ORP.1 Organisation

Description

Introduction

Every institution requires a responsible department to manage and regulate general operations and to plan, organise, and carry out administrative services. Most institutions have an organisational unit that coordinates the interplay of the various roles and units with the corresponding business processes and resources. Information security aspects must be incorporated and bindingly defined at this overarching level.

Objective

This building block sets out general and cross-cutting requirements in the area of organisation that contribute to raising and maintaining the level of information security. In this context, information flows, processes, role assignments, and both the organisational structure and operational procedures must be regulated.

Scope and Modeling

The building block ORP.1 Organisation MUST be applied at least once to the information network. If parts of the information network are assigned to a different organisational unit and are therefore subject to different framework conditions, the building block SHOULD be applied to each unit separately.

This building block forms the overarching basis for implementing information security within an institution. It does not address specific aspects relating to personnel, training of employees, management of identities and permissions, or requirements management. These aspects are covered in the building blocks ORP.2 Personnel, ORP.3 Awareness and Training in Information Security, ORP.4 Identity and Access Management, and ORP.5 Compliance Management (Requirements Management).

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance to the building block ORP.1 Organisation.

Missing or Inadequate Regulations

Missing regulations can lead to serious security gaps, for example when employees do not know how to respond to incidents. Problems can also arise when regulations are outdated, impractical, or poorly worded.

The importance of these overarching organisational regulations increases with the complexity of business processes and the scope of information processing, as well as with the protection needs of the information being processed.

Non-Compliance with Regulations

All employees must be informed of the applicable regulations and have access to them for reference. Experience shows that it is not sufficient merely to establish security rules. Communicating them to employees is of fundamental importance so that all those affected can apply the requirements in their day-to-day work.

If employees disregard regulations, the following security gaps may arise, for example:

  • Confidential information is discussed within earshot of outsiders, for instance during breaks between meetings or over mobile phone calls in public environments.
  • Documents are published on a web server without first verifying that they are actually intended and approved for publication.
  • Due to incorrectly administered access rights, employees may modify data without being able to assess the severity of this integrity violation.

Missing, Unsuitable, or Incompatible Equipment

If required equipment is available in insufficient quantities or is not provided on time, disruptions may occur within the institution. It can also happen that unsuitable or even incompatible equipment is procured and consequently cannot be used.

Example: The storage capacity of hard disks in clients and servers, as well as of removable media, is constantly increasing. Institutions often neglect to procure IT components and storage media with sufficient capacity for regular data backups.

The operational readiness of the equipment in use must also be guaranteed. If maintenance is not carried out or is only carried out inadequately, significant damage can result.

Examples:

  • The battery capacity of an uninterruptible power supply (UPS) was not checked in time. If the capacity or acid level is too low, the UPS can no longer bridge a power failure for a sufficient length of time.
  • The fire extinguishers were not serviced in time and therefore no longer have sufficient pressure. Their extinguishing capacity is thus no longer guaranteed in the event of a fire.

Threats Posed by External Parties

It cannot generally be assumed that persons external to the institution will handle the information and information technology accessible to them in accordance with the institution’s requirements.

Visitors, cleaning staff, and external personnel can jeopardise internal information, business processes, and IT systems in various ways, ranging from improper handling of technical equipment and attempts to “play around” with IT systems to theft of documents or IT components.

Examples:

  • Unaccompanied visitors may access documents and storage media, gain access to devices, damage them, or spy on sensitive information.
  • Cleaning staff may inadvertently disconnect plugs, allow water to enter devices, misplace documents, or dispose of them with the rubbish.

Requirements

The following are the specific requirements of the building block ORP.1 Organisation. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and reviewed in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities               Roles
Primary responsibility         Central Administration
Additional responsibilities    Employees, Users, IT Operations, Facility Management, Top Management

Exactly one role SHOULD hold Primary responsibility. There may also be Additional responsibilities. If one of these additional roles holds primary responsibility for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not indicate how many people are intended to fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

ORP.1.A1 Definition of Responsibilities and Regulations (B) [Top Management]

Within an institution, all relevant tasks and functions MUST be clearly defined and distinguished from one another. Binding regulations for information security MUST be established across the various operational aspects. Organisational structures and binding regulations MUST be revised whenever circumstances require it. All changes MUST be communicated to all employees.

