ebook img

IT-Grundschutz-catalogues 14th version - Draft PDF

4618 Pages·2016·13.49 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview IT-Grundschutz-catalogues 14th version - Draft

Foreword 14. EL Foreword The revelations by Edward Snowden and the corresponding consequences for IT security of companies and authorities have been a predominant topic in the IT security scene. In the beginning of 2014, two cases of identity theft became known, the magnitude of which marked a turning point in the area of IT-supported mass attacks. The responsible IT persons of companies and authorities are exposed to even more sophisticated attacks that – due to the practices of the attackers – can only be detected with a great deal of effort. Particularly in companies and authorities, the protection of company data is of existential importance because the business operations can be disturbed and even disrupted in case of massive impairments or outages of the systems. Furthermore, there can also be financial damage that may reach considerable magnitudes rapidly. When using cloud computing, availability, confidentiality and integrity of information can be affected in particular. Securing of cloud applications still represents a great challenge for organisations. The IT-Grundschutz of the BSI offers a proven safeguard catalogue that enables companies and authorities to provide reliable protection of their IT systems against digital attacks. The IT-Grundschutz catalogues include organisational, technical, personnel-related and infrastructure-related recommendations that are of basic importance for security of all company data. Due to the dynamic developments in the field of IT and the corresponding cyber threats, the IT-Grundschutz modules are subject to continuous updating. The present 14th version reflects the current state of the art. Furthermore, it considers requests from the user group of IT-Grundschutz. This resulted, among others things, in four modules on the secure application of cloud computing, on cloud management, on storage solutions / cloud storage, and on web services. These can be used to show the specific properties of cloud applications, platforms such as abstraction of the resources, elasticity, service-oriented architecture, secure orchestration and automation of processes as well as prioritisation and de-provisioning of IT resources in IT-Grundschutz. The IT-Grundschutz recommendations for security of cloud applications provide a secure and well-founded basis for cloud solutions of organisations right from the beginning. In addition to the topic of cloud computing, the 14th version also includes further important updates. The topic of mobile end devices has been revised completely in IT-Grundschutz, i.e. the modules "Mobile telephones" and "Smartphones, tablets and PDAs". The module "General application", which deals with specialised application software, is newly integrated. Furthermore, the module "Awareness and training" has been revised. Both modules were kindly provided by IT-Grundschutz users. During the past two decades, IT-Grundschutz has developed into one of the most successful standard works of the BSI, a large part of this positive development being provided by the users themselves. That is why I would like to take this opportunity to express my gratitude to the IT-Grundschutz users. Bonn, November 2014 Dr. Hartmut Isselhorst, President of Department C IT-Grundschutz Catalogues: 14. EL, 2014 1 Acknowledgements 14. EL Acknowledgements We will continue to develop the IT-Grundschutz Catalogues as needed based on the annual survey of the needs of registered users. At this point, we would like to thank the following persons involved for their cooperation in the further development of the IT-Grundschutz and their committed support regarding the continuation of the 14th version of the IT-Grundschutz Catalogues: Contents Persons Overall coordination and chief editorship Mr. Holger Schildt, BSI Editing Ms. Jessika Welticke, BSI Mr. Michael Förtsch, BSI Mr. Fabian Schelo, BSI Mr. Christoph Wiemers, BSI Revision of module M 1.13 Information security Ms. Isabel Münch, BSI awareness: Mr. Christian Aust, consecco Module M 1.17 Cloud use Mr. Marko Klaus, Computacenter AG & Co. oHG Ms. Antje Straube, Computacenter AG & Co. oHG Mr. Michael Broermann, Computacenter AG & Co. oHG Ms. Dr. Clemens Doubrava, BSI Mr. Dr. Patrick Grete, BSI Mr. Alex Essoh, BSI Module M 3.303 Storage solutions / cloud storage Mr. Marko Klaus, Computacenter AG & Co. oHG