IT baseline protection

Last updated August 30, 2024

The IT baseline protection (German : IT-Grundschutz) approach from the German Federal Office for Information Security (BSI) is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. To reach this goal the BSI recommends "well-proven technical, organizational, personnel, and infrastructural safeguards".^[1] Organizations and federal agencies show their systematic approach to secure their IT systems (e.g. Information Security Management System) by obtaining an ISO/IEC 27001 Certificate on the basis of IT-Grundschutz.

Overview baseline security

The term baseline security signifies standard security measures for typical IT systems. It is used in various contexts with somewhat different meanings. For example:

Microsoft Baseline Security Analyzer: Software tool focused on Microsoft operating system and services security
Cisco security baseline: Vendor recommendation focused on network and network device security controls
Nortel baseline security: Set of requirements and best practices with a focus on network operators
ISO/IEC 13335-3 defines a baseline approach to risk management. This standard has been replaced by ISO/IEC 27005, but the baseline approach was not taken over yet into the 2700x series.
There are numerous internal baseline security policies for organizations,^[2]^[3]
The German BSI has a comprehensive baseline security standard, that is compliant with the ISO/IEC 27000-series ^[4]

BSI IT baseline protection

The foundation of an IT baseline protection concept is initially not a detailed risk analysis. It proceeds from overall hazards. Consequently, sophisticated classification according to damage extent and probability of occurrence is ignored. Three protection needs categories are established. With their help, the protection needs of the object under investigation can be determined. Based on these, appropriate personnel, technical, organizational and infrastructural security measures are selected from the IT Baseline Protection Catalogs.

The Federal Office for Security in Information Technology's IT Baseline Protection Catalogs offer a "cookbook recipe" for a normal level of protection. Besides probability of occurrence and potential damage extents, implementation costs are also considered. By using the Baseline Protection Catalogs, costly security analyses requiring expert knowledge are dispensed with, since overall hazards are worked with in the beginning. It is possible for the relative layman to identify measures to be taken and to implement them in cooperation with professionals.

The BSI grants a baseline protection certificate as confirmation for the successful implementation of baseline protection. In stages 1 and 2, this is based on self declaration. In stage 3, an independent, BSI-licensed auditor completes an audit. Certification process internationalization has been possible since 2006. ISO/IEC 27001 certification can occur simultaneously with IT baseline protection certification. (The ISO/IEC 27001 standard is the successor of BS 7799-2). This process is based on the new BSI security standards. This process carries a development price which has prevailed for some time. Corporations having themselves certified under the BS 7799-2 standard are obliged to carry out a risk assessment. To make it more comfortable, most deviate from the protection needs analysis pursuant to the IT Baseline Protection Catalogs. The advantage is not only conformity with the strict BSI, but also attainment of BS 7799-2 certification. Beyond this, the BSI offers a few help aids like the policy template and the GSTOOL.

One data protection component is available, which was produced in cooperation with the German Federal Commissioner for Data Protection and Freedom of Information and the state data protection authorities and integrated into the IT Baseline Protection Catalog. This component is not considered, however, in the certification process.

Baseline protection process

The following steps are taken pursuant to the baseline protection process during structure analysis and protection needs analysis:

The IT network is defined.
IT structure analysis is carried out.
Protection needs determination is carried out.
A baseline security check is carried out.
IT baseline protection measures are implemented.

Creation occurs in the following steps:

IT structure analysis (survey)
Assessment of protection needs
Selection of actions
Running comparison of nominal and actual.

IT structure analysis

An IT network includes the totality of infrastructural, organizational, personnel, and technical components serving the fulfillment of a task in a particular information processing application area. An IT network can thereby encompass the entire IT character of an institution or individual division, which is partitioned by organizational structures as, for example, a departmental network, or as shared IT applications, for example, a personnel information system. It is necessary to analyze and document the information technological structure in question to generate an IT security concept and especially to apply the IT Baseline Protection Catalogs. Due to today's usually heavily networked IT systems, a network topology plan offers a starting point for the analysis. The following aspects must be taken into consideration:

The available infrastructure,
The organizational and personnel framework for the IT network,
Networked and non-networked IT systems employed in the IT network.
The communications connections between IT systems and externally,
IT applications run within the IT network.

