+IT-Grundschutz-Compendium
---+G 0.1 Fire
---+G 0.2 Unfavourable Climatic Conditions
---+G 0.3 Water
---+G 0.4 Pollution, Dust, Corrosion
---+G 0.5 Natural Disasters
---+G 0.6 Catastrophes in the Vicinity
---+G 0.7 Major Events in the Vicinity
---+G 0.8 Failure or Disruption of the Power Supply
---+G 0.9 Failure or Disruption of Communication Networks
---+G 0.10 Failure or Disruption of Supply Networks
---+G 0.11 Failure or Disruption of Service Providers
---+G 0.12 Electromagnetic Interference
---+G 0.13 Interception of Compromising Interference Signals
---+G 0.14 Interception of Information / Espionage
---+G 0.15 Eavesdropping
---+G 0.16 Theft of Devices, Storage Media and Documents
---+G 0.17 Loss of Devices, Storage Media and Documents
---+G 0.18 Poor Planning or Lack of Adaptation
---+G 0.19 Disclosure of Sensitive Information
---+G 0.20 Information or Products from an Unreliable Source
---+G 0.21 Manipulation of Hardware or Software
---+G 0.22 Manipulation of Information
---+G 0.23 Unauthorised Access to IT Systems
---+G 0.24 Destruction of Devices or Storage Media
---+G 0.25 Failure of Devices or Systems
---+G 0.26 Malfunction of Devices or Systems
---+G 0.27 Lack of Resources
---+G 0.28 Software Vulnerabilities or Errors
---+G 0.29 Violations of Laws or Regulations
---+G 0.30 Unauthorised Use or Administration of Devices and Systems
---+G 0.31 Incorrect Use or Administration of Devices and Systems
---+G 0.32 Misuse of Authorisation
---+G 0.33 Shortage of Personnel
---+G 0.34 Assault
---+G 0.35 Coercion, Blackmail or Corruption
---+G 0.36 Identity Theft
---+G 0.37 Repudiation of Actions
---+G 0.38 Misuse of Personal Information
---+G 0.39 Malware
---+G 0.40 Denial of Service
---+G 0.41 Sabotage
---+G 0.42 Social Engineering
---+G 0.43 Attack with Specially Crafted Messages
---+G 0.44 Unauthorised Entry to Premises
---+G 0.45 Data Loss
---+G 0.46 Loss of Integrity of Sensitive Information
---+G 0.47 Harmful Side Effects of IT-Supported Attacks
---+Security Management
------+ISMS.1 Security Management
---------+ISMS.1.G1. Lack of Personal Responsibility in the Security Process
---------+ISMS.1.G2. Lack of Support from Top Management
---------+ISMS.1.G3. Inadequate Strategic and Conceptual Specifications
---------+ISMS.1.G4. Inadequate or Misdirected Investments
---------+ISMS.1.G5. Inadequate Enforcement of Security Safeguards
---------+ISMS.1.G6. Failure to Update the Security Process
---------+ISMS.1.G7. Violation of Statutory Regulations and Contractual Agreements
---------+ISMS.1.G8. Business Process Disruptions due to Security Incidents
---------+ISMS.1.G9. Uneconomical Use of Resources due to Inadequate Security Management
---------+ISMS.1.A1 Acceptance of Overall Responsibility for Information Security by Top Management [Top Management] (B)
---------+ISMS.1.A2 Defining Security Objectives and Strategy [Top Management] (B)
---------+ISMS.1.A3 Drawing Up an Information Security Policy [Top Management] (B)
---------+ISMS.1.A4 Appointment of a Chief Information Security Officer [Top Management] (B)
---------+ISMS.1.A5 Contract Design When Appointing an External Chief Information Security Officer [Top Management] (B)
---------+ISMS.1.A6 Establishment of a Suitable Organisational Structure for Information Security [Top Management] (B)
---------+ISMS.1.A7 Definition of Security Safeguards (B)
---------+ISMS.1.A8 Integration of Employees into the Security Process [Supervisor] (B)
---------+ISMS.1.A9 Integrating Information Security into Organisation-Wide Procedures and Processes [Top Management] (B)
---------+ISMS.1.A10 Drawing Up a Security Concept (S)
---------+ISMS.1.A11 Continuity of Information Security (S)
---------+ISMS.1.A12 Management Reports on Information Security [Top Management] (S)
---------+ISMS.1.A13 Documentation of the Security Process (S)
---------+ISMS.1.A15 Cost-Effective Use of Resources for Information Security (S)
---------+ISMS.1.A16 Creating Target-Group-Orientated Security Policies (H)
---------+ISMS.1.A17 Taking Out Insurance (H)
---+Organisation and Personnel
------+ORP.1 Organisation
---------+ORP.1.G1. Insufficient Rules
---------+ORP.1.G2. Non-Compliance with Regulations
---------+ORP.1.G3. Inadequate or Incompatible Resources
---------+ORP.1.G4. Threats from Outside the Organisation
---------+ORP.1.A1 Specification of Responsibilities and Provisions [Top Management] (B)
---------+ORP.1.A2 Assigning Responsibilities [Top Management] (B)
---------+ORP.1.A3 Supervising or Escorting External Individuals [Employee] (B)
---------+ORP.1.A4 Separation of Roles Between Incompatible Tasks (B)
---------+ORP.1.A15 Contact Persons for Information Security Issues (B)
---------+ORP.1.A8 Managing Resources and Devices [IT Operation Department] (S)
---------+ORP.1.A13 Security During Relocation [IT Operation Department, Building Services] (S)
---------+ORP.1.A16 Policy for Secure IT Use [User] (S)
------+ORP.2 Personnel
