Once the required information is available from the IT structure analysis and the assessment of protection requirements, the next major task is to model the IT assets under consideration with the aid of the existing modules of the IT Baseline Protection Manual. The outcome of this exercise is an IT baseline protection model of the IT assets which is made up from different modules of the manual, in some cases with the same modules being used several times over, and maps the security-relevant aspects of the IT assets onto specific modules and vice versa.

It makes no difference to the IT baseline protection model created whether the IT assets consist of IT systems already in service or whether the IT assets in question are still at the planning stage. However, the model may be used differently depending on whether the assets are already in use or not.

• The IT baseline protection model for IT assets already in service identifies the standard security safeguards that are relevant through the modules used. It can be used in the form of a test plan for carrying out a target versus actual comparison.
• By contrast, the IT baseline protection module for a planned set of IT assets constitutes a design concept. It specifies via the selected modules which standard security safeguards must be implemented on entry into service of the IT assets.

Figure: outcome of IT baseline protection modelling

Typically a set of IT assets currently in use will contain not only elements which have already been implemented but also elements which are still at the planning stage. The resulting IT baseline protection model then contains both a test plan and also elements of a design concept. The IT security concept will then be based on a combination of the IT security safeguards which are identified during the target versus actual comparison as being inadequate or missing and those identified for IT assets which are still at the planning stage.

To map a generally complex set of IT assets to the modules in the manual it is recommended that the IT security aspects are considered as groups arranged according to particular topics.

Figure: Tiers in the IT baseline protection model

The IT security aspects of a set of IT assets are assigned to the individual tiers as follows:

• Tier 1 covers all the general IT security aspects which apply equally to all or large numbers of the IT assets, particularly any universally applicable concepts and the procedures derived therefrom. Typical Tier 1 modules include IT Security Management, Organisation, Data Backup Policy and Computer Virus Protection Concept.

• Tier 2 is concerned with architectural and structural factors, in which aspects of the infrastructural security are brought together. This concerns especially the Buildings, Rooms, Protective Cabinets and Working Place at Home (Telecommuting) modules.

• Tier 3 concerns the individual IT systems in the set of IT assets which may be grouped together. The IT security aspects considered here relate not only to clients but also to servers and stand-alone systems. Thus, for example, the modules UNIX System, Laptop PC, Windows NT Network and Telecommunications System (Private Branch Exchange) fall within Tier 3.

• Tier 4 considers the networking aspects of the IT systems, which refer to the network connections and communications rather than to particular IT systems. The modules which are relevant here include, for example, Heterogeneous Networks, Network and System Management and Firewalls.

• Finally Tier 5 is concerned with the actual IT applications which are used on the IT assets. In this tier, the modules used for modelling purposes could include E-Mail, WWW Server, Fax Servers and Databases.

• The complexity of the IT security is reduced because the individual aspects are divided up in a meaningful manner.

• As higher order aspects and common infrastructural issues are considered separately from the IT systems, duplication of effort is avoided as those aspects only need to be dealt with once and not repeated for every IT system.

• The various tiers have been defined so that responsibilities for the aspects under consideration are grouped. Tier 1 is concerned with fundamental issues relating to the use of IT, Tier 2 with site technical services, Tier 3 with matters that concern administrators and IT users, Tier 4 with matters that concern the network and system administrators and finally Tier 5 with matters that concern those responsible for or who will run the IT applications.

• Breaking down the security aspects into tiers enables individual subject areas within the ensuing IT security concepts to be updated and expanded more easily, without having a significant effect on other tiers.

The IT baseline protection model, i.e. the assignment of modules to target objects, should be documented in the form of a table containing the following columns:

• Number and title of the module.

• Target object or target group. For example, this could be the identification number of a component or a group or the name of a building or organisational unit.

• Sample. If the target object is a group, then the number and names of the samples taken from this group should be noted.

• Contact person. This column serves initially only as a place holder. The contact person is not determined at the modelling stage, but only at the point when the target versus actual comparison in the basic security check is being planned.

• NB incidental information and the reasoning behind the modelling can be documented in this column.

2.3.1 Modelling a Set of IT Assets

When modelling a set of IT assets it is recommended that the modules are assigned using the 5-tier model. This is then followed by a completeness check.