Ms. Antje Straube, Computacenter AG & Co. oHG Mr. Michael Broermann, Computacenter AG & Co. oHG Mr. Dr. Clemens Doubrava, BSI Mr. Dr. Patrick Grete, BSI Mr. Alex Essoh, BSI Module M 3.404 Mobile telephones Mr. Dr. Patrick Grete, BSI Module M 3.405 Smartphones, tablets and PDAs Mr. Holger Schildt, BSI Module M 5.23 Cloud management Mr. Erwan Smits, Atos Origin GmbH Mr. Dominic Mylo, Atos Origin GmbH Dr. Clemens Doubrava, BSI Mr. Alex Essoh, BSI Dr. Patrick Grete, BSI Module M 5.24 Web services Mr. Frank Rustemeyer, HiSolutions AG Mr. David Fuhr, HiSolutions AG Mr. Dominik Oepen, HiSolutions AG Mr. Alexander Papitsch, HiSolutions AG Mr. Christoph Puppe, HiSolutions AG Dr. Patrick Grete, BSI Dr. Clemens Doubrava, BSI Mr. Alex Essoh, BSI Module M 5.25 General applications Mr. Isabel Münch, BSI Mr. Martin Meints, Dataport IT-Grundschutz Catalogues: 14. EL, 2014 1 Acknowledgements 14. EL Contents Persons Quality assurance Mr. Sebastian Frank, Secumedia Mr. Christian Merz, BSI In addition to updating and revising modules, numerous individual threats and safeguards were updated to reflect new developments in technology, new threat scenarios, and new developments in information security. We would also like to thank those involved in this process as well. Furthermore, we would like to thank everyone who has contributed to improving IT-Grundschutz and the IT-Grundschutz Catalogues by providing constructive criticism and practical suggestions for improvement. The persons and organisations listed in the following were involved in updating and developing previous versions of the IT-Grundschutz Catalogues. We would like to thank these people as well: Companies and persons • State and Federal Technology for Data • Novell GmbH Protection Officers Work Group • Oracle Deutschland GmbH • Atos Origin • Orange Business Services Mr. Herbert Blaauw, Mr. Matthias Mönter Mr. Josef Ledermann Mr. Götz, Mr. Jaster, Mr. Pohl Andreas Sesterhenn, Jörg Stockmann • Open Web Application Security Project - German Chapter • AXA Versicherung AG Mr. Tobias Glemser (Tele-Consulting security • Industry Association OSE - Organisation pro | networking | training GmbH), Software Escrow Mr. Ralf Reinhardt (sic[!]sec GmbH) Dr. Michael Eggers • PERSICON Information Risk Management • ConSecur GmbH GmbH Mr. Nedon, Mr. Eckardt Mr. Knud Brandis, Mr. Willy Wauschkuhn, Prof. Dr. Rainer Rumpel, Mr. Knut Haufe • European Commission DG Information Society & Media • Röhm GmbH Chemische Fabrik Mr. Achim Klabunde Mr. Güldemeister, Data Protection Officer • EUROSEC GmbH • SerNet GmbH Mr. Fünfrocken, Ms. Martina Seiler Mr. Christoph Zauner Mr. Vetter, Dr. Zieschang • T-Systems International GmbH • KPMG AG Mr. Stephan Hüttinger, Mr. Torsten Kullich, Mr. Alexander Geschonneck Mr. Klaus Müller, Mr. Stefan Morkovsky, Mr. Axel Nennker, Mr. Norbert Vogel • Guide Share Europe "Data Protection and Data Security" Working • TÜViT GmbH Group Mr. Adrian Altrhein, Mr. Peter Herrmann, Mr. Stephan Klein, Mr. Mirco Przybylinski, Mr. • HiSolutions Software GmbH Jan Seebens, Dr. Anja Wiedemann Mr. Timo Kob, Mr. Ronny Frankenstein, • German Chemical Industry Association • HiSolutions AG Mr. Christoph Puppe, Mr. Enno Ewers, Mr. • Secumedia Frank Rustemeyer Mr. Elmar Török • INFODAS GmbH • SIZ Dr. Gerhard Weck Mr. Gerhard Müller, Mr. Detlef Zimmer, Mr. IT-Grundschutz Catalogues: 14. EL, 2014 2 Acknowledgements 14. EL Companies and persons • Mink Consulting Engineers Ulrich Schmidt • Microsoft Germany GmbH • Symantec Germany GmbH • Networkers AG • VZM GmbH Mr. Ludger Hötting, Mr. Oliver Redeker, Mr. Mr. Bruno Hecht, Mr. Werner Metterhausen, Marcel Zamzow Mr. Rainer von zur Mühlen The following authors have incorporated their expert knowledge into the IT-Grundschutz Catalogues by writing corresponding modules. They deserve special thanks since their commitment enabled the creation and development of the IT-Grundschutz Catalogues in the first place. Federal Ministry of the Interior: Mr. Jörg-Udo Aden, Mr. André Reisen, Mr. Manfred Kramer, Dr. Christian Mrugalla, Dr. Lydia Tsintsifa Federal Ministry of Education and Research: Mr. Frank Stefan Stumm Federal Office for Information Security: Mr. Heinz Altengarten, Mr. Rainer Belz, Mr. Thomas Biere, Ms. Steffi Botzelmann, Ms. Elke Cäsar, Mr. Thomas Caspers, Mr. Markus de Brün, Mr. Björn Dehms, Mr. Thorsten Dietrich, Mr. Uwe Dornseifer, Dr. Clemens Doubrava, Mr. Günther Ennen, Mr. Olaf Erber, Mr. Alex Didier Essoh, Mr. Frank W. Felzmann, Mr. Michael Förtsch, Dr. Kai Fuhrberg, Mr. Heinz