Information security

from Wikipedia, the free encyclopedia

As information security refers to properties of information processing and -lagernden (technical or non-technical) systems, the protection targets confidentiality , availability and integrity sure. Information security serves to protect against dangers or threats , to avoid economic damage and to minimize risks .

In practice, information security in the context of IT security management is based, among other things, on the international ISO / IEC 27000 series . In German-speaking countries, an IT-Grundschutz approach is widespread. The ISO / IEC 15408 ( Common Criteria ) standard is often used in the evaluation and certification of IT products and systems .

Another important series of standards in information security is IEC 62443 , which deals with the cybersecurity of "Industrial Automation and Control Systems" (IACS), pursuing a holistic approach for operators, integrators and manufacturers and, in the future, an ever stronger one in Industry 4.0 gaining importance.

Descriptions of terms

Many of the following terms are interpreted differently depending on the author and the linguistic environment.

For the abbreviation IT, the term information technology is used synonymously with information technology . The technical processing and transmission of information is in the foreground in IT.

In English, the German term IT security has two different expressions. The property of functional safety (English: safety ) ensures a system that conforms to the expected functionality behaves. It works the way it should. Information Security (English: Security ) refers to the protection of technological processing of information and is a property of a functionally reliable system. It is intended to prevent unauthorized data manipulation or disclosure of information from taking place.

The term information security often refers to global information security in which the number of possible harmful scenarios is reduced in summary or the effort to compromise for the operator is in an unfavorable relationship to the expected information gain. From this point of view, information security is an economic variable that must be expected in companies and organizations, for example. The term also relates to security under a specific scenario . In this sense, information security is present when an attack on the system is no longer possible via an already known route. One speaks of a binary quantity because the information can be either certain or not certain when using this particular method.

The following aspects are included in the comprehensive term information security (protection of the processed information):

IT security

IT security plays a key role in the security of socio-technical systems . IT or ICT systems are part of the socio-technical systems. The tasks of IT security include the protection of the ICT systems of organizations (e.g. companies) against threats. Among other things, this is intended to prevent economic damage.

IT security is part of information security . In contrast to IT security , information security includes not only the security of the IT systems and the data stored therein, but also the security of information that is not electronically processed; An example: The "principles of information security" can also be applied to recipes of a restaurant that are hand-written on paper (since the confidentiality, integrity and availability of the recipes can be extremely important for the restaurant, even if this restaurant is completely without the use of any IT system is operated).

Computer security

Computer security : the security of a computer system before failure (this is called unplanned or planned downtime, Eng. Downtime ) and manipulation (data security), as well as against unauthorized access.

Data security

Data security is a term that is often associated with data protection and must be differentiated from it: data security has the technical goal of protecting data of all kinds against loss, manipulation and other threats. Adequate data security is a prerequisite for effective data protection. The BDSG only mentions the term data security in Section 9a in connection with the “ data protection audit ”, which is also not defined in more detail .

There is an approach called data -centric security, in which the security of the data itself is in the foreground and not the security of networks , servers or applications.

data backup

Data backup is (dt. Synonymous with the English-language "Backup" backup ), it was the original legal term for data security.


Data protection is not about protecting general data from damage, but about protecting personal data from misuse (“data protection is personal protection”). The protection of personal data is based on the principle of informational self-determination . This was laid down in the BVerfG judgment on the census . The privacy must be protected, i. H. Personality data and anonymity must be preserved. In addition to data security, data protection requires the exclusion of access to data with unauthorized reading by unauthorized third parties. The German Federal Data Protection Act ( BDSG ) describes in § 1 only requirements for the handling of personal data. The GDPR and the BDSG do not define the difference between the terms data protection and data security. Only if suitable protective measures are taken can it be assumed that confidential or personal data will not get into the hands of unauthorized persons. Here, one usually speaks of technical and organizational measures for data protection, which are described in particular in Art. 32 GDPR, the BDSG and in the state data protection laws .

