IT-Grundschutz
IT-Grundschutz (IT Baseline Protection Manual)
Product identity card
General information
Basic information to identify the product
Method or tool name : IT-Grundschutz (Former English name: IT Baseline Protection Manual)
Vendor name : Federal Office for Information Security (BSI)
Country of origin : Germany
Level of reference of the product
Details about the type of initiator of the product
National Standardization body : BSI (Germany)
Identification
Specify the phases this method supports and a short description
R.A. Method phases supported
- Risk identification : Each IT-Grundschutz module contains a list of typical threats. Threats are also classified in 5 threat catalogues. Identification of additional threats takes place during the supplementary risk analysis.
- Risk characterization : The result of the assessment of protection requirements. For this purpose, protection requirement categories are defined and potential damage scenarios are assigned to these protection requirement categories. A further risk characterization is provided within the supplementary risk analysis, where risks are characterized with the help of the assigned decision of how to handle them (see Risk Analysis based on IT-Grundschutz, chapter 6, "Handling threats").
- Risk analysis : For each threat contained in a module, a detailed description of the threat is provided.
- Risk evaluation : An exposure assessment is made within the assessment of the protection requirements with the help of damage scenarios. For threats identified within the scope of a supplementary risk analysis, the exposure assessment takes place during the phase of threat assessment.
R.M. Method phases supported
- Risk assessment : See R.A. method phases.
- Risk treatment : Catalogues of recommended safeguards. Detailed description of the safeguards assigned to each IT-Grundschutz module. Assignment of safeguards to the threats considered (cross-reference tables). For risk treatment alternatives, see Risk Analysis based on IT-Grundschutz, chapter 6, "Handling threats" in part C.
- Risk acceptance : Risk Analysis based on IT-Grundschutz, "Handling threats" in part C.
- Risk communication : Risk communication is part of the module "IT security management" and is especially handled within the safeguards S 2.191 "Drawing up of an Information Security Policy" and S 2.200 "Preparation of management reports on IT security".
Brief description of the product
IT-Grundschutz provides a method for an organization to establish an Information Security Management System (ISMS). It comprises both generic IT security recommendations for establishing an applicable IT security process and detailed technical recommendations to achieve the necessary IT security level for a specific domain. The IT security process suggested by IT-Grundschutz consists of the following steps:
- Initialization of the process:
  - Definition of IT security goals and business environment
  - Establishment of an organizational structure for IT security
  - Provision of necessary resources
- Creation of the IT Security Concept:
  - IT-Structure Analysis
  - Assessment of protection requirements
  - Modeling
  - IT Security Check
  - Supplementary Security Analysis
- Implementation planning and fulfillment
- Maintenance, monitoring and improvement of the process
- IT-Grundschutz Certification (optional)
Lifecycle
Date of the first edition, date and number of actual version
Date of first release : 1994
Date and identification of the last version : 2005
Useful links
Link for further information
Official web site : http://www.bsi.de/gshb/
User group web site : N/A
Relevant web site : http://www.bsi.de/english/gshb/
Languages
List the available languages that the tool supports
Availability in European languages : German, English
Price
Specify the price for the method
- Free
Scope
Target organisations
Defines the most appropriate type of organisations the product aims at
- Government, agencies
- Large companies
- SME
- Commercial CIEs
- Non commercial CIEs
Specific sector : N/A
Geographical spread
Information concerning the spread of this tool
Used in EU member states : Many
Used in non-EU member states : N/A
Level of detail
Specify the target kind of users
- Management
- Operational
- Technical
License and certification scheme
Specify the licensing and certification schemes available for this method
Recognized licensing scheme : Yes
Existing certification scheme : Yes
Users viewpoint
Skills needed
Specify the level of skills needed to use and maintain the solution
- To introduce : Standard
- To use : Standard
- To maintain : Standard
Consultancy support
Specify the kind of support available
Consultancy : Open market & Company specific
Regulatory compliance
There is a given compliance of the product with international regulations
- KonTraG (German Act on Control and Transparency in Businesses)
- Basel II
- TKG (German Telecommunications Act)
- BDSG (German Federal Data Protection Act)
Compliance to IT standards
There is a compliance with a national or international standard
Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.
Availability : Product is free
Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security
It is possible to measure the I.S.S. maturity level : Yes (three levels)
Tools supporting the method
List of tools that support the product
Non commercial tools
Commercial tools
- HiSolutions AG - HiScout SME
- INFODAS GmbH - SAVe
- inovationtec - IGSDoku
- Kronsoft e.K. - Secu-Max
- Swiss Infosec AG - Baseline-Tool
- WCK - PC-Checkheft
Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools
Tools can be integrated with other tools : No
Organisation processes integration
The method provides interfaces to existing processes within the organisation
Method provides interfaces to other organisational processes : Quality management, IT revision, Data Protection, SLA management, Project management
Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.
Method allows use of sector adapted databases : Yes