S 1.9 Hardware and software management
Description
In order to reach the required and desired level of security in the entire IT organisation, it is not enough to just secure the individual IT components. On the contrary, it is also necessary to design all processes and procedures associated with these IT systems so that the desired level of IT security is reached and maintained. Therefore, it is necessary to introduce and enforce rules applying to all these processes and procedures that guarantee the effectiveness of the security safeguards.
This module focuses on the rules and regulations applying specifically to information technology hardware or software components with the goal of ensuring proper management and organisation of IT operations. Security should be an integral part of the total life cycle of an IT system or IT product.
Threat scenario
The following typical threats to IT-Grundschutz are examined in this module:
Force Majeure
| T 1.1 | Loss of personnel |
| T 1.2 | Failure of the IT system |
| T 1.4 | Fire |
| T 1.5 | Water |
| T 1.8 | Dust, soiling |
| T 1.19 | Failure of a service provider or supplier |
Organisational Shortcomings
| T 2.1 | Lack of, or insufficient, rules |
| T 2.2 | Insufficient knowledge of rules and procedures |
| T 2.4 | Insufficient monitoring of security safeguards |
| T 2.6 | Unauthorised admission to rooms requiring protection |
| T 2.7 | Unauthorised use of rights |
| T 2.9 | Poor adjustment to changes in the use of IT |
| T 2.10 | Data media are not available when required |
| T 2.15 | Loss of confidentiality of sensitive data in the UNIX system |
| T 2.21 | Inadequate organisation of the exchange of users |
| T 2.22 | Lack of or insufficient evaluation of auditing data |
| T 2.24 | Loss of confidentiality of sensitive data of the network to be protected |
| T 2.67 | Incorrect administration of site and data access rights |
Human Error
| T 3.1 | Loss of data confidentiality or integrity as a result of user error |
| T 3.2 | Negligent destruction of equipment or data |
| T 3.3 | Non-compliance with IT security measures |
| T 3.5 | Inadvertent damaging of cables |
| T 3.6 | Hazards posed by cleaning staff or outside staff |
| T 3.8 | Improper use of the IT system |
| T 3.9 | Improper IT system administration |
| T 3.11 | Improper configuration of sendmail |
| T 3.17 | Incorrect change of PC users |
| T 3.35 | Disabling the server while in operation |
| T 3.44 | Carelessness in handling information |
Technical Failure
| T 4.10 | Complexity of access possibilities to networked IT systems |
| T 4.13 | Loss of stored data |
| T 4.22 | Software vulnerabilities or errors |
| T 4.31 | Failure or malfunction of a network component |
| T 4.35 | Insecure cryptographic algorithms |
| T 4.38 | Failure of components of a network management system or system management system |
| T 4.39 | Software design errors |
| T 4.43 | Undocumented functions |
Deliberate Acts
| T 5.1 | Manipulation or destruction of equipment or accessories |
| T 5.2 | Manipulation of information or software |
| T 5.4 | Theft |
| T 5.9 | Unauthorised use of IT systems |
| T 5.21 | Trojan horses |
| T 5.23 | Malicious software |
| T 5.26 | Analysis of the message flow |
| T 5.68 | Unauthorised access to active network components |
| T 5.71 | Loss of confidentiality of classified information |
| T 5.82 | Manipulation of a cryptomodule |
| T 5.83 | Compromising cryptographic keys |
| T 5.84 | Forged certificates |
| T 5.87 | Web spoofing |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
An IT system consists of a number of IT components that need to be protected initially as individual components according to the safeguards suggested in the corresponding modules. In order to reach the same security level on all IT components used, uniform rules should be prescribed by hardware and software management.
A series of safeguards need to be implemented in the context of hardware and software management, regardless of the type of IT components used, starting from the design and purchasing phases and continuing through to the operation phase. The steps to be followed in this case as well as the safeguards to implement in each phase are listed in the following.
Planning and design
IT security aspects must be considered at an early stage in the strategic development phase and when purchasing IT systems since they have very specific effects on the how tasks are executed and on the flow of business processes. When considering these aspects, the security requirements defined for the existing IT systems as well as the requirements resulting from the planned operational scenarios must be consolidated (see S 2.214 Concept of IT operations).
Specific rules for the purchase and use of hardware and software are required for the various users.
