IT security act: corporate IT security
Each day we hear or read about the risks resulting from insufficient IT security. However, especially in the case of targeted cyber espionage attacks, several months may pass before the attack is discovered. In order to reduce the risk of falling victim to such an attack and to mitigate its consequences, the legislative authorities have now become active: they have prepared an IT security bill with a view to prescribing by law the IT security necessary for critical infrastructures. Critical infrastructures exist in the energy, information technology and telecommunications, transport and traffic, health care, water, food, finance and insurance industries. Compared to the proposal for a European Network and Information Security (NIS) Directive, the German legislative authorities thus define a broader scope of application. Information technology providers in particular are now expressly covered by the scope of application. As a consequence, they are affected by the new act in more than one respect: as service providers that offer services to companies from the relevant industries, they must – based on the contractual agreements with their customers – fulfil the industry-specific requirements, e.g., in the area of energy or finance. At the same time, they are themselves classified as operators of critical infrastructures (CI Operators) and, as such, must implement the industry-specific requirements for IT service providers.
Further details about the scope of application and the group of addressees will be stipulated in delegated legislation. The explanatory memorandum to the act states that the delegated legislation will classify certain types of services as critical and, in addition, determine threshold values. The act will oblige companies to introduce a minimum standard of IT security measures. What exactly this minimum standard will be is not yet clear; it is to be determined subsequently by an expert committee. Currently, there is much to suggest that the minimum standard will be based on the requirements of the ISO 27001 family. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) will have to be provided periodically with evidence that the minimum standard is being complied with. The bill further provides for an obligation to report cyber security incidents. Even a potential risk to a critical infrastructure will give rise to an obligation to notify the BSI, although without the obligation to state the name of the CI Operator. If, however, the critical infrastructure is actually affected, the CI Operator’s name will have to be stated.
Numerous regulatory IT compliance and IT security requirements already exist. These requirements can, however, be reduced to a set of basic IT security measures by introducing an information security management system (ISMS) which, if implemented consistently, will ensure a high level of compliance. But what should companies actually do in the meantime, until the bill is passed? In this respect, it may be worthwhile also for private-sector companies to use the so-called “Basic Cyber Security Measures” issued by the BSI as a guideline. The 11-page paper contains a checklist which, while it will probably seem trivial to most IT security experts, will hardly be understood by managers without the assistance of experts. This is why it is important to establish a multi-disciplinary team to achieve the required IT compliance and IT security. Managers who follow this advice can be sure they have done the right thing to protect their company.
Important cornerstones of IT security and IT compliance
- Protecting information to maintain confidentiality (in particular, access protection, see Sec. 9 German Federal Data Protection Act (BDSG))
- Ensuring technical and organisational availability (in particular, emergency planning and redundant systems that can take over in the event of a failure)
- Protecting the integrity of data (programme integrity through change management and measures to maintain the integrity of data, e.g., anti-virus protection)
- Ensuring stable and secure IT processes
- Ensuring physical security
- Storing and archiving data
- Staff management with regard to IT security (awareness)
- Efficient IT management throughout all phases (Plan-Do-Check-Act)
- Monitoring the outsourced activities (outsourcing)
- Technical data protection
Downloads and links relating to the subject of IT security
Product information / key data:
- Eckpunkte IT-Sicherheitsgesetz | (excerpt)
- Das neue IT-Sicherheitsgesetz | Management Circle
- Das geplante IT-Sicherheitsgesetz und seine Folgen | 04.03.2015, Computerwoche.de
- Certified ISO/IEC 27001 Lead Auditor | Dr. Michael Rath