To reach this goal, the BSI recommends "well-proven technical, organizational, personnel, and infrastructural safeguards".
The foundation of an IT baseline protection concept is initially not a detailed risk analysis.
Based on these, appropriate personnel, technical, organizational and infrastructural security measures are selected from the IT Baseline Protection Catalogs.
Besides probability of occurrence and potential damage extents, implementation costs are also considered.
By using the Baseline Protection Catalogs, costly security analyses requiring expert knowledge are dispensed with, since the approach works with overall hazards at the outset.
The following steps are taken pursuant to the baseline protection process during structure analysis and protection needs analysis:
Creation occurs in the following steps:
An IT network includes the totality of infrastructural, organizational, personnel, and technical components serving the fulfillment of a task in a particular information processing application area.
To generate an IT security concept, and especially to apply the IT Baseline Protection Catalogs, it is necessary to analyze and document the information technology structure in question.
In this context, the damage to each application and the processed information that could result from a breach of confidentiality, integrity or availability is considered.
Heavily networked IT systems typically characterize information technology in government and business these days.
Detailed documentation of its structure is a prerequisite for applying the IT Baseline Protection Catalogs to an IT network.
The result is a catalog in which the implementation status "dispensable", "yes", "partly", or "no" is entered for each relevant measure.
By identifying measures that are not yet, or only partially, implemented, improvement options for the security of the information technology in question are highlighted.
The baseline security check gives information about measures that are still missing (nominal vs. actual comparison).
Conversely, it is conceivable that an IT application with great protection needs does not automatically transfer this to the IT system.