Information security motivation and goals

Information (or data) are goods worth protecting. Access to these should be limited and controlled. Only authorized users or programs are allowed to access the information. Protection goals are defined to achieve or maintain information security and thus to protect the data from intended attacks by IT systems:

  • General protection goals:
    • Confidentiality (English: confidentiality ): Data may be read or modified only by authorized users, this applies to both the access to stored data, as well as during data transfer .
    • Integrity (English: integrity ): Data may not be changed unnoticed. All changes must be traceable.
    • Availability (English: availability ): prevention of system failures; Access to data must be guaranteed within an agreed time frame.
  • Further protection goals of information security:
    • Authenticity (English: authenticity ) designates the properties of fastness, testability and reliability of an object.
    • Liability / non-repudiation (English: non repudiation ): It requires that "no illegal denial performed acts" is possible. Among other things, it is important when concluding contracts electronically. It can be reached, for example, through electronic signatures .
    • Accountability (English: accountability ): "A study carried out action can be clearly assigned to a communications partner."
    • in a certain context (for example on the Internet) also anonymity
  • Special protection goal in the course of the GDPR :
    • Resilience (English: resilience ): resistance / resilience to Ausspähungen, erroneous or deliberate interference or deliberate damage (sabotage)

Every IT system, no matter how well planned and implemented, can have weak points . If certain attacks are possible to circumvent the existing security precautions, the system is vulnerable . Uses an attacker a weakness or vulnerability to intrusion into an IT system, confidentiality, data integrity and availability are threatened (English: threat ). For companies, attacks on the protection goals mean attacks on real company values, usually the tapping or changing of internal company information. Any threat is a risk (English: risk ) for the company. Enterprises are trying through the use of risk management (English: risk management ) the probability of occurrence of damage and the resulting amount of damages to be determined.

After a risk analysis and evaluation of the company-specific IT systems, appropriate protection goals can be defined. This is followed by the selection of IT security measures for the respective business processes of a company. This process is one of the activities of IT security management. A standardized procedure is made possible through the use of IT standards.

As part of IT security management, the appropriate IT security standards are selected and implemented . For this purpose, there are various standards in the area of ​​IT security management. With the help of the ISO / IEC 27001 or the IT-Grundschutz standard, an attempt is made to use recognized rules to reduce the complexity of socio-technical systems for the area of ​​IT security management and to find a suitable level of information security.

Importance of information security

In the early childhood of the ( personal ) computer , computer security was understood to mean ensuring the correct functionality of hardware (failure of, for example, tape drives or other mechanical components) and software (correct installation and maintenance of programs). Over time, the demands on computers ( Internet , storage media ) changed; computer security tasks had to be designed differently. Thus the concept of computer security remains changeable.

Private and public companies today are dependent on IT systems in all areas of their business activity, and private individuals in most matters of daily life. Since, in addition to the dependency, the risks for IT systems in companies are usually greater than for computers and networks in private households, information security is predominantly the responsibility of companies.

Corresponding obligations can be derived from the various laws on company law, liability law, data protection, banking law, etc. in the entire German-speaking region. Information security is a component of risk management there . Internationally, regulations such as Basel II and the Sarbanes-Oxley Act play an important role.


burnt laptop

Different scenarios of an attack can be imagined in IT security. A manipulation of the data of a website via a so-called SQL injection is an example. Some attacks, targets and causes are described below:

Attacks and Protection

An attack on data protection or data security (represented by, for example, a computer system) is understood to mean any process whose result or goal is a loss of data protection or data security. Technical failure is also considered an attack in this sense.

Statistical security : A system is considered to be secure if the attacker has more effort to break into the system than the resulting benefit. It is therefore important to set the barriers to a successful break-in as high as possible and thus reduce the risk .

Absolute security : A system is absolutely secure if it can withstand every conceivable attack. Absolute security can only be achieved under special conditions that often considerably restrict the system's ability to work (isolated systems, few and highly qualified access authorized persons).

The lack of computer security is a complex threat that can only be answered by sophisticated defenses. The purchase and installation of software is not a substitute for a careful analysis of the risks, possible losses, defense and security regulations.

Once the security of a system has been breached, it must be viewed as compromised , which requires measures to prevent further damage and, if necessary, to recover data.