Tier 1: Higher order aspects of IT security

In this tier the generic aspects of the IT assets, which apply to each individual component, are modelled. The primary elements under consideration here are policies and procedures derived from those policies. These aspects should be controlled uniformly for the entire set of IT assets so that in most cases the corresponding modules then only have to be applied once to the entire set of IT assets.

• Module 3.0 Security Management is applied once to the entire set of IT assets.

• Module 3.1 Organisation must be used at least once for every set of IT assets. If some of the IT assets under consideration are assigned to another organisational unit and are therefore subject to different framework conditions, the module should be applied separately to each organisational unit. If some of the IT assets are outsourced, this should be viewed as an important special case.

• Module 3.2 Personnel must be used at least once for every set of IT assets. If some of the IT assets under consideration are assigned to a different organisation or organisational unit and are therefore subject to different framework conditions, the module should be applied separately to each organisation or organisational unit. If some of the IT assets are outsourced, this should be viewed as an important special case.

• Module 3.3 Contingency Planning Concept must as a minimum be used where any components have been identified during the protection requirements assessment as having a high or very high protection requirement as regards availability or where relatively large IT systems and/or extensive networks are operated. When working through the module, particular attention should be given to these components.

• Module 3.4 Data Backup Policy is applied once to the entire set of IT assets.

• Module 3.6 Computer Virus Protection Concept should be applied once to the entire set of IT assets if this includes any systems which could fall prey to computer viruses.

• Module 3.7 Crypto concept should as a minimum be used where any components have been identified in the protection requirements assessment as having a high or very high protection requirement as regards confidentiality or integrity or where cryptographic procedures are already in use.

• Module 3.8 Handling of security incidents should as a minimum be used where any components have been identified in the protection requirements assessment as having a high or very high protection requirements as regards one of three basic parameters, or where failure of the entire set of IT assets would result in damage in the categories "high" or "very high".

• Module 9.1 Standard Software should be applied at least once to the entire set of IT assets. If there are any sub-areas within the IT assets which have different requirements or procedures as regards the use of standard software, then module 9.1 should be applied to each of these sub-areas separately.

The structural conditions relevant to the existing IT assets are modelled with the aid of the modules contained in Chapter 4 Infrastructure. This entails assignment of the relevant module from the IT Baseline Protection Manual to every building, room or protective cabinet (or group of these components).

• Module 4.1 Buildings must be used once for every building or every sample taken from a group of buildings.

• Module 4.2 Cabling must generally be applied once per building or sample of buildings (in addition to module 4.1). However, it may be that certain areas, for example the server room or control room, have special cabling requirements, in which case it may be advisable to apply module 4.2 to those parts of the building separately.

• Module 4.3.1 Office must be applied to all rooms or samples of rooms in which information technology is used but to which none of modules 4.3.2, 4.3.3 or 4.3.4 is being applied.

• Module 4.3.2 Server Room must be applied to every room or sample of rooms in which servers or PBXs are operated. Servers are IT systems which make services available on the network.

• Module 4.3.3 Data Media Archives must be applied to every room or sample of rooms in which data media are stored or archived.

• Module 4.3.4 Technical Infrastructure Room must be applied to every room or sample of rooms in which technical devices which require little or no human intervention to run are operated (e.g. distribution cabinet or standby power supply system).

• Module 4.4 must be applied to every protective cabinet or sample of cabinets once. Protective cabinets can serve as an alternative to a dedicated server room.

• Module 4.5 must be applied once to every working place at home or sample of the same (if corresponding groups have been defined).

This tier is concerned with security aspects relating to IT systems, i.e. to server and client computers, hosts, terminals etc. Tier 3 is covered by modules from Chapters 5 to 9 of the IT Baseline Protection Manual.

By analogy with the area "Security of the infrastructure", the modules relating to the area of "Security of the IT systems" may be applied either to individual IT systems or to samples from groups. This is assumed below although no further specific reference to it is made.

• Module 5.1 DOS-PC (single user) must be applied to every stand-alone computer or client on which the DOS operating system is installed.

• Module 5.2 UNIX System must be applied to every stand-alone computer or client which runs under the UNIX operating system.