Gerwing, Dr. Patrick Grete, Mr. Karl Greuel, Mr. Thomas Häberlen, Dr. Dirk Häger, Dr. Timo Hauschild, Mr. Florian Hillebrand, Dr. Hartmut Isselhorst, Ms. Angelika Jaschob, Mr. Harald Kelter, Mr. Kurt Klinner, Dr. Robert Krawczyk, Mr. Michael Mehrhoff, Mr. Christian Merz, Ms. Isabel Münch, Ms. Sabine Mull, Dr. Frank Niedermeyer, Dr. Harald Niggemann, Mr. Daniel Nowack, Mr. Michael Otter, Mr. Jonas Paulzen, Mr. Robert Rasten, Ms. Martina Rohde, Ms. Gabriele Scheer-Gumm, Mr. Fabian Schelo, Ms. Cornelia Schildt, Mr. Holger Schildt, Dr. Arthur Schmidt, Dr. Willibald Schneider, Mr. Heiner Schorn, Dr. Ernst Schulte-Geers, Mr. Carsten Schulz, Mr. Bernd Schweda, Ms. Petra Simons-Felwor, Mr. Martin Telzer, Mr. Berthold Ternes, Mr. Hristoforos Thomaidis, Ms. Katja Vogel, Ms. Anne-Kathrin Walter, Mr. Frank Weber, Mr. Helmut Weisskopf, Ms. Jessika Welticke, Mr. Maximilian Winkler as well as: Mr. Markus Balkenhol, Mr. Marcel Birkner, Mr. Werner Blechschmidt, Ms. Anastasia Eifer, Mr. Mounir Guiche, Mr. Tobias Hödtke, Mr. Björn Jacke, Ms. Sabine Kammerhofer, Mr. Thomas Ledermüller, Mr. Tim Lemmen, Dr. Marie-Luise Moschgath, Mr. Joachim Pöttinger, Mr. Philipp Rothmann, Mr. Michael Ruck , Mr. Michael Schwank, Mr. Ranbir Singh Anand, Mr. Markus Steinkamp, Mr. Felix Stolte, Dr. Stefan Wolf Special thanks for decades of organisation of IT-Grundschutz and long-term overall coordination and editorship up until 2013 go to Ms. Isabel Münch. IT-Grundschutz Catalogues: 14. EL, 2014 3 New functions in the 14th version of the IT-Grundschutz Catalogues New functions New functions in the 14th version of the IT-Grundschutz Catalogues Further development as needed The IT-Grundschutz Catalogues are developed further as needed based on the annual survey of the needs of registered users. The new and revised modules address the following topics: Revision of Information security awareness and training The revised module M 1.13 Information security awareness and training describes how to create and maintain an efficient information security awareness and training programme. Both awareness and training measures are required to teach the employees the required knowledge. Here, reasonable information security of all employees should be internalised as a natural part of their working environment. Cloud use The module M 1.17 Cloud use is intended for all types of cloud service users and mainly refers to two scenarios: In the first scenario an organisation provides its users with certain cloud services that are either provided by the organisation itself or that are purchased from third parties. If such organisation implements the IT-Grundschutz, then it will make demands on the provider regarding the information security and the information security management system (ISMS). In the second scenario an organisation uses the cloud services of a third party (e.g. security as a service) and is required to integrate such services into its own IT landscape. The requirements for information security and the ISMS are slightly different and are also dealt with in this module. Revision of Storage solutions / cloud storage Many parts of the module M 3.303 Storage solutions / cloud storage are based on the existing module "Storage systems and storage networks" and add new storage concepts that are used for cloud computing such as Fibre Channel (FC), Fibre Channel over Ethernet (FCoE), NFS, Cloud Storage or Object Storage. The security mechanisms of the appropriate protocols are explained in detail. Revision of Mobile telephones Mobile telephones are integral elements of today's communication infrastructure. This poses the question of how to use them securely. The module M 3.404 Mobile telephones considers digital mobile radio systems based on the GSM standard (D and E networks) as well as UMTS and LTE. These mobile radio standards mainly differ in the frequency range of the radio connection used and the correspondingly applied duplex techniques. Such techniques also result in different bit rates. Revision of smartphones, tablets and PDAs The module M 3.405 Smartphones, tablets and PDAs deals with mobile end devices for collection, processing and communication of data. They come in different categories with varying dimensions and performance features. Amongst other things, these include: Organisers, PDAs, smartphones and tablets. When using sub-notebooks (netbooks, ultrabooks etc.) or tablets, also the module M 3.203 Laptops should be implemented. Cloud management The module M 5.23 Cloud management summarises the cloud-specific security aspects of IT management regarding information security, and provides a holistic view of the same. For example, cloud management does not replace, but accesses the management of networks, system and storage. These areas are already dealt with in the corresponding modules. Thus, the new module focuses on the security aspects that are connected to the original properties of cloud computing such as multi-client capability, orchestration and automation of processes as well as provisioning and/or de-provisioning of IT resources. IT-Grundschutz Catalogues: 14. EL, 2014 1 New functions in the 14th version of the IT-Grundschutz Catalogues New functions Web services The module M 5.24 Web services shows the specific risks of a service-oriented architecture (SOA) and recommends measures for secure provisioning of web services. In addition to SOAP-based (Simple Object Access Protocol) web services, the REST-based (Representational State Transfer) web services in particular are addressed in detail. General application The module B 5.25 General applications deals with specialised application software. This includes individual software created by internal or external developers, standard software with internal adaptations, e.g. through program changes or through developing specific modules (customising) and standard software that is used as delivered by the manufacturer and that is configured in accordance with the specialised tasks and the security policies. Updates and revisions Furthermore, numerous individual threats and safeguards were updated to reflect new developments in technology, new threat scenarios, and new developments in information security. No other structural changes were made to this updated version. The numbers of the existing threats and safeguards have been retained so that it is possible to revise a security concept based on an earlier version of the IT-Grundschutz Catalogues. However, it is still recommended to read the selected safeguards completely during revision in order to take additions into account and to refresh our knowledge of information security. IT-Grundschutz Catalogues: 14. EL, 2014 2 1 IT-Grundschutz - The basis for information security 1 1 IT-Grundschutz - The basis for information security 1.1 Why is information security important? Information constitutes an essential asset for companies and government agencies and so requires adequate protection. Today, the majority of information is at least partially generated, stored, transported, or processed further with the help of information technology (IT). State-of-the-art business processes in the fields of economy and administration without IT support are no longer imaginable today. A reliably working information processing system is as indispensable for maintaining operations as the related technology. Inadequately protected information is a frequently underestimated risk factor that can threaten the existence of some organisations. At the same time, reasonable information protection and basic IT protection can be achieved with relatively modest resources. With the IT-Grundschutz, the BSI offers a simple method for appropriately protecting all an organisation's information. With a combination of the IT-Grundschutz approach in BSI standard 100-2 and the IT-Grundschutz Catalogues, the BSI provides both a collection of security safeguards and a corresponding methodology for selecting and adapting suitable safeguards for safe handling of information for most different application environments. Nowadays, almost all business processes and specialised tasks are controlled electronically. These processes and tasks store large amounts of information digitally, process it electronically, and transmit it in local and global networks, as well as in private and public networks. Many tasks and projects in the public or private sector cannot be implemented at all or can only be implemented in part without IT. As a result, many administrative and business organisations depend on the correct operation of the IT used. The corresponding goals of government agencies and companies can only be achieved when their IT is used properly and securely. As the level of dependency on IT increases, the potential damage to society caused by a failure of information technology also increases accordingly. Since IT systems are never completely free of vulnerabilities, there is a justifiably great interest regarding the protection of the data and information processed