When using software, the users must be informed of the IT system security parameter settings required for secure business processes (see S 2.223 Security objectives for the use of standard software). Even if they have received intensive training, the users must be provided with specific and fast support during live operations when questions arise relating to the functionality the programs or security, as well as when problems are encountered (see S 2.12 Services and counselling for IT users). A User Support team and help desks should be set up to provide this support.
All safeguards necessary for the secure operation of the IT components must be specified in a security policy. In order to maintain the level of security specified in the security policy, it is necessary to specify an extensive set of rules for the users to provide the users with assistance and precise, binding instructions, in addition to implementing technical safeguards. It is also necessary to minimise potential risk factors and vulnerabilities such as passwords, external personnel, the use of unapproved IT components and access to the IT systems by implementing organisational policies or a combination of organisational and technical safeguards (see S 2.11 Provisions governing the use of passwords). The users must be sensitised at regular intervals to handling security-critical information and IT components with care.
The efficient and secure operation of heterogeneous networks requires strict guidelines in terms of the testing, installation and documentation of new hardware and software (see S 2.216 Approval procedure for IT components) as well as an efficient user administration (see S 2.30 Provisions governing the configuration of users and of user groups). In general, physical access to the IT systems as well as authentication of the users by the applications and systems (see S 2.220 Guidelines for access control) should only be granted according to the need-to-know principle.
The use of external data media can pose a high security risk since it is easy in many cases to bypass or overcome supposedly effective security barriers. Rules for the use, labelling, and testing of diskettes, CD-ROMs, memory sticks and other devices connected via USB (for viruses, for example) used for the purpose of exchanging data also help to maintain secure IT operations (see S 2.3 Data media control).
The task of change management is to subject all changes made to current configurations to a formal documentation and approval process (see S 2.221 Change management). In change management, aspects critical to security also need to be evaluated in addition to the execution according to the two-person rule and the current documentation of the changes. This also means that only approved components should be allowed to be used because it is impossible to monitor and control operations otherwise (see S 2.9 Ban on using non-approved hardware and software).
Purchasing
When purchasing IT systems, the requirements for the particular products resulting from the concept must be formulated, and suitable products must be selected based on these requirements. Formal approval of a new product (see S 2.62 Software acceptance and approval procedure) should be preceded by a functional test and a consistency check to verify that the product possesses the required security properties (see S 4.65 Testing of new hardware and software).
Implementation
The implementation of the security policy for operations requires the specification of security safeguards to be taken during installation and initial configuration (see S 4.135 Restrictive granting of access rights to system files) as well as during live operation of the IT systems.
The structured storage of data, including consistent separation of program and work files (see S 2.138 Structured data storage), should take place on largely uniform system configurations. In turn, the use of uniform configurations allows a central system administration system to be used (see S 2.69 Establishing standard workstations).
Consistent and comprehensive system administration, including during downtimes and when personnel are ill or on holiday, can be ensured by making corresponding employee substitution arrangements (see S 2.26 Appointment of an administrator and his deputy). The substitute must be clear as to which authorities he/she has in the corresponding role.
The documentation of the system configuration must be understandable and kept up-to-date, and this documentation should be generated using a documentation tool (see S 2.25 Documentation of the system configuration). In addition to the physical IT components, it is also necessary to document the logical network structures as well as the roles and access rights.
Operation
The system administration is responsible for maintaining live operation and focuses on different aspects. Changes to the IT inventory resulting from migrations, failures and new equipment purchases (see S 4.78 Careful modifications of configurations) must be documented in the IT inventory list promptly after the changes are approved (see S 2.34 Documentation on changes made to an existing IT system and S 2.219 Continuous documentation of information processing).
The continuous monitoring and evaluation of operations (see S 2.10 Audit of the hardware and software inventory and S 2.64 Checking the log files) in terms of conformity and possible security violations, as well as implementing the corresponding security safeguards (see S 2.215 Error handling) requires a constant flow of information from the various manufacturers on corresponding updates (see S 2.35 Obtaining information on security weaknesses of the system). Installing the necessary security patches helps to reach the required level of security preventively as well (see S 2.273 Prompt installation of security-relevant patches and updates).
