From Carsten Schultz, of BSI:

IT Baseline Protection Manual 1996

GISA (the German Information Security Agency, also known as BSI, which is the German abbreviation) was founded in 1990. One of its tasks is the counselling and support of governmental agencies, companies, etc. about all questions of IT security, especially about how to develop IT security concepts.

The activities of counselling and support also include the task to develop and improve methods for the development of IT security concepts. For this, up to now, mainly the method of detailed risk analysis is used. Performing a detailed risk analysis has the advantage that the safeguards selected following such a review are appropriate for the security requirements of the IT system considered. The disadvantage of this approach is that it is very time-consuming, and needs a lot of expertise to obtain best results.

But these detailed considerations and results are really necessary only in case of high protection requirements. For all other cases, i.e. IT systems with low or medium protection requirements, the implementation of standard security safeguards are very often sufficient. This idea is known as baseline protection or as the application of codes of practice. The combination of using a detailed risk analysis where necessary, and a baseline approach where appropriate offers the chance to minimise efforts and to achieve optimal results. This combined approach is also recommended in the 'Guidelines for the Management of IT Security' developed in ISO/IEC JTC1/SC27/WG1, and is used within companies and federal agencies.

To realise these baseline ideas within Germany, GISA published a first version of the IT Baseline Protection Manual in 1994. This manual recommends IT security safeguards which are adequate and sufficient for medium-level protection requirements. For developing this manual, GISA estimated the risks on the basis of known threats and vulnerabilities and recommended countermeasures against these risks. The threats and safeguards are described in detail in attached catalogues. This serves to compare the actual security status with the recommended baseline safeguards.

Threats and recommended security safeguards are summarised in generally applicable components, like organisation, personnel, contingency planning, data protection, infrastructure, cabling, server room, storage media archives, as well as in IT specific modules, like DOS personal computer, UNIX system, Laptop PC, server-based PC network, UNIX Network, data transmission systems, telecommunications system, firewalls, etc. For the version to be published 1997, modules about Windows NT (stand alone, client-server, and peer-to-peer), Novell-Netware, and Windows 95 are being developed.

The recommended safeguards are economic and easy to implement. Furthermore, the description of each safeguard contained in the catalogues gives advice concerning responsibilities, implementation and audits.

When using the IT Baseline Protection Manual, existing IT systems can be described by a combination of appropriate modules (contained in the chapters of the manual), which contain the recommended safeguards. Hence, the selection of safeguards can be accomplished by a simple comparison between already existing and recommended safeguards.

This year, the IT Baseline Protection Manual is published on CD-ROM (German: html format, English: Winword2 format). It is planned to publish the English version also in HTML format in 1997.

Maybe, you would like to know more about the IT Baseline Protection Manual or to use it yourself. Fortunately, we can offer cost-free CDs at the moment, as long as stocks last. The IT Baseline Protection Manual is mainly written to be used by industry, governmental organisations, and anybody else having a professional interest in IT security. If you would like to order a CD, please send a short mail to the address given below. We will reply by sending you a registration form to be filled and sent back. After receiving the form, we will deliver the CD.

We would like to ask all users of the IT Baseline Protection Manual to tell us their opinion, criticism, and suggestions for improvement and corrections. These suggestions will help the future development of the manual.

Please contact:
Carsten Schulz

Bundesamt fuer Sicherheit in der Informationstechnik
Abt. VI --- Beratungsdienst
Tel.: 0228 / 9582-316 Fax: 0228 / 9582-405 e-mail: