2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI), Godesberger Allee, Bonn
BSI Standard IT-Grundschutz Methodology

Contents

1 Introduction
1.1 Version History
1.2 Objective
1.3 Target group
1.4 Application
1.5 References
2 Information security management with IT-Grundschutz
2.1 Scope of the subject areas
2.2 Overview of the information security process
2.3 Application of the IT-Grundschutz Catalogues
3 Initiation of the security process
3.1 Accepting Responsibility by Management
3.2 Designing and planning the security process
    Determining the Environmental Conditions
    Formulation of general information security objectives
    Determining the appropriate security level for the business process
3.3 Creation of a policy for information security
    Responsibility of management for the security policy
    Specifying the scope and contents of the security policy
    Summoning a development team for the security policy
    Releasing the security policy
    Updating the security policy
3.4 Organisation of the security process
    Integrating information security into organisation-wide procedures and processes
    Structure of the information security organisation
    Tasks, responsibilities, and authorities in the IS organisation
    The IT Security Officer
    The IS Management Team
    Area IT Security Officer, Project Security Officer, and IT System Security Officer
    IT Co-ordination Committee
    The Data Protection Officer
3.5 Providing the resources for information security
    Cost-efficient security strategy
    Resources for the IS organisation
    Resources for monitoring information security
    Resources for IT operations
3.6 Integration of all employees in the security process
    Training and raising awareness
    Communication, integration, and reporting routes
    When employees leave or switch jobs
4 Producing an IT Security Concept in accordance with IT-Grundschutz
4.1 Defining the scope
4.2 Structure analysis
    Reducing complexity by forming groups
    Documenting the applications and related information
    Preparing a network plan
    Survey of the IT Systems
    Documenting the rooms
4.3 Determining the protection requirements
    Defining the protection requirements categories
    Determination of the protection requirements for applications
    Determining the protection requirements for IT systems
    Determining the protection requirements for rooms
    Determining the protection requirements for communications links
    Conclusions drawn from the results of the protection requirements determination
4.4 Selecting and adapting safeguards
    The IT-Grundschutz Catalogues
    Modelling an information domain
    Adapting safeguards
4.5 Basic security check
    Organisational preparation for the basic security check
    Performing the target/actual state comparison
    Documenting the results
4.6 Supplementary security analysis
    Two-stage approach of the IT-Grundschutz Methodology
    Procedure for the supplementary security analysis
    Risk Analysis based on IT-Grundschutz
5 Implementing the security concept
5.1 Viewing the results of the examination
5.2 Consolidating the safeguards
5.3 Estimation of the costs and personnel required
5.4 Determining the order of implementation of the safeguards
5.5 Specifying the tasks and responsibility
5.6 Safeguards accompanying implementation
6 Maintenance and continuous improvement of the information security
6.1 Checking the information security process at all levels
    Methods for checking the information security process
    Checking the implementation of security safeguards
    Suitability of the information security strategy
    Integrating the results into the information security process
6.2 The flow of information in the information security process
    Reports to management
    Documentation in the information security process
    Information flow and reporting routes
7 ISO certification on the basis of IT-Grundschutz
Appendix

1 Introduction

1.1 Version History

Version | As per   | Changes
        | December |
        | May      | Stronger emphasis on information security instead of IT security, resulting in the modification of various terms; addition of data protection aspects; updated to reflect new and revised ISO standards; improved organisation; the order of the categories in the structure analysis has been changed; clearer separation of the tasks in the security process, both in the preparatory tasks in Chapter 3 and in the implementation in Chapters 4 to 6

1.2 Objective

The IT-Grundschutz Methodology is a BSI methodology for the effective management of information security that can easily be adapted to the situation of a specific organisation. The procedure described in the following chapters is based on the BSI Standard Management Systems for Information Security (ISMS) (refer to [BSI1]) and explains the IT-Grundschutz Methodology presented in that standard. A management system for information security (ISMS) is the planned and organised course of action taken to achieve and maintain an appropriate level of information security. For this reason, the suggested implementation for IT-Grundschutz is presented explicitly for every single phase described in that standard.

IT-Grundschutz represents a standard for establishing and maintaining an appropriate level of protection for all information at an organisation. This method, which was introduced by BSI in 1994 and has been refined and developed ever since, provides both a methodology for setting up a management system for information security and a comprehensive basis for assessing risks, monitoring the existing security level, and implementing the appropriate information security safeguards. One of the most important objectives of IT-Grundschutz is to reduce the expense of the information security process by offering reusable bundles of familiar procedures to improve information security.
In this manner, the IT-Grundschutz Catalogues contain standard threats and security safeguards for typical business processes and IT systems which can be used in your organisation as required. Through appropriate application of the standard technical, organisational, personnel, and infrastructural security safeguards recommended in IT-Grundschutz, a security level is reached for the business processes being analysed that is appropriate and adequate to protect business-related information having normal protection requirements. Furthermore, the safeguards in the IT-Grundschutz Catalogues not only form a basis for IT systems and applications requiring a high level of protection, but in many areas also provide an even higher level of security.