• Module 5.3 Laptop PC must be applied to every mobile computer (laptop).

• Module 5.4 PCs with a Non-Constant User Population must be applied to every stand-alone computer or client on which different users work at different times.

NB it may not be necessary to apply module 5.4 to IT systems which are being modelled using modules 5.5, 5.6 or 5.9. These modules specifically address security aspects of situations where IT assets are used at different times by different users.

• Module 5.5 PC under Windows NT must be applied to every stand-alone computer or client which runs under Windows NT.

• Module 5.6 PC with Windows 95 must be applied to every stand-alone computer or client which runs under Windows 95.

• Module 5.99 Stand-alone IT systems must be applied to every IT system for which there is no operating system-specific module in the IT Baseline Protection Manual.

• Module 6.1 Server-supported Network must be applied to every IT system which offers services (e.g. file or print services) as a server in the network.

• Module 6.2 UNIX Server must be applied to every server which runs under the UNIX operating system.

• Module 6.3 Peer-to-Peer Network must be applied to every client which offers peer-to-peer services (for example shared directories) in the network.

• Module 6.4 Windows NT Network must be applied to every server which runs under Windows NT.

• Module 6.5 Novell Netware 3.x must be applied to every server which runs under this operating system.

• Module 6.6 Novell Netware 4.x must be applied to every server which runs under this operating system.

NB in addition to the operating system-specific module, module 6.1 must be applied for every server as this module draws together all the platform-independent security aspects of servers.

• Module 8.1 must be applied to every private branch exchange or to every sample of the same from a corresponding group.

• Module 8.2 must be applied to every fax machine or to every sample of the same from a corresponding group.

• Module 8.3 must be applied to every answering machine or to every sample of the same from a corresponding group.

• Module 8.6 Mobile Telephones should be applied at least once if the use of mobile phones is not forbidden in the organisation or organisational unit under consideration. If there are several different mobile phone operational areas (for example several mobile phone pools) then module 8.6 should be applied separately to each one.

• Module 9.3 Telecommuting must also be applied to every IT system which is used for telework.

This tier is concerned with security aspects in the network which cannot be isolated to particular IT systems (e.g. servers) in the network. Rather, the concern here is those security aspects which relate to the network connections and communications between the IT systems.

To simplify matters, it may be appropriate to consider sections within the complete network rather than the whole network at once. The division of the full network into subnetworks should be performed in accordance with these two criteria:

• The assessment of protection requirements will have identified connections over which certain data must under no circumstances be transported. These connections should be viewed as "interfaces" between subnetworks, i.e. the two endpoints of such a connection should be in different subnetworks. Conversely, connections which transport data that has a high or very high protection requirement should if possible not pass over any subnetwork boundaries. If this principle is followed, the protection requirements of the resulting subnetworks will be uniform as far as possible.

• Components which are only connected to each other over a long-distance connection should not be assigned to the same subnetwork i.e. subnetworks should not extend over more than one location or property. This is desirable both in order to retain an overview and for the efficient conduct of the project.

It is not possible to make a definite recommendation as to how best to subdivide the complete network into subnetworks, as the requirements stated above might be incompatible with the existing IT assets. Instead, a decision should be made in the individual case as to what is the most practical way of splitting up the complete network, bearing in mind the modules of the IT Baseline Protection Manual which are to be used.

• Module 6.7 Heterogeneous Networks must generally be applied to every subnetwork. However, if the subnetworks are small and several subnetworks fall within the responsibility of the same team of administrators, it may be sufficient to apply module 6.7 only once to all of these subnetworks.

• Module 6.8 Network and System Management must be applied to every network or system management system used on the IT assets under consideration.

• Module 7.2 Modem must be applied to every IT system equipped with a modem or to each corresponding sample thereof.

• Module 7.3 Firewall must be applied to every external connection to third party IT systems or networks where IT systems in the internal network which have a high protection requirement can be accessed over this external connection. This applies also if no firewall system is in use there yet. Examples here are Internet connections, remote access facilities and links to networks owned by business partners.

