With the further development of the BSI 200 standards as part of the basic IT protection, the German Federal Office for Information Security (BSI) wants to help companies follow uniform specifications in IT security. Companies that want to sustainably improve their IT security should promptly address the requirements of the updated BSI standards.
What the BSI Standards 200 mean for companies
The BSI’s IT-Grundschutz is a guide that helps organizations establish and expand a reliable concept for IT protection. It shows, step by step, which components are part of effective threat prevention and how the concept is transferred from theory to practice.
The advice given in IT-Grundschutz is based on the standards of the ISO 27000 series. The aim of IT-Grundschutz is therefore to guide companies on how they can easily comply with the requirements of the relevant ISO standards. To this end, it refers to numerous practical examples and provides useful background information.
Conversely, this means that as soon as a company complies with IT-Grundschutz, it automatically complies with the ISO 27000 series.
The BSI standards
Within IT-Grundschutz, the current standards BSI-200-1 to -4 are divided by topic:
- BSI-200-1 defines the general requirements for an information security management system (ISMS). The standard is compatible with ISO standard 27001, which likewise defines the requirements for an ISMS.
- BSI-200-2 is closely related to -1 and describes approaches to initiating, completing, or extending an ISMS. The standard is intended to help managers implement an ISMS in their organization.
- BSI-200-3 is a collection of work steps for risk analysis in IT-Grundschutz. It enables organizations to assess and manage the threats to their IT security.
- BSI-200-4 will be released in the near future and will introduce a step model to help get started with business continuity management (BCM). The standard will guide interested users from the first steps to an established BCM, which will also ensure compatibility with ISO standard 22301.
While BSI-200-1 and -2 thus serve the basic establishment of an ISMS, the third guide represents an extension for organizations that already have such a system in place and now want to assess risks threatening them.
Bringing your own IT security in line with the BSI standards
Companies that want to improve their IT security in the long term should get to grips with the requirements of the BSI standards. An important step in the right direction is securing the company’s own network infrastructure, as its proper functioning is crucial for business operations and it is therefore a frequent target for criminals.
One solution approach is an intelligent, automated security policy management system. Once such a solution has been implemented, the network and all associated protection measures, such as firewalls, routers, and cloud backups, can be continuously monitored. In other words, the risk in relation to IT-Grundschutz can be examined and assessed before any change is made, regardless of whether the IT environment is implemented as a cloud, hybrid, or on-premises solution.
In addition, such a system makes it possible to assess risks that may arise when configuring the firewall and helps to integrate new business applications seamlessly into existing firewall environments.
To ensure the highest possible level of compliance with IT-Grundschutz, the solution should also have the ability to automatically generate reports on the degree of this compliance for the entire network. These should also list which areas still require improvement. Ideally, the solution itself will provide the means to remediate the affected areas or advise what actions would need to be taken to ensure a high level of compliance with the standard.
However, establishing effective IT protection is not a one-time affair; rather, it requires continuous effort to maintain a high level of protection. That is why changes to configurations, which can occur daily in network environments, should be continuously monitored and, in terms of IT-Grundschutz, flagged as either permissible or a violation.
At the same time, such a system with flexible reporting and dashboard capabilities automatically provides documentation of all change actions performed, saving companies a lot of time and effort in terms of internal or external audits.
IT-Grundschutz, including the BSI standards, is a very good guide for all companies that want to set up their IT security from scratch or expand existing measures. An important part of this ‘collection of formulas’ is securing one’s own network infrastructure, where dedicated firewall policy management solutions make the crucial contribution. When selecting such a solution, decision-makers should pay particular attention to whether it automatically compares the status of their own policies with the requirements of IT-Grundschutz and immediately reports any discrepancies.
In summary, a security policy management solution should have the following capabilities in order to support compliance with the BSI requirements:
- Displaying all security-relevant devices on the network together with their level of compliance with the BSI standards. In the best case, this takes place at the push of a button, without requiring in-depth IT knowledge.
- Generating reports on the current compliance of the entire IT environment with BSI 200-1 to -4.
- Issuing alerts if devices or policies in the network prevent compliance with the standards and thus represent security gaps, ideally together with recommendations on how to close these gaps.
- Continuously reviewing all changes within network security. This ensures that compliance is not a one-time state but an ongoing one.
With the right solution, the BSI standards for basic protection can then be met and the work of IT security departments simplified, allowing them to focus on more important matters of corporate protection.