Holger Schildt, head of the section “BSI Standards and IT Baseline Protection” has already climbed several rungs of the career ladder at the German Federal Office for Information Security (BSI). As a student, the IT graduate applied for an internship at the BSI and he liked it so much there that he ended up staying. That was 15 years ago. Today he heads the IT Baseline Protection Section, where his responsibilities include the BSI standards and IT baseline protection modules. From his own experience he highly recommends the BSI as an employer, as he is convinced it offers ideal career opportunities. In this interview, he explains how the security of mobile devices such as smartphones or laptops can be improved with the IT baseline protection system.
Mr Schildt, what is special or characteristic about the BSI’s IT baseline protection system?
The IT baseline protection system (IT Grundschutz in German) is an integrated approach to establishing and optimising information security. It is not about taking just a few technical measures like virus protection but also covers the necessary organisational, personnel and infrastructure-related measures to ensure IT security across the board. Individual special solutions cannot do this. Or to be more precise, it’s actually not just about IT security but about information security, which has a much greater scope. The best information is not much use, for example, if it is left behind on a printer in the hallway. Due to the high level of complexity involved, an information security management system (ISMS) is recommended to implement information security. The IT baseline protection compendium now comprises 94 modules, with new modules being added all the time. From printers to telephones, everything is covered and protected.
What is the best way to become familiar with the IT baseline protection system?
There are introductory guides that show how best to get started with the IT baseline protection system. We modernised it comprehensively in 2017, so now it is even easier to use. Among other things, we offer three approaches – basic, core and standard protection – to enable users to address individual needs and security requirements with the IT baseline protection system. The modules have been shortened and given an improved layout, while the content has been streamlined overall and is easier to update.
What we want to do is to show how an institution can protect itself without necessarily getting a consultant on board. However, if a suitable IT baseline protection consultant is necessary, the BSI has developed a qualification procedure. If you implement IT baseline protection in its entirety, certification to ISO-27001 based on the IT baseline protection system is no longer an obstacle. You could get an external auditor to come to your company to prepare a report for submission to the BSI.
What are currently the greatest risks for mobile devices?
A classic example is the loss of a device at airports, on a train or other places. Many people also forget that using your phone in public can reveal unprotected information. And there is always a potential risk if IT devices are used outside a protected environment. Another typical problem is out-of-date software, especially in smartphones.
Can you describe the most important protective measures for mobile devices?
An integrated approach is necessary for this issue as well. There is not much point in protecting an individual device if the servers I use to access it are not protected. When choosing devices it is imperative to ensure that updates will be available over the entire service life of the device. Otherwise the usual measures are involved, like installing patches and making backups etc. In addition, any protective measures should be integrated into an existing ISMS and not considered as stand-alone solutions. The protection of mobile devices needs to be a good fit for the company’s security concept.
How do you achieve an integrated approach for protecting mobile IT devices?
Firstly, it depends on the size of the company. The IT baseline protection system contains specific measures and requirements. Larger institutions can use a mobile device management system (MDMS), for example. This allows smartphones or tablets to be centrally monitored and configured. Smaller companies will tend to manage their devices manually, e.g. installing patches and updates or backing up data. An MDM takes up personnel and financial resources, so it has to suit the target group. In our IT baseline protection system we provide appropriate recommendations including help with choosing an MDM. If you are already using an MDM, refer to Module SYS.3.2.2 Mobile Device Management (MDM) to find out how to secure it.
Are there specific distinctions for mobile devices?
We have special modules for iOS and Android, for example. We always distinguish between basic requirements, i.e. the most important steps that need to be implemented as a priority, and the standard requirements that then build on them. In the case of tablets, the basic requirements include installing a screen lock and regularly updating software, for example. This must be done to start with. The standard requirements, on the other hand, include encrypting the device memory or biometric procedures. However, in the case of biometric processes you first need to check if they really are secure. Some devices can be unlocked by simply holding a photo of the owner in front of the camera. In addition, voice assistants should only be activated when they are needed.
Does the IT baseline protection system also take account of the data privacy issues often associated with mobile devices?
Other agencies are responsible for data privacy in Germany, so unfortunately we cannot address this issue in the necessary depth. But of course companies using mobile devices have to deal with data privacy issues.
In the case of mobile devices do you distinguish between variants and types like laptops and smartphones?
We have separate IT baseline protection modules e.g. for laptops and smartphones, because their priorities differ. In the case of laptops, virus protection and data security are a major issue, especially for laptops not permanently connected to the network. It is different for smartphones which are not used to write long texts. Laptops work on file servers and that is another area where they differ from smartphones. You probably always have your smartphone on you, while you only take a laptop with you when you need it; otherwise it may be lying around unprotected in a hotel room. All of these factors result in different security requirements.
It is very important when using mobile devices to not just focus security measures on the technology, but to also think about organisational aspects like theft protection or user training. We offer an online course on our website where you can learn how IT baseline protection works and how to choose the appropriate modules. All of our information is available free of charge.