Effects or goals

  • Technical system failure
  • System abuse, through illegitimate use of resources, changes to published content, etc.
  • sabotage
  • espionage
  • Fraud and theft

Causes or means

The Federal Office for Information Security (BSI) classifies the different attack methods and means into:

  • Malicious software or malware , which includes computer viruses , Trojans and worms ,
  • Ransomware , a special form of malware that restricts access to data and systems and only releases its resources against payment of a ransom,
  • Social engineering ,
  • Advanced Persistent Threats (APT), in which the attacker carefully selects his target.
  • Unwanted emails ( spam ), which in turn are divided into classic spam, malware spam and phishing ,
  • Botnets ,
  • Distributed Denial of Service (DDoS) attacks,
  • Drive-by exploits and exploit kits that exploit vulnerabilities in browsers, browser plugins or operating systems,
  • Identity theft, such as spoofing , phishing , pharming or vishing ,
  • Side-channel attacks - i.e. attacks that observe side effects (runtime behavior, energy consumption) and thus draw conclusions about the data; this is especially used for key material.

In addition, the above effects can also be achieved

Viruses, worms, Trojan horses

While the whole range of computer security issues is considered in the corporate environment, many private users associate the term primarily with protection against viruses and worms or spyware such as Trojan horses.

The first computer viruses were still quite harmless and only served to point out various weak points in computer systems. But it was soon realized that viruses are capable of much more. A rapid further development of the malware began and the expansion of its capabilities - from simply deleting files to spying on data (for example passwords) to opening the computer for remote users ( backdoor ).

There are now various construction kits on the Internet that not only provide instructions but also all of the necessary components for simple programming of viruses. Last but not least, criminal organizations smuggle viruses into PCs in order to use them for their own purposes ( UBE / UCE , DoS attacks, etc.). This has already resulted in huge botnets that are also illegally rented out.


The measures must be adapted to the value of the company values ​​to be protected as part of the creation of a security concept . Too many measures mean excessive financial, organizational or personnel expenses. Acceptance problems arise when employees are not sufficiently involved in the IT security process. If too few measures are implemented, useful security gaps remain open for attackers.


Information security is basically a task for the management of an organization or a company and should be organized according to a top-down approach. In particular, the adoption of information protection and security guidelines is the task of top management. Another management task can be the introduction and operation of an information security management system (ISMS) . This is responsible for the operational implementation and control of the security policy. These measures are intended to create suitable organizational and management structures for protecting corporate values. Further information can be found in the article IT security management .

Operational measures

Measures include physical or spatial security of data, access controls , the setting up of fault-tolerant systems and measures for data security and encryption . The security of the processing systems is an important prerequisite. However, in addition to technical measures, an effective security concept also takes organizational and personnel measures into account.

The security measures that can be taken for information security by anyone responsible for information security in companies , but above all by private users of computers and networks, include the following points.

Access control

Authorized access to computer systems and application software must be guaranteed through reliable and secure access control . This can be implemented with individual user names and sufficiently complex passwords and in particular with further factors (see also two-factor authentication ), such as transaction numbers or security tokens .

Use restricted user accounts

The system administrator is allowed to make profound changes to a computer. This requires an appropriate knowledge of the dangers, and it is anything but advisable for normal users to surf the Internet , download files or e-mails with administrator rights . Modern operating systems therefore have the option of restricting user rights so that, for example, system files cannot be changed.

Restrictive configuration

The use restricted user accounts for daily work prevents the compromise of the operating system itself, the system configuration and the (protected) application installed and system programs, but will not protect against compromise of user data and user configuration: under restricted user accounts are any programs (to Shell scripts or batch files are also executable, although very few users even use this option.

Since users typically (only) use the programs supplied with the operating system and those installed by their administrator, it is possible to grant users the rights to execute files only where the operating system and the installed programs are stored (and cannot be written to) ), and to be withdrawn wherever you can write yourself. Malicious programs that are downloaded from an infected website, for example, and stored in the browser's cache as a so-called " drive-by download " unnoticed by the user , are thus rendered harmless.

Current versions of Microsoft Windows allow the implementation of this restriction with the so-called "software restriction guidelines" alias "SAFER".

The DEP current operating systems applies the same restriction in virtual memory on.

Keep software up to date

Updates are (regularly) offered for many programs . These not only offer changed or improved functionality, but often also fix security gaps and program errors . Programs that communicate with the Internet via networks , such as operating systems , browsers , protection programs or e-mail programs, are particularly affected .

Security- relevant software updates should be installed as quickly as possible from verifiable and reliable sources on the relevant computer systems. Many Internet of Things devices and programs offer an automatic function that updates the software in the background without user intervention by downloading the updated software directly from the Internet.

