S 2.24 Introduction of a PC Checklist Booklet
Initiation responsibility: IT Security Officer
Implementation responsibility: Head of IT, IT Security Officer
The first step in creating an IT security concept is to obtain an overview of the existing IT systems, applications, and data. In small organisations it is usually most effective to start from the existing IT systems, so a corresponding overview should be available. One way to obtain it is to introduce an IT checklist booklet for every IT system, in which the most important information about that system is recorded.
The IT checklist booklet should give the persons responsible for IT an overview of the IT systems in the organisation and enable them to react quickly and effectively to problems. It is particularly useful in very small organisations with just a few IT systems, where an extensive structure analysis is not worthwhile. Initially, the following information should be recorded for each IT system:
- name/designation of the IT system (e.g. inventory number)
- contact person in case of problems, for example service and hotline numbers in case the system fails and for maintenance purposes
- information on the operating system
- information on the virus scanner
- location of the system (which room)
- overview of the most important information stored on the system and on the applications running on the system
- protection requirement based on the basic security values of confidentiality, integrity, and availability
- information on the system installation and the system configuration
- list of the accessories available
- records of all maintenance and repairs performed
- method used to perform the data backups
Note: The printers connected directly to terminal devices should not be recorded as separate components but recorded as part of the corresponding terminal device instead. They can be listed in the IT checklist booklet under the "Peripherals" or "Hardware" heading.
IT systems of the same type, for example user PCs, can also be assigned to a single group. Mobile phones, PDAs and similar devices should also be recorded in IT checklist booklets, with the fields of the booklet adapted accordingly.
The most important information for the telephone systems and data network connections should also be documented in the form of an IT checklist booklet.
To document the protection requirement of the IT system, the IT checklist booklet should state for every major application if the application processes personal data, for example. The protection requirement should be specified depending on the basic values of confidentiality, integrity, and availability.
In addition, the IT security safeguards implemented on the IT system can be documented to enable a quick reaction in the event of damage.
The IT checklist booklets should be maintained by the security management or by the administrator. They may also be filled out by employees, but then the changes need to be checked and the booklets themselves must be checked for completeness. Since numerous entries are repeated for IT systems of the same type, e.g. PCs, it helps to maintain the IT checklist booklets electronically. IT checklist booklets should be stored at a central location, but also be locally available, if possible.
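When the booklets are kept electronically, the completeness check mentioned above can be automated. The following script is an added example, not part of the safeguard text or of any BSI tool: it models a booklet as a record with one field per item in the list above, lets systems of the same type share a template, and reports missing fields, protection requirements that are absent or outside the scale, applications that do not state whether they process personal data, and booklets that have not been updated for a long time. The three-level protection scale, the `last_updated` field and the sample booklets are assumptions made for the example.

```python
"""Completeness check for electronically maintained IT checklist booklets (added example)."""
from datetime import date

# One required field per item in the safeguard's list of booklet contents.
REQUIRED_FIELDS = (
    "designation",                # name / inventory number
    "contact",                    # service and hotline numbers
    "operating_system",
    "virus_scanner",
    "location",                   # room
    "applications",               # important data and applications on the system
    "protection_requirement",     # per basic value C / I / A
    "installation_configuration",
    "accessories",                # peripherals such as a directly attached printer
    "maintenance_log",            # all maintenance and repairs performed
    "backup_method",
)
BASIC_VALUES = ("confidentiality", "integrity", "availability")
# Assumed three-level scale; the safeguard text does not prescribe one.
PROTECTION_LEVELS = {"normal", "high", "very high"}


def check_booklet(booklet, today, max_age_days=365):
    """Return a list of findings for one booklet; an empty list means it is complete."""
    name = booklet.get("designation") or "<unnamed>"
    findings = []

    for field in REQUIRED_FIELDS:
        if booklet.get(field) in (None, "", [], {}):
            findings.append(f"{name}: missing field '{field}'")

    requirement = booklet.get("protection_requirement") or {}
    for basic_value in BASIC_VALUES:
        level = requirement.get(basic_value)
        if level is None:
            findings.append(f"{name}: no protection requirement for {basic_value}")
        elif level not in PROTECTION_LEVELS:
            findings.append(f"{name}: unknown protection level '{level}' for {basic_value}")

    # Every major application must state whether it processes personal data.
    for app in booklet.get("applications") or []:
        if "personal_data" not in app:
            findings.append(f"{name}: application '{app.get('name', '?')}' "
                            "does not state whether it processes personal data")

    # 'last_updated' is an assumed extra field used to spot neglected booklets.
    updated = booklet.get("last_updated")
    if updated is None:
        findings.append(f"{name}: no last_updated date")
    elif (today - updated).days > max_age_days:
        findings.append(f"{name}: not updated for {(today - updated).days} days")

    return findings


def check_all(booklets, today):
    """Map each booklet's designation to its findings."""
    return {b.get("designation") or "<unnamed>": check_booklet(b, today) for b in booklets}


# Constructed sample data, not a real inventory. Systems of one type share a template.
PC_TEMPLATE = {
    "operating_system": "Windows 10 Pro 22H2",
    "virus_scanner": "Vendor AV 5.2, signatures updated daily",
    "installation_configuration": "Standard office image v3, local admin account disabled",
    "backup_method": "Nightly file backup to NAS, weekly full backup stored offsite",
}
BOOKLETS = [
    {**PC_TEMPLATE, "designation": "INV-0042", "contact": "IT hotline ext. 200",
     "location": "Room 1.12",
     "applications": [{"name": "Payroll client", "personal_data": True},
                      {"name": "Office suite", "personal_data": False}],
     "protection_requirement": {"confidentiality": "high", "integrity": "normal",
                                "availability": "normal"},
     "accessories": ["Laser printer, directly attached"],
     "maintenance_log": [{"date": date(2023, 3, 1), "work": "RAM upgrade"}],
     "last_updated": date(2024, 1, 15)},
    {**PC_TEMPLATE, "designation": "INV-0043", "contact": "",
     "location": "Room 1.13",
     "applications": [{"name": "CRM"}],
     "protection_requirement": {"confidentiality": "medium", "integrity": "normal"},
     "accessories": [], "maintenance_log": [],
     "last_updated": date(2022, 6, 1)},
]
TODAY = date(2024, 2, 1)  # fixed reference date so the sample run is reproducible


def run_check():
    """Run the completeness check over the sample booklets."""
    return check_all(BOOKLETS, TODAY)


if __name__ == "__main__":
    for designation, findings in run_check().items():
        print(designation, "complete" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running the script reports INV-0042 as complete and lists seven findings for INV-0043, among them the empty contact field, the unknown level "medium", the missing availability requirement, the CRM application without a personal-data statement, and the booklet not having been updated for over a year. A real deployment would load the booklets from the central store rather than from inline data.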
When changes are made to an IT system, the data entered in the IT checklist booklet must be updated immediately so that the documentation is always up to date.
IT checklist booklets make it much easier to perform checks since the documentation of all relevant changes made and of the IT security safeguards implemented can be found in the IT checklist booklets. In addition, maintaining such IT checklist booklets helps an organisation to maintain the IT and IT security safeguards, for example in terms of data backups and password changes. This in turn supports the contingency planning process.
A sample IT checklist booklet can be found in the Resources for IT-Grundschutz on the BSI web server in the document "IT-Grundschutz Profile for small organisations".
Review questions:
- Is there an overview of the existing systems, applications, and data in the organisation, for example in the form of IT checklist booklets?