Disposal
When taking IT systems out of operation, it must be ensured that no important data is lost by backing it up before scrapping or disposing of the IT systems (see safeguard S 4.234 Orderly withdrawal from operation of IT systems and data media). However, it is almost more important to thoroughly erase the data media of such systems after backing up the data (see S 1.15 Deleting and destroying data) so that no unauthorised persons can obtain access to sensitive data after disposal or scrapping since you generally have no control over what happens to the IT systems afterwards.
The bundle of security safeguards for the "Hardware and software management" area is presented in the following:
Planning and design
| S 2.3 | (B) | Data media control |
| S 2.9 | (A) | Ban on using non-approved hardware and software |
| S 2.11 | (A) | Provisions governing the use of passwords |
| S 2.12 | (C) | Services and counselling for IT users |
| S 2.24 | (Z) | Introduction of a PC Checklist Booklet |
| S 2.30 | (A) | Provisions governing the configuration of users and of user groups |
| S 2.214 | (A) | Concept of IT operations |
| S 2.216 | (C) | Approval procedure for IT components |
| S 2.218 | (C) | Procedures regarding the personal transportation of data media and IT components |
| S 2.220 | (A) | Guidelines for access control |
| S 2.221 | (A) | Change management |
| S 2.223 | (B) | Security objectives for the use of standard software |
| S 4.133 | (Z) | Appropriate choice of authentication mechanisms |
| S 4.134 | (Z) | Selection of suitable data formats |
| S 4.434 | (C) | Secure use of appliances |
| S 5.68 | (Z) | Use of encryption procedures for network communications |
| S 5.77 | (Z) | Establishment of subnetworks |
Purchasing
| S 2.62 | (B) | Software acceptance and approval procedure |
Implementation
| S 1.29 | (Z) | Adequate siting of an IT system |
| S 1.32 | (B) | Suitable locations for printers and copiers |
| S 2.25 | (A) | Documentation of the system configuration |
| S 2.26 | (A) | Appointment of an administrator and his deputy |
| S 2.38 | (B) | Division of administrator roles |
| S 2.69 | (B) | Establishing standard workstations |
| S 2.111 | (A) | Keeping manuals at hand |
| S 2.138 | (B) | Structured data storage |
| S 2.204 | (A) | Prevention of insecure network access |
| S 4.1 | (A) | Password protection for IT systems |
| S 4.7 | (A) | Change of preset passwords |
| S 4.65 | (C) | Testing of new hardware and software |
| S 4.84 | (A) | Use of BIOS security mechanisms |
| S 4.135 | (A) | Restrictive granting of access rights to system files |
| S 5.87 | (C) | Agreement regarding connection to third party networks |
| S 5.88 | (C) | Agreement regarding the exchange of data with third parties |
Operation
| S 1.46 | (Z) | Use of anti-theft devices |
| S 2.10 | (C) | Audit of the hardware and software inventory |
| S 2.22 | (Z) | Escrow of passwords |
| S 2.31 | (A) | Documentation of authorised users and rights profiles |
| S 2.34 | (A) | Documentation on changes made to an existing IT system |
| S 2.35 | (B) | Obtaining information on security weaknesses of the system |
| S 2.64 | (A) | Checking the log files |
| S 2.65 | (C) | Checking the efficiency of user separation on an IT system |
| S 2.110 | (A) | Data protection guidelines for logging procedures |
| S 2.215 | (B) | Error handling |
| S 2.219 | (A) | Continuous documentation of information processing |
| S 2.273 | (A) | Prompt installation of security-relevant patches and updates |
| S 2.402 | (Z) | Resetting passwords |
| S 4.78 | (A) | Careful modifications of configurations |
| S 4.107 | (B) | Use of the vendor resources |
| S 4.109 | (Z) | Software reinstallation on workstations |
| S 4.254 | (Z) | Secure usage of wireless keyboards and mice |
| S 4.306 | (Z) | Handling of password storage tools |
| S 4.345 | (Z) | Protection against undesired outflows of information |
| S 5.150 | (Z) | Performing penetration tests |
Disposal
| S 2.167 | (B) | Selecting suitable methods for deleting or destroying data |
| S 4.234 | (B) | Orderly withdrawal from operation of IT systems and data media |
Contingency Planning
| S 6.27 | (C) | Secure update of BIOS |
| S 6.137 | (Z) | Trusted storage (escrow) |