Uninstall outdated, unsafe, and unused software

Software whose manufacturer has discontinued maintenance, so-called End of Life (EOL), which is unsafe or which is no longer used, must be uninstalled to ensure protection.

Make backup copies

At least one backup copy of each important file must be made on a separate storage medium . There is, for example, backup software that performs these tasks regularly and automatically. As part of recurring maintenance work, backup copies made must be checked for integrity, confidentiality and availability.

In the corporate sector, backup solutions with local distance, such as a second data center with redundant mirroring, and cloud solutions are possible. These solutions are often costly. Improving data security through backup copies is less costly in the private sector. Depending on the amount of data, smaller removable media such as DVD or Blu-ray as well as external (USB) hard drives or NAS systems can be used for backup.

Basically, the relevance of the data for business or private purposes should determine the type and frequency of the backup as well as the number of backup copies.

Use anti-virus software

When data is downloaded from the Internet or from mail servers , or copied from data storage media , there is always the possibility that malicious files may also be found among them. To avoid compromise, only files or attachments that you trust or that are recognized as harmless by an antivirus program should be opened; however, neither trust nor antivirus programs can protect against all malicious files: a trustworthy source can itself be infected, and antivirus programs cannot detect new or unknown malware. With this software, too, it is important to ensure that it is updated regularly (possibly even several times a day). Antivirus programs often have harmful side effects themselves: they (regularly) recognize harmless system files by mistake as "infected" and remove them, whereupon the operating system no longer works (correctly) or does not start at all. Like all computer programs, they themselves also have errors and security gaps, so that the computer system can be more insecure than before, or not become more secure, after installation. In addition, they lull the typical user into deceptive security with their advertising statements such as “offers comprehensive protection against all threats” and can lead them to behave more riskily. Malicious programs are usually aimed at special and often widespread operating systems or frequently used browsers .


Another measure to reduce the risks is the diversification of software, i.e. using software from different, not even market-leading providers. The attacks by crackers often target products from large suppliers, because they make the most profit in criminal attacks and otherwise achieve the greatest “fame”. In this respect, it can be advisable to use products from smaller and lesser-known companies or, for example, open source software.

Use firewalls

For attacks that threaten without the active intervention of the user, it is essential to install a network firewall or personal firewall . A lot of unwanted access to the computer and unintentional access from one's own computer, which are usually not even noticed by the user, can be prevented in this way. The configuration of a firewall is not trivial and requires a certain knowledge of the processes and dangers.


"Sandboxes" lock a potentially harmful program. In the worst case scenario, the program can only destroy the sandbox. For example, there is no reason why a PDF reader needs to access OpenOffice documents. The sandbox in this case would be “all PDF documents and nothing else”. Techniques like AppArmor and SELinux enable the construction of a sandpit.

Deactivate active content

When active content is functionality that will simplify the operation of a computer. The automatic opening or execution of downloaded files, however, harbors the risk that they execute malicious code and infect the computer . To avoid this, active content, such as ActiveX , Java or JavaScript , should be deactivated as far as possible.

Encrypt sensitive data

Data that should not get into the hands of third parties can be protected by suitable measures, for example with the GPG software or hard disk encryption (see also cryptography ). This applies not only to data that is in transit between two computers, but also to data that is stationary on mass storage devices . A typical example is the transmission of credit card numbers during online shopping, which are often protected via HTTPS . The content can only be accessed if one party has the correct key . Unencrypted, wireless networks such as open WLANs are particularly at risk . If no further protective measures have been taken, such as B. the use of a VPN , unauthorized persons have potentially unnoticed access to the transmitted data.

Data security is also an extremely sensitive issue for authorities and companies, especially with regard to data transport. Business processes repeatedly require the mobile availability of research, financial, customer or account data. When it comes to data storage and data transport, authorities and companies must be able to rely on the highest levels of security. If sensitive data gets into unauthorized hands, this usually results in irreparable damage, especially if the data is distributed or misused. In order to prevent this and to guarantee the highest level of data security for mobile data transport, criteria such as data integrity (see authentication ) and the key lifecycle must be observed in addition to the data encryption criterion .

The desired level of data security determines the recommended encryption methods and encryption strengths. For applications with symmetrical encryption, the BSI (Germany) recommends the AES encryption method with a key length of 128 bits or more. CCM , GCM , CBC and CTR are recommended as operating modes .

