What actually is IT compliance?

G DATA Guidebook

Even if the word sounds highly technical and complicated, put simply, acting “compliant” means nothing more than adhering to the applicable laws, customary industry standards, or voluntary commitments – in other words, acting “in accordance with the rules.” The term compliance is used across all economic sectors, which is why we talk about “IT compliance” in the IT world in order to clarify the context. Compliance is often neglected in daily business operations, and corresponding rules are usually only in place in larger companies. In the event of a data leak, for example, business owners may face severe penalties if the incident can be attributed to non-compliant practices.

Why is IT compliance important?

Companies that store and process customer data are subject to strict regulations on how this data is to be secured and in what context it may be used and passed on. As is the case in all areas of jurisprudence, ignorance is no excuse. The problem is that compliance with the law must be ensured throughout the entire company and embraced by all employees: after all, a chain is only as strong as its weakest link. In order to avoid legal trouble and warnings, companies should draw up IT compliance guidelines (policies) that are binding for all employees. Subsequently, it is important to monitor and enforce their compliance within the company. This is the only way to successfully protect IT and maintain an adequate level of data security.

The legal provisions are very extensive and vary according to country, industry, and type of company. Telecommunications providers, for example, must not only take appropriate measures to contain the spread of malware, but they also have an obligation to report attacks on their infrastructure. If they do not comply with the obligation to report these attacks due to a lack of early warning systems in place, in Germany, for example, they may be subject to a fine of €50,000 in accordance with Section 43 (1) of the German Federal Data Protection Act (Bundesdatenschutzgesetz).

All companies that collect, store, and process the personal data of their customers must adopt technical measures to prevent unauthorized access to their telecommunications and data processing systems. If customer data enters the wrong hands due to missing or insufficient IT compliance measures or is misused for unintended purposes without the consent of the persons affected, the German Federal Data Protection Act stipulates penalties of up to €300,000 for cases of negligence. In addition, the affected customers may be entitled to compensation.

Who needs to pay attention to IT compliance policies?

In principle, company management is required to monitor compliance with legal regulations within their company. Of course, it can also delegate this responsibility to someone who knows the industry regulations and what technical measures are necessary and appropriate. Therefore, if available, the IT department or administrator is often assigned these tasks and then develops the IT compliance policies in coordination with company management. A policy management scheme is then put into place to monitor compliance with these policies. It is often difficult for companies to determine which laws specifically apply to their industry and line of business. Professional IT security service providers – such as G DATA – can help align your own compliance requirements with the relevant laws and requirements.

These industries belong to the “critical infrastructures”
“Critical infrastructures” (CRITIS), in particular, must meet strict requirements. In Germany, the “Ordinance on the Identification of Critical Infrastructures” (BSI-KritisV) specifies which sectors this includes.

The most important laws, regulations, and standards in the IT sector

German Federal Data Protection Act (BDSG) 

In Germany, e.g., the handling of personal data is regulated in the BDSG to protect the privacy of citizens. It is considered one of the strictest data protection laws in the world and essentially prohibits the collection, processing, or use of personal data, for example. Of course, exceptions to this rule exist and can be granted – for example, with the consent of the user. But these exceptions are strictly regulated. In other words, a “principle of prohibition with the reservation of permission” applies.

The German IT Security Act (IT-Sicherheitsgesetz)

The German IT Security Act sets out the requirements to which operators of “critical infrastructures” (CRITIS) are subject in the area of IT security in Germany. This includes, for example, electricity and water network operators, telecommunications providers, and hospitals. These companies are subject to particularly strict legal requirements in terms of IT compliance. For example, they are required to report attacks on their systems to the BSI at an early stage and must operate an “Information Security Management System” (ISMS). The associated “Ordinance on the Identification of Critical Infrastructures” (BSI-KritisV) specifies which industries fall under the IT Security Act.

EU General Data Protection Regulation (EU GDPR)

The EU GDPR came into force in all EU countries on 25 May 2018. The aim of this Regulation is to harmonize the processing of personal data by private companies within the EU.

ISO 19600

This international standard defines how management systems designed to detect employee misconduct are to be operated. ISO 19600 certification provides evidence that a company has taken sufficient measures to assure compliance.

How do I monitor IT compliance?

Policy management solutions that regulate, among other things, which rights employees have on the network or on their PCs and mobile devices can be extremely helpful in enforcing compliance requirements. An IT administrator could use policy management to specify, for example, that no USB storage media may be used on laptops or that the database containing customer data may only be viewed by certain user groups and only on the company’s internal network. Personal devices that employees use at the company (“Bring Your Own Device” or “BYOD”) must also be considered when implementing IT compliance. Effective mobile device management represents one way of properly addressing this issue. In the event a smartphone with internal company data is lost, for example, all data on the affected device can be deleted remotely.

Another potential useful solution is ISO 19600 certification in conjunction with introducing a compliance management system. In the event of an incident, a company has proof that sufficient measures have been taken to avert damage.

What features should a policy management solution provide?

In order to effectively enforce your company’s policies, a policy management solution should enable device control, for example. This allows IT administrators to prevent employees from using USB sticks or other external drives on company computers. It prevents threats such as a network penetration caused by a malware USB sticks placed on the company premises by an attacker. It also prevents sensitive company data from being copied from endpoints that are deliberately isolated from the network.

Another important component of policy management is application control by means of blacklisting or whitelisting. This allows you to specify which applications employees are allowed to install or launch on company computers. This prevents information from being smuggled out of the network unnoticed via instant messengers, for example.

Policy management should also make it possible for individual websites to be blocked for employees to ensure endpoint security. Finally, a solid policy management solution should allow administrators to specify how long individual users or groups may use the Internet.

What challenges can arise when implementing IT compliance policies?

When enforcing IT compliance requirements, care must be taken not to violate the rights of employees. For example, employee devices may not be searched indiscriminately for company data if this carries the risk of disclosing personal information. In addition, employees themselves should contribute to IT compliance by being made aware of data protection.

Care should also be taken when selecting IT resources for ensuring IT compliance. It is advisable to choose a security solution that reliably prevents third parties, such as foreign intelligence services, from gaining access. The software products of G DATA are strictly researched and developed in Germany. That is why the security solutions comply with the stringent laws governing data protection in Germany and the EU and do not contain any backdoors for secret service agencies.

 

More on G DATA Endpoint Protection

Bosses can see what employees are doing on the computer
The rights of employees must be taken into account when implementing compliance requirements.