New functions in the 13th version of the IT-Grundschutz Catalogues
Further development as needed
The IT-Grundschutz Catalogues were developed further as needed based on the annual survey of the needs of registered users. The new and revised modules address the following topics:
General building
Module S 2.1 General building was completely revised on the basis of the previous module so that, as the basic module in the Infrastructure field, it is the starting point for all other layer 2 modules. The module covers the protection of all buildings that form the outer frame within which business processes are conducted. A building encloses the stationary workplaces, the information processed there, and the other resources of an organisation, including the information technology used, and must provide adequate external protection for all of these.
Revision Local workplace
Together with module S 2.1 General building, module S 2.3 Office / local workplace was revised with the same orientation. The module does not focus on offices alone: local workplaces are the areas where employees are located in order to perform their tasks, and they differ greatly from one organisation to another. They may include, for example, production environments or sales areas.
Windows Server 2008
Microsoft Windows Server 2008 can be used as the operating system for servers with a wide range of tasks, from Windows domain controllers, Active Directory servers and database servers to application servers or infrastructure services such as DHCP, DNS, or VPN. Module S 3.109 Windows Server 2008 shows a systematic way of drawing up a concept for the secure operation of Windows Server 2008 systems in an organisation.
Client under Mac OS X
Module S 3.211 Client under Mac OS X deals with the client operating system Mac OS X from Apple. This module is based on the "Snow Leopard" client version (Mac OS X 10.6), but can be applied to all versions of Mac OS X in which the software components discussed (e.g. FileVault in version 10.3 and higher, Dashboard in version 10.4 and higher, or Time Machine in version 10.5 and higher) are available.
Client under Windows 7
Module S 3.212 Client under Windows 7 complements the series of modules dealing with the secure use of Windows operating systems on client PCs. The present module addresses the Windows 7 client operating system. It makes the user aware of conceptual security aspects as well as of security recommendations for specific configuration settings.
Revision of Lotus Notes / Domino
Lotus Notes is a groupware platform for communication, collaboration, and information management. Module S 5.5 Lotus Notes / Domino was revised. The changes to the software were taken into account, and releases 8.0.x and 8.5.x were focused on in particular. However, the majority of the considerations are also applicable to earlier releases.
Revision of Microsoft Exchange/Outlook
Microsoft Exchange is a groupware system which, together with the Outlook email client, supports communication in both large and small groups. Module S 5.12 Microsoft Exchange/Outlook was revised. The recommendations of this module focus on the functions of Microsoft Exchange 2010 and Microsoft Outlook 2010, but can be applied similarly to previous and subsequent versions as well.
OpenLDAP
Module S 5.20 OpenLDAP addresses the basic security properties of OpenLDAP. OpenLDAP is a freely available directory service that provides information about objects in an IT network, for example users or computers, in a defined manner.
Web applications
In order to adequately protect web applications, module S 5.21 Web applications was developed in cooperation with the German Chapter of the Open Web Application Security Project (OWASP). Web applications are attacked with increasing frequency, while at the same time more and more services are offered by means of web applications. This module, requested by many IT-Grundschutz users, provides very specific and extensive recommendations for the protection of web applications.
Logging
Module S 5.22 Logging describes what must be taken into consideration when recording security-relevant events. The aim of logging is to be able to trace significant changes to IT systems and applications so that their security can be assessed. Logging is used in many information systems in order to promptly identify hardware and software problems and resource bottlenecks. However, security problems and attacks on the services operated can also be traced on the basis of the logged data.
New threats and safeguards
Furthermore, various new safeguards and threats were added, relating for example to the following topics:
- S 1.74 EMC-compliant power supply
- S 4.432 Secure configuration of server applications
- S 4.435 Self-encrypting hard disks
- S 5.173 Use of short URLs and QR codes
Module S 1.5 Data protection
Up to now, module S 1.5 Data protection was not directly integrated into the IT-Grundschutz Catalogues, but was provided as part of the loose-leaf collection, printed out as required and uploaded as a module to the GSTOOL. Handling and use of this module are made significantly easier by its complete integration into the IT-Grundschutz Catalogues, which is therefore implemented in this version. However, the module is still not an integral part of the certification according to ISO 27001 based on IT-Grundschutz.
Modules removed
Along with the modules added in the 13th version, some modules were removed, namely S 3.105 Servers under Novell Netware version 4.x, S 3.106 Servers under Windows 2000, and S 3.207 Client under Windows 2000. For users who still operate these old versions, or who intend to use these modules as a basis for drawing up security considerations for newer versions, the modules will continue to be available for download in the Resources for IT-Grundschutz.
Review questions
With the 13th version, review questions were introduced for all modules. Review questions are found at the end of the majority of the safeguards. They are formulated so that they can be used as a final checklist for checking the implementation of the safeguards. They state the objective and the basic orientation of the security recommendations and can be used as the basis for audits and certification audits. Once all review questions have been answered, it can be stated to what extent the objectives of the individual modules are fulfilled in the organisation.
Review questions were not introduced for every safeguard, because the questions are not intended for designing security concepts but for checking the security safeguards that have been implemented. For example, the safeguards in the "Purchasing" life cycle phase contain no review questions, because they formulate security recommendations to be observed before systems are purchased; within the framework of an audit, however, it can only be checked whether the existing systems are operated securely.
Updates and revisions
Furthermore, numerous individual threats and safeguards were updated to reflect new developments in technology, new threat scenarios, and new developments in information security.
No other structural changes were made in this updated version. The numbers of the existing threats and safeguards have been retained so that a security concept drawn up in the previous year on the basis of the IT-Grundschutz Catalogues can be updated. However, it is still recommended to read the selected safeguards in full during the revision in order to take additions into account and to refresh one's knowledge of information security.