Passwords , personal identification numbers (PIN) and transaction numbers ( TAN) should not be saved or transmitted unencrypted.


Automatically generated protocols or log files can help to determine at a later point in time how damage to a computer system occurred.

Use secure development systems and runtime environments

For the generation and maintenance of secure software, it is very useful to program in a structured manner during software development and to use easily manageable and learnable tools that allow the narrowest possible visibility rules and encapsulated program modules with clearly defined interfaces . Restricted freedoms in programming, such as the restriction to simple inheritance or the prohibition of circular references or critical type conversions , usually also limit the potential for program errors . It is also sensible and helpful to reuse software that has already been tested by means of suitable measures, such as the use of procedures or object-oriented data structures .

Developers of software that is used for the secure exchange of data between computers have to use modern development systems and programming languages , since older systems often have security gaps and do not have the appropriate security functionality. Secure software can only run in appropriate, modern and secure runtime environments and should be created with development tools (such as compilers ) that offer the highest possible degree of inherent security, such as module security , type security or the avoidance of buffer overflows .

Even with devices that are not operated in a computer network or in the Internet of Things , information security can be increased through suitable development systems and runtime environments. Loss of data due to unreliable program code ( computer crash ) can be prevented, for example, by compiler- generated checking of indices of data fields , illegal pointers or, after the occurrence of program errors, by exception handling in the runtime environment. Furthermore, it is essential in object-oriented runtime environments and also safer in other systems to perform an automatic garbage collection so that storage space is not accidentally released.

Some developers rely on the verification of program code to improve the correctness of software . Furthermore, it is possible to check already implemented software by certain procedures, such as the use of proof-carrying code , only during the runtime and to prevent its execution if security guidelines are not observed .

Raising awareness and empowering employees

An important aspect in the implementation of security guidelines is addressing your own employees and creating so-called IT security awareness . Here, the first labor judges demand proof that employees have been sensitized in the event of a possible violation of company guidelines. This human side of information security also gains additional importance, since industrial espionage or targeted, economically motivated sabotage against companies is not carried out solely with technical means. In order to harm their victims or to steal information, the attackers use social engineering , for example , which can only be fended off if the employees are informed about possible tricks of the attacker and have learned how to deal with potential attacks. Employee awareness typically varies from company to company, from face-to - face events to web-based seminars to awareness campaigns.

The focus shifts now here from the pure awareness ( "awareness") towards the qualification ( " empowerment ") the user to take responsibility for greater safety in the handling of IT-based information to provide. In companies, the "information security empowerment" of executives is of particular importance, as they have a role model function for their department employees and are responsible for ensuring that the security guidelines of their area of ​​responsibility match the work processes there - an important prerequisite for acceptance.

Overview of standards, best practices and training

International standards exist for assessing and certifying the security of computer systems . Important standards in this context were the American TCSEC and the European ITSEC standards. Both were replaced by the newer Common Criteria standard in 1996 . The evaluation and certification of IT products and systems in Germany is usually carried out by the Federal Office for Information Security (BSI).

The task of IT security management is to systematically secure an information-processing IT network. Dangers to information security or threats to data protection of a company or organization should be prevented or averted. The selection and implementation of IT security standards is one of the tasks of IT security management. IT security management standards are, for example:

  • IT basic protection of the BSI
    • The IT-Grundschutz Catalogs define specific measures for the various aspects of an IT landscape that must be met to maintain security in the case of low and medium protection requirements ( washing slips ). For systems with high protection requirements, the basic protection catalogs provide a structured procedure to identify the necessary measures. The basic protection catalogs are primarily known in Germany, but are also available in English.
  • ISO / IEC 27001 : Standard for Information Security Management Systems (ISMS)
  • ISO / IEC 27002 : Guide to Information Security Management (formerly ISO / IEC17799: 2005)

The ISO / IEC 27001 standard is the most common worldwide.

Further standards can be found in the

In addition to the standards for information security, there are also standards for the training of security specialists. The most important are the certifications for Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA) of the ISACA , the certification for Certified Information Systems Security Professional (CISSP) of the International Information Systems Security Certification Consortium (ISC) ², the Certification as TeleTrusT Information Security Professional (TISP) from TeleTrusT - Bundesverband IT-Sicherheit e. V. as well as the GIAC certifications of the SANS Institute. The list of IT certificates provides an expanded overview .