---------+ORP.2.G1. Shortage of Personnel
---------+ORP.2.G2. Insufficient Knowledge of Rules and Procedures
---------+ORP.2.G3. Carelessness in Handling Information
---------+ORP.2.G4. Insufficient Employee Qualifications
---------+ORP.2.A1 Well-Regulated Orientation of New Employees [Supervisor] (B)
---------+ORP.2.A2 Regulated Procedure for Employees Leaving the Organisation [Supervisor, IT Operation Department] (B)
---------+ORP.2.A3 Defining Deputising Rules [Supervisor] (B)
---------+ORP.2.A4 Defining Procedures for Using Third-Party Personnel (B)
---------+ORP.2.A5 Confidentiality Agreements for Third-Party Personnel (B)
---------+ORP.2.A14 Tasks and Responsibilities of Employees [Supervisor] (B)
---------+ORP.2.A15 Qualifications of Personnel [Supervisor] (B)
---------+ORP.2.A7 Verifying the Trustworthiness of Employees (S)
---------+ORP.2.A13 Security Vetting (H)
------+ORP.3 Awareness and Training in Information Security
---------+ORP.3.G1. Insufficient Knowledge of Rules and Procedures
---------+ORP.3.G2. Insufficient Awareness of Information Security
---------+ORP.3.G3. Ineffective Awareness and Training Activities
---------+ORP.3.G4. Insufficient Employee Training Regarding Security Functions
---------+ORP.3.G5. Undetected Security Incidents
---------+ORP.3.G6. Non-Compliance with Security Safeguards
---------+ORP.3.G7. Carelessness in Handling Information
---------+ORP.3.G8. Lack of Acceptance of Information Security Policies
---------+ORP.3.G9. Social Engineering
---------+ORP.3.A1 Top Management Awareness of Information Security Issues [Supervisor, Top Management] (B)
---------+ORP.3.A3 Training Employees in the Secure Handling of IT [Supervisor, Human Resources Department, IT Operation Department] (B)
---------+ORP.3.A4 Designing and Planning an Information Security Awareness and Training Program (S)
---------+ORP.3.A6 Implementation of Information Security Awareness and Training Measures (S)
---------+ORP.3.A7 Training in the IT-Grundschutz Methodology (S)
---------+ORP.3.A8 Measurement and Evaluation of Training Success [Human Resources Department] (S)
---------+ORP.3.A9 Special Training for Exposed Persons and Organisations (H)
------+ORP.4 Identity and Access Management
---------+ORP.4.G1. Insufficient Processes in Identity and Access Management
---------+ORP.4.G2. No Central Means of Disabling User Access Authorisations
---------+ORP.4.G3. Incorrect Administration of Site, System, and Data Access Rights
---------+ORP.4.A1 Regulation for Creating and Deleting Users and User Groups [IT Operation Department] (B)
---------+ORP.4.A2 Creating, Changing, and Revoking Authorisations [IT Operation Department] (B)
---------+ORP.4.A3 Documentation of User IDs and Rights Profiles [IT Operation Department] (B)
---------+ORP.4.A4 Distribution of Tasks and Separation of Roles [IT Operation Department] (B)
---------+ORP.4.A5 Assignment of Site Access Rights [IT Operation Department] (B)
---------+ORP.4.A6 Assignment of System Access Rights [IT Operation Department] (B)
---------+ORP.4.A7 Assignment of Data Access Rights [IT Operation Department] (B)
---------+ORP.4.A8 Provisions Governing the Use of Passwords [User, IT Operation Department] (B)
---------+ORP.4.A9 Identification and Authentication [IT Operation Department] (B)
---------+ORP.4.A23 Regulating Password-Processing Applications and IT Systems [IT Operation Department] (B)
---------+ORP.4.A10 Protection of User IDs with Wide-Ranging Authorisations [IT Operation Department] (S)
---------+ORP.4.A11 Resetting Passwords [IT Operation Department] (S)
---------+ORP.4.A12 Developing an Authentication Concept for IT Systems and Applications [IT Operation Department] (S)
---------+ORP.4.A13 Selection of Suitable Authentication Mechanisms [IT Operation Department] (S)
---------+ORP.4.A14 Checking the Effectiveness of User Separation in IT Systems or Applications [IT Operation Department] (S)
---------+ORP.4.A15 Approach and Design of Identity and Access Management Processes [IT Operation Department] (S)
---------+ORP.4.A16 Policies for Data and System Access Control [IT Operation Department] (S)
---------+ORP.4.A17 Suitable Selection of Identity and Access Management Systems [IT Operation Department] (S)
---------+ORP.4.A18 Using a Central Authentication Service [IT Operation Department] (S)
---------+ORP.4.A19 Instruction of All Employees in the Handling of Authentication Methods and Mechanisms [User, Head of IT] (S)
---------+ORP.4.A20 Contingency Planning for the Identity and Access Management System [IT Operation Department] (H)
---------+ORP.4.A21 Multi-Factor Authentication [IT Operation Department] (H)
---------+ORP.4.A24 Dual Control for Administrative Activities [IT Operation Department] (H)
---+Concepts and Methodologies
---+Operation
---+Detection and Reaction
---+Applications
---+IT Systems
---+Industrial IT
---+Networks and Communication
---+Infrastructure

