Organisation and Personnel
  ORP.1 Organisation
    ORP.1.G1. Insufficient Rules
    ORP.1.G2. Non-Compliance with Regulations
    ORP.1.G3. Inadequate or Incompatible Resources
    ORP.1.G4. Threats from Outside the Organisation
    ORP.1.A1 Specification of Responsibilities and Provisions [Top Management]
    ORP.1.A2 Assigning Responsibilities [Top Management] (B)
    ORP.1.A3 Supervising or Escorting External Individuals [Employee] (B)
    ORP.1.A4 Separation of Roles Between Incompatible Tasks (B)
    ORP.1.A15 Contact Persons for Information Security Issues (B)
    ORP.1.A8 Managing Resources and Devices [IT Operation Department] (S)
    ORP.1.A13 Security During Relocation [IT Operation Department, Building Services] (S)
    ORP.1.A16 Policy for Secure IT Use [User] (S)
  ORP.2 Personnel
    ORP.2.G1. Shortage of Personnel
    ORP.2.G2. Insufficient Knowledge of Rules and Procedures
    ORP.2.G3. Carelessness in Handling Information
    ORP.2.G4. Insufficient Employee Qualifications
    ORP.2.A1 Well-Regulated Orientation of New Employees [Supervisor] (B)
    ORP.2.A2 Regulated Procedure for Employees Leaving the Organisation [Supervisor, IT Operation Department] (B)
    ORP.2.A3 Defining Deputising Rules [Supervisor] (B)
    ORP.2.A4 Defining Procedures for Using Third-Party Personnel (B)
    ORP.2.A5 Confidentiality Agreements for Third-Party Personnel (B)
    ORP.2.A14 Tasks and Responsibilities of Employees [Supervisor] (B)
    ORP.2.A15 Qualifications of Personnel [Supervisor] (B)
    ORP.2.A7 Verifying the Trustworthiness of Employees (S)
    ORP.2.A13 Security Vetting (H)
  ORP.3 Awareness and Training in Information Security
    ORP.3.G1. Insufficient Knowledge of Rules and Procedures
    ORP.3.G2. Insufficient Awareness of Information Security
    ORP.3.G3. Ineffective Awareness and Training Activities
    ORP.3.G4. Insufficient Employee Training Regarding Security Functions
    ORP.3.G5. Undetected Security Incidents
    ORP.3.G6. Non-Compliance with Security Safeguards
    ORP.3.G7. Carelessness in Handling Information
    ORP.3.G8. Lack of Acceptance of Information Security Policies
    ORP.3.G9. Social Engineering
    ORP.3.A1 Top Management Awareness of Information Security Issues [Supervisor, Top Management] (B)
    ORP.3.A3 Training Employees in the Secure Handling of IT [Supervisor, Human Resources Department, IT Operation Department] (B)
    ORP.3.A4 Designing and Planning an Information Security Awareness and Training Program (S)
    ORP.3.A6 Implementation of Information Security Awareness and Training Measures (S)
    ORP.3.A7 Training in the IT-Grundschutz Methodology (S)
    ORP.3.A8 Measurement and Evaluation of Training Success [Human Resources Department] (S)
    ORP.3.A9 Special Training for Exposed Persons and Organisations (H)
  ORP.4 Identity and Access Management
    ORP.4.G1. Insufficient Processes in Identity and Access Management
    ORP.4.G2. No Central Means of Disabling User Access Authorisations
    ORP.4.G3. Incorrect Administration of Site, System, and Data Access Rights
    ORP.4.A1 Regulation for Creating and Deleting Users and User Groups [IT Operation Department] (B)
    ORP.4.A2 Creating, Changing, and Revoking Authorisations [IT Operation Department] (B)
    ORP.4.A3 Documentation of User IDs and Rights Profiles [IT Operation Department] (B)
    ORP.4.A4 Distribution of Tasks and Separation of Roles [IT Operation Department] (B)
    ORP.4.A5 Assignment of Site Access Rights [IT Operation Department] (B)
    ORP.4.A6 Assignment of System Access Rights [IT Operation Department] (B)
    ORP.4.A7 Assignment of Data Access Rights [IT Operation Department] (B)
    ORP.4.A8 Provisions Governing the Use of Passwords [User, IT Operation Department] (B)
    ORP.4.A9 Identification and Authentication [IT Operation Department] (B)
    ORP.4.A24 Dual Control for Administrative Activities [IT Operation Department] (H)
    ORP.4.A23 Regulating Password-Processing Applications and IT Systems [IT Operation Department] (B)
    ORP.4.A10 Protection of User IDs with Wide-Ranging Authorisations [IT Operation Department] (S)
    ORP.4.A11 Resetting Passwords [IT Operation Department] (S)
    ORP.4.A12 Developing an Authentication Concept for IT Systems and Applications [IT Operation Department] (S)
    ORP.4.A13 Selection of Suitable Authentication Mechanisms [IT Operation Department] (S)
    ORP.4.A14 Checking the Effectiveness of User Separation in IT Systems or Applications [IT Operation Department] (S)
    ORP.4.A15 Approach and Design of Identity and Access Management Processes [IT Operation Department] (S)
    ORP.4.A16 Policies for Data and System Access Control [IT Operation Department] (S)
    ORP.4.A17 Suitable Selection of Identity and Access Management Systems [IT Operation Department] (S)
    ORP.4.A18 Using a Central Authentication Service [IT Operation Department] (S)
    ORP.4.A19 Instruction of All Employees in the Handling of Authentication Methods and Mechanisms [User, Head of IT] (S)
    ORP.4.A20 Contingency Planning for the Identity and Access Management System [IT Operation Department] (H)
    ORP.4.A21 Multi-Factor Authentication [IT Operation Department] (H)

