Every company that attaches importance to a modern IT infrastructure needs an IT security concept. This has not only been the case since the EU General Data Protection Regulation came into force in 2016. In a company's own interest, well-thought-out concepts for IT security and data protection are an absolute must.
The term IT security describes techniques that secure information processing systems with respect to the protection goals of availability, confidentiality and integrity. The primary aim is to protect against attack scenarios, to avoid economic damage and to minimize risks. Encryption of transmission paths and data storage, firewalls, protection against viruses and Trojans, ensuring availability (that is, protection against system failures) - all these things are considered part of IT security.
Hacker attacks on IT systems threaten from both the outside and the inside. The primary aim is to gain access to data unlawfully in order to obtain economic advantages. Whereas in earlier times viruses merely destroyed hard drive contents, identity theft is now at the top of the list of cybercrime. This particularly affects private individuals whose e-mail accounts or online shop accounts have been hijacked. Industrial espionage also belongs in this area. Here it is important to prevent intruders from entering company networks by means of suitable firewall technologies.
Often underestimated is the threat from within through weaknesses in the system. Time and again, software errors are exploited by hackers to gain access to IT systems. Manufacturers of application software and operating systems are constantly striving to provide updates that close these security gaps. But even the personnel of your own company can pose a threat to information security. Former employees who still have access to business-critical data can cause damage, as can the misuse of Internet access within the company, where the distribution of copyrighted material by means of file sharing can result in warning letters (Störerhaftung, the German concept of secondary liability).
Hackers can also easily gain access to data and IT infrastructures using social engineering methods. Here, every single employee of a company represents a risk through unconscious actions. A phone call from someone claiming to be an employee of the IT department asking for passwords is often enough. It is therefore important to sensitize every single user of the company network to scenarios of this kind.
To avoid attacks of this kind, it is important to sensitize your own employees accordingly. Above all, however, the software solution used must be designed to ensure the maximum possible level of IT security.
Dangers do not only threaten from the outside in the form of hacker attacks and data theft, but also from the inside. Every single employee in the company - whether through unintentional operating errors or deliberate manipulation - as well as every hardware component represents a potential source of danger. Natural disasters and technical failures also belong to this list.
At the latest when a customer or contractual partner asks for a documented IT security concept, it is time to think about such a concept. Contracts often contain clauses in which the contractor is obliged to submit an IT security concept. After all, the customer wants its data to be in trustworthy hands.
IT security concepts are central components of IT security management and of Information Security Management Systems (ISMS). They describe defined security goals with the help of which risks are identified and evaluated. On this basis, countermeasures to protect your company and customer data can be defined in the IT security concept. An IT security concept is initiated by the company management or by the company's data protection officer. The data protection officer is responsible for implementing the concept. The measures of a consistently applied security concept minimize internal weak points and counteract threats to the IT infrastructure and its interfaces.
In order to prevent possible data mishaps, system failures, as well as virus and hacker attacks, measures to optimize IT security are constantly needed. IT security is defined by escalation rules, emergency management as well as organizational and technical measures. The latter include access control mechanisms, encryption technologies, firewall systems and, last but not least, the sensitization of employees through regular training courses.
The goal of the IT security concept is to achieve a defined level of security. The aspects mentioned should be summarized in a company-wide IT security manual or in the form of an IT security policy.
For Information Security Management Systems (ISMS) and for IT security concepts, there is the international standard ISO/IEC 27001. This standard provides a good basis for creating your own concepts and serves as a basis for evaluation by auditors. Companies that are ISO/IEC 27001-certified, like DRACOON, can prove their compliance with this standard and thus also meet legal and regulatory requirements.
Essentially, an IT security concept is structured in four sections:
Try to honestly answer the following questions:
You should ask yourself these questions repeatedly, as attack scenarios and risks can change at any time. An inventory of all security measures can only ever be a snapshot: even if the entire system was recently brought to a secure state by eliminating known vulnerabilities and security holes, newly discovered security holes can make it vulnerable again at any time.
In addition to the IT security concept, an emergency concept is needed. This is put into action as soon as business processes are interrupted by security incidents that could endanger the company's goals or even the company's continued existence. An emergency concept contains plans and measures that enable the quickest possible restart and the resumption of critical business processes after a security incident has occurred.
With an IT security concept, you create additional trust with your customers and suppliers, as you can document the security of your data. According to §109 of the Telekommunikationsgesetz (German telecommunications law), as a business operator you are even obliged to take precautions and measures against violations of the protection of personal data.
DRACOON: real IT security for your data
DRACOON has defined an IT security concept for itself as a company and has also been ISO 27001 certified. Various security aspects were also taken into account in the development of the product. In this way, DRACOON supports companies in implementing their IT security concept with regard to data handling.
With the software, you can securely store, manage and send all your company data. DRACOON offers you numerous advantages to ensure secure and EU-GDPR-compliant data storage. The client-side encryption prevents data from leaking.
© 2023 DRACOON GmbH