1. Overview

IT-Grundschutz-Compendium

Final Draft, 1 February 2022
Designation | Standard
Security Management | The ISMS layer includes the Security Management module as the basis for all further activities in the security process.
Organisation and Personnel | The ORP layer addresses organisational and personnel security aspects. This layer includes, for example, the modules Organisation and Personnel.
Concepts and Methodologies | The CON layer includes modules that deal with concepts and methodologies. Typical modules of the CON layer include Crypto Concept and Data Protection.
Operation | The OPS layer comprises all security aspects of an operational nature. This particularly includes the security aspects of IT operations in both in-house environments and those that are run partially or completely by third parties. Furthermore, it includes the security aspects that are to be considered when running IT operations for third parties. Examples of modules in the OPS layer include Protection Against Malware and Outsourcing for Customers.
Detection and Reaction | The DER layer contains all the modules that are relevant for reviewing the implemented security safeguards, detecting security incidents and taking suitable action in response. Typical modules of the DER layer are Security Incident Handling and Provisions for IT Forensics.
Applications | The APP layer deals with the protection of applications and services in communications, directory services, network-based services and business and client applications, amongst other areas. Typical modules within the APP layer include General E-Mail Clients and Servers, Office Products, Web Servers and Relational Database Systems.
IT Systems | The SYS layer addresses the individual IT systems of a given information domain, which may have been combined into groups. The security aspects of servers, desktop systems, mobile devices and other IT systems such as printers and telecommunication systems are addressed here. The SYS layer includes, for example, modules for specific operating systems, as well as General Smartphones and Tablets and Printers, Copiers, and All-in-One Devices.
Industrial IT | The IND layer deals with the security aspects of industrial IT. This layer includes modules such as Process Control and Automation Technology, General ICS Components and Programmable Logic Controller (PLC).
Networks and Communication | The NET layer examines the networking aspects that are not primarily related to specific IT systems, but to network connections and communication. It includes, for example, the modules Network Management, Firewall and WLAN Operation.
Infrastructure | The INF layer brings together different aspects of infrastructural security by addressing architectural and technical factors. It includes the modules Generic Building and Data Centre and Server Room.

1.1 References

1.2 Identified Requirements

1.3 Related Regulations

2. Identified Requirements

Requirements
Source | Requirement

3. Related Regulations

Regulations
Source | Regulation
