3.1 Organisation

Description

This Chapter lists general and generic measures in the organisational field which, as standard organisational measures, are required to achieve a minimum protection standard. Specific measures of an organisational nature which directly relate to other measures (e.g. LAN administration) are listed in the relevant chapters.

Threat Scenario

In this Chapter, the following typical threats (T) are considered as regards IT baseline protection:

Organisational Shortcomings

• T 2.1 Lack of, or insufficient, rules
• T 2.2 Insufficient knowledge of requirements documents
• T 2.3 A lack of compatible, or unsuitable, resources
• T 2.4 Insufficient monitoring of IT security measures
• T 2.5 Lack of, or inadequate, maintenance
• T 2.6 Unauthorised admission to rooms requiring protection
• T 2.7 Unauthorised use of rights
• T 2.8 Uncontrolled use of resources
• T 2.9 Poor adjustment to changes in the use of IT
• T 2.10 Data media are not available when required

Human Failure:

• T 3.1 Loss of data confidentiality/integrity as a result of IT user error

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.
In the following, the countermeasure group "Organisation" is set out:

Organisation:

• S 2.1 (2) Specification of responsibilities and of requirements documents for IT uses
• S 2.2 (2) Resource management
• S 2.3 (2) Data media control
• S 2.4 (2) Maintenance/repair regulations
• S 2.5 (1) Division of responsibilities and separation of functions
• S 2.6 (1) Granting of site access authorisations
• S 2.7 (1) Granting of (system/network) access rights
• S 2.8 (1) Granting of (application/data) access permissions
• S 2.9 (2) Ban on using non-approved software
• S 2.10 (2) Survey of the software held
• S 2.11 (1) Provisions governing the use of passwords
• S 2.12 (3) Services and counselling for IT users (optional)
• S 2.13 (2) Correct disposal of resources requiring protection
• S 2.14 (2) Key management
• S 2.37 (2) Clean desk policy
• S 2.39 (2) Response to violations of security policies
• S 2.40 (2) Timely involvement of the staff/factory council
• S 2.62 (2) Software acceptance and approval Procedure
• S 2.69 (2) Establishing standard workstations
• S 2.110 (2) Data privacy guidelines for logging procedures
• S 2.167 (2) Secure deletion of data media

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update: October 2000