• Module 7.6 Remote Access must be applied once wherever remote access to the internal network is possible by a route other than over a dedicated leased line (e.g. telework, linking of staff working out in the field over analogue dial-up lines, ISDN or mobile phone).

• Module 8.4 LAN integration of an IT system via ISDN must be applied to all external connections which are implemented over ISDN.

The lowest tier entails modelling of the applications. Modern applications are seldom limited to a single IT system. In particular, core applications used across an entire organisation are generally implemented as client/server applications. In many cases servers themselves access other servers downstream, e.g. database systems. The security of the applications must therefore be considered independently of the IT systems and networks.

• Module 7.1 Exchange of Data Media should be used once for every application which serves as a source of data for an exchange of data media or processes data received by this route.

• Module 7.4 E-Mail must be applied to every e-mail system (internal or external) of the IT assets under consideration.

• Module 7.5 WWW Server must be applied to every WWW service (e.g. Intranet or Internet) of the IT assets under consideration.

• Module 8.5 must be applied to every fax server or to every sample of the same from a corresponding group.

• Module 9.2 Databases should be used once for every database system or sample of the same.

In the final step a check should be performed as to whether the entire system has been modelled without any gaps. It is recommended that the network plan or a similar overview of the IT assets is used here and that the individual components are checked systematically. Every component should either be assigned to a group or else be modelled separately. If the complete network has been divided into subnetworks in connection with Tier 4, a check should be performed as to whether

• every subnetwork has been completely represented and

• the sum of all the subnetworks completely describes the whole system.

If, when performing these checks, any gaps are revealed in the modelling, the relevant missing components must be added. Otherwise there is a risk that important elements of the complete system or important security aspects will be overlooked when using the IT Baseline Protection Manual.

If it is not possible to perform all the modelling because some modules which are needed are missing from the IT Baseline Protection Manual, we would ask you to notify your requirements to the BSI's IT Baseline Protection Hotline.

Bundesamt für Organisation und Verwaltung (Federal Agency for Organisation and Administration, BOV) - Part 8

The table below is an excerpt from the modelling performed for the fictitious BOV Department.

No.	Name of module	Target object / target group	Sample	Contact person	Notes
3.1	Organisation	Bonn site			The Organisation module must be worked through separately for the Bonn and Berlin sites, as Berlin has its own organisational procedures.
3.1	Organisation	Berlin site
3.2	Personnel	Entire BOV			The BOV's Human Resources Department is located centrally in Bonn.
4.3.3	Storage Media Archives	R U.02 (Bonn)			The backup data media are kept in this room.
5.3	Laptop PC	C5	1 in R 1.06 (Bonn)		A sample will be selected from all the laptops, both in Bonn and Berlin.
5.3	Laptop PC	C6	1 in R 2.01 (Berlin)
7.5	WWW Server	S5			S5 functions as the server for the Intranet.
9.2	Databases	S5			A database is used on server S5.

2.3.2 Modelling of an Individual IT System

Depending on the object(s) under examination, the tables below serve different functions. If the IT assets under consideration consists only of a single IT system or a single group of IT systems which have the same configuration, same framework conditions and same applications, then as a minimum the modules required for modelling can be read directly out of these tables. Modules with no entry in the relevant column should be used as well if they are relevant to the individual IT system under consideration.

If on the other hand the IT assets are composed out of different components, then the tables provided below will help in checking whether modelling as described in Section 2.3.1 is complete. If, for example, the present IT assets contains Windows NT clients, then all the modules which have an "X" in the relevant table should be considered during modelling. Modules identified with "(X)" only need to be used when certain conditions apply. These conditions are listed in Section 2.3.1.

Key:

X: The module must be applied to this IT system.
(X): The module must be applied to this IT system if the conditions specified in Sectio  2.3.1 apply.
X1: A server room can be replaced by a server cabinet.

