S 3.49 Training the IT-Grundschutz methodology

Initiation responsibility: IT Security Officer

Implementation responsibility: Supervisor, IT Security Officer

The persons responsible for security must be familiar with the IT-Grundschutz methodology in order to be able to apply it. There are various ways to familiarise with the approach according to IT-Grundschutz:

• self-study
• the BSI web course as an introduction to the IT-Grundschutz approach
• IT-Grundschutz courses offered by external training providers (A list of training providers for IT-Grundschutz can be found on the BSI websites. However, the BSI did not provide any evaluation of the training quality or the training contents.)
• development of proprietary IT-Grundschutz training measures

When planning a new IT-Grundschutz training measure or evaluating training measures offered by external providers, the following topics should be included:

• Raising IT security awareness
• What is an Information Security Management System (ISMS)? How is a functioning security process established?
• Overview of the IT-Grundschutz concept (philosophy, field of application, structure)
• Drawing up of an information security policy
  • definition of the information security objectives
  • definition of the information system
• Information security management
  • organisational structures (presentation of suitable organisational structures for information security management)
  • roles (IT Security Officer, Security Management Team, etc.)
  • responsibilities
• Security concept: typical structure and contents
• Structure analysis
  • forming groups
  • documenting the applications and related information
  • creating a network plan
  • survey of the IT systems
  • documenting the rooms
• Protection requirements determination
  • approach
  • definition of the protection requirements categories including adaptation of the evaluation tables to the organisation
  • damage scenarios
  • protection requirements determination for applications, IT systems, communication connections, and rooms
• Modelling according to IT-Grundschutz
  • overview of the IT-Grundschutz modules
  • layer model
    • general aspects of information security
    • security of the infrastructure
    • security of the IT systems
    • security in the network
    • security of applications
  • completeness check
  • life cycle model of the safeguards
• Basic security check
  • presentation of the procedure
  • implementation status
• Supplementary security analysis: risk analysis based on IT-Grundschutz
• Implementation of the security measures
  • overview of all missing safeguards
  • consolidating the safeguards
  • estimation of the time and expense required (budgeting)
  • implementation of the safeguards (order of implementation, persons responsible, implementation plan)
• Resources for working with the IT-Grundschutz Catalogues
  The BSI provides various resources to facilitate the use of the IT-Grundschutz Catalogues in practice. The following should be introduced to the users:
• • the guideline as motivation for information security
  • web course as an introduction to the IT-Grundschutz methodology
  • tables and forms as implementation aids
  • sample policies and profiles as examples of their use
  • tools used to create, manage, and further develop security concepts based on IT-Grundschutz. The BSI offers the GSTOOL for this purpose.

• ISO 27001 certification on the basis of IT-Grundschutz: overview of the certification scheme

In a comprehensive IT-Grundschutz training measure, the participants should also have an opportunity to practice the approach taught based on examples.

A set of transparencies for designing new IT-Grundschutz training measures can be found in the Resources for IT-Grundschutz section at the BSI websites. It can be used as a model for designing proprietary training measures. All contents are described briefly in overviews and structure diagrams. The descriptions point out the required contents of a training measure designed as an introduction to the IT-Grundschutz approach and to the application of the IT-Grundschutz Catalogues.

Review questions:

• Are the persons responsible for security familiar with the IT -Grundschutz methodology?
• Are the training topics defined before planning an IT-Grundschutz training measure?
• Is the approach also exercised based on examples during the IT-Grundschutz training measure?