IT Baseline Protection - the Basis for IT Security

In our modern information and communication society, administrative tasks, in both public administration and industry, are increasingly and routinely supported by information technology (IT). Numerous work processes are electronically controlled, and large amounts of information are stored in digital form, processed electronically and transferred over local and public networks. Many tasks performed in both the public and private sectors are simply not possible without IT, while others can only be partially performed without it. Consequently, many public and private sector organisations are totally reliant on the correct functioning of their IT assets. An organisation can only achieve its objectives if its IT assets are used in a proper and secure manner.

There are many ways in which organisations depend on the correct functioning of IT resources. The financial success and competitiveness of companies are dependent on IT, so that ultimately jobs themselves depend directly on the functioning of IT assets. Whole industrial sectors such as banking and insurance, the car industry and logistics depend critically on IT today. At the same time, the well-being of every citizen also depends on IT, whether it is a matter of his job, the satisfaction of his daily consumer needs or his digital identity in payment transactions, in communications and increasingly in e-commerce. As society becomes more dependent on IT, the potential social damage which could be caused by the failure of IT resources increases. As IT resources are themselves not without weaknesses, there is justifiably great interest in protecting the data and information processed by IT assets and in planning, implementing and monitoring the security of these assets.

The potential damage which could result from the malfunction or failure of IT assets can be assigned to several categories. The most obvious of these is loss of availability: if an IT system is out of service, no money transactions can be carried out, online orders are impossible and production processes grind to a halt. Another issue frequently discussed is loss of confidentiality of data: every citizen is aware of the need to keep his personal data confidential, and every company knows that confidential data about its sales, marketing, research and development would be of interest to competitors. Loss of integrity (the corruption or falsification of data) is another issue which can have major consequences: forged or corrupt data results in incorrect accounting entries, production processes stop if the wrong or faulty input materials are delivered, and errors in development and planning data lead to faulty products. For some years now, loss of authenticity, i.e. the attribution of data to the wrong person, has come to be regarded as another major aspect of the general concern about data integrity. For example, payment instructions or orders could be processed so that they are charged to a third party, and digital declarations of intent that have not been properly protected could be attributed to the wrong persons as "digital identities" are falsified or become corrupt.

This dependency on IT will only increase further in the future. Developments worthy of particular mention include the following:

All this implies a disproportionate increase in the potential threats, due to the co-existence and interaction of multiple factors:

When considering the threat potential, a distinction should be made between loss or damage which is the result of wilful action and that which is caused by "chance events". The latter category includes problems which are the result of force majeure, technical failures, carelessness and negligence. Statistically, these "chance events" are the ones which, collectively, cause the most damage. By contrast, damage which is attributable to wilful action occurs less frequently, but when it does occur the consequences are often more serious. The perpetrators may be driven by the desire for revenge, envy or personal enrichment, or they may simply find it fun to wreak havoc on IT systems. In both the deliberate and the unintentional case, a further distinction can be made as to whether the cause of the damage lies inside or outside the company or agency. It should be noted in this context that most IT damage which is the result of deliberate action can be attributed to "insiders".

In view of the potential threats outlined above and the increasing dependence on IT resources, every enterprise, whether a company or an official body, must ask itself several key questions regarding IT security:

When seeking answers to these questions, it should be noted that IT security is not just a technical issue. Protecting an IT system to the level of security that is needed requires not only technical safeguards but also measures covering organisational, personnel and building infrastructure aspects. In particular, it is necessary to establish IT security management roles which are responsible for designing, co-ordinating and monitoring the IT security-related tasks.

If one now compares the IT assets of all institutions against the questions posed above, a particular group of IT assets emerges. The IT assets in this group may be characterised as follows:

If it were possible to identify a common set of security measures for this group of "typical" IT systems, a set of standard security measures, then this would significantly assist in answering the above questions for those "typical" IT systems. Many of the protection requirements of IT systems which lie outside this group, whether because they are unusual, customised systems or because they have very high protection requirements, can also be satisfied by implementing the standard security measures, although ultimately these systems need to be considered separately.

The IT Baseline Security Manual presents a detailed set of standard security measures which apply to virtually every IT system. It provides:

Because information technology is a highly innovative area and is constantly undergoing further development, the present manual is designed to be easily updated and expanded. The BSI continuously updates the manual and expands it to include new subjects on the basis of user surveys.

The response to the manual has been very positive. The Annex to the manual contains a list of some of the organisations which use the IT Baseline Protection Manual. This list provides an overview of the industries, companies and official bodies in which IT baseline protection is applied.

As the manual is also held in high esteem internationally, an English-language version is also available in electronic form.

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update: October 2000