How does protection need propagate ("inherit") through the layers of an IT landscape?
Top-down inheritance: business processes → data → applications → IT systems → rooms and communication links.
* Top-down Vererbung of Schutzbedarf — business processes → data → applications → systems → rooms and links (Maximumprinzip). *
The protection need originates in the business processes (how critical is this process for the organization?) and is passed down:
Geschäftsprozesse (business processes)
↓
Daten (data)
↓
IT-Anwendungen (applications)
↓
IT-Systeme (systems)
↓ ↘
IT-Räume Kommunikationsverbindungen
(rooms) (communication links)
Each lower layer inherits from everything that depends on it above — combined via the maximum principle (and corrected by cumulation/distribution effects where applicable).
This is why a protection needs assessment never starts with "how important is this server?" — the server has no intrinsic importance; it borrows all of it from the applications and data it carries.
Tip: Like load-bearing walls: the foundation (room/system) must carry the maximum load of whatever is stacked on top of it.