What is "Strukturanalyse" (Structure Analysis) in IT-Grundschutz?
The foundational step for any security concept. It involves gaining precise knowledge of an organization's information assets, their importance to business processes and applications, and the organizational/technical environments they are used in.
What are the key sub-steps of "Strukturanalyse"?
Recording business processes, applications, and information within the scope.
Network planning.
Recording IT systems.
Recording rooms and physical locations.
What is the purpose of "Modellierung" (Modeling) in IT-Grundschutz?
To determine which IT-Grundschutz modules are applicable to the selected target objects of an information network. The result is an IT-Grundschutz model, which can serve as a development concept or an audit plan.
What is an "IT-Grundschutz-Check"?
An initial assessment conducted before a risk analysis to determine if the basic and standard requirements of the IT-Grundschutz Compendium are met for specific target objects (e.g., entire information network, Office products, Windows clients).
Who is typically responsible for IT-Grundschutz implementation and verification?
The Information Security Officer (ISB) is involved in strategic decisions and responsible for ensuring and verifying that all requirements of the established security concept are met.
What information should be documented for an IT-Grundschutz-Check?
Information about the review process itself (e.g., interviewer, interviewees, date/time of interview), in addition to the assessment results for each requirement.
Requirement: Einschränken von Aktiven Inhalten (Restricting Active Content)
Restrict or disable active content (e.g., macros, ActiveX controls) in Office products to prevent the execution of malicious code.
Requirement: Sicheres Öffnen von Dokumenten aus externen Quellen (Secure Opening of Documents from External Sources)
Implement policies or technical controls to ensure that documents from untrusted external sources are opened in a secure, isolated environment (e.g., Protected View).
Requirement: Sensibilisierung zu spezifischen Office-Eigenschaften (Awareness of Specific Office Features)
Users must be made aware of, and trained on, the security implications of specific Office features (e.g., macros, linked objects, external content) and how to handle them securely.
Requirement: Sicherheitstechnische Anforderungen an den Telearbeitsrechner (Security Requirements for the Telework Computer)
Define and implement specific technical security requirements for computers used for telework (e.g., encryption, firewall, antivirus, secure configuration).
Requirement: Sensibilisierung und Schulung der Mitarbeiter (Awareness and Training of Employees)
Provide regular awareness and training to employees on the security aspects specific to telework, including the safe handling of data and systems outside the office.
Requirement: Sichere Benutzerauthentisierung (Secure User Authentication)
Implement strong authentication mechanisms for client access, such as complex passwords, multi-factor authentication, or smart cards.
Requirement: Einsatz von Schutzprogrammen gegen Schadsoftware (Use of Anti-Malware Programs)
Deploy and maintain up-to-date anti-malware software on all client systems to detect and prevent malware infections.
Requirement: Updates und Patches für Firmware, Betriebssystem und Anwendungen (Updates and Patches for Firmware, OS, and Applications)
Regularly apply security updates and patches for the client's firmware, operating system, and all installed applications to address known vulnerabilities.
Requirement: Auswahl geeigneter Kryptoverfahren für WLAN (Selection of Suitable Crypto Methods for WLAN)
Use strong and current encryption protocols (e.g., WPA3) for WLAN operation to protect data confidentiality and integrity over the wireless network.
Requirement: Sichere Basis-Konfiguration der Access Points (Secure Basic Configuration of Access Points)
Ensure Access Points are configured securely by changing default passwords, disabling unnecessary services, and implementing strong administrative access controls.
Requirement: Sichere Anbindung von WLANs an ein LAN (Secure Connection of WLANs to a LAN)
Implement proper network segmentation and firewall rules to securely isolate the WLAN from the wired Local Area Network (LAN) and control traffic flow.
Requirement: Sichern von dienstlichen Unterlagen am häuslichen Arbeitsplatz (Securing Official Documents at the Home Office)
Implement measures to securely store physical and digital official documents at the home office, preventing unauthorized access (e.g., locked cabinets, encrypted drives).
Requirement: Entsorgung von vertraulichen Informationen am häuslichen Arbeitsplatz (Disposal of Confidential Information at the Home Office)
Ensure that confidential information (physical and digital) is disposed of securely at the home office (e.g., shredding paper, secure deletion of digital files) to prevent data leakage.
Requirement: Schutz vor unbefugtem Zutritt am häuslichen Arbeitsplatz (Protection Against Unauthorized Access at the Home Office)
Take steps to prevent unauthorized individuals (e.g., family members, visitors) from accessing official equipment or sensitive information in the home office.