S 3.49 Training the IT-Grundschutz methodology
Initiation responsibility: IT Security Officer
Implementation responsibility: Supervisor, IT Security Officer
The persons responsible for security must be familiar with the IT-Grundschutz methodology in order to be able to apply it. There are various ways to become familiar with the IT-Grundschutz approach:
- self-study
- the BSI web course as an introduction to the IT-Grundschutz approach
- IT-Grundschutz courses offered by external training providers (a list of training providers for IT-Grundschutz can be found on the BSI website; note, however, that the BSI does not evaluate the quality or the contents of these courses)
- development of proprietary IT-Grundschutz training measures
When planning a new IT-Grundschutz training measure or evaluating training measures offered by external providers, the following topics should be included:
- Raising IT security awareness
- What is an Information Security Management System (ISMS)? How is a functioning security process established?
- Overview of the IT-Grundschutz concept (philosophy, field of application, structure)
- Drawing up of an information security policy
  - definition of the information security objectives
  - definition of the information system
- Information security management
  - organisational structures (presentation of suitable organisational structures for information security management)
  - roles (IT Security Officer, Security Management Team, etc.)
  - responsibilities
- Security concept: typical structure and contents
- Structure analysis
  - forming groups
  - documenting the applications and related information
  - creating a network plan
  - survey of the IT systems
  - documenting the rooms
- Protection requirements determination
  - approach
  - definition of the protection requirements categories, including adaptation of the evaluation tables to the organisation
  - damage scenarios
  - protection requirements determination for applications, IT systems, communication connections, and rooms
- Modelling according to IT-Grundschutz
  - overview of the IT-Grundschutz modules
  - layer model
    - general aspects of information security
    - security of the infrastructure
    - security of the IT systems
    - security in the network
    - security of applications
  - completeness check
  - life cycle model of the safeguards
- Basic security check
  - presentation of the procedure
  - implementation status
- Supplementary security analysis: risk analysis based on IT-Grundschutz
- Implementation of the security measures
  - overview of all missing safeguards
  - consolidating the safeguards
  - estimation of the time and expense required (budgeting)
  - implementation of the safeguards (order of implementation, persons responsible, implementation plan)
- Resources for working with the IT-Grundschutz Catalogues
  The BSI provides various resources to facilitate the use of the IT-Grundschutz Catalogues in practice. The following should be introduced to the users:
  - the guideline as motivation for information security
  - the web course as an introduction to the IT-Grundschutz methodology
  - tables and forms as implementation aids
  - sample policies and profiles as examples of their use
  - tools used to create, manage, and further develop security concepts based on IT-Grundschutz (the BSI offers the GSTOOL for this purpose)
- ISO 27001 certification on the basis of IT-Grundschutz: overview of the certification scheme
In a comprehensive IT-Grundschutz training measure, the participants should also have an opportunity to practise the approach taught using examples.
A set of transparencies for designing new IT-Grundschutz training measures can be found in the Resources for IT-Grundschutz section of the BSI website. It can be used as a model for designing proprietary training measures. All contents are described briefly in overviews and structure diagrams. The descriptions point out the contents required of a training measure designed as an introduction to the IT-Grundschutz approach and to the application of the IT-Grundschutz Catalogues.
Review questions:
- Are the persons responsible for security familiar with the IT-Grundschutz methodology?
- Are the training topics defined before planning an IT-Grundschutz training measure?
- Is the approach also exercised based on examples during the IT-Grundschutz training measure?