ITGC

Bundesamt für Sicherheiter in der Informationstechnik - IT-Grundschutzkompendium Stand 2022

Vorgänge
Standard IT-Grundschutz-Compendium

IT-Grundschutz-Compendium

Vorgänge
+ IT-Grundschutz-Compendium
---+ G 0.1 Fire
---+ G 0.2 Unfavourable Climatic Conditions
---+ G 0.3 Water
---+ G 0.4 Pollution, Dust, Corrosion
---+ G 0.5 Natural Disasters
---+ G 0.6 Catastrophes in the Vicinity
---+ G 0.7 Major Events in the Vicinity
---+ G 0.8 Failure or Disruption of the Power Supply
---+ G 0.9 Failure or Disruption of Communication Networks
---+ G 0.10 Failure or Disruption of Supply Networks
---+ G 0.11 Failure or Disruption of Service Providers
---+ G 0.12 Electromagnetic Interference
---+ G 0.13 Interception of Compromising Interference Signals
---+ G 0.14 Interception of Information / Espionage
---+ G 0.15 Eavesdropping
---+ G 0.16 Theft of Devices, Storage Media and Documents
---+ G 0.17 Loss of Devices, Storage Media and Documents
---+ G 0.18 Poor Planning or Lack of Adaptation
---+ G 0.19 Disclosure of Sensitive Information
---+ G 0.20 Information or Products from an Unreliable Source
---+ G 0.21 Manipulation with Hardware or Software
---+ G 0.22 Manipulation of Information
---+ G 0.23 Unauthorised Access to IT Systems
---+ G 0.24 Destruction of Devices or Storage Media
---+ G 0.25 Failure of Devices or Systems
---+ G 0.26 Malfunction of Devices or Systems
---+ G 0.27 Lack of Resources
---+ G 0.28 Software Vulnerabilities or Errors
---+ G 0.29 Violations of Laws or Regulations
---+ G 0.30 Unauthorised Use or Administration of Devices and Systems
---+ G 0.31 Incorrect Use or Administration of Devices and Systems
---+ G 0.32 Misuse of Authorisation
---+ G 0.33 Shortage of Personnel
---+ G 0.34 Assault
---+ G 0.35 Coercion, Blackmail or Corruption
---+ G 0.36 Identity theft
---+ G 0.37 Repudiation of Actions
---+ G 0.38 Misuse of Personal Information
---+ G 0.39 Malware
---+ G 0.40 Denial of Service
---+ G 0.41 Sabotage
---+ G 0.42 Social Engineering
---+ G 0.43 Attack with Specially Crafted Messages
---+ G 0.44 Unauthorised Entry to Premises
---+ G 0.45 Data Loss
---+ G 0.46 Loss of Integrity of Sensitive Information
---+ G 0.47 Harmful Side Effects of IT_x0002_Supported Attack
---+ Security Management
------+ ISMS.1 Security Management
---------+ ISMS.1.G1. Lack of Personal Responsibility in the Security Process
---------+ ISMS.1.G2. Lack of Support from Top Management
---------+ ISMS.1.G3. Inadequate Strategic and Conceptual Specifications
---------+ ISMS.1.G4. Inadequate or Misdirected Investments
---------+ ISMS.1.G5. Inadequate Enforcement of Security Safeguards
---------+ ISMS.1.G6. Failure to Update the Security Process
---------+ ISMS.1.G7. Violation of Statutory Regulations and Contractual Agreements
---------+ ISMS.1.G8. Business Process Disruptions due to Security Incidents
---------+ ISMS.1.G9. Uneconomical Use of Resources due to Inadequate Security Management
---------+ ISMS.1.A1 Acceptance of Overall Responsibility for Information Security by Top Management [Top Management] (B)
---------+ ISMS.1.A2 Defining Security Objectives and Strategy [Top Management] (B)
---------+ ISMS.1.A3 Drawing Up an Information Security Policy [Top Management] (B)
---------+ ISMS.1.A4 Appointment of a Chief Information Security Officer [Top Management] (B)
---------+ ISMS.1.A5 Contract Design When Appointing an External Chief Information Security Officer [Top Management] (B)
---------+ ISMS.1.A6 Establishment of a Suitable Organisational Structure for Information Security [Top Management] (B)
---------+ ISMS.1.A7 Definition of Security Safeguards (B)
---------+ ISMS.1.A8 Integration of Employees into the Security Process [Supervisor] (B)
---------+ ISMS.1.A9 Integrating Information Security into Organisation-Wide Procedures and Processes [Top Management] (B)
---------+ ISMS.1.A10 Drawing Up a Security Concept (S)
---------+ ISMS.1.A11 Continuity of Information Security (S)
---------+ ISMS.1.A12 Management Reports on Information Security [Top Management] (S)
---------+ ISMS.1.A13 Documentation of the Security Process (S)
---------+ ISMS.1.A15 Cost-Effective Use of Resources for Information Security (S)
---------+ ISMS.1.A16 Creating Target-Group-Orientated Security Policies (H)
---------+ ISMS.1.A17 Taking Out Insurance (H)
---+ Organisation and Personnel
------+ ORP.1 Organisation
---------+ ORP.1.G1. Insufficient Rules
---------+ ORP.1.G2. Non-Compliance with Regulations
---------+ ORP.1.G3. Inadequate or Incompatible Resources
---------+ ORP.1.G4. Threats from Outside the Organisation
---------+ ORP.1.A1 Specification of Responsibilities and Provisions [Top Management]
---------+ ORP.1.A2 Assigning Responsibilities [Top Management] (B)
---------+ ORP.1.A3 Supervising or Escorting External Individuals [Employee] (B)
---------+ ORP.1.A4 Separation of Roles Between Incompatible Tasks (B)
---------+ ORP.1.A15 Contact Persons for Information Security Issues (B)
---------+ ORP.1.A8 Managing Resources and Devices [IT Operation Department] (S)
---------+ ORP.1.A13 Security During Relocation [IT Operation Department, Building Services] (S)