	IT Systems	Stand-Alone Systems / Clients
	Module	DOS-PC (Single User)	UNIX System	Laptop PC	PC (Multi-user)	Windows NT PC	Windows 95 PC
3.0	IT Security Management	X	X	X	X	X	X
3.1	Organisation	X	X	X	X	X	X
3.2	Personnel	X	X	X	X	X	X
3.3	Contingency Planning Concept	(X)	(X)	(X)	(X)	(X)	(X)
3.4	Data Backup Policy	X	X	X	X	X	X
3.6	Computer Virus Protection Concept	X	X	X	X	X	X
3.7	Crypto Concept	(X)	(X)	(X)	(X)	(X)	(X)
3.8	Handling of Security Incidents	(X)	(X)	(X)	(X)	(X)	(X)
4.1	Buildings	X	X		X	X	X
4.2	Cabling	X	X		X	X	X
4.3.1	Offices	X	X		X	X	X
4.3.2	Server rooms
4.3.3	Storage Media Archives
4.3.4	Technical Infrastructure Rooms
4.4	Protective Cabinets
4.5	Working Place At Home (Telecommuting)
5.1	DOS PC (Single User)	X		(X)	(X)
5.2	UNIX System		X	(X)	(X)
5.3	Laptop PC			X	(X)
5.4	PCs With a Non-Constant User Population	(X)	(X)	(X)	X
5.5	PC under Windows NT			(X)		X
5.6	PC with Windows 95			(X)			X
5.99	Stand-Alone IT Systems Generally
6.1	Server-Supported Network
6.2	UNIX Server
6.3	Peer-to-Peer Network
6.4	Windows NT Network
6.5	Novell Netware 3.x
6.6	Novell Netware 4.x
6.7	Heterogeneous Networks
6.8	Network and System Management
7.1	Exchange of Data Media	(X)	(X)	(X)	(X)	(X)	(X)
7.2	Modem
7.3	Firewall
7.4	E-Mail
7.5	WWW Server
7.6	Remote Access
8.1	Telecommunications System (Private Branch Exchange, PBX)
8.2	Fax Machine
8.3	Answering Machine
8.4	LAN connection over ISDN
8.5	Fax Servers
8.6	Mobile Telephones
9.1	Standard Software	X	X	X	X	X	X
9.2	Databases
9.3	Telecommuting

 

	IT Systems	Stand-Alone Systems / Clients	Stand-Alone Systems / Clients
	Module	Telecommuting	Stand-Alone IT Systems Generally
3.0	IT Security Management	X	X
3.1	Organisation	X	X
3.2	Personnel	X	X
3.3	Contingency Planning Concept	(X)	(X)
3.4	Data Backup Policy	X	X
3.6	Computer Virus Protection Concept	X	X
3.7	Crypto Concept	(X)	(X)
3.8	Handling of Security Incidents	(X)	(X)
4.1	Buildings		X
4.2	Cabling		X
4.3.1	Offices		X
4.3.2	Server Rooms
4.3.3	Storage Media Archives
4.3.4	Technical Infrastructure Rooms
4.4	Protective Cabinets
4.5	Working Place At Home (Telecommuting)	X
5.1	DOS PC (Single User)	(X)
5.2	UNIX System	(X)
5.3	Laptop PC
5.4	PCs With a Non-Constant User Population
5.5	PC under Windows NT	(X)
5.6	PC with Windows 95	(X)
5.99	Stand-Alone IT Systems Generally	(X)	X
6.1	Server-Supported Network
6.2	UNIX Server
6.3	Peer-to-Peer Network
6.4	Windows NT Network
6.5	Novell Netware 3.x
6.6	Novell Netware 4.x
6.7	Heterogeneous Networks
6.8	Network and System Management
7.1	Exchange of Data Media	(X)	(X)
7.2	Modem	(X)
7.3	Firewall
7.4	E-Mail
7.5	WWW Server
7.6	Remote Access
8.1	Telecommunications System (Private Branch Exchange, PBX)
8.2	Fax Machine	(X)
8.3	Answering Machine	(X)
8.4	LAN connection over ISDN	(X)
8.5	Fax Servers
8.6	Mobile Telephones
9.1	Standard Software	X	X
9.2	Databases
9.3	Telecommuting	X

 