1.3 Target group

This document is primarily aimed at those who are responsible for security, security officers, security experts, security consultants, and anyone interested who is familiar with information security management. It also provides a practical foundation for those responsible for IT, for management personnel, and for the project managers who ensure that the security issues in their projects or organisation have been adequately taken into account. The IT-Grundschutz Methodology is aimed at organisations of all types and sizes that require a cost-effective and targeted method of setting up and implementing the appropriate level of security in their organisation. The term organisation is used in this context for companies, government agencies, and other public and private organisations. IT-Grundschutz can be implemented by small organisations as well as in large organisations. Note, though, that all recommendations should be examined and appropriately implemented in the context of the particular organisation.
1.4 Application

The BSI Standard Management Systems for Information Security describes the general methods for the initiation and management of information security in an organisation. The IT-Grundschutz Methodology now provides specific assistance on how to introduce a management system for information security step by step. It also discusses the individual phases of this process and presents practical, model solutions, so-called best practice approaches, to accomplish the tasks. This methodology provides a comprehensive framework for an ISMS and only needs to be adapted to the individual conditions in an organisation so that a suitable management system for information security can be set up.

In order to successfully establish a continuous and effective information security process, an entire series of actions must be performed. The IT-Grundschutz Methodology and the IT-Grundschutz Catalogues provide information on the methodology and practical aids for its implementation. Furthermore, the IT-Grundschutz Methodology also provides a standard with which an organisation can publicise the quality of its own ISMS via a certificate and which can be used as a criterion to assess the level of maturity of the ISMS in other organisations. ISO certification based on IT-Grundschutz can also be used as a security requirement for potential co-operation partners in order to define the required level of information security in the partner's organisation.

Even if a different methodology is used as the basis for the ISMS, it is still possible to benefit from the IT-Grundschutz Methodology. For example, IT-Grundschutz also provides approaches to solutions for various issues relating to information security, for example for the creation of concepts, for performing audits, and for certification in the area of information security. Depending on the task at hand, different ways of applying IT-Grundschutz may be appropriate, for example by applying only some aspects of it.
Depending on the area of application, individual modules, the threat and safeguard catalogues, and other aids provided by IT-Grundschutz form a helpful basis for security management tasks.

Chapter 2 provides a summary of the most important steps for introducing an ISMS and the procedure to follow to produce a security concept. Chapter 3 describes how the fundamental phase in initiating the information security process could look and which organisational structures are appropriate for the process. In addition, a systematic path is shown for setting up a functioning security management system and for developing it further during live operation.

Chapter 4 describes the IT-Grundschutz Methodology used to produce a security concept. This chapter first shows how the basic information on an information domain can be collected and reduced by forming groups. Subsequently, the protection requirements for the applications, IT systems, communication links, and rooms must be determined based on the business processes. The appropriate modules and safeguards from the recommendations in the IT-Grundschutz Catalogues must then be selected for the relevant information domain, i.e. they are modelled in accordance with the IT-Grundschutz Methodology. Before implementing the security safeguards, the existing and additional security safeguards which were, for example, defined and identified in the supplementary security analysis and in the subsequent risk analysis based on IT-Grundschutz according to BSI Standard (refer to [BSI3]) must be integrated into the IT-Grundschutz Methodology. Chapter 5 then describes how the identified and consolidated security safeguards should subsequently be implemented. The main task of an ISMS is to ensure that information security is maintained. This subject is tackled in Chapter 6, and the possibility of publicising the security level attained in the form of a certificate is presented as well.
The IT-Grundschutz Methodology, and in particular the IT-Grundschutz Catalogues, are regularly expanded and adapted to reflect recent developments. Due to the constant exchange of information with the users of IT-Grundschutz, it is possible to continually develop the catalogues to reflect new requirements. The ultimate objective of these efforts, though, is to point out the current recommendations for common security problems.

1.5 References

[BSI1] Information Security Management Systems (ISMS), BSI Standard 100-1, Version 1.5, May 2008
[BSI2] IT-Grundschutz Methodology, BSI Standard 100-2, Version 2.0, May 2008
[BSI3] Risk Analysis on the Basis of IT-Grundschutz, BSI Standard 100-3, Version 2.5, May 2008
[GSK] IT-Grundschutz Catalogues: Standard Security Safeguards, BSI, new each year
[SHB] IT Security Manual: Manual for the secure application of information technology, BSI, Version 1.0, March 1992, Bundesdruckerei
[OECD] Organisation for Economic Co-operation and Development (OECD), Guidelines for the Security of Information Systems and Networks, 2002
[ZERT] Certification according to ISO on the basis of IT-Grundschutz: audit scheme for ISO audits, BSI, Version 1.2, March 2008
[ZERT2] Certification scheme for audit team leaders for ISO audits on the basis of IT-Grundschutz, BSI, Version 1.2, March 2008
[27000] ISO/IEC (3rd CD, 2008), ISMS Overview and Vocabulary, ISO/IEC JTC1/SC27
[27001] ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems requirements specification, ISO/IEC JTC1/SC27
[27002] ISO/IEC 27002:2005, Information technology - Code of practice for information security management, ISO/IEC JTC1/SC27
[27005] ISO/IEC (2nd FCD, 2008), Information security risk management, ISO/IEC JTC1/SC27