---------+ ORP.1.A16 Policy for Secure IT Use [User] (S)
------+ ORP.2 Personnel
---------+ ORP.2.G1. Shortage of Personnel
---------+ ORP.2.G2. Insufficient Knowledge of Rules and Procedures
---------+ ORP.2.G3. Carelessness in Handling Information
---------+ ORP.2.G4. Insufficient Employee Qualifications
---------+ ORP.2.A1 Well-Regulated Orientation of New Employees [Supervisor] (B)
---------+ ORP.2.A2 Regulated Procedure for Employees Leaving the Organisation [Supervisor, IT Operation Department] (B)
---------+ ORP.2.A3 Defining Deputising Rules [Supervisor] (B)
---------+ ORP.2.A4 Defining Procedures for Using Third-Party Personnel (B)
---------+ ORP.2.A5 Confidentiality Agreements for Third-Party Personnel (B)
---------+ ORP.2.A14 Tasks and Responsibilities of Employees [Supervisor] (B)
---------+ ORP.2.A15 Qualifications of Personnel [Supervisor] (B)
---------+ ORP.2.A7 Verifying the Trustworthiness of Employees (S)
---------+ ORP.2.A13 Security Vetting (H)
------+ ORP.3 Awareness and Training in Information Security
---------+ ORP.3.G1. Insufficient Knowledge of Rules and Procedures
---------+ ORP.3.G2. Insufficient Awareness of Information Security
---------+ ORP.3.G3. Ineffective Awareness and Training Activities
---------+ ORP.3.G4. Insufficient Employee Training Regarding Security Functions
---------+ ORP.3.G5. Undetected Security Incidents
---------+ ORP.3.G6. Non-Compliance with Security Safeguards
---------+ ORP.3.G7. Carelessness in Handling Information
---------+ ORP.3.G8. Lack of Acceptance of Information Security Policies
---------+ ORP.3.G9. Social Engineering
---------+ ORP.3.A1 Top Management Awareness of Information Security Issues [Supervisor, Top Management] (B)
---------+ ORP.3.A3 Training Employees in the Secure Handling of IT [Supervisor, Human Resources Department, IT Operation Department] (B)
---------+ ORP.3.A4 Designing and Planning an Information Security Awareness and Training Program (S)
---------+ ORP.3.A6 Implementation of Information Security Awareness and Training Measures (S)
---------+ ORP.3.A7 Training in the IT-Grundschutz Methodology (S)
---------+ ORP.3.A8 Measurement and Evaluation of Training Success [Human Resources Department] (S)
---------+ ORP.3.A9 Special Training for Exposed Persons and Organisations (H)
------+ ORP.4 Identity and Access Management
---------+ ORP.4.G1. Insufficient Processes in Identity and Access Management
---------+ ORP.4.G2. No Central Means of Disabling User Access Authorisations
---------+ ORP.4.G3. Incorrect Administration of Site, System, and Data Access Rights
---------+ ORP.4.A1 Regulation for Creating and Deleting Users and User Groups [IT Operation Department] (B)
---------+ ORP.4.A2 Creating, Changing, and Revoking Authorisations [IT Operation Department] (B)
---------+ ORP.4.A3 Documentation of User IDs and Rights Profiles [IT Operation Department] (B)
---------+ ORP.4.A4 Distribution of Tasks and Separation of Roles [IT Operation Department] (B)
---------+ ORP.4.A5 Assignment of Site Access Rights [IT Operation Department] (B)
---------+ ORP.4.A6 Assignment of System Access Rights [IT Operation Department] (B)
---------+ ORP.4.A7 Assignment of Data Access Rights [IT Operation Department] (B)
---------+ ORP.4.A8 Provisions Governing the Use of Passwords [User, IT Operation Department] (B)
---------+ ORP.4.A9 Identification and Authentication [IT Operation Department] (B)
---------+ ORP.4.A24 Dual Control for Administrative Activities [IT Operation Department] (H)
---------+ ORP.4.A23 Regulating Password-Processing Applications and IT Systems [IT Operation Department] (B)
---------+ ORP.4.A10 Protection of User IDs with Wide-Ranging Authorisations [IT Operation Department] (S)
---------+ ORP.4.A11 Resetting Passwords [IT Operation Department] (S)
---------+ ORP.4.A12 Developing an Authentication Concept for IT Systems and Applications [IT Operation Department] (S)
---------+ ORP.4.A13 Selection of Suitable Authentication Mechanisms [IT Operation Department] (S)
---------+ ORP.4.A14 Checking the Effectiveness of User Separation in IT Systems or Applications [IT Operation Department] (S)
---------+ ORP.4.A15 Approach and Design of Identity and Access Management Processes [IT Operation Department] (S)
---------+ ORP.4.A16 Policies for Data and System Access Control [IT Operation Department] (S)
---------+ ORP.4.A17 Suitable Selection of Identity and Access Management Systems [IT Operation Department] (S)
---------+ ORP.4.A18 Using a Central Authentication Service [IT Operation Department] (S)
---------+ ORP.4.A19 Instruction of All Employees in the Handling of Authentication Methods and Mechanisms [User, Head of IT] (S)
---------+ ORP.4.A20 Contingency Planning for the Identity and Access Management System [IT Operation Department] (H)
---------+ ORP.4.A21 Multi-Factor Authentication [IT Operation Department] (H)
---+ concepts and methodologies
---+ operational
---+ Detect and Response
---+ Application
---+ Systems
---+ Individual
---+ Network
---+ Infrastrucuture

Impressum