Protection needs determination

The purpose of the protection needs determination is to investigate what protection is sufficient and appropriate for the information and information technology in use. In this connection, the damage to each application and the processed information, which could result from a breach of confidentiality, integrity or availability, is considered. Important in this context is a realistic assessment of the possible follow-on damages. A division into the three protection needs categories "low to medium", "high" and "very high" has proved itself of value. "Public", "internal" and "secret" are often used for confidentiality.

Modelling

Heavily networked IT systems typically characterize information technology in government and business these days. As a rule, therefore, it is advantageous to consider the entire IT system and not just individual systems within the scope of an IT security analysis and concept. To be able to manage this task, it makes sense to logically partition the entire IT system into parts and to separately consider each part or even an IT network. Detailed documentation about its structure is prerequisite for the use of the IT Baseline Protection Catalogs on an IT network. This can be achieved, for example, via the IT structure analysis described above. The IT Baseline Protection Catalog’s' components must ultimately be mapped onto the components of the IT network in question in a modelling step.

Baseline security check

The baseline security check is an organisational instrument offering a quick overview of the prevailing IT security level. With the help of interviews, the status quo of an existing IT network (as modelled by IT baseline protection) relative to the number of security measures implemented from the IT Baseline Protection Catalogs are investigated. The result is a catalog in which the implementation status "dispensable", "yes", "partly", or "no" is entered for each relevant measure. By identifying not yet, or only partially, implemented measures, improvement options for the security of the information technology in question are highlighted.

The baseline security check gives information about measures, which are still missing (nominal vs. actual comparison). From this follows what remains to be done to achieve baseline protection through security. Not all measures suggested by this baseline check need to be implemented. Peculiarities are to be taken into account! It could be that several more or less unimportant applications are running on a server, which have lesser protection needs. In their totality, however, these applications are to be provided with a higher level of protection. This is called the (cumulation effect).

The applications running on a server determine its need for protection. Several IT applications can run on an IT system. When this occurs, the application with the greatest need for protection determines the IT system’s protection category.

Conversely, it is conceivable that an IT application with great protection needs does not automatically transfer this to the IT system. This may happen because the IT system is configured redundantly, or because only an inconsequential part is running on it. This is called the (distribution effect). This is the case, for example, with clusters.

The baseline security check maps baseline protection measures. This level suffices for low to medium protection needs. This comprises about 80% of all IT systems according to BSI estimates. For systems with high to very high protection needs, risk analysis-based information security concepts, like for example ISO/IEC 27000-series standards, are usually used.

IT Baseline Protection Catalog and standards

During its 2005 restructuring and expansion of the IT Baseline Protection Catalogs, the BSI separated methodology from the IT Baseline Protection Catalog. The BSI 100-1, BSI 100-2, and BSI 100-3 standards contain information about construction of an information security management system (ISMS), the methodology or basic protection approach, and the creation of a security analysis for elevated and very elevated protection needs building on a completed baseline protection investigation.

BSI 100-4, the "Emergency management" standard, is currently in preparation. It contains elements from BS 25999, ITIL Service Continuity Management combined with the relevant IT Baseline Protection Catalog components, and essential aspects for appropriate Business Continuity Management (BCM). Implementing these standards renders certification is possible pursuant to BS 25999-2. The BSI has submitted the BSI 100-4 standards design for online commentary under.^[5]

The BSI brings its standards into line with international norms like the ISO/IEC 27001 this way.

Literature

BSI:IT Baseline Protection Guidelines (pdf, 420 kB)
BSI: IT Baseline Protection Cataloge 2007 (pdf)
BSI: BSI IT Security Management and IT Baseline Protection Standards
Frederik Humpert: IT-Grundschutz umsetzen mit GSTOOL. Anleitungen und Praxistipps für den erfolgreichen Einsatz des BSI-Standards, Carl Hanser Verlag München, 2005. Archived 2007-09-30 at the Wayback Machine ( ISBN 3-446-22984-1)
Norbert Pohlmann, Hartmut Blumberg: Der IT-Sicherheitsleitfaden. Das Pflichtenheft zur Implementierung von IT-Sicherheitsstandards im Unternehmen, ISBN 3-8266-0940-9

Related Research Articles

<span class="mw-page-title-main">Business continuity planning</span> Prevention and recovery from threats that might affect a company

Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", and business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery. Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.