ORP.1.A2 Assignment of Responsibilities (B) [Top Management]

For all business processes, applications, IT systems, rooms and buildings, and communication connections, it MUST be determined who is responsible for these and their security. All employees MUST be informed, in particular about what they are responsible for and what related tasks they are to carry out.

ORP.1.A3 Supervision or Accompaniment of External Persons (B) [Employees]

Persons external to the institution MUST be accompanied by employees to the relevant rooms. Employees of the institution MUST supervise external persons in sensitive areas. Employees SHOULD be instructed not to leave external persons unsupervised in the institution’s premises.

ORP.1.A4 Separation of Functions Between Incompatible Tasks (B)

Tasks and the roles and functions required for them MUST be structured so that incompatible tasks, such as operational and controlling functions, are distributed among different persons. A separation of functions MUST be defined and documented for incompatible functions. Deputies MUST also be subject to the separation of functions.

ORP.1.A5 DISCONTINUED (B)

This requirement has been discontinued.

ORP.1.A15 Point of Contact for Information Security Issues (B)

Every institution MUST have points of contact for security questions who can answer both apparently simple and complex or technical questions. These points of contact MUST be known to all employees of the institution. Relevant information MUST be available and easily accessible to everyone in the institution.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be fulfilled.

ORP.1.A6 DISCONTINUED (S)

This requirement has been discontinued.

ORP.1.A7 DISCONTINUED (S)

This requirement has been discontinued.

ORP.1.A8 Equipment and Device Management (S) [IT Operations]

All devices and equipment that have an impact on information security and that are required to fulfil tasks and comply with security requirements SHOULD be available in sufficient quantities. There SHOULD be appropriate inspection and approval procedures before devices and equipment are deployed. Devices and equipment SHOULD be listed in appropriate inventories. To prevent the misuse of data, the reliable deletion or disposal of devices and equipment SHOULD be regulated (see CON.6 Deletion and Destruction).

ORP.1.A9 DISCONTINUED (S)

This requirement has been discontinued.

ORP.1.A10 DISCONTINUED (S)

This requirement has been discontinued.

ORP.1.A11 DISCONTINUED (S)

This requirement has been discontinued.

ORP.1.A12 DISCONTINUED (S)

This requirement has been discontinued.

ORP.1.A13 Security During Relocations (S) [IT Operations, Facility Management]

Security policies SHOULD be developed or updated at an early stage before a relocation. All employees SHOULD be informed about the security measures relevant before, during, and after the relocation. After the relocation, it SHOULD be verified that the transported items arrived complete, undamaged, and unaltered.

ORP.1.A16 Policy for Secure IT Use (S) [Users]

A policy SHOULD be created that transparently describes for all employees what framework conditions must be observed when using IT and what security measures are to be taken. The policy SHOULD cover the following points:

  • Security objectives of the institution,
  • important terminology,
  • tasks and roles related to information security,
  • points of contact for information security questions, and
  • security measures to be implemented and observed by employees.

The policy SHOULD be brought to the attention of all users. Each new user SHOULD confirm in writing that they have taken note of and will observe the policy before they are permitted to use the information technology. Users SHOULD confirm the policy again at regular intervals or after major changes. The policy SHOULD be stored so that it is freely accessible to all employees for reference, for example on the intranet.

Requirements for High Protection Needs

The following are proposed example requirements for this building block that go beyond the level of protection representing the state of the art. The proposals SHOULD be considered in the case of high protection needs. Whether they apply is determined within the framework of an individual risk analysis.

ORP.1.A14 DISCONTINUED (H)

This requirement has been discontinued.

ORP.1.A17 Prohibition on Carrying Mobile Phones (H)

Mobile phones SHOULD NOT be carried to confidential meetings and conversations. If required, this SHOULD be verified using mobile phone detectors.

Additional Information

Good to Know

No additional information is available for the building block ORP.1 Organisation.