1 BSI Baseline Protection Manual - How to measure IT-Security - Thomas Biere Federal Information Security Agency, Germany
2 Prejudices against IT-Security! IT-Security - causes a lot of expenses - is too expencive - hinders the users to do their jobs - causes much more work in the IT-administration - is only something for larger companies
3 IT-Security Why should I think about IT-Security Security?
4 The importance of IT! nearly all companies are using IT! nearly all processes depend on IT! the niveau of local and global networking rises up! the IT becomes more and more complex! the systems has been opened (remote access, internet)
5 The importance of IT rising up dependency means opening for attacks
6 In IT-Security interested people and organisations internal:! the board! the owner! the IT-security security- management! the internal audit ma- nagement! the marketing external:! customers! business partners! the banks! insurers! authorities! courts of justice! the prosecuting attorney s office
7 Internal measurability problems:! no possibility to make balance between the pros and cons! there are no parameters of business management - the return of investment is not measurable! some categories of use and damage are not scalable! paradoxon of security: people see the necessity to invest in IT-Security only, if something happens
8 Internal measurability! to measure the effectiveness of IT- Security by registering of incidents - you need a special organisation to be able to register all incidents - you need the results of registering from some years - it is not very useful, if a seldom but catastrophic event happens - it is not useful to document externally the level of IT-Security
10 Demands! state of IT-Security - it should say something about the state of IT- Security of a IT-combine and the IT-Security management! completeness - all parts of an IT environment should be objects of the survey! lucidity - the results must be lucid
11 Demands! comparability - the results must be comparable! methodology of the survey - the methodology of the survey must be exactly defined! relevance - the results must be relevant! documentation - one of the results of the survey should be a documentation
12 Demands! expenses - the expenses for the process should be low! benchmarking - there must be the possibility to compare the own company with other companies. The aim: increasing the level of IT-Security! publication - the marketing should be able to use the results of the process
13 IT-Security We have something like a standard for IT-Security Security: The BSI Baseline Protection Manual
14 IT Baseline Protection Main ideas! The whole system consists of typical components (e.g. server and client computers, operating systems)! Threats and their probabilities are lumped together.! Suitable groups of Standard Security Safeguards are recommended.! Detailed pieces of advice for the implementation of these safeguards are included.
15 IT Baseline Protection Advantages! A simple target/performance comparison allows for economic application and procedures.! Resulting IT security concepts are compact due to references to standard source.! Practical, reliable, and effective safeguards are implemented.! The concept is expandable and continuously updated.
16 IT Baseline Protection The aim is to achieve a security level for IT installations by appropriate employment of organisational, personnel, infrastructural, and technical standard security measures which is adequate and sufficient for average protection requirements and may also serve as a basis for IT applications with higher protection requirements.
17 Structure of the IT Baseline Protection Manual Chapters ("modules") Threats Catalogues Safeguards Catalogues
18 Structure of the IT Baseline Protection Manual Modules (examples)! Personnel! Contingency Planning! Data Media Archives! Windows NT! Unix-Server! Lotus Notes! Remote Access! Mobile phone About 50 modules on technical and non-technical aspects of IT security
19 Structure of the IT Baseline Protection Manual Threats Catalogues and examples! T 1 Force majeure T 1.6 Burning cables T 1.7 Inadmissible temperature and humidity! T 2 Organisational Shortcomings T 2.29 Software testing with production data T 2.61 Unauthorised collection of personal data
20 Structure of the IT Baseline Protection Manual Threats Catalogues and examples! T 3 Human Failure T 3.25 Negligent deletion of objects! T 4 Technical Failure T 4.16 Fax transmission errors! T 5 Deliberate Acts T 5.88 Misuse of active contents
21 Structure of the IT Baseline Protection Manual Safeguards Catalogues and examples! S 1 Infrastructure S 1.21 Sufficient dimensioning of lines! S 2 Organisation S 2.46 Appropriate key management! S 3 Personnel S 3.17 Briefing personnel on modem usage
22 Structure of the IT Baseline Protection Manual Safeguards Catalogues and examples! S 4 Hardware/Software S 4.97 One service per server! S 5 Communications S 5.45 Security of WWW browsers! S 6 Contingency planning S 6.11 Development of a post-incident recovery plan
23 Structure of the IT Baseline Protection Manual Modules
24 Structure of the IT Baseline Protection Manual Modules! Tier 1: general IT security aspects (e.g. IT Security Management, Organisation, Data Backup Policy and Computer Virus Protection Concept)! Tier 2: infrastructural security (e.g. Buildings, Rooms, Protective Cabinets and Working Place at Home)! Tier 3: IT systems (e.g. Unix System, Laptop, PC, Windows NT Network and Telecommunications System)
25 Structure of the IT Baseline Protection Manual Modules! Tier 4: networks (e.g. Heterogeneous Networks, Network and System Management and Firewalls)! Tier 5: IT applications (e.g. , WWW Server, Fax Servers and Databases)
26 Structure of the IT Baseline Protection Manual New modules! IT security management (reorganised as a module)! Remote Access! Mobile phone! Lotus Notes! Computer centre! Windows 2000 (March 2002)! MS Internet Information Server (March 2002)! Apache Web Server (March 2002)
27 How to apply the IT Baseline Protection Manual Network chart register all components Modelling map modules to components Interviews/Inspection not needed/yes/partly/no Evaluation status quo and improvements
28 Some facts about the IT Baseline Protection Manual! about 4500 voluntarily registers users worldwide! has become one of the de-facto standard reference manuals for IT security in Germany! available as a printed loose-leaf edition (German only)! available on CD-ROM (English and German)! available on the Internet (English and German) a certification scheme will be available soon
29 Qualification according to IT Baseline Protection Motivation! Agencies and companies want to identify the security level of co-operating institutions.! Institutions want to demonstrate, that they have successfully applied IT Baseline Protection.! Companies want to make their efforts regarding IT security transparent to clients and customers.
