2.6 Implementation of IT Security Safeguards

This section presents a number of aspects which have to be considered when implementing IT security safeguards. It describes how the implementation of IT security safeguards identified as being missing or inadequately implemented can be planned, carried out, overseen and monitored.

Before work can commence on implementing IT security safeguards, the IT structure analysis, baseline protection assessment and modelling described in Sections 2.1 to 2.3 must already have been performed for the IT system or IT assets under examination. The results of the basic security check, and in particular the target versus actual comparison it produces, must also be available. If a supplementary security analysis has been performed for selected areas because of their higher protection requirements, the additional measures it proposed should also be available and taken into account in the process.

If there are a number of safeguards to be implemented but only limited financial and staffing resources are available to implement them, then implementation of the IT security safeguards can proceed as described below. An example to explain the procedure will be found at the end of this section.

If only a few missing safeguards have been identified whose implementation will tie up only small amounts of financial or staffing resources, it is often possible to decide on an ad hoc basis who should implement these measures and by when. This can be documented simply and without complication in the tables used to document the target versus actual comparison. In this case, steps 1, 3 and 4 may be omitted.

Step 1: Examine results of investigation

As a first step, the missing or only partially implemented IT baseline protection safeguards should be evaluated in an overall view. To do this, it is recommended that all the safeguards which have either not been implemented or only partially been implemented, including their priorities, are extracted from the results of the basic security check and put in a table.

Any additional safeguards requiring implementation can be identified through supplementary security analyses. These too should be drawn up in the form of a table. These additional measures should be arranged by subject in line with the objects examined during modelling and the corresponding IT baseline protection modules.

Step 2: Consolidate the safeguards

The first action here is to consolidate the IT security safeguards still requiring implementation. If any additional security analyses have been performed, these could have identified additional IT security safeguards which supplement or even replace safeguards contained in the IT Baseline Protection Manual. A check should be performed here as to which IT baseline protection safeguards do not need to be implemented as they are to be replaced by more stringent IT security safeguards.

As recommendations are made in the IT Baseline Protection Manual for a variety of different types of organisation and technical configurations, the safeguards that are selected may need to be made more specific and adapted so as to reflect the organisational and technical circumstances in the agency/company concerned. Moreover, all the IT security safeguards should be reviewed once more to ensure that they are suitable: they must provide effective protection against the possible threats but at the same time it must in practice be feasible to implement them. For example, they must not hinder the organisational processes or undermine other security measures. In such cases it could be necessary to replace certain IT baseline protection safeguards by adequate alternative IT security safeguards.

So that the procedure followed in drawing up and refining the list of specific measures can be traced later, it should be suitably documented.

Examples:

Step 3: Prepare an estimate of the costs and effort required

As the budget for implementing IT security measures is in practice always limited, it is necessary to identify, for every measure to be implemented, how much will need to be invested and how much labour this will entail. A distinction should be made here between one-off and recurring investment and labour costs. It should be noted that experience shows that savings on technology often result in high ongoing labour costs.

In this connection it is necessary to ascertain whether all the measures identified can be afforded. If there are any safeguards which cannot be funded, consideration should be given as to what alternative measures could be taken instead or whether the residual risk resulting from failure to implement a given measure is acceptable. This decision must likewise be documented.

If the financial and staffing resources estimated as necessary are available, one can proceed to the next step. In many cases, however, a further decision has to be taken as to the extent of the resources to be used to implement the IT security measures. It is recommended that the results of the security study be presented to the person(s) responsible for making such decisions (Management, IT Manager, IT Security Officer etc.). To make those responsible aware of the security issues involved, the security weaknesses identified (i.e. missing or only partially implemented IT security safeguards) should be presented by protection requirement. It is also recommended that the cost and effort associated with implementing the missing priority 1, 2 and 3 safeguards be presented. A decision regarding the budget should then be made following this presentation.

If it proves impossible to make available a budget sufficient to cover implementation of all the missing safeguards, the residual risk resulting from failure to implement or delay in implementing certain measures should be pointed out. To assist with this, the Safeguard-Threat Tables (see CD-ROM: word20\tabellen) can be used to ascertain which threats are no longer adequately covered. The residual risk relating to any accidental or wilful threats should be described clearly and presented to Management for decision. The remaining steps can only take place after Management has decided that the residual risk is acceptable, as Management must bear the responsibility for the consequences.

Step 4: Determine implementation sequence

If the existing budget or staffing resources are not sufficient to be able to implement all the missing safeguards immediately, the sequence in which these measures will be implemented must be determined. When determining the sequence, the following aspects should be considered:

Step 5: Assign responsibilities

Once the sequence in which the safeguards will be implemented has been determined, it is then necessary to specify who is responsible for implementing which safeguards and by when. Unless this is done, experience indicates that implementation of safeguards tends to be delayed and in some cases never takes place. Care must be taken here to ensure that the person to whom responsibility is assigned possesses the skills and authority necessary to implement the safeguards and that the resources he needs are made available to him.

