Federal IT structure: How minimum security requirements can be achieved
Fulfilling the requirements of the IT-Grundschutz (IT-GS) is mandatory, among other things, for all federal IT protection objects as part of the security procedure. This ensures that the Confederation's IT infrastructure consistently meets the minimum security requirements, or shows how these can be achieved. Version 5.0 of the IT-Grundschutz is valid from March 1, 2022, and thus replaces the previous version ICT-GS 4.6. In principle, the new version pursues the same goal, but has been adapted in places. These adjustments are explained in this blog post in a practical manner, in order to give application managers in operations, ISDS managers (responsible for information security and data protection aspects in a project) and project managers in HERMES projects a smooth introduction to IT-Grundschutz 5.0.
"The requirements that [...] are marked with an asterisk (*) are less risky from the perspective of IT security for the federal administration. Deviations are possible for them if they are justified and documented in the document Implementing measures for ICT basic protection or in the ISDS concept."
The practical interpretation of this: IT-Grundschutz 5.0 must cover a very broad, heterogeneous field of protection objects. Complete fulfillment of all requirements, as was previously communicated in some cases (subject only to classifying individual requirements as "Not relevant"), is neither possible nor expedient for many protection objects. The adaptations here bring the flexibility needed to apply the rather general requirements to each protection object in a targeted way.
"For applications, the person responsible for the application in accordance with the role description of the federal government's IT processes (see reference to P000)."
For applications, the role owners of the protection object are generally on the benefit recipient (BP) side and are more operationally involved with the protection object. Including role owners who know the protection object from an operational perspective is a welcome development, especially for validating documents that are initially created in projects but then need to be maintained in operations. In addition to (1) the ISBO, (2) the principal*, (3) the business process owner*, and (4) the PI owner or member of management, IT-GS 5.0 adds (5) the protection object owner.
The new version of IT-Grundschutz consistently brings improvements without breaking with the fundamental principles and objectives. An update of the IT-Grundschutz must take place at the latest within the regular life cycle of the security documentation, which is a maximum of five years from approval. When migrating from ICT-GS 4.6 (or older) to IT-GS 5.0, a fundamental, "fresh" processing of the new IT-Grundschutz leads to faster and better results than copying assessments directly from ICT-GS 4.6 into IT-GS 5.0.
References:
NCSC Homepage > Documentation > Federal IT Security Requirements > Security Procedures > Basic Protection:
- Si001 - IT-Grundschutz in the Federal Administration - Version 5.0 (PDF)
- Si001 - Hi01: Implementation of measures for IT-Grundschutz in the Federal Administration - Version 5.0 (XLS)
BK Homepage > Digital Transformation and ICT Governance > Requirements > Processes and methods:
- P000 - IT processes in the federal administration
- P041 - Protection requirements analysis - Version 4.5 (PDF, 344 kB, 19.04.2021)
- P035 - Dealing with requirements and requirements for federal IT