Audits and Certifications

In order to guarantee a certain standard level of information security, the regular review of measures for risk minimization and decimation is mandatory. Here, too, organizational and technical aspects come to the fore.

Technical security can be achieved, for example, through measures such as regular penetration tests or complete security audits in order to identify and eliminate any security risks that may exist in the area of ​​information technology systems, applications and / or in the information technology infrastructure .

Organizational security can be achieved and checked through audits by the relevant specialist departments in an organization. For example, predefined test steps or control points of a process can be tested during an audit.

Measures for further risk minimization or decimation can be derived from the findings of the far-reaching inspection methods. A methodology as described in this paragraph is directly compliant with standards such as ISO / IEC 27001 , BS 7799 or legal regulations. Here, in most cases, a direct traceability of information security processes is required by demanding risk management from companies .

Implementation areas

There are several initiatives in Germany to raise awareness of the dangers in the area of ​​IT security and to identify possible countermeasures. These include the Cyber ​​Security Council Germany eV, the Association Germany Safe in the Net , the Alliance for Cyber ​​Security and the Cybercrime Security Cooperation .

Private households

Programming errors in almost every software make it virtually impossible to achieve security against any type of attack. By connecting computers with sensitive data ( e.g. home banking , processing the dissertation ) to the Internet , these vulnerabilities can also be used externally. The standard of IT security in private households is lower because hardly any measures are taken to secure the infrastructure ( e.g. uninterruptible power supply , protection against burglary).

But private households still have deficits in other areas as well.

Many private users have not yet understood that it is important to adapt the configuration of the software used to the respective needs. With many computers connected to the Internet, it is not necessary that server programs run on them . Server services are loaded by many operating systems in the standard installation; deactivating them closes a number of important points of attack.

Security aspects such as the establishment of access restrictions are also alien to many users. It is also important to find out about weaknesses in the software used and to regularly install updates.

Computer security not only includes the preventive use of technical tools such as firewalls , intrusion detection systems, etc., but also an organizational framework in the form of well thought-out principles (policy, strategy) that includes people as users of the tools in the system. All too often, hackers succeed in gaining access to sensitive data by exploiting a weak password or through so-called social engineering .

IT security at savings banks and banks

The results of Basel II , the regulations of BaFin and the KWG, as well as the individual audits of associations of the savings banks and banks have contributed to accelerating the process and emphasizing its importance . Both external and internal audits are increasingly geared towards this topic. At the same time, an extensive range of services was created to carry out various projects that are intended to establish an IT security process in companies. Providers can be found both within the respective corporate group and on the external market. For other financial services institutions, insurance companies and securities trading companies, the concept will generally be identical, although other laws may also play a role here, for example.

IT security at other companies

Even if the legislations and audits in other sectors of the economy make fewer specifications, IT security retains its high priority. Assistance grant free IT Baseline Protection Catalogs of the BSI .

Due to the increasing networking of different branches z. For example, in the case of company acquisitions, securing the IT systems becomes more important. The data transfer from an internal, closed network via an external, public connection to the other location creates risky situations.

The implications for companies include: a .:

  • Loss of data,
  • Manipulation of data,
  • unreliable reception of data,
  • late availability of data,
  • Decoupling of systems for operational business,
  • improper use of data,
  • Lack of development capability of the systems used.

But the danger is not only in internal company data exchange; applications are increasingly being transferred directly to users, or external employees or even outsourced service providers can access data stored in the company and edit and manage them. For their access authorization, authentication must also be possible, as well as documentation of the actions taken and changed.

Following this topic, new requirements arise for the existing security concepts. In addition, there are the legal requirements, which must also be integrated into the IT security concept. The relevant laws are checked by external and internal auditors. Since no methods have been defined to achieve these results, various "best practice" methods have been developed for the respective areas, such as ITIL , COBIT , ISO or Basel II .

The approach here is to manage and control a company in such a way that the relevant and possible risks are covered. The mandatory, i.e. laws ( HGB , AO , GOB) and expert reports ( Sarbanes-Oxley Act , 8th EU Audit Directive) and the supporting ones (“Best Practice Method”) are to be seen as the standard for so-called IT governance .