	IT Systems	Server / Network
	Module	UNIX Network	Peer-to-Peer Network	Windows NT Network	Novell 3.x Network	Novell 4.x Network
3.0	IT Security Management	X	X	X	X	X
3.1	Organisation	X	X	X	X	X
3.2	Personnel	X	X	X	X	X
3.3	Contingency Planning Concept	(X)	(X)	(X)	(X)	(X)
3.4	Data Backup Policy	X	X	X	X	X
3.6	Computer Virus Protection Concept	X	X	X	X	X
3.7	Crypto Concept	(X)	(X)	(X)	(X)	(X)
3.8	Handling of Security Incidents	(X)	(X)	(X)	(X)	(X)
4.1	Buildings	X	X	X	X	X
4.2	Cabling	X	X	X	X	X
4.3.1	Offices		X
4.3.2	Server Rooms	X		X	X	X
4.3.3	Storage Media Archives
4.3.4	Technical Infrastructure Rooms
4.4	Protective Cabinets	X1	X1	X1	X1	X1
4.5	Working Place At Home (Telecommuting)
5.1	DOS PC (Single User)		(X)
5.2	UNIX System		(X)
5.3	Laptop PC		(X)
5.4	PCs With a Non-Constant User Population		(X)
5.5	PC under Windows NT		(X)
5.6	PC with Windows 95		(X)
5.99	Stand-Alone IT Systems Generally		(X)
6.1	Server-Supported Network	X		X	X	X
6.2	UNIX Server	X
6.3	Peer-to-Peer Network		X
6.4	Windows NT Network			X
6.5	Novell Netware 3.x				X
6.6	Novell Netware 4.x					X
6.7	Heterogeneous Networks	X	X	X	X	X
6.8	Network and System Management
7.1	Exchange of Data Media
7.2	Modem
7.3	Firewall
7.4	E-Mail
7.5	WWW Server	(X)		(X)	(X)	(X)
7.6	Remote Access
8.1	Telecommunications System (Private Branch Exchange, PBX)
8.2	Fax Machine
8.3	Answering Machine
8.4	LAN connection over ISDN
8.5	Fax Servers	(X)		(X)	(X)	(X)
8.6	Mobile Telephones
9.1	Standard Software	X	X	X	X	X
9.2	Databases	(X)		(X)	(X)	(X)
9.3	Telecommuting

 

	IT Systems	Communication System
	Module	Firewall	Private Branch Exchange	Fax Machine	Answer-phone	Fax Servers
3.0	IT Security Management	X	X	X	X	X
3.1	Organisation	X	X	X	X	X
3.2	Personnel	X	X	X	X	X
3.3	Contingency Planning Concept	(X)	(X)	(X)	(X)	(X)
3.4	Data Backup Policy	X	X	X	X	X
3.6	Computer Virus Protection Concept	X	X	X	X	X
3.7	Crypto Concept	(X)	(X)	(X)	(X)	(X)
3.8	Handling of Security Incidents	(X)	(X)	(X)	(X)	(X)
4.1	Buildings	X	X	X	X	X
4.2	Cabling	X	X	X	X	X
4.3.1	Offices			X	X
4.3.2	Server Rooms	X	X			X
4.3.3	Storage Media Archives
4.3.4	Technical Infrastructure Rooms
4.4	Protective Cabinets	X1	X1			X1
4.5	Working Place At Home (Telecommuting)
5.1	DOS PC (Single User)
5.2	UNIX System
5.3	Laptop PC
5.4	PCs With a Non-Constant User Population
5.5	PC under Windows NT
5.6	PC with Windows 95
5.99	Stand-Alone IT Systems Generally
6.1	Server-Supported Network	X				X
6.2	UNIX Server	(X)				(X)
6.3	Peer-to-Peer Network
6.4	Windows NT Network	(X)				(X)
6.5	Novell Netware 3.x	(X)				(X)
6.6	Novell Netware 4.x	(X)				(X)
6.7	Heterogeneous Networks	X				X
6.8	Network and System Management
7.1	Exchange of Data Media
7.2	Modem
7.3	Firewall	X
7.4	E-Mail
7.5	WWW Server
7.6	Remote Access
8.1	Telecommunications System (Private Branch Exchange, PBX)		X
8.2	Fax Machine			X
8.3	Answering Machine				X
8.4	LAN connection over ISDN
8.5	Fax Servers					X
8.6	Mobile Telephones
9.1	Standard Software	X				X
9.2	Databases
9.3	Telecommuting

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update: October 2000