BSI Offers Free IT Baseline Protection Manual, Solicits Comments

by Carsten Schulz, BSI

The BSI (German Information Security Agency) was founded in 1990. One of its tasks is to advise and support governmental agencies, companies, etc. in all IT-security-relevant questions, especially in how to write IT security concepts (which in our terminology means documents describing how safeguards are selected and IT security is implemented for the IT systems under consideration).

These activities also include developing and improving the methods used to produce such IT security concepts. Up to now, risk analysis has mainly been used for this purpose. As one can imagine, performing a risk analysis is a very time-consuming task, but it yields results appropriate to the IT systems under consideration.

These detailed results are only necessary in the case of high protection requirements. The idea that implementing standard security safeguards is sufficient for 'normal', medium protection requirements seems obvious. You may have come across this idea under the term 'baseline security safeguards'. The combination of risk analysis (for high protection requirements) and baseline security safeguards (for low to medium protection requirements) makes it possible to minimize effort and optimize results. This combined method has been continuously developed in Germany over recent years and is by now considered a de facto standard. It is also recommended by various Technical Reports developed in ISO/IEC JTC1/SC27/WG1.

BSI published the first version of the IT Baseline Protection Manual in 1994. This manual recommends IT security safeguards for typical IT systems which are adequate and sufficient for medium-level protection requirements. To identify these safeguards, BSI assumed typical threats applicable to the IT systems; their description can be found in an attached threat catalogue. A detailed description of each recommended safeguard can also be found in the Manual. Each year, the Manual is updated and extended with components dealing with the most recent technical developments.

Threats and recommended security safeguards are listed in superordinate components, such as organisation, personnel, contingency planning, data protection, infrastructure and cabling, as well as in IT-specific components, like:

The selected safeguards are economical and easy to implement. Furthermore, the descriptions of safeguards contain advice concerning responsibilities, implementation and audit. When applying the IT Baseline Protection Manual, real IT systems can be modelled as a combination of appropriate components in order to select the recommended safeguards.
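The modelling step described above, as an added illustration (not code from the BSI or the Manual): a real IT system is described as a combination of components, the safeguards recommended for each component are collected into one required set, the result is compared against the safeguards already implemented, and any component whose protection requirement is higher than 'medium' is flagged for a separate risk analysis rather than being covered by baseline safeguards alone. The component names, safeguard identifiers and the sample inventory are constructed placeholders, not entries from the Manual.

```python
"""Model an IT system as a combination of baseline-protection components.

Added example. The catalogue, component names and safeguard identifiers
below are constructed placeholders; they are not taken from the BSI manual.
"""
from dataclasses import dataclass, field

# Constructed placeholder catalogue: component -> recommended safeguards.
# A real catalogue would carry the Manual's own safeguard descriptions.
CATALOGUE = {
    "organisation":         {"S-ORG-1", "S-ORG-2"},
    "personnel":            {"S-PER-1"},
    "contingency-planning": {"S-CON-1", "S-CON-2"},
    "infrastructure":       {"S-INF-1"},
    "cabling":              {"S-INF-1", "S-CAB-1"},
    "unix-server":          {"S-UNX-1", "S-UNX-2", "S-ORG-2"},
    "pc-workstation":       {"S-PC-1"},
}

# Ordering of protection requirements; only 'high' exceeds the baseline.
LEVELS = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Component:
    """One building block of the modelled system."""
    name: str
    protection_requirement: str = "medium"


@dataclass
class Result:
    required: set = field(default_factory=set)      # union of recommended safeguards
    missing: set = field(default_factory=set)       # required but not yet implemented
    needs_risk_analysis: list = field(default_factory=list)  # components above baseline


def model_system(components, implemented, catalogue=CATALOGUE):
    """Combine components, collect safeguards and find the gaps.

    Raises KeyError for a component or protection level that is not known,
    so a typo in the inventory is not silently treated as 'no safeguards'.
    """
    result = Result()
    for comp in components:
        if comp.name not in catalogue:
            raise KeyError(f"unknown component: {comp.name!r}")
        if comp.protection_requirement not in LEVELS:
            raise KeyError(f"unknown protection level: {comp.protection_requirement!r}")
        # Safeguards shared by several components are counted once.
        result.required |= catalogue[comp.name]
        # Baseline safeguards cover low and medium requirements only.
        if LEVELS[comp.protection_requirement] > LEVELS["medium"]:
            result.needs_risk_analysis.append(comp.name)
    result.missing = result.required - set(implemented)
    return result


def example_inventory():
    """Constructed sample system: one high-requirement server, one PC, organisation."""
    components = [
        Component("unix-server", "high"),
        Component("pc-workstation"),
        Component("organisation"),
    ]
    implemented = {"S-ORG-1", "S-UNX-1"}
    return model_system(components, implemented)


if __name__ == "__main__":
    res = example_inventory()
    print("required safeguards:", sorted(res.required))
    print("not yet implemented:", sorted(res.missing))
    print("risk analysis needed for:", res.needs_risk_analysis)
```

The union over components is what keeps the baseline approach cheap: a safeguard recommended by several components is implemented and audited once, and only the components flagged in `needs_risk_analysis` incur the cost of a full risk analysis.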

As last year, the IT Baseline Protection Manual is also published on CD-ROM (German/English: HTML format, German/English: Winword2 format).

If you are interested in this manual, please contact us (e-mail contact address below). We look forward to hearing from you. In order to send the manual to you, we need at least the following information: surname, first name, company and your position in the company, e-mail address, postal address.

Please tell us your opinion, criticisms, corrections, and suggestions for improvement. The manual can only be improved through your suggestions.

If you want to use the Manual on a Unix platform, please mention this explicitly in your mail, since you will then need an additional Unix-compatible version!

Please contact: Carsten Schulz