The purpose of an information security concept is to implement the security strategy. The concept describes the planned approach for achieving an institution’s stipulated security objectives. The security concept is the central document in a company’s or public authority’s security process. Ultimately every concrete safeguard must be traceable back to the concept. For that reason a security concept must be carefully planned and implemented as well as regularly reviewed.
An IT security concept documents the results of BSI Standard 100-2 (IT-Grundschutz Methodology), which is why the project phases are geared towards this precise structure.
The following graphic shows the project phases for drawing up an IT security concept and explains individual working steps.
Project phase 1: IT security objectives and framework conditions
At the start of the project the IT security objectives and the legal and technical framework conditions are ascertained, documented and agreed for the client. The framework conditions to be stipulated then form the basis for the subsequent working packages for creating an IT security concept.
Project phase 2: IT structure analysis
The purpose of the IT structure analysis is to ascertain in advance the information needed for the next stages of the process right up to the creation of a security concept in accordance with IT-Grundschutz.
First, a rough classification of the applications, IT systems, rooms and communication connections is performed. Complexity is reduced by creating suitable groups of objects of the same type or configuration. The applications are then allocated to the IT systems that are required for their execution.
Project phase 3: Determining the protection requirements
The purpose of the protection requirements determination is to assess the level of protection that is adequate and appropriate for the business processes, the information processed, and the information technology used. For each application and the information processed with it, the potential damage which could occur as a result of the loss of confidentiality, integrity, or availability must be assessed. It is important to realistically assess any possible consequential damage. IT-Grundschutz defines three categories of protection requirements:
- “normal”, i.e. the impact of any loss or damage is limited and calculable
- “high”, i.e. the impact of any loss or damage may be considerable, or
- “very high”, i.e. the impact of any loss or damage may be of catastrophic proportions which could threaten the very survival of the organisation.
Project phase 4: IT-Grundschutz modelling
Detailed documents on the structure and the information domain and its required protection level are a prerequisite for applying the IT-Grundschutz Catalogues to the information domain. This information should be obtained before performing the steps described. To identify suitable security safeguards for the information domain examined, the modules in the IT-Grundschutz Catalogues only need to be associated with the corresponding target objects and subsections.
Project phase 5: Basic security check
The basic security check is an organisational tool which provides a quick overview of the existing security level. Interviews are used to establish and evaluate the current status of an existing information domain (modelled in accordance with IT-Grundschutz) in terms of the extent to which each relevant safeguard has been implemented (“unnecessary”, “yes”, “partially” or “no”). By identifying safeguards which have not yet been implemented or have only been partially implemented, it is possible to point out where there is room for improvement in the business processes and information technology being examined.
Project phase 6: Supplementary security analysis
A decision on whether additional risk analyses are required must be taken for all target objects of the information domain that
- have high or very high protection requirements in at least one of the three basic values – confidentiality, integrity, or availability – or
- could not be adequately associated (modelled) with the existing modules in the IT-Grundschutz Catalogues or
- are used in deployment scenarios (e.g. in environments or with applications) that were not foreseen in the scope of IT-Grundschutz.
This decision-making process (at management level) is referred to as the supplementary security analysis.
Project phase 7: Risk analysis
A risk analysis must be performed for all target objects selected for further observation during the supplementary security analysis. A risk analysis in accordance with the BSI Standard 100-3 “Risk Analysis based on IT-Grundschutz” is provided for in the course of the creation of the IT security concept.
The risk analysis involves an individual check of all selected components. Checks regarding the threats of the IT-Grundschutz Catalogues establish whether the respective risk for the individual target object is adequately covered by (a combination of) IT-Grundschutz safeguards or whether additional safeguards need to be implemented. Further checks are made as to whether the threats list comprises all relevant threats pursuant to the IT-Grundschutz Catalogues or whether further threats need to be identified and analysed. This risk analysis also involves establishing the interest unauthorised parties may have in abusing the systems. The threats are subjected to a qualitative assessment of the potential damage and allocated a probability of occurrence.
Project phase 8: Implementation plan
The approach under BSI Standards 100-1 to 100-4 automatically produces a list of safeguards in which deficiencies exist. However, further deficiencies beyond the scope of these BSI standards may also be documented. Over the course of the entire project a corresponding defect report containing the current deficiencies is compiled. This relates to deficiencies of all types (e.g. organisational defects, human error, structural deficiencies, hardware and software errors) that represent a threat or risk to IT security.
Based on the results of this basic security check the implementation of the safeguards that still exhibit deficiencies – i.e. those that have not yet been (fully) implemented – is planned. In the first instance the only safeguards relevant to planning are those of certificate levels A (entry), B (secondary) and C (certificate). Safeguards of certificate level Z (additional) are only used if they are deemed necessary following the supplementary risk analysis. The same also applies to any other additional safeguards that are defined in the scope of the supplementary risk analysis.
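As an added example (not part of the page, the BSI standards or the IT-Grundschutz tooling), the decision rules of phase 6 and phase 8 written out as a small Python module: which target objects are selected for a risk analysis, and which deficient safeguards from the basic security check enter the implementation plan. The class and function names and the safeguard ids are my own assumptions; real IT-Grundschutz safeguard numbers are not used.

```python
from dataclasses import dataclass

# Protection requirement categories defined by IT-Grundschutz (phase 3)
CATEGORIES = ("normal", "high", "very high")
BASIC_VALUES = ("confidentiality", "integrity", "availability")
STATUSES = ("unnecessary", "yes", "partially", "no")


@dataclass
class TargetObject:
    """One target object (application, IT system, room, connection) of the domain."""
    name: str
    requirements: dict              # basic value -> category; a missing value counts as "normal"
    modelled: bool = True           # could be associated with IT-Grundschutz modules (phase 4)
    foreseen_scenario: bool = True  # deployment scenario foreseen by IT-Grundschutz

    def needs_risk_analysis(self) -> bool:
        """Phase 6 rule: any one of the three criteria selects the object for phase 7."""
        for value in BASIC_VALUES:
            category = self.requirements.get(value, "normal")
            if category not in CATEGORIES:
                raise ValueError(f"{self.name}: unknown category {category!r} for {value}")
            if category in ("high", "very high"):
                return True
        return not self.modelled or not self.foreseen_scenario


@dataclass
class Safeguard:
    """A safeguard as recorded in the basic security check (phase 5)."""
    ident: str   # constructed placeholder id, not a real IT-Grundschutz safeguard number
    level: str   # certificate level "A", "B", "C" or "Z"
    status: str  # implementation status established in the interviews

    def __post_init__(self):
        if self.level not in ("A", "B", "C", "Z") or self.status not in STATUSES:
            raise ValueError(f"{self.ident}: invalid level or status")


def deficiencies(safeguards):
    """Safeguards not (fully) implemented; 'unnecessary' and 'yes' are no deficiency."""
    return [s for s in safeguards if s.status in ("partially", "no")]


def implementation_plan(safeguards, z_required=frozenset()):
    """Phase 8: plan all A/B/C deficiencies; Z only if the risk analysis demanded it."""
    return [s.ident for s in deficiencies(safeguards)
            if s.level in ("A", "B", "C") or (s.level == "Z" and s.ident in z_required)]
```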