BS 7799 was a British standard "Code of Practice for Information Security Management", first published as such by the British Standards Institution (BSI) in February 1995. Read about the origins of BS 7799 here.

ISO/IEC 20000 is the international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1/SC7 and revised in 2011 and 2018. It was originally based on the earlier BS 15000 that was developed by BSI Group.

Information security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

<span class="mw-page-title-main">Standard of Good Practice for Information Security</span>

The Standard of Good Practice for Information Security (SOGP), published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.

ISO/IEC 27000 is one of the standards in the ISO/IEC 27000 series of information security management systems (ISMS)-related standards. The formal title for ISO/IEC 27000 is Information technology — Security techniques — Information security management systems — Overview and vocabulary.

The British Standards Institution (BSI) is the national standards body of the United Kingdom. BSI produces technical standards on a wide range of products and services and also supplies certification and standards-related services to businesses.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.

The ISO/IEC 27000 family comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Part of the ISO/IEC 27000 series of ISO/IEC Information Security Management System (ISMS) standards, it is titled Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.

ISO/IEC 27003 Information technology — Security techniques — Information security management systems — Guidance. It is part of a family of standards of information security management system (ISMS), which is a systematic approach to securing sensitive information, of ISO/IEC. It provides standards for a robust approach to managing information security (infosec) and building resilience. It was published on February 1, 2010, and revised in April 2017. It is currently not certifiable and is not translated into Spanish.

ISO/IEC 27004 Information Technology – Security techniques – Information Security Management – Measurement. It is part of a family of standards of information security management system (ISMS), which is a systematic approach to securing sensitive information, of ISO/IEC. It provides standards for a robust approach to managing information security (infosec) and building resilience. It was published on December 7, 2009 and revised in December 2016. It is currently not certifiable and is not translated into Spanish.

ISO/IEC 27007 is a standard on Information security, cybersecurity and privacy protection that provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. This standard is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme. It was published on November 14, 2011, and revised on January 21, 2020.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. A SWOT analysis of the ISO/IEC 27001 certification process was conducted in 2020.

ISO/IEC 27701:2019 is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

ISO/IEC 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is part of the ISO/IEC 27000 family of standards, standards which provides best practice recommendations on information security management. This standard was built from ISO/IEC 27002, suggesting additional security controls for the cloud which were not completely defined in ISO/IEC 27002.

References

↑ "IT-Grundschutz". bsi.bund.de. BSI. Archived from the original on 30 September 2013. Retrieved 29 November 2013.
↑ "Department Baseline Security Policy and End User Agreement" (PDF). Purdue University. Retrieved 17 December 2009.^{[ permanent dead link ]}
↑ "D16 Baseline Security Requirements for Information Systems". Kent Police. Archived from the original on 15 December 2009. Retrieved 17 December 2009.
↑ "Mapping ISO 27000 to baseline security" (PDF). BSI. Retrieved 17 December 2009.
↑ Entwurf BSI 100-4 ^{[ permanent dead link ]} (pdf)

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "IT-Grundschutz". bsi.bund.de. BSI. Archived from the original on 30 September 2013. Retrieved 29 November 2013.

[purdue-university-2] "Department Baseline Security Policy and End User Agreement" (PDF). Purdue University. Retrieved 17 December 2009.^{[ permanent dead link ]}

[kent-police-3] "D16 Baseline Security Requirements for Information Systems". Kent Police. Archived from the original on 15 December 2009. Retrieved 17 December 2009.

[iso27000-gs-4] "Mapping ISO 27000 to baseline security" (PDF). BSI. Retrieved 17 December 2009.

[5] Entwurf BSI 100-4 ^{[ permanent dead link ]} (pdf)

[1]

[2]

[3]

[4]

[5]