2 Information security management with IT-Grundschutz

Information is highly valuable to companies and government offices and needs to be appropriately protected. Most information today is created, stored, transported, or processed at least in part using information technology (IT). It is impossible to imagine modern business processes without IT support in companies and administration offices. A reliable system for processing information is essential to be able to maintain operations in an organisation. Inadequately protected information is a frequently underestimated risk factor that can threaten the existence of some organisations. However, reasonable information protection as well as baseline protection for the IT systems can be achieved with relatively modest resources.

Note, though, that it takes more than simply purchasing anti-virus software, firewalls, or data back-up systems to achieve a level of security for all business processes, information, and IT systems in an organisation that meets the requirements. It is important to take a holistic approach. This includes, above all, a functional security management that is integrated into the organisation. Information security management (or IS management for short) is the part of general risk management intended to ensure the confidentiality, integrity, and availability of information, applications, and IT systems. This is a continuous process whose strategies and concepts are monitored on an ongoing basis for their performance and effectiveness and adapted when necessary. Information security is not only a question of technology, but depends a great deal on the general organisational and personnel requirements. The BSI IT-Grundschutz Methodology and the IT-Grundschutz Catalogues have taken this into account for a long time already by recommending both technical and non-technical standard security safeguards for common business areas, applications, and IT systems.
In this context, emphasis is placed on practical and action-based information with the goal of keeping the entry barriers of the security process as low as possible and avoiding highly complex procedures. The IT-Grundschutz Methodology describes how an efficient management system for information security can be set up and how the IT-Grundschutz Catalogues can be used for this purpose. The IT-Grundschutz Methodology combined with the IT-Grundschutz Catalogues provides a systematic method for developing security concepts and practical, standard security safeguards that have already been successfully implemented by numerous government agencies and companies. The IT-Grundschutz Catalogues, which were published for the first time in 1994 and now contain over 4000 pages, describe potential threats and protective safeguards in detail. The IT-Grundschutz Catalogues are constantly being revised, and new, specialised subjects are added as required. All information on IT-Grundschutz is available free of charge from the BSI website. In order to support the international co-operation of government agencies and companies, all documents relating to IT-Grundschutz are also available in English and in electronic form.

More and more business processes are being linked together via information and communication technology. This is accompanied by increases in the complexity of the technical systems and by a growing dependence on the correct operation of the technology. For this reason, all those involved must plan and organise the procedures in order to implement and maintain an appropriate level of security. The only way to guarantee that this process will be anchored in all business areas is by making it a high-priority task at the top management level. The highest level of management is responsible for the correct and targeted operation of an organisation, and hence for guaranteeing information security internally and externally.
They are thus responsible for initiating, controlling, and monitoring the security process. This includes issuing key strategic statements on information security, conceptual requirements, and the organisational framework to be used to attain information security in all business processes. The responsibility for information security remains at this level in any case, but the task of ensuring information security is usually delegated to an information security officer. In the IT-Grundschutz documents, this role is often referred to as the IT Security Officer even when the job of an IT Security Officer extends beyond pure IT security tasks.

If this framework does not exist in a given situation, then the first step should be an attempt to implement the missing security safeguards into the daily routine. In all cases, though, the idea is to raise the awareness of management for information security issues so that they will bear their share of the responsibility for information security in the future. Although many aspects of the information security process can be initiated in daily operations and will result in an improvement in the security situation, there is no guarantee that such actions will lead to a permanent increase in the level of information security.

The IT-Grundschutz Methodology describes a method for setting up and integrating IS management in an organisation. If an organisation has effective IS management integrated into its business processes, it can be assumed that it is in a position to achieve the desired security level, to improve it where necessary, and to meet new challenges as well. A consolidated, properly functioning security management is the essential basis for the reliable and continuous implementation of security safeguards in an organisation.
For this reason, there is also a Security Management module in the IT-Grundschutz Catalogues in addition to the detailed information available in this document. This module is used to achieve a uniform method of applying IT-Grundschutz and to integrate security management into the certification process in accordance with IT-Grundschutz to the extent warranted by its importance. In addition to the IT-Grundschutz Methodology, the IT-Grundschutz Catalogues also provide implementation aids for the security process in the form of field-proven, standard se