Title: IT Security Guidelines
File size: 455.6 KB
Total pages: 49

Table of Contents
1 Introduction
2 IT security in focus
3 Important concepts relating to IT security
4 Regulations and legal requirements in Germany
5 How not to do it: some warning examples
6 The most common failures to act
	6.1 Inadequate IT security strategy
	6.2 Mistakes in the configuration of IT systems
	6.3 Insecure networking and internet connection
	6.4 Failure to observe security requirements
	6.5 Poor maintenance of IT systems
	6.6 Careless handling of passwords and security mechanisms
	6.7 Inadequate protection against intruders and damage by the elements
7 Essential security safeguards
	7.1 Systematic approach to IT security
	7.2 Security of IT systems
	7.3 Networking and internet connection
	7.4 The human factor: knowledge and heeding of security requirements
	7.5 Maintenance of IT systems: handling security-relevant updates
	7.6 Use of security mechanisms: handling passwords and encryption
	7.7 Protection against catastrophes and damage by the elements
8 The BSI's IT-Grundschutz methodology
	8.1 The BSI's IT-Grundschutz methodology as the basis for a professional IT security concept
	8.2 Structure of the IT-Grundschutz Catalogues
	8.3 Performing an IT-Grundschutz analysis
9 Standards and certification of one's own IT security
10 Annex
	10.1 Checklists
	10.2 Example: What should be regulated in the security concept for a private branch exchange
	10.3 Additional information
Page 1

IT Security Guidelines
IT-Grundschutz in brief

Page 2


Dr. Udo Helmbrecht
President of the Federal Office for Information Security (BSI)

Work and business processes are increasingly based on IT solutions. For this reason, the security and
reliability of information and communications technology become all the more important. The right IT
security concept can assist you in building a solid basis for a level of IT security you can rely on.
These IT Security Guidelines are designed to help you with this, providing a compact overview of the
most relevant security safeguards. Using practical examples we draw your attention to the risks and
illustrate the necessary organisational, infrastructural and technical safeguards. Checklists will assist
you in analysing your own situation.

One thing is sure: Security can be achieved without a huge IT budget.

Page 24

Essential security safeguards

and functions that are not essential to the work that is expected to be carried out with the program.
Often an aggressor will succeed in penetrating a server by misusing a program that did not even need
to be installed on that server. Moreover, regular maintenance and updating of a computer naturally
means more work when it contains more programs. For these reasons, all unnecessary application
programs should be removed. The same applies to individual tools, drivers, subcomponents etc. It may
even be possible to remove individual "commands" that are not required (i.e. the associated operating
system routines).

20. Manuals and product documentation should be read promptly

An experienced administrator will often be in a position to boot up a system without reading the
operating manuals in advance. However, this success is often deceptive. Thus, for example,
manufacturer warnings can be overlooked, resulting in unexpected problems later on, such as
incompatibilities, system crashes or undetected vulnerabilities. It is therefore careless and
unprofessional to ignore the help and information provided by the manufacturer and thus create
unnecessary risks.

21. Detailed installation and system documentation must be created and updated regularly

It is advisable to document all operator actions performed prior to, during and after an installation in
writing. This will make it possible to recover more quickly and also, in case of problems, to locate the
possible causes. It is also important that the system documentation can be understood by third parties
(e.g. by a "stand-in" administrator or when someone is away on holiday). This reduces the risk of
failures in the event that the full-time administrator is suddenly no longer available. Moreover, if a
hacker attack is carried out, it will make it possible for unauthorised changes to the system to be
identified more quickly.

7.3 Networking and internet connection

For most users with internet access, e-mail and web browsers are the two most important internet
applications. It is no wonder that many dangers lurk here. Harmful routines that could escape detection
by a virus protection program could sneak in along with files that are downloaded. Unwanted actions
can be triggered while surfing on the Internet, especially where risky active content (see safeguard 26)
is allowed to execute.

On the BSI's website you will always find up-to-date information, studies on various subjects and also
detailed examples under the heading "Internet security".


Page 25


22. Networks must be protected by a firewall

No computer used for business purposes should be connected to the Internet without the protection of
a suitable firewall.

Even within relatively large internal networks there are normally several subnets with different user
groups and different protection requirements. Often it is therefore necessary to protect one's "own"
subnet against adjacent networks to ward off threats which may be qualitatively similar to threats from
the Internet (e.g. isolation of the Human Resources department from the rest of the organisation).
Therefore protection mechanisms should be installed on these network connections.

What is a firewall?

A firewall is a hardware or software system that monitors the connection between networks
and, in particular, averts attacks on the network (intranet) from the Internet. The
possibilities start with simple, sometimes free of charge computer programs ("personal
firewalls") that generally only protect the computer on which they are installed. On large
networks on the other hand, complex firewall systems that consist of several hardware and
software components are used.

23. A secure firewall must satisfy certain minimum

To protect the internal network against neighbouring, less trusted networks, a suitable firewall type
must be selected. The design of the firewall architecture and the firewall installation should be left to

Generally a multi-level firewall concept is recommended, under which additional filter elements (for
example routers) are positioned upstream and downstream. In the individual case, if for example there
is only a single computer or a complex firewall system is not possible for other reasons, it is
recommended to install a personal firewall on the computer to be protected and thus provide at least
basic protection.

The filter rules in firewalls tend to grow and become less straightforward with the passage of time.
Firewall administrators comply with requests from users all too lightly, thus watering down the rules.
There should be no exceptions, not even for the CEO! It is therefore necessary to check at regular
intervals whether the existing filter rules are still consistent, whether they can be simplified and
whether they are sufficiently restrictive. Moreover, checks should be carried out from time to time as
to whether the existing firewall design can still cope from the point of view of IT security with
communications protocols that have already been introduced or are expected to enter use before long.
Again, new technologies can pose additional challenges to existing firewall concepts. Detailed
technical information on firewalls is contained in the IT-Grundschutz Catalogues and on the BSI's
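The regular check that safeguard 23 calls for (are the filter rules still consistent, can they be simplified, are they sufficiently restrictive?) can be partly automated. The following Python script is an added example, not part of the BSI guidelines: it audits a constructed first-match ruleset for rules shadowed by earlier ones, blanket allow rules and a missing default deny. It assumes IPv4 addresses and a simple five-field rule model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port or "any"

def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)

def covers(outer, inner):
    """True if every packet matched by `inner` would already be matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in ("any", inner.dport))

def is_any_any(rule):
    return rule.src == "any" and rule.dst == "any" and rule.proto == "any" and rule.dport == "any"

def audit(rules):
    """Return (rule index, finding) pairs for a first-match ruleset."""
    findings = []
    for i, rule in enumerate(rules):
        # A rule fully covered by an earlier one never matches: it is redundant or unreachable.
        shadow = next((j for j in range(i) if covers(rules[j], rule)), None)
        if shadow is not None:
            findings.append((i, f"shadowed by rule {shadow}"))
        # An allow that restricts neither endpoint nor service is not restrictive at all.
        if rule.action == "allow" and is_any_any(rule):
            findings.append((i, "allow-any rule is not restrictive"))
    if not rules or rules[-1].action != "deny" or not is_any_any(rules[-1]):
        findings.append((len(rules) - 1, "ruleset does not end with a default deny"))
    return findings

# Constructed sample ruleset (first match wins); not taken from the guidelines.
RULES = [
    Rule("allow", "10.1.0.0/16", "10.2.0.10/32", "tcp", "443"),  # 0: HR subnet to intranet web
    Rule("deny",  "10.1.0.0/16", "10.2.0.0/16",  "any", "any"),  # 1: isolate HR subnet
    Rule("allow", "10.1.5.0/24", "10.2.0.20/32", "tcp", "445"),  # 2: later exception, never reached
    Rule("allow", "any",         "any",          "any", "any"),  # 3: "temporary" blanket exception
    Rule("allow", "10.3.0.0/16", "10.2.0.10/32", "tcp", "443"),  # 4: made pointless by rule 3
    Rule("deny",  "any",         "any",          "any", "any"),  # 5: default deny, also unreachable
]

if __name__ == "__main__":
    for index, text in audit(RULES):
        print(f"rule {index}: {text}")
```

Running it on the sample shows both failure modes the text warns about: an exception added later that the earlier isolation rule silently overrides, and a blanket allow that makes every rule after it, including the default deny, dead.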


Page 48


German CERTs (Computer Emergency Response Teams)
Information on computer viruses and security problems in software and hardware that have been
newly identified is published on the information pages of Computer Emergency Response Teams
(CERTs). CERTs answer questions related to IT security issues, publish up-to-date information on
vulnerabilities and provide information on incidents related to IT security. Based on this information,
the system administrators or end users in charge can immediately take concrete steps to avert threats.
This way, possible damage is already avoided in advance.

If a security incident occurs, some CERTs offer reactive services to mitigate the consequences, to
remedy the damages, or to resolve the incident.

The BSI operates a CERT for the German Federal authorities (the CERT-Bund) and offers, e.g.,
an up-to-date e-mail newsletter on various security issues as part of its warning and information
service WID (Warn- und Informationsdienst). The CERT-Bund services are primarily provided
for the main target group in the German Federal administration.

Here, CERT-Bund and Mcert operate a joint platform which is primarily intended for regularly
informing citizens about current security and virus warnings. Apart from getting information on
the latest security and virus warnings, users also have the possibility to subscribe to the BSI’s
newsletter "Sicher Informiert" which explains current issues in brief. The service provided
here is completely free of charge.

The CERT-Verbund is an alliance of German CERTs who have committed themselves to
cooperate on the basis of a Code of Conduct. This alliance is open to all interested German

The German research network (Deutsches Forschungsnetz, DFN) traditionally operates the
CERT for the German Research and Education Community. They offer mailing lists for all
interested persons.

Mcert is specifically oriented towards small and medium-sized enterprises. Among others, the
German Association for Information Technology, Telecommunications and New
Media (BITKOM), the German government and private companies participate in this CERT.

This is an English-language site of a well-respected CERT that has been in operation for many
years and was also the first of its kind.

Standards and certification

The D21 initiative has brought together and compared the most important IT security standards
in an article.

Cobit can be reached on the site of the "Information Systems Audit and Control Association &

ISO standards can be purchased on the ISO website. Unfortunately they are normally not cheap.

The Common Criteria standard mentioned above can be downloaded free of charge from the
respective homepage. Anyone seeking further details on this subject will also find a wealth of
additional information there.

Page 49

Several large companies have joined forces in the Information Security Forum (ISF) to jointly
work on IT security issues. A very good set of guidelines on information security, "The Forum's
Standard of Good Practice", is available to the public (in English).

Data protection and the law

The Federal Commissioner for Data Protection and Freedom of Information provides valuable
information on every aspect of data protection on his website. This includes the addresses and
links to the State Data Protection Officers who also offer extensive information on the subject
of IT security.
The "Virtual Privacy Office" is a project involving, amongst others, the Privacy Commissioners
both at national and state level. It is above all intended to serve as a single portal to the
(primarily German language) data protection knowledge on the Internet and contains a large
number of contributions and articles.
Here you can find an article from the German computer magazine c't including a commented list
of some important sources of legal literature.

Date: June 2007