Similarly, someone must be allocated responsibility for overseeing implementation. This person must also be notified when implementation of individual safeguards has been completed. Typically it is the IT Security Officer who is notified. Progress in the matter of implementation should be checked at regular intervals to ensure that the implementation work does not drag on.

The implementation plan which should now be complete should contain the following information as a minimum:

Step 6: Measures to accompany implementation

It is also important to specify any measures which need to take place in parallel with implementation and to plan them into the implementation. In particular, this includes measures to inform members of staff who will be affected by the new IT security safeguards of their necessity and consequences, and to make them aware of the importance of IT security.

The staff concerned must also receive training as to how to implement and apply the new IT security safeguards correctly. If this training is left out, it is possible that the safeguards might not be implemented and/or that they might fail to achieve the desired effect. Another consequence would be that staff would feel inadequately informed, and this in turn often results in a negative attitude towards IT security.

After the new IT security measures have been implemented, the IT Security Officer should check to ensure that staff have fully accepted them. Should it turn out that the new measures have not gained acceptance, they are doomed to failure. The causes of the lack of acceptance should be investigated and, if necessary, those concerned should be given an additional briefing.

Example:

Excerpts from a fictitious example are provided below in order to illustrate the steps listed above in more detail. The table below shows the consolidated list of safeguards to be implemented, together with estimates of the associated costs, as produced by steps 1 to 3.

Target object | Module | Safeguard | Priority (1 / 2 / 3) | Costs | Notes
Entire organisation | 3.1 | S 2.11 Provisions Governing the Use of Passwords | 1 | a) euro 0; b) 2 working days; c) euro 0 p.a.; d) 0 working days p.a. | -
Server room R 3.10 | 4.3.2 | S 1.24 Avoidance of Water Pipes | 3 | a) euro 20,000; b) 12 working days; c) euro 0 p.a.; d) 0 working days p.a. | This safeguard is not cost-effective to implement. Instead, safeguard A1 will be implemented.
Server room R 3.10 | 4.3.2 | A1 Installation of metal sheets to take water away, with monitoring via a water alarm device which alerts the porter | - | a) euro 4,000; b) 3 working days; c) euro 0 p.a.; d) 0 working days p.a. | Replaces safeguard S 1.24.
Server S4 | 6.5 | S 1.28 Local Uninterruptible Power Supply | 1 | a) euro 1,000; b) 1 working day; c) euro 0 p.a.; d) 0 working days p.a. | -
C1 group of clients | 5.5 | A2 Smart card-supported authentication plus local encryption of hard disks | - | a) euro 1,400; b) 2 working days; c) euro 0 p.a.; d) 2 working days p.a. | This additional measure replaces safeguard S 4.1.
...

Key:
Priority: the priority of the IT baseline protection safeguard as recorded in the basic security check. Safeguards A1 and A2 are additional measures from the supplementary security analysis and carry no priority.
Costs: a) one-off investment costs; b) one-off labour costs; c) recurring investment costs per year; d) recurring labour costs per year.

The implementation plan resulting from Management's decisions regarding the above table is now drawn up in tabular form.

Implementation plan (as of 30 September 2000)

Target object | Module | Safeguard | Implement by | Person responsible | Budgetary framework | Notes
Entire organisation | 3.1 | S 2.11 Provisions Governing the Use of Passwords | 31.12.2000 | a) A. Müller; b) P. Meier | a) euro 0; b) 2 working days; c) euro 0 p.a.; d) 0 working days p.a. | -
Server room R 3.10 | 4.3.2 | A1 Installation of metal sheets to take water away, with monitoring via a water alarm device which alerts the porter | 30.04.2001 | a) C. Schmitz; b) F. Hofmann | a) euro 1,000; b) 1 working day; c) euro 0 p.a.; d) 0 working days p.a. | Metal sheets only to be installed under pipes carrying fresh water and wastewater.
Server S4 | 6.5 | S 1.28 Local Uninterruptible Power Supply | 31.10.2000 | a) C. Schulz; b) P. Meier | a) euro 500; b) 1 working day; c) euro 0 p.a.; d) 0 working days p.a. | -
C1 group of clients | 5.5 | A2 Smart card-supported authentication plus local encryption of hard disks | 31.12.2000 | a) C. Schulz; b) P. Meier | a) euro 1,400; b) 2 working days; c) euro 0 p.a.; d) 2 working days p.a. | -
...

Key:
Person responsible: a) responsible for implementing the safeguard; b) responsible for overseeing implementation.
Budgetary framework: a) one-off investment costs; b) one-off labour costs; c) recurring investment costs per year; d) recurring labour costs per year.


© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update: October 2000