by the IT and regarding the processes of planning, implementing, and monitoring their security. Here, it is important to not to only focus on the security of IT systems, because information security is not only a question of technology, but also greatly depends on the organisational and personnel boundary conditions. The security of the operating environment, the reliability of services, proper handling of the information to be protected, and many other important aspects must not be neglected. Deficiencies in the field of information technology may cause significant problems. Potential damage can be assigned to different categories. • Loss of availability: If basic information is not present, this is most often noticed quickly when tasks cannot be continued in the absence of this information. If an IT system is down, financial transactions cannot be executed, online orders cannot be placed, and production processes come to a halt, for example. However, even just limiting the availability of certain information can result in IT-Grundschutz Catalogues: 14. EL, 2014 1 1 IT-Grundschutz - The basis for information security 1 impairments of the processes of an organisation. • Loss of confidentiality of information: Each citizen wants his/her personal data to be treated confidentially. Each company knows that the competition is interested in internal, confidential data about turnover, marketing, research, and development. The accidental disclosure of information may cause serious damage in many areas. • Loss of integrity (correctness of the information): Falsified or manipulated data may cause erroneous bookings, incorrect deliveries, or faulty products, for example. Over the last few years, the loss of data authenticity as a component of data integrity has become increasingly important: data is assigned to the wrong person. For example, payment instructions or orders could be processed to the account of a third person, inadequately secured digital declarations of intent could be associated with the wrong persons, or someone’s "digital identity" could be forged. Information and communication technology plays an important role in more and more areas of daily life, with a consistently high speed of innovation over the past few years. The following developments are particularly worth mentioning: • Increasing level of networking: today, humans, but also IT systems, no longer operate isolated from each other and are in fact becoming increasingly networked. Networking allows access to shared databases and use of intensive forms of cooperation across geographic, political, or institutional boundaries. The result is not only dependence on the individual IT systems, but also a high level of dependence on the data networks. This in turn means that security deficiencies may quickly have global effects. • IT distribution and penetration: more and more areas are supported by information technology, often without this support even being noticed. The necessary hardware is becoming increasingly compact and inexpensive so that small and miniature IT units can be integrated into all aspects of daily life. For example, there are jackets with integrated PDAs, RFIDs for controlling the flow of visitors or goods, and IT-based sensors in cars in order to be able to automatically adjust to changes in the environment. The various IT components communicate with each other more and more frequently over wireless connections. This way, even everyday objects can be localised and controlled via the internet. • Disappearance of network borders: until recently, it was possible to clearly limit business processes and applications to specific IT systems and the communication routes between these systems. Likewise, it was also possible to determine where the systems were located and to which organisation they belonged. Due to globalisation and the increasing use of wireless and spontaneous communication, it is becoming more and more difficult to detect borders between these systems. • Attacks come more quickly: The best way to prevent computer viruses, Trojan horses, or other attacks to IT systems, application programs, and protocols is to obtain the most recent information on security gaps and how to eliminate them, e.g. by installing patches or updates. However, the time between the announcement of a security gap and the first targeted large-scale attacks is constantly decreasing, which means it is becoming more and more important to have a well-staffed information security management