Compliance covers every activity involving adherence to laws and directives within a company and is used for responsible company guidance on the part of the management team. IT security can make a significant contribution to compliance. External regulations such as the Federal Data Protection Act, the Corporate Sector Supervision and Transparency Act (KonTraG) and directives such as Sarbanes-Oxley or Basel II require companies to take their own steps to make data secure and detect risks in good time, including with regard to their IT. Besides external regulations, internal regulations such as in-house guidelines and operating instructions can also be of relevance for adhering to compliance measures.
When adhering to laws and regulations, the company management team implements both technical and organisational measures. This is because technology is not always the cause of data loss or leakage; the human factor also plays a critical role.
Inexperience, a lack of understanding and inadequate awareness of responsibility among employees can lead to significant problems in this regard. IT security awareness measures educate and support both staff and managers, so that they recognise their responsibility and can meet this challenge. Training courses are also an ideal way of making employees aware of social engineering. This involves attackers using social contact to try to get hold of confidential information, ask for passwords or gain access to premises and networks.
In order to establish basic IT security protection that conforms with the law and the regulations, businesses can align themselves with basic IT security principles, a catalogue of measures that aggregates the IT measures required for basic security in the company. In addition, the German Federal Office for Information Security (BSI) consolidated these measures in ISO 27001, which is based on the basic IT security catalogues.
Technical measures for adhering to compliance
The number of interfaces in the company through which information could potentially leak is huge, and comprehensive monitoring of all of them is resource-intensive. Data loss prevention systems take another approach: instead of monitoring interfaces, the system puts the data itself in a position where it can monitor itself and report prohibited activities.
Even in small organisations, a complex network user hierarchy involving customers, partners and suppliers, for example, can quickly create confusion. Identity and access management provides an overview of all access permissions in companies and authorities and helps to control them. The transparency achieved offers protection against data misuse, enables fast response to changes and helps with adherence to compliance requirements.
Protecting personal data is one of the standard subjects in compliance. This includes not only employee data, but also, for example, customers' account or credit card data, so it is increasingly regarded as business-critical. secunet advises clients on how to handle data and ensures that company processes conform with modern data protection.