S 1.1 Organisation
Description
This module presents generic and generally applicable organisational safeguards that, as standard organisational safeguards, are required to reach a minimum level of protection. Special organisational safeguards directly related to other safeguards (e.g. LAN administration) are contained in the corresponding modules. Standard security safeguards related to the proper management of information technology components (hardware or software) can be found in module S 1.9 Hardware and software management.
Threat scenario
The following typical threats to IT-Grundschutz are examined in this module:
Organisational Shortcomings
| T 2.1 | Lack of, or insufficient, rules |
| T 2.2 | Insufficient knowledge of rules and procedures |
| T 2.3 | Lack of, inadequate, incompatible resources |
| T 2.5 | Inadequate or non-existent maintenance |
| T 2.6 | Unauthorised admission to rooms requiring protection |
| T 2.7 | Unauthorised use of rights |
| T 2.8 | Uncontrolled use of resources |
Human Error
| T 3.1 | Loss of data confidentiality or integrity as a result of user error |
| T 3.6 | Hazards posed by cleaning staff or outside staff |
Deliberate Acts
| T 5.1 | Manipulation or destruction of equipment or accessories |
| T 5.2 | Manipulation of information or software |
| T 5.3 | Unauthorised entry into a building |
| T 5.4 | Theft |
| T 5.5 | Vandalism |
| T 5.6 | Attack |
| T 5.16 | Threat during maintenance/administration work |
| T 5.68 | Unauthorised access to active network components |
| T 5.102 | Sabotage |
Method recommendation
To secure the information system examined, other modules must be implemented in addition to this module, with these modules being selected based on the results of the IT-Grundschutz modelling process.
A minimum level of protection can only be reached in an organisation when binding, organisation-wide rules for information security are specified. For this, it is necessary to implement a series of safeguards ranging from the specification and appointment of people to be responsible for individual objects (e.g. information, business processes, applications, and IT components) to issuing the corresponding organisational instructions, and up to handling operating resources requiring protection. The steps to be followed to maintain a continuous information security process, as well as the safeguards to be implemented in the respective steps are listed in the following.
Planning and design
Organisational measures must be specified and personnel assigned to initiate and implement the processes resulting from the security objectives and the security policies. Here, it is necessary to respect the rights of co-determination of the personnel representatives, if this is necessary (see S 2.40 Timely involvement of the staff/factory council). The various organisational levels and the personnel working in these levels require specific instructions and areas of responsibility in order to perform the processes affecting them (see S 2.225 Assignment of responsibility for information, applications, and IT components).
The strategic considerations must be defined in detail in an operating concept in terms of how they will be implemented in the company and/or government agency.
The use of the required resources must be aligned with the tasks to be performed and the security requirements and documented using a resource management system (see S 2.2 Resource management). The corresponding documentation must be complete and kept up-to-date at all times by corresponding processes.
One prerequisite for a functioning infrastructure that is also able to react appropriately to malfunctions includes regulations for purchasing replacement parts and contracting repair and maintenance work (see S 2.4 Maintenance / repair regulations). The maintenance contracts must contain binding specifications of the maintenance schedules and maintenance tasks to be performed for individual IT systems (or groups of systems), as well as the types of access necessary (remote, on-site) and the required response times of the contracted maintenance personnel adapted to the security requirements.
The division of tasks and the roles and functions required for this (see S 2.5 Division of responsibilities and separation of functions) must be organised in such a way that operative and monitoring functions are distributed to different people in order to minimise or completely eliminate conflicts of interest for the acting persons.
Operation
The concepts specified are to be written down in specific instructions that are then adopted for operations. Regulations relating to the employees must cover the entire career of an employee in the company from the day the employee started working until he leaves the organisation. The need-to-know principle and the two-person rule must be applied in order to ensure that the authorisations are assigned purposefully on the various levels (e.g. access to rooms, access to information systems), but are still practicable (see S 2.6 Granting of site access authorisations and S 2.7 Granting of (system/network) access).
These authorisations granted must be documented and supported using various methods such as, for example, the controlled and documented issuing of keys to authorised personnel only, access authentication, access control systems for high security areas, and supervision of the actions of external personnel (see S 2.16 Supervising or escorting outside staff/visitors). The assignment of roles to individuals or groups of people makes administration of the corresponding authorisations easier (see S 2.8 Granting of (application/data) access authorisations). When regulations are violated intentionally or unintentionally, the employees must know which information and escalation processes apply so that they can react purposefully to the violation (see S 2.39 Response to violations of security policies).
Disposal
Data media, operating resources, and materials subject to special protection requirements must be disposed of in such a way that no conclusions can be drawn regarding their use or content (see S 2.13 Correct disposal of resources requiring protection). Corresponding regulations must be specified to this end and, if necessary, the regulations should also apply to external companies. The corresponding data protection laws must be followed in all cases.
The bundle of security safeguards for the "Organisation" area are presented in the following.
Planning and design
| S 2.1 | (A) | Specification of responsibilities and provisions |
| S 2.2 | (C) | Resource management |
| S 2.4 | (B) | Maintenance / repair regulations |
| S 2.5 | (A) | Division of responsibilities and separation of functions |
| S 2.40 | (A) | Timely involvement of the staff/factory council |
| S 2.225 | (B) | Assignment of responsibility for information, applications and IT components |
| S 2.393 | (A) | Regulations concerning information exchange |
Operation
| S 2.6 | (A) | Granting of site access authorisations |
| S 2.7 | (A) | Granting of (system/network) access authorisations |
| S 2.8 | (A) | Assignment of access rights |
| S 2.16 | (B) | Supervising or escorting outside staff/visitors |
| S 2.18 | (Z) | Inspection rounds |
| S 2.37 | (C) | Clean desk policy |
| S 2.39 | (B) | Response to violations of security policies |
| S 2.177 | (Z) | Security during relocation |
| S 5.33 | (B) | Secure remote maintenance |
Disposal
| S 2.13 | (A) | Correct disposal of resources requiring protection |