1. Overview

Organisation and Personnel

The ORP layer addresses organisational and personnel security aspects. This layer includes, for example, the modules Organisation and Personnel.
ORP.1 Organisation

1. Description
1.1. Introduction
Every organisation needs a service that is responsible for controlling and regulating general operations and planning, organising, and implementing administrative services. For these purposes, most organisations have an organisational unit which controls the interaction of various roles and units with the corresponding business processes and resources. At this overarching level, aspects of information security must be incorporated and defined in a binding manner.
1.2. Objective
This module lists general and overarching requirements in the area of organisation which help to increase and maintain information security. To achieve this, information flows, processes, the distribution of roles, and structural and procedural organisation must be regulated.
1.3. Scoping and Modelling
Module ORP.1 Organisation must be applied at least once to the entire information domain under consideration. If parts of the information domain are assigned to another organisational unit and are therefore subject to different general conditions, this module should be applied separately to each unit.
The module forms an overarching basis for implementing information security in an organisation. It does not deal with specific aspects of personnel, employee training, the administration of identities and authorisations, or compliance management. These aspects are covered in the modules ORP.2 Personnel, ORP.3 Awareness and Training in Information Security, ORP.4 Identity and Access Management, and ORP.5 Compliance Management.
ORP.2 Personnel

1. Description
1.1. Introduction
The staff of a company or public authority are crucial to its success or failure. In particular, employees have an important task in implementing information security. Even the most elaborate security precautions can come to nothing if they are not put into active use. The fundamental importance of information security to an organisation and its business processes must therefore be transparent and comprehensible to its staff.
1.2. Objective
The aim of this module is to highlight the security safeguards HR departments and supervisors must take to ensure that employees handle their organisation's information responsibly and behave in accordance with the relevant guidelines.
1.3. Scoping and Modelling
Module ORP.2 Personnel must be applied once to the entire information domain under consideration.
The module covers the requirements which must be observed and fulfilled by the human resources department and supervisors of an organisation. Personnel requirements linked to a specific role, such as the appointment of a system administrator for a LAN, are provided in the modules on the corresponding topics. Module ORP.2 Personnel does not deal with specific aspects of employee training or the management of identities and permissions. These aspects are covered in the modules ORP.3 Awareness and Training in Information Security and ORP.4 Identity and Access Management.
4. Additional Information
4.1. Useful Resources
The International Organization for Standardization (ISO) provides guidelines for handling security incidents in annex A.7 (“Human Resource Security”) of ISO/IEC 27001:2013, “Information Technology – Security Techniques – Information Security Management Systems – Requirements”.
“The Standard of Good Practice for Information Security” published by the Information Security Forum (ISF) provides guidelines for HR security under "PM: People Management".
ORP.3 Awareness and Training in Information Security

