Jens Westphal, expert for information security at msg, explains in this interview with BusinessIQ how companies successfully implement basic IT protection - and why templates alone are not enough.
First of all: What needs to be considered in the newly revised IT Basic Protection, published this year by the Federal Office for Information Security (BSI)?
The BSI has fundamentally revised and further developed the IT Basic Protection on the basis of many years of application practice. The methodology of the new IT Basic Protection version can now be applied much more easily and its entry levels facilitate the introduction and design in organisations. The conversion of the basic protection catalogues to the basic protection compendium streamlines and structurally improves the contents. However, the user now needs a deeper understanding of the connections between hazards, risks and measures.
Especially for the needs of small and medium-sized organizations, the new IT Basic Protection is now a tried and tested means to quickly and effectively achieve basic protection.
Large companies and corporations have already invested immensely in their IT security. Some have even hired their own Chief Information Security Officer (CISO). The CISO exclusively takes care of the security of the running information systems. Can these companies still draw new information from basic protection at all? In bold terms: Is IT security only possible with the basic protection of the BSI - or are we possibly dealing here with old wine in new bottles?
The topic of "information security" is not rigid and unchangeable, but is linked to the goal of adequately protecting the information assets and processes of organizations. For this reason, it must adapt flexibly to the respective requirements. In addition to an interpretation of standards, the underlying standards must also be further developed. This has recently happened with the new edition of the BSI Basic Protection.
The same also applies to the other standards for information security. ISO 27001, for example, has been updated approximately every three years since its first edition in 2005. The CISOs or IT security officers of the organizations are therefore well advised to take a close look at the respective changes to the standards.
In the same context, they should also inform themselves about current attack scenarios as well as technical and organizational protective measures. This is because the increasing digitalization and networking of all business processes increases the dependency on IT and thus also the danger that IT threat scenarios become real risks.
A good example of this is the potential threat to personal rights posed by unauthorized processing of personal data. In order to counter this problem, the European General Data Protection Regulation was created. In order to make it technically effective, the Regulation relies on information security measures. So it is not about old wine in new bottles, although of course the issue of 'safeguarding values present in organisations' has remained the same. Rather, the new IT basic protection is an appropriate response to an increasingly complex requirement and threat situation to which companies and public authorities are exposed with all their business processes.
The table of contents of the IT Basic Protection alone counts four pages. The entire document comprises 840 pages and is updated annually. How do companies approach this Sisyphean task without despairing?
When setting up an information security process, it is important to get started. For this, the management of companies must also support this process and financial resources must be available.
If these prerequisites are fulfilled, the first step towards setting up an information security management system (ISMS) should not be too big. In the old basic protection, whose total work comprised a length of more than 5,000 pages, the entry was very difficult and protracted. With the new basic protection version, this hurdle has now been removed due to cleverly chosen entry levels.
It is not necessary to deal with the 840 pages of the complete document mentioned by you, but organizations can first concentrate on the aspects that are essential for them. Once the basic structures of an ISMS have been established, it will be much easier to achieve the desired security level during system operation and in the course of further development - without being deterred by the overall scope of basic IT protection.
Let's say my company is already ISO 27001 certified and renewal is imminent. How useful is it to prepare yourself with IT Basic Protection?
If an existing ISO 27001 certification is due for renewal, then it is only rarely sensible to prepare yourself with IT Basic Protection.
Companies should rather know the contents of the standard to be used for certification well and implement them in the individual aspects in a verifiable manner.
If a certification already exists, a change between ISO 27001 and IT Basic Protection is often not recommended. However, it makes sense to combine good aspects from both standards. Thus, the measures formulated in the IT Basic Protection are often used to fulfill the ISO 27001 controls.
What do you do at msg when you advise a company on how to set up an effective IT basic protection system?
The first and most important step is to understand and correctly classify the security needs of an organization. For this purpose, we conduct a workshop with executives, specialists and stakeholders of the organization concerned at the beginning of our activities.
On the basis of these findings, the essential framework conditions for the design and structure of the ISMS are determined. We then draw up a project and implementation plan.
The project steps depend on the type, sequence and scope of the time targets to be achieved, the need for protection of the assets to be protected, the desired form of protection (basis, core, standard), the need for further risk analyses and, of course, the type and size of the organisation.
In this respect, information security projects are always very individual. However, they can be implemented relatively quickly and leanly if existing basic protection profiles are used.
In general, our approach is based on the guidelines issued by the BSI in order to achieve the desired level of security. The components are always a modelling according to IT Basic Protection, the determination of concrete measures to be implemented and the execution of the IT Basic Protection Check. In the further course, the measures are implemented and the ISMS is put into effect. The subsequent further development and demand-oriented design of the measures then depend on the desired security level and the corresponding prioritization of the project steps.
Thank you very much for answering the questions, Mr. Westphal!
Jens Westphal is responsible for information security in the public sector at msg. He has more than 20 years of cross-industry experience in consulting organizations and is a proven specialist in setting up and operating information security management systems according to ISO 27001 or IT Basic Protection.