team and a warning system. • Higher interactivity of applications: Under the heading Web 2.0, previously existing technologies are combined in order to create new application and use models this way. This includes the most diverse fields of application such as new, social communication platforms, portals for the joint use of information, photos, and videos, or interactive web applications. Due to the increased integration of user feedback, information is not only distributed faster, but it is also more difficult to control its disclosure. • Responsibility of the users: The best technology and quickest elimination of security gaps do not result in sufficient information security, unless humans are considered as a risk factor in so doing. This is not only about being able to identify security-critical situations, but also about the responsible behaviour of the individual. For this, it is necessary to dispose of knowledge regarding IT-Grundschutz Catalogues: 14. EL, 2014 2 1 IT-Grundschutz - The basis for information security 1 security gaps and codes of conduct. Given the above-mentioned potential threats and the increasing dependence on IT, each organisation, regardless of whether it is a company or a government agency, must ask itself the following key questions relating to IT security: • How carefully is business-relevant information handled? • How secure is the information technology of the organisation? • Which security safeguards need to be adopted? • How do these safeguards need to be implemented specifically? • How does the organisation maintain and/or improve the level of security attained? • Are the personnel aspects of information security taken into consideration sufficiently? • What is the level of security of other organisations the organisation cooperates with? • Is there a contingency plan in order to be able to react quickly in the event of a threat? When searching for answers to these questions, it must be taken into consideration that information security is a combination of technical, organisational, personnel, and structural/infrastructural aspects. It makes sense to introduce an information security management team designing, coordinating, and monitoring the tasks related to information security. When comparing the business processes, applications, and IT systems of all organisations regarding the questions raised above, a special group would emerge. The approaches and IT systems in this group can be characterised as follows: • The approaches and IT systems are typical, meaning that they are not individual solutions, but rather commonly used. • The protection requirements of the information in terms of confidentiality, integrity, and availability are within the normal range. • The approaches and IT systems are subject to the usual general conditions and are therefore exposed to typical basic threats and hazards. If it were possible to identify the common denominator of all required security safeguards for this group of "typical" business processes, applications, and IT systems, i.e. the standard security safeguards, this would make answering the questions raised above for these "typical" application cases much easier. Areas outside of this group, regardless of whether they are rare, custom solutions, or IT systems with high protection requirements, can be based on the standard security safeguards, but will ultimately need to be examined individually. The IT-Grundschutz Catalogues describe these standard security safeguards in detail, which should be taken into consideration for practically every IT system. The catalogues contain: • standard security safeguards for typical business processes, applications, and IT systems with "normal" protection requirements, • a description of the threat scenarios usually applicable, and • detailed descriptions of safeguards to facilitate their implementation. A comprehensive description of the process for achieving and maintaining an adequate level of security, as well as a simple approach for determining the achieved level of security in the form of a target-actual comparison can be found in BSI standards 100-1, 100-2, and 100-3 for IT-Grundschutz. Since the IT-Grundschutz also proved popular on an international scale, the IT-Grundschutz Catalogues and the GSTOOL, as well as most of the other documents relating to IT-Grundschutz, are also available in digital form in the English language. IT-Grundschutz Catalogues: 14. EL, 2014 3

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.