30 Qualification according to IT Baseline Protection Terms! BSI is going to define a "Qualification Scheme according to IT Baseline Protection".! Having completed this scheme the institution is awarded an "IT Baseline Protection Seal".! Two entry-level seals and the final "IT Baseline Protection Certificate" will be offered.
31 Qualification according to IT Baseline Protection Three different seals! "IT Baseline Protection Certificate" granted by an accredited testing laboratory. All required safeguards are implemented.! "Advanced Seal" Most important safeguards are implemented.! "Entry-level Seal" The essential safeguards are implemented.
2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee 185-189, 53175 Bonn Contents Contents 1 Introduction 1.1 Version History 1.2 Objective 1.3 Target group 1.4 Application
PUBLIC POWER CORPORATION S.A. INFORMATION TECHNOLOGY DIVISION CENTRAL SYSTEMS SUPPORT SECTION IT SYSTEMS SECURITY SUBSECTION PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS
Federal Office for Information Security 1 BSI Standard 100-4 2009 by Federal Office for Information Security (BSI) Godesberger Allee 185-189, 53175 Bonn, Germany 2 Table of Contents Table of Contents 1
White Paper Security Recommendations for Cloud Computing Providers (Minimum information security requirements) www.bsi.bund.de Contents Contents Preamble 3 The BSI Serving the Public 5 1 Introduction 7
MaximumOnTM Bringing High Availability to a New Level Introducing the Comm100 Live Chat Patent Pending MaximumOn TM Technology Introduction While businesses have become increasingly dependent on computer-based
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
ISMS User s Guide for Medical Organizations Guidance on the Application of ISMS Certification Criteria (Ver.2.0) ISMS: Information Security Management System 8 November 2004 Japan Information Processing
Author: Role: Mal Blackburne College Learning Manager Page 1 of 14 Introduction...3 Objectives/Constraints...3 Assumptions...4 Incidents Requiring Action...4 Physical Safeguards...5 Types of Computer Service
Guidelines for smart phones, tablets and other mobile devices Summary Smart phones, tablets and other similar mobile devices are being used increasingly both privately and in organisations. Another emerging
ITIL glossary and abbreviations English This glossary may be freely downloaded. See www.itil-officialsite.com/internationalactivities/itilglossaries.aspx for details of licence terms. 1 Acknowledgements
2014 Australian Government Information Security Manual CONTROLS 2014 Australian Government Information Security Manual CONTROLS Commonwealth of Australia 2014 All material presented in this publication
NIL OPERATE COMPREHENSIVE IT ENVIRONMENT MANAGEMENT MODEL ARE YOU STILL ABLE TO KEEP UP WITH BUSINESS TRENDS? More and more business user requirements, market challenges and rapidly evolving IT technologies
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
MailStore Server Sales Guide Email Archiving ediscovery Compliance Email Backup Data Loss Protection Lower IT Costs Introduction For most companies, email is not only the most important way of communicating,
Acceptance to Acceptance Glossary of s, s and Acronyms V3, 30 May 2007 Acknowledgements We would like to express our gratitude and acknowledge the contribution of Stuart Rance and Ashley Hanna of Hewlett-Packard
Chapter 6 Business Continuity Planning & Disaster Recovery Planning LEARNING OBJECTIVES: To develop business continuity plan 6.0 Introduction Business continuity focuses on maintaining the operations of
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
Information Technology Outsourcing 2nd Edition Global Technology Audit Guide (GTAG ) 7 Information Technology Outsourcing 2nd Edition June 2012 GTAG Table of Contents Table of Contents...1 Executive Summary...2
Credit value:? Unit 3 Information systems 3 Information systems Organisations can exploit information to do better at planning, monitoring and controlling their business activity. However, it is easy to
AN ENTERPRISE INFORMATION SECURITY MODEL FOR A MICRO FINANCE COMPANY: A CASE STUDY by MORNÉ OWEN 9203958 TREATISE Submitted in partial fulfilment of the requirements for the degree M TECH: Business Information
INTRODUCTION Legal practices are increasingly using cloud storage and software systems as an alternative to in-house data storage and IT programmes. The cloud has a number of advantages particularly flexibility
FRAUNHOFER RESEARCH INSTITUTION AISEC CLOUD COMPUTING SECURITY PROTECTION GOALS.TAXONOMY.MARKET REVIEW. DR. WERNER STREITBERGER, ANGELIKA RUPPEL 02/2010 Parkring 4 D-85748 Garching b. München Tel.: +49
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of
Network Monitoring as an essential component of IT security White Paper Author: Daniel Zobel, Head of Software Development, Paessler AG Published: July 2013 PAGE 1 OF 8 Contents Introduction... Current