers | |
|
S 1.27 Air conditioning | |
|
S 1.39 Prevention of transient currents on shielding | |
|
S 1.45 Suitable storage of business-related documents and data media | |
|
S 1.47 Separate fire cut | |
|
S 1.48 Fire alarm system | |
S 1.49 Technical and organisational requirements for the computer centre |
|
S 1.50 Smoke protection | |
|
S 1.51 Fire load reduction | |
|
S 1.52 Redundancies in the technical infrastructure | |
|
S 1.53 Video surveillance | |
|
S 1.54 Early detection of fires / fire extinguishing technology | |
|
S 1.55 Perimeter protection | |
|
S 1.56 Secondary power supply | |
|
S 1.57 Up-to-date infrastructure and building plans | |
|
S 1.58 Technische und organisatorische Vorgaben für Serverräume | |
|
S 2.2 Resource management | |
|
S 2.4 Maintenance/repair regulations | |
|
S 2.9 Ban on using non-approved software | |
|
S 2.10 Survey of the software held | |
|
S 2.15 Fire safety inspection | |
|
S 2.17 Entry regulations and controls | |
|
S 2.22 Escrow of passwords | |
|
S 2.52 Supply and monitoring of consumable fax accessories | |
|
S 2.206 Planning the use of Lotus Notes | |
|
S 2.207 Defining security guidelines for Lotus Notes | |
|
S 2.208 Planning of the domains and certificate hierarchy of Lotus Notes | |
|
S 2.209 Planning the use of Lotus Notes in an intranet | |
|
S 2.210 Planning the use of Lotus Notes in an intranet with browser access | |
|
S 2.211 Planning the use of Lotus Notes in a demilitarised zone | |
|
S 2.212 Organisational requirements regarding cleaning contractors | |
|
S 2.213 Maintenance of the technical infrastructure | |
|
S 2.214 Concept of IT operations | |
|
S 2.215 Error handling | |
|
S 2.216 Approval procedure for IT components | |
|
S 2.217 Careful classification and handling of information, applications and systems | |
|
S 2.218 Procedures regarding the personal transportation of data media and IT components | |
|
S 2.219 Continuous documentation of information processing | |
|
S 2.220 Guidelines for access control | |
|
S 2.221 Change management | |
|
S 2.222 Regular checking of technical IT security measures | |
|
S 2.223 Security objectives for the use of standard software | |
|
S 2.224 Precautions against Trojan horses | |
|
S 2.225 Assignment of responsibility for information, applications and IT components | |
|
S 2.226 Procedures regarding the use of outside staff | |
|
S 3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions | |
|
S 3.24 Training on the Lotus Notes system architecture for Administrators | |
|
S 3.25 Training on Lotus Notes security mechanisms for users | |
|
S 3.26 Briefing of staff in the secure handling of IT equipment | |
|
S 4.21 Preventing unauthorised acquisition of administrator rights | |
|
S 4.40 Preventing unauthorised use of computer microphones | |
|
S 4.44 Checking of incoming files for macro viruses | |
|
S 4.116 Secure installation of Lotus Notes | |
|
S 4.117 Secure configuration of a Lotus Notes server | |
|
S 4.118 Configuration as a Lotus Notes server | |
|
S 4.119 Instituting restrictions on access to Lotus Notes servers | |
|
S 4.120 Configuration of access control lists for Lotus Notes databases | |
|
S 4.121 Configuration of rights of access to the Lotus Notes Name and Address Book | |
|
S 4.122 Configuration for browser access to Lotus Notes | |
|
S 4.123 Configuration of SSL-protected browser access to Lotus Notes | |
|
S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes | |
|
S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access | |
|
S 4.126 Secure configuration of a Lotus Notes client | |
|
S 4.127 Secure configuration of browser access to Lotus Notes | |
|
S 4.128 Secure operation of Lotus Notes | |
|
S 4.129 Secure handling of Notes ID files | |
|
S 4.130 Security measures following the creation of a new Lotus Notes database | |
|
S 4.131 Encryption of Lotus Notes databases | |
|
S 4.132 Monitoring of a Lotus Notes system | |
|
S 4.133 Appropriate choice of authentication mechanisms | |
|
S 4.134 Choice of suitable data formats | |
|
S 4.135 Restrictive granting of access rights to system files | |
|
S 5.5 Damage-minimising routing of cables | |
|
S 5.63 Use of GnuPG or PGP | |
|
S 5.84 Use of encryption procedures for Lotus Notes communication | |
|
S 5.85 Use of encryption procedures for Lotus Notes e-mail | |
|
S 5.86 Use of encryption procedures with browser access to Lotus Notes | |
|
S 5.87 Agreement regarding connection to third party networks | |
|
S 5.88 Agreement regarding the exchange of data with third parties | |
|
S 6.14 Replacement procurement plan | |
|
S 6.27 Backup of the CMOS RAM | |
|
S 6.73 Creation of a contingency plan for failure of the Lotus Notes system | |
|
S 6.74 Emergency archive | |
|
S 6.75 Redundant communication links |
| © Copyright
by Bundesamt für Sicherheit in der Informationstechnik |
last update: July 2001 |