S 2.195 Creating a security concept
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: IT Security Officer
An information security concept serves to implement the security strategy and describes the approach planned to achieve the security objectives set in an organisation. The security concept is the central document in the security process of a company or government agency: it must be possible to trace every safeguard back to it. For this reason, a security concept must be carefully planned and implemented and then revised regularly. Each of the aspects described briefly in the following is handled in detail in BSI Standard 100-2 IT-Grundschutz Methodology.
It is not necessary to have a single security concept that covers every area of the organisation. If the implementation of IT-Grundschutz in one big step would be an overly complicated task, then it may make sense to implement the required level of security in selected areas first. The security process could then be expanded to the organisation as a whole based on these areas. In large government agencies and companies in particular, there may be several security concepts covering different organisational units. It must be guaranteed in this case, though, that all areas of the organisation are covered by adequate security concepts.
Complex business processes or applications can be handled in separate security concepts. This is particularly recommended when introducing new tasks or applications.
The scope for which a security concept is drawn up is referred to in the following as the information system; it delimits the area in which the security concept is to be implemented. An information system can therefore refer to specialised tasks, business processes, or organisational units. It covers all the infrastructural, organisational, personnel, and technical components that serve to fulfil the tasks in this area of information processing.
The information system must be specified so that all business processes and information examined can be assigned to this area. The dependencies of all security-relevant processes must be taken into account. The interfaces to other areas must be clearly defined, and the information system should not be cut so small that it becomes meaningless in relation to the organisation as a whole.
Security management must select a method for risk assessment that allows it to analyse and evaluate the potential damage of security incidents. It is also possible to select several different risk assessment procedures that build upon one another.
When the methodology according to IT-Grundschutz is used, a risk assessment is performed implicitly for areas with normal protection requirements.
In certain cases, for example when the information system under examination contains components with high or very high protection requirements, it will be necessary to perform a supplementary security analysis and possibly an explicit risk analysis. The steps for these tasks are described in BSI Standards 100-2 and 100-3.
Every risk assessment is based on the description of the information and business processes to be protected. To obtain an overview of the organisational or technical structures that are important to the business processes, the information system should be documented in a structured fashion. In addition to the technical components, applications, and information processed, it is also necessary to document the building infrastructure and the networks. The dependencies between each of the various components also need to be documented.
The protection requirements determination consists of the following steps:
- Analysis of the threats and risks posed to the organisation as a result of inadequate information security.
- Identification of the potential damage caused by a loss of confidentiality, integrity, or availability.
- Analysis and evaluation of the potential impact of security incidents and other security risks to the business activities of an organisation or its ability to perform its tasks.
Based on these considerations, it is possible to estimate the risks posed to the company or government agency and define the protection requirements of information, applications, and IT systems.
The actual security safeguards appropriate for the information system under examination are derived from the general security objectives, the protection requirements identified, and the risk assessment. This includes selecting the modules from the IT-Grundschutz Catalogues that match the security requirements of the information system, in order to compile a specific package of security safeguards that serves as the specification of the target state.
A basic security check is performed to determine which of the security safeguards have already been implemented and where there are still gaps in security.
It is generally adequate for typical business processes, applications, and components with normal protection requirements to implement the safeguards suggested according to IT-Grundschutz. A supplementary security analysis is necessary, though, for elements of the information system to which any of the following apply:
- having high or very high protection requirements in at least one of the three basic values (confidentiality, integrity or availability), or
- the target objects could not be adequately depicted (modelled) with the existing modules in the IT-Grundschutz Catalogues or
- the target objects are used in operating scenarios (e.g. in environments or with applications) that were not foreseen in the scope of IT-Grundschutz.
The goal of the supplementary security analysis is to help prepare management to decide which of these elements need to be subjected to a risk analysis.
Supplementary safeguards are added to or corrections are made to the security concept based on the threat scenario when the risk analysis has determined such changes are necessary. Risks that cannot be reduced through suitable or economical countermeasures are identified and included in a systematic procedure for handling these risks.
Before completing the final security concept, the additional safeguards identified in the risk analysis and the IT-Grundschutz safeguards must be consolidated. All new security safeguards must be examined in this case to determine if they will replace the existing safeguards, supplement these safeguards, or have an adverse effect on them. After that, it is necessary to review and update the results of the basic security check.
A security concept is only effective when the safeguards specified in it are also implemented promptly in practice. Their implementation must be planned and monitored.
Implementation planning should specify the time frame in which each individual safeguard must be implemented and which safeguards can usefully be combined and implemented at the same time. In addition, the safeguards must be prioritised according to the urgency of their implementation. The implementation plan should be documented either in the security concept itself or in a separate implementation plan appended to it. At a minimum, the implementation plan must contain the order of implementation and the corresponding responsibilities:
- Specification of priorities (implementation sequence): All security safeguards should be prioritised according to their importance and effectiveness. In general, priority should be given to implementing safeguards against particularly serious threats. This is particularly important in cases where there has been little protection against these threats so far. If, for example, it is impossible to implement all safeguards immediately for financial reasons, then the safeguards with the broadest effect should be implemented first.
- When specifying the order of implementation, possible interactions between the safeguards should be taken into account.
- Responsibilities: It must be specified for each safeguard who is responsible for initiating it, for implementing it, and for monitoring it (in the form of an audit).
When selecting security safeguards, it is also necessary to consider their appropriateness and efficiency. It must be possible to understand why the selected safeguards are appropriate for achieving the security objectives and meeting the security requirements. For this reason, the documentation should contain concrete specifications of the responsibilities and authorities as well as the activities planned for the purpose of controlling, auditing, and monitoring the safeguards.
The order of implementation of all unfinished activities must be defined. In addition, the resources planned and used to implement the individual security safeguards must be documented.
Since information security is a continuous process, it is not enough just to perform the initial implementation of the security safeguards. Instead, information security must be improved continuously. The security process must therefore be able to react to new developments in technology, and newly discovered vulnerabilities must be taken into account. The security process needs to be reviewed and updated regularly, and all changes made to it must be documented. Important instruments for reviewing the security process are regular reports (see S 2.200 Management reports on information security) and the introduction of reporting procedures.
Certification of the security process documents that an organisation follows a defined procedure; it can be integrated into the security process as an independent review.
The security concept is often used in practice to examine specific security safeguards in terms of their implementation or to check if they are up to date. For this reason, the security concept should be structured so that the following apply:
- It is possible to find specific sections quickly, and
- it is possible to update it with a minimum of effort (a tool can be used for this purpose).
In addition, the individual security safeguards must be described in adequate detail so that a substitute can take over the security-related tasks when necessary.
A security concept can contain confidential information such as information on vulnerabilities that have not been eliminated yet or on measures that could be used to bypass or overcome the safeguards, for example. Such confidential information may only be disclosed to authorised personnel. For this reason, the security concept should be organised so that the sections applying to a wide audience can be separated from those that apply only to a limited number of people.
It is important to establish a common ground of understanding for information security in an organisation. This also includes clear and uniform use of terminology. For this reason, a glossary containing the most important terms relating to information security should be created early on. This glossary is an aid during the development of all security-related documents. It can be published in the security concept or published separately.
Review questions:
- Is the scope specified (information system) covered by an adequate security concept?
- Are there structured descriptions of the information and business processes that were examined?
- Is it possible to understand how the protection requirements specified were determined?
- Are the security safeguards determined to be required adequate, realisable, and efficient?
- Is there a clear implementation plan for the safeguards that still need to be implemented?
- Is the security concept up to date?
- Has every employee at least been informed of the parts of the security concept that apply to them?