1. Description
1.1. Introduction
Employees are a crucial factor in ensuring a high level of information security in an organisation. It is therefore important that each and every one of them know their organisation's security objectives, understand the corresponding security safeguards, and be willing to implement them. This requires security awareness within the organisation in question. Furthermore, a culture of security should be established that forms an active part of employees' everyday work.
Employees should be made aware of relevant risks and know how they may affect their organisation. They must know what is expected of them in terms of information security and how they should respond in situations critical to security.
1.2. Objective
This module describes how to establish and maintain an effective program for raising awareness and conducting training on information security. The aim of the program is to raise employees' awareness of security risks and provide them with the knowledge and skills required to act in a security-conscious manner.
1.3. Scoping and Modelling
Module ORP.3 Awareness and Training in Information Security must be applied once to the entire information domain under consideration.
This module formulates requirements for information security awareness and training which relate to the working environment not only within an organisation, but in teleworking and mobile working settings, as well.
Module ORP.3 Awareness and Training in Information Security describes process-related, technical, methodological, and organisational requirements for information security awareness and training. An organisation's human resources department or training management department typically plans, manages, and implements other training topics, as well.
Specific training content for these topics is covered in many of the other IT-Grundschutz modules. This module deals with how a planned approach can be efficiently structured with regard to information security awareness and training.
4. Additional Information
4.1. Useful Resources
The International Organization for Standardization (ISO) provides requirements for training employees and raising their awareness in the ISO/IEC 27001:2013 standard, section 7.2.
The Information Security Forum (ISF) defines various requirements for training employees and raising their awareness in "The Standard of Good Practice for Information Security", section PM2.
The BSI offers an online course on IT-Grundschutz at https://www.bsi.bund.de/grundschutzkurs, which introduces the methodology of IT-Grundschutz.
The BSI offers a two-stage training concept on the subject of IT-Grundschutz. In this training concept, participants can acquire an IT-Grundschutz practitioner certificate and be further certified as an IT-Grundschutz consultant by the BSI.
A list of training providers that offer BSI training to become an IT-Grundschutz practitioner and an IT-Grundschutz consultant can be found at https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzSchulung/ITGrundschutzBerater/itgrundschutzberater_node.html.
ORP.4 Identity and Access Management

1. Description
1.1. Introduction
Access to sensitive resources in an organisation must be restricted to authorised users and authorised IT components. Users and IT components must be identified and authenticated with certainty. The management of the information this requires is referred to as "identity management".
Access management, meanwhile, defines whether and how users or IT components may access and use information or services (i.e. whether they are granted or refused site, system, and data access based on their user profile). Access management includes the processes that are required to assign, withdraw, and control rights.
Since these two terms are closely connected, the term "identity and access management" (IAM) will be used from now on in this module. For better comprehensibility, the term "user ID" or "ID" is used synonymously with "user account", "login", and "account" in this module. The term "password" is used here as a general term for "passphrase", "PIN", or "passcode".
1.2. Objective
The objective of this module is to ensure that users and IT components can access only the IT resources and information that are required for their work and for which they are authorised, and that no access is granted to unauthorised users and IT components. To this end, it formulates requirements to be followed by organisations in establishing secure identity and access management.
1.3. Scoping and Modelling
Module ORP.4 Identity and Access Management must be applied once to the entire information domain under consideration.
This module describes fundamental requirements for implementing identity and access management.
Requirements that relate to components of identity and access management such as operating systems or directory services can be found in the corresponding modules (e.g. SYS.1.3 Unix Server, SYS.1.2.2 Windows Server 2012, APP.2.1 General Directory Service, APP.2.2 Active Directory).
4. Additional Information
4.1. Useful Resources
The International Organization for Standardization (ISO) provides guidelines for identity and access management in annex A.9 ("Access Control") of ISO/IEC 27001:2013, “Information Technology – Security Techniques – Information Security Management Systems – Requirements”.
The International Organization for Standardization (ISO) provides specifications for identity and access management in the standard ISO/IEC 29146:2016, “Information Technology – Security Techniques – A Framework for Access Management”.
The Information Security Forum (ISF) provides specifications on identity and access management in chapter TS1.4 (“Identity and Access Management”) of “The Standard of Good Practice for Information Security”.
The National Institute of Standards and Technology (NIST) provides guidance on identity and access management in NIST Special Publication 800-53A, specifically in areas AC and IA.