IT compliance
In corporate management, IT compliance describes adherence to legal, internal and contractual regulations within a company's IT landscape. IT compliance should be seen in connection with IT governance, which extends the topic to include controlling, business processes and management. As a sub-area, IT compliance focuses on those compliance requirements that affect a company's IT systems. The main compliance requirements in IT are information security, availability, data retention and data protection. Businesses are subject to numerous legal obligations, and non-compliance can result in heavy fines and liability. EU directives, international conventions, internal company conventions and trade customs add further rules.
Legal framework
The following lists important national and international regulations relating to IT compliance.
European Union
- General Data Protection Regulation (EU GDPR)
- Capital Requirements Directive (CRD IV) and Capital Requirements Regulation (CRR), which implement the Basel III framework for the banking sector
- Directive 2014/65/EU on markets in financial instruments (MiFID II)
Germany
- Federal Data Protection Act (BDSG)
- Act on Control and Transparency in Business (KonTraG)
- Principles for the proper keeping and storage of books, records and documents in electronic form and for data access (GoBD), the basis of the digital tax audit
- Minimum Requirements for Risk Management (MaRisk (BA)), the requirements of the Federal Financial Supervisory Authority (BaFin) for the banking sector
- Telecommunications Act (TKG)
Austria
United States
The Sarbanes-Oxley Act (SOX) also applies to European companies if they are listed on a US stock exchange.
International
Other international regulations include, for example, HIPAA, the International Financial Reporting Standards (IFRS) and the Payment Card Industry Data Security Standard (PCI DSS).
Aims
The aim of IT compliance is comprehensive and permanent compliance with the requirements of the legislature and of the company itself. Among other things, this brings advantages in company valuation and a higher level of IT security.
Affected areas are for example:
- GDPdU-compliant archiving of bank data (the GDPdU have since been superseded by the GoBD)
- Email archive
- Document management system
- Process History Management
When employees leave the company, there must be clear rules for handling e-mail that continues to arrive in their mailbox. There is a fine line between archiving obligations and the protection of personal data.
Activities
The core task consists of documenting IT resources and adapting them accordingly, together with the analysis and evaluation of the associated problem or hazard potential (risk analysis). The resources include hardware, software, IT infrastructure (buildings, networks), services (e.g. web services) and the roles and rights of software users. It is important that implementing compliance is treated as a permanent process and not as a one-off measure.
Example: license management
- Have all commercially used software products actually been purchased, and are the installed copies covered by the licences held?
- Are the terms of open-source licences such as the GPL being observed?
- Are there old licences that can be used for updates?
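As an added illustration (not part of the original article), the following Python script shows how the first two questions can be checked mechanically against a software inventory. The inventory, its field names and the allow/review/deny policy are constructed assumptions for the example; in practice the inventory would come from an SBOM or an asset-management export, and the policy from the company's own licence rules. The licence check evaluates SPDX expressions such as `MIT OR GPL-2.0-only`, where the company may pick the most favourable option, and `Apache-2.0 AND GPL-3.0-only`, where every licence must be satisfied.

```python
"""Added example: licence-compliance audit over a constructed software inventory."""
import re
from typing import Dict, List, Optional

# Hypothetical company policy (an assumption, not from the page): SPDX identifiers
# that may be used freely, copyleft licences that need legal review before a
# component ships, and licences that are not permitted at all.
POLICY = {
    "allowed": {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "MPL-2.0"},
    "review": {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
               "LGPL-2.1-only", "LGPL-3.0-only"},
    "denied": {"AGPL-3.0-only", "AGPL-3.0-or-later"},
}
# Severity used to combine licence options; 'unknown' ranks above 'review'
# because an unidentified licence cannot be cleared at all.
SEVERITY = {"allowed": 0, "review": 1, "unknown": 2, "denied": 3}


def classify_id(spdx_id: str, policy: Dict = POLICY) -> str:
    """Look up a single SPDX identifier in the policy."""
    for verdict in ("allowed", "review", "denied"):
        if spdx_id in policy[verdict]:
            return verdict
    return "unknown"


def classify_license(expr: Optional[str], policy: Dict = POLICY) -> str:
    """Classify an SPDX licence expression such as 'MIT OR GPL-2.0-only'.

    SPDX gives AND higher precedence than OR, so the expression is split on OR
    first and each disjunct is treated as a conjunction. A conjunction must
    satisfy every licence, so it takes the worst verdict; the company may choose
    any disjunct, so the expression takes the best of those. Parenthesised
    expressions are rejected rather than silently misread (kept out to keep the
    example short).
    """
    if not expr or not expr.strip():
        return "unknown"
    if "(" in expr or ")" in expr:
        raise ValueError(f"parenthesised SPDX expressions are not supported: {expr!r}")
    best: Optional[str] = None
    for disjunct in re.split(r"\s+OR\s+", expr.strip()):
        conj = [classify_id(t.strip(), policy) for t in re.split(r"\s+AND\s+", disjunct)]
        worst = max(conj, key=SEVERITY.__getitem__)
        if best is None or SEVERITY[worst] < SEVERITY[best]:
            best = worst
    return best


def audit(inventory: List[Dict]) -> List[Dict]:
    """Return one finding per compliance problem found in the inventory."""
    findings: List[Dict] = []
    for item in inventory:
        name = f"{item['name']} {item['version']}"
        if item.get("commercial"):
            # Question 1: proof of purchase, and no more installations than seats.
            if not item.get("purchase_record"):
                findings.append({"component": name, "issue": "no purchase record"})
            seats, installed = item.get("seats_licensed", 0), item.get("installations", 0)
            if installed > seats:
                findings.append({"component": name,
                                 "issue": f"over-deployed: {installed} installations, {seats} seats"})
        else:
            # Question 2: open-source licence terms against the policy.
            verdict = classify_license(item.get("license"))
            if verdict != "allowed":
                findings.append({"component": name,
                                 "issue": f"licence {item.get('license')!r} is {verdict}"})
    return findings


# Constructed sample inventory (fictitious products except the two well-known
# open-source components, whose licences are given correctly).
INVENTORY = [
    {"name": "acme-office", "version": "2019", "commercial": True,
     "purchase_record": "PO-4711", "seats_licensed": 50, "installations": 62},
    {"name": "acme-cad", "version": "7.2", "commercial": True,
     "purchase_record": None, "seats_licensed": 5, "installations": 3},
    {"name": "requests", "version": "2.31.0", "commercial": False, "license": "Apache-2.0"},
    {"name": "readline", "version": "8.2", "commercial": False, "license": "GPL-3.0-or-later"},
    {"name": "dualcrypt", "version": "1.0", "commercial": False, "license": "MIT OR GPL-2.0-only"},
    {"name": "netfs-agent", "version": "4.0", "commercial": False, "license": "AGPL-3.0-only"},
    {"name": "legacy-parser", "version": "0.3", "commercial": False, "license": None},
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"{finding['component']:20} {finding['issue']}")
```

Run as a script, the audit reports the over-deployed office suite, the CAD tool without a purchase record, the GPL component needing review, the AGPL component as denied and the component with no recorded licence as unknown; the dual-licensed component passes because its MIT option is allowed. A real audit would feed the findings into the risk analysis described above and re-run on every inventory change rather than once.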
The Federal Office for Information Security (BSI) offers extensive guidance in its IT-Grundschutz catalogues (since replaced by the IT-Grundschutz Compendium).
Who Needs IT Compliance?
Stock corporations (AG) and limited liability companies (GmbH) are primarily affected, as their managing directors and board members can be held personally liable for compliance with the legal regulations. If these are not observed, civil and criminal penalties may follow. The Federal Data Protection Act provided for a prison sentence of up to two years or a fine for violations (Section 44 of the BDSG in the version in force before May 2018; the current BDSG carries its criminal provision in Section 42). Since Basel II at the latest, which prescribed extensive audits for financial institutions, there has been a need for action to implement IT compliance.
Web links
Information security
- Federal Office for Information Security (BSI)
- IT-Grundschutz of the BSI
- Further links to authorities and committees from the Center for Interactive Media e.V.
Related Links
- Balancing act compliance - IT security or a satisfied auditor?
- COMPAS - EU research project on implementing compliance in a service-oriented architecture (SOA)
- PDF document (free download): Potential benefits of regulatory requirements for business optimization - an IT infrastructure compliance maturity model for management, compliance and IT managers (German, English)
- IT and Compliance - The Secret of Choosing the Right Words