IT compliance

from Wikipedia, the free encyclopedia

In corporate management, IT compliance describes adherence to legal, internal and contractual regulations in the area of the IT landscape. IT compliance should be seen in connection with IT governance, which extends the topic to include controlling, business processes and management. The focus of IT compliance as a sub-area is on those aspects of compliance requirements that affect a company's IT systems. The compliance requirements in IT mainly include information security, availability, data retention and data protection. Businesses are subject to numerous legal obligations, non-compliance with which can result in heavy fines and liability. EU directives, international conventions, internal company conventions and trade customs add further rules.

Legal framework

In the following, important national and international regulations relating to IT compliance are listed.

European Union

Germany

Austria

United States

The Sarbanes-Oxley Act (SOX) also applies in particular to European companies if they are listed on a US stock exchange.

International

Other international regulations are, for example, HIPAA, the International Financial Reporting Standards (IFRS) and the Payment Card Industry Data Security Standard (PCI-DSS).

Aims

The aim of IT compliance is comprehensive and permanent compliance with the requirements of the legislature and the company. This results, among other things, in advantages in company valuation and higher IT security.

Affected areas include, for example:

  • When people leave the company, there must be clear rules for dealing with their incoming e-mails. There is a fine line between archiving and the protection of personal rights.

Activities

The core task consists of documenting IT resources and adapting them accordingly, together with analysing and evaluating the associated problem or hazard potential (also: risk analysis). The resources include hardware, software, IT infrastructure (buildings, networks), services (e.g. web services) and the roles and rights of software users. It is important here that the implementation of compliance is viewed as a permanent process and not as a short-term measure.

Example: license management

  • Have all commercially used software products been properly purchased?
  • For open-source software, are the respective licenses (e.g. the GPL) complied with?
  • Are there old licenses that can be used for updates?

The German Federal Office for Information Security (BSI) offers extensive guidance in its IT-Grundschutz catalogues.

Who Needs IT Compliance?

Stock corporations (AG) and limited liability companies (GmbH) are primarily affected, as their managing directors and board members can be held personally liable for compliance with the legal regulations. If these are not observed, civil and criminal penalties may be imposed. The Federal Data Protection Act provides for a prison sentence of up to two years or a fine for violations (Section 44 BDSG). At the latest since Basel II prescribed extensive audits for financial institutions, there has been a need for action to implement IT compliance.
