IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection of Generic Components
_________________________________________________________________________________________
Supplementary security analysis
The standard security safeguards aimed at securing baseline protection will normally provide a
reasonable and sufficient level of protection. However, if the protection requirement is high or very
high it may be appropriate to check whether more stringent IT security safeguards are needed either in
addition to or instead of the safeguards required to achieve IT baseline protection. To select a set of
suitable IT security safeguards, a supplementary security analysis is performed. This can entail the use
of a variety of methods, for example,
- risk analysis,
- penetration testing and
- differential security analysis.
An overview of these methods is presented in Section 2.5. The successful carrying out of the
supplementary security analysis depends critically on the expertise of the project team. It may
therefore be appropriate to employ the services of specialist external consultants.
Implementation of IT security concepts
A satisfactory level of IT security can only be established if existing weaknesses are ascertained in the
security analysis, the status quo is determined in a security concept, the safeguards that are necessary
are identified and, above all, these safeguards are also implemented systematically. Section 2.6
describes the factors which should be considered when planning the implementation of IT security
safeguards.
IT Baseline Protection Certification
The IT Baseline Protection Manual is used today not only to assist in drawing up IT security concepts
but also increasingly as a reference work in the sense of a security standard. By achieving IT Baseline
Protection certification, an organisation can provide documentary evidence to the outside world that it
has implemented IT baseline protection to the depth required. Section 2.7 introduces the idea of IT
Baseline Protection Certification and defines the certification scheme that this entails. The certification
level is assigned to one of three different classes which differ both in relation to quality (i.e. the degree
of implementation of security safeguards that is necessary) and to assurance. The lowest level can be
demonstrated by an employee of the agency/company, while the highest level requires testing by an
independent third party.
_________________________________________________________________________________________
IT-Baseline Protection Manual: Otober 2000