Protection with basic IT protection

Stefan Effenberger, IT Documentation Expert

Last updated: 31 March 2025

Reading time: 3 minutes


The most important thing in brief:

  • Comprehensive security measures: BSI IT basic protection offers a structured compendium of over 100 building blocks covering technical, organizational, personnel and infrastructural protection measures for companies and authorities.
  • Four-stage security concept: the IT basic protection standards are divided into four levels:
    • BSI Standard 200-1: requirements for an Information Security Management System (ISMS).
    • BSI Standard 200-2: definition of basic, standard and core protection.
    • BSI Standard 200-3: risk management for carrying out risk analyses.
    • BSI Standard 200-4: emergency management for time-critical business processes.
  • ISO 27001 certification: companies can prove their IT security through certification in accordance with ISO 27001 based on IT basic protection, which is checked by certified auditors.

IT managers and IT administrators are under constant pressure when it comes to security and IT basic protection. New threats arrive directly from the Internet almost every day. Even long-proven programs from major software vendors keep turning up with new vulnerabilities. And new technologies, such as cloud use, require more modern but above all different security measures. IT managers are therefore already faced with very extensive tasks.

Despite the experience that many long-established IT administrators have built up, they face a constantly growing range of threats to modern IT from every direction. You should not rely on the luck of not having forgotten or overlooked anything.

Basic IT protection “thinks” ahead

Where do discarded workplace devices end up? What happens to old company mobile phones? What happens to the data on defective hard drives that are sent in under warranty? There are many ways in which gaps can open up very quickly in an otherwise well-secured IT network.

The same applies to disasters. Of course, many companies have their central IT in the basement, but that is exactly the area affected first by flooding. And what about the security settings when employees leave? Are all permissions really set the way they should be? Even the “temporary” access rights granted to specific folders?

Many sources of danger only become apparent once they materialize. And even if countermeasures are taken as quickly as possible, it may already be too late. To cover the widest possible range of hazards and risks, the Federal Office for Information Security (BSI) developed IT basic protection (IT-Grundschutz).

BSI IT basic protection

The massive use of cutting-edge technologies in the IT network does not only bring benefits to the company operating them. The enormous variety of devices and processes constantly creates new risks and vulnerabilities, each of which can pose a risk to any company. But it is not only the latest technologies that contain pitfalls. Even proven technology is not always actively protected as well as possible against threats, attacks or sabotage. Often those responsible are not even aware in detail of the risks that modern IT faces from all sides.

If you want to rely less on luck and instead actively ensure that your own company is optimally protected against many dangers, you need to follow a coordinated approach. The IT Basic Protection Compendium (IT-Grundschutz-Kompendium) from the BSI, a compilation of basic security measures for authorities and companies, is a great help here. BSI IT basic protection covers technical security measures in particular, as well as infrastructural, organizational and personnel protection measures.

The risk that important details are simply forgotten or overlooked when implementing the necessary security measures can never be ruled out entirely. Anyone who downloads the free BSI Basic Protection Compendium will be amazed at the situations individual companies can be confronted with.

While some measures belong to the standard repertoire of every well-trained IT administrator, others trigger the so-called “aha” effect. Especially when it comes to sabotage options, quite a few weak points can probably be found very quickly in countless companies.

Information Security Management System (ISMS)

Without offering detailed solutions, BSI IT basic protection helps with setting up a tailor-made ISMS (Information Security Management System). From the more than 100 building blocks included in IT basic protection, users can identify the specific basic protection components relevant to their current security issues.

This is not just about building an ISMS, but also about maintaining the standards that have been introduced. BSI IT basic protection comprises several standards and is divided into four levels.

BSI Standard 200-1 — ISMS Compendium

Here the compendium explains what an Information Security Management System (ISMS) must contain and which requirements must be met. In particular, the tasks of the management level are explained, because it usually also carries overall responsibility in the company.

BSI Standard 200-2 — Definition of Safeguards

  • Basic protection
  • Standard protection
  • Core protection

Basic protection can largely be achieved with low personnel, financial and time expenditure.
Standard protection builds on basic protection and enables the implementation of a comprehensive ISMS.
Core protection is a special form of protection for particularly important areas in the company.

BSI Standard 200-3 — Risk Management

To achieve a specific security level, this standard provides a simplified procedure for carrying out a risk analysis in companies. It also covers all risk-related work steps in the implementation of IT basic protection.

BSI Standard 200-4 — The Emergency

In an emergency, it is important to have established a functioning emergency management. This allows time-critical business processes to be resumed as quickly as possible after a failure. This standard shows a systematic approach to building up emergency management for authorities or companies.

Certification in accordance with BSI IT Basic Protection?

IT basic protection certification can take place in accordance with the internationally recognized ISO standard 27001.
ISO 27001 certification based on IT basic protection is possible both for standard protection and for core protection. For basic protection, the BSI offers a certificate to prove successful implementation.

The prerequisite for awarding an ISO 27001 certificate on the basis of IT basic protection is an audit carried out by a BSI-certified ISO 27001 basic protection auditor. The duties of such an auditor include reviewing the reference documents prepared by the institution, carrying out an on-site audit and preparing an audit report. To issue an ISO 27001 certificate, this audit report must be submitted to the BSI for review. On the basis of the audit report, the BSI decides whether a certificate is issued.

To learn more about ISO 2700x certification, please refer to our blog post on this topic.

IT documentation as a basis for basic IT protection

Any basic protection or certification in accordance with ISO 2700x is always based on basic IT documentation. Without knowing the exact and current status of devices and software, certification cannot be carried out, nor can a minimum level of security be guaranteed. In the software sector in particular, a wide variety of manufacturers release security patches several times a week. Some of them even fix critical gaps that were previously unknown.

Unfortunately, with conventional methods the current patch levels of individual computers or servers cannot be identified at a glance. Important firmware updates for hardware components must also first be read out and compared with the current status before measures can be taken. And of course, certifications or IT basic protection aside, you should not take too much time over this: once a vulnerability has been announced, there is an extremely high risk that it is already being exploited.

But it is not just the one-time inventory and documentation that poses a problem for many IT managers. The certifications require one thing above all: regular reporting to those responsible for the company, in other words to the management.

Since managing directors or company management are the ones who have to answer for it in an emergency, it is not only good form to regularly present the current status and any upcoming measures to the management team.

IT documentation without automation makes little sense

To get things right from the start, you should use professional IT documentation software such as Docusnap. This lays the foundation not only for the basic requirements of BSI IT basic protection, but also for desired certifications such as ISO 2700x or the TISAX standard relevant to the automotive industry.

It is not just about inventorying all devices in the IT network. Devices are generally far less affected by innovations or “updates” than the software installed on them. Especially in the server area, many security patches are classified as critical, and the gaps they close can mean a serious risk to the company.

Professional documentation software records, in fully automated scanning processes, not only the devices but above all the software installed on them. And because the name of the software alone is useless, the currently installed version including patch status is also included in the documentation.

This is the only way to identify weaknesses and eliminate them on the basis of regular reports or targeted searches. This control and security function is irreplaceable for basic IT security. Manual reconciliation with sufficient manpower and, above all, sufficient time may help in extreme cases, but it is not a practicable path in the long run.

At the latest when regular reporting to the management is due, the data must be as up to date as possible.
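As an added illustration (this is not Docusnap's code, nor anything from the BSI standards), the reconciliation step described above can be written down in a few lines of Python: a constructed inventory, as an automated scan might record it, is compared against a constructed baseline of minimum patched versions. The report flags outdated installations, products for which no baseline exists (so their patch status cannot be judged at all) and records that are too old to be trusted for management reporting. Host names, product names, versions, the baseline and the reporting date are all made up for the example.

```python
"""Added example: reconcile a software inventory against minimum patched
versions and report what a regular management report would need to show.
All hosts, products, versions and dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Installation:
    host: str          # device the software was found on
    product: str       # software name as recorded by the scan
    version: str       # installed version including patch level
    scanned_on: date   # when the record was last refreshed


# Constructed inventory, as an automated scan might record it.
INVENTORY = [
    Installation("srv-db-01", "ExampleDB", "14.2.1", date(2025, 3, 28)),
    Installation("srv-web-01", "ExampleHTTPD", "2.4.58", date(2025, 3, 28)),
    Installation("srv-web-02", "ExampleHTTPD", "2.4.62", date(2025, 3, 29)),
    Installation("ws-0117", "ExampleViewer", "10.1.0", date(2025, 2, 3)),
    Installation("ws-0230", "ExampleVPNClient", "1.0.0", date(2025, 3, 30)),
]

# Constructed baseline: lowest version that contains the latest security fix.
MIN_PATCHED = {
    "ExampleDB": "14.2.3",
    "ExampleHTTPD": "2.4.60",
    "ExampleViewer": "10.1.0",
}

# Constructed reporting date for the sample run.
AS_OF = date(2025, 3, 31)


def parse_version(v: str) -> tuple:
    """Turn a dotted version like "2.4.58" into a comparable tuple of ints.
    A non-numeric component (e.g. "rc1") becomes -1 so that a pre-release
    sorts below the final release with the same numeric prefix."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def is_outdated(installed: str, minimum: str) -> bool:
    """True if the installed version is below the minimum patched version.
    Both tuples are padded with zeros so "2.4" compares equal to "2.4.0"."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def is_stale(scanned_on: date, as_of: date, max_age_days: int) -> bool:
    """True if the record is older than the tolerated scan age."""
    return (as_of - scanned_on).days > max_age_days


def build_report(inventory, baseline, as_of, max_age_days=7):
    """Return the three findings a patch-status report needs: installations
    below the baseline, products with no baseline entry (patch status cannot
    be judged), and records too old to report on with confidence."""
    outdated, unknown, stale = [], [], []
    for inst in inventory:
        if is_stale(inst.scanned_on, as_of, max_age_days):
            stale.append(inst)
        minimum = baseline.get(inst.product)
        if minimum is None:
            unknown.append(inst)
        elif is_outdated(inst.version, minimum):
            outdated.append((inst, minimum))
    return {"outdated": outdated, "unknown": unknown, "stale": stale}


def example_report():
    """Run the reconciliation over the constructed sample data."""
    return build_report(INVENTORY, MIN_PATCHED, AS_OF)


if __name__ == "__main__":
    report = example_report()
    for inst, minimum in report["outdated"]:
        print(f"OUTDATED {inst.host}: {inst.product} {inst.version} < {minimum}")
    for inst in report["unknown"]:
        print(f"NO BASELINE {inst.host}: {inst.product} {inst.version}")
    for inst in report["stale"]:
        print(f"STALE {inst.host}: last scanned {inst.scanned_on}")
```

The three result lists map directly onto what the text asks of the documentation: "outdated" is the list of gaps to close, "unknown" shows where the baseline itself is incomplete, and "stale" shows where the inventory is no longer current enough to put in front of management. In practice the baseline would be maintained from vendor advisories rather than typed in by hand.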

Making IT security easier

Good IT documentation software does not only collect data; it also offers extensive reporting functions and granular user management, because it is often necessary to make at least part of the documentation available to other people or departments.

Because printed versions of emergency manuals or network plans are subject to natural aging and cannot update themselves, they become useless after just a short time. With good user management, you give selected people the access they need.

When implementing BSI IT basic protection or an ISO 27001 certification, professional IT documentation is worth its weight in gold. Since all data is immediately available in the latest version during an audit, this basic work is made enormously easier, or in many cases made possible in the first place.

The next steps:

BSI IT basic protection requires detailed and regularly updated documentation of the IT infrastructure in order to identify security risks at an early stage and meet compliance requirements. With Docusnap, you can inventory your IT landscape without agents, analyze protection requirements and risks, and create reports and plans that comply with BSI requirements. Use the free trial version to see how Docusnap helps you implement IT basic protection in a structured way.