That means identifying, analyzing and evaluating these risks. To enable the creation of a holistic security concept based on this. This not only includes the technologies used, but also organizational measures such as defining responsibilities, authorizations, control bodies or conceptual aspects such as minimum requirements for certain security features.

So special requirements are now placed on the EDP:

  1. Prevention of tampering
  2. Evidence of interventions
  3. Installation of early warning systems
  4. Internal control systems

It should be noted that the automation data is saved in such a way that it can be read, traced and is consistent at all times. To do this, this data must be protected from manipulation and deletion. Any change should trigger a version management and the reports and statistics on the processes and their changes must be directly accessible centrally.

A remedy here can be highly developed automation solutions. Because less manual intervention is necessary, potential sources of danger are excluded. Data center automation thus covers the following areas:

  • Process flow as a risk factor
  • Risk factor resources
  • Technology as a risk factor
  • Time as a risk factor

IT security in public institutions and authorities

In this area, the BSI's IT-Grundschutz Catalogs are standard works. To a large extent, these offices receive the associated GSTOOL , which significantly simplifies implementation, free of charge.

Legal framework

Corporate governance can be seen as a framework for IT security. The term comes from strategic management and describes a process for controlling a private company. A balance between the various interest groups ( stakeholders ) is sought through rules and control mechanisms. The process serves to maintain the company and is subject to regular external reviews.

Corporate Governance Laws

The law on control and transparency in the corporate sector (KonTraG) came into force in May 1998 with the aim of better monitoring corporate management (corporate governance) and making it easier for foreign investors to access information about companies (transparency) . The core topic of the far-reaching changes in the Commercial Code (HGB) and the Stock Corporation Act (AktG) was the introduction of an early risk detection system to identify risks that could endanger the company's existence. Every capital market-oriented company had to set up such a system and publish the company's risks in the management report of the annual financial statements .

The Sarbanes-Oxley Act (SOX), which came into force in July 2002 , was aimed at restoring the lost confidence of investors in the published balance sheet data of American companies. Subsidiaries of American companies abroad and non-American companies that are traded on American stock exchanges are also subject to this regulation. The law does not explicitly prescribe precautions in the area of ​​IT security such as the introduction of an ISMS. Correct reporting of internal company data is only possible with reliable IT processes and adequate protection of the data used. A conformity with the SOX is therefore only possible with the help of IT security measures.

The European Eighth Directive 2006/43 / EC (also called “EuroSOX”) was created based on the American SOX law and came into force in June 2006. It describes the minimum requirements for a company for risk management and defines the duties of the auditor .

The German implementation of the European EuroSOX took place in the Accounting Law Modernization Act (BilMoG). It came into force in May 2009. For the purpose of harmonization with European law, the law changed some laws such as the HGB and the Stock Corporation Act . Among other things, corporations such as an AG or a GmbH are required according to Section 289 of the German Commercial Code (HGB), Paragraph 5, to present essential properties of their internal control system (ICS) in the management report of the annual financial statements.

In the European regulations, the Directive on Capital Requirements (Basel I) from 1988 and the Directive on Basic Solvency Capital Requirements from 1973 (updated in 2002; subsequently referred to as Solvency I), many individual laws were grouped under one heading. These regulations, which are important for credit institutions and insurance companies , contained many weaknesses. The new regulations Basel II for banks (EU-wide in force since January 2007) and Solvency II for insurers (in force since January 2016) contain more modern regulations for risk management. The Basel III succession plan has been in place since 2013 and should be fully implemented by 2019.

Data protection laws

The first version of the Federal Data Protection Act (BDSG) with the name of the law on the protection against misuse of personal data in data processing was issued on January 27, 1977 ( BGBl. I p. 201 ). In response to the so-called census ruling of 1983, the law on the further development of data processing and data protection of December 20, 1990, brought a new version of the BDSG into force on June 1, 1991 ( BGBl. 1990 I pp. 2954, 2955 ). One of the many changes to the law came into effect in August 2002. It served to adapt the law to EC Directive 95/46 / EC (data protection directive) .

In addition to the BDSG, there are other legal regulations in Germany that require the introduction and operation of an ISMS. These include the Telemedia Act (TMG) and the Telecommunications Act (TKG).

The protection of privacy has been regulated in Great Britain by the Data Protection Act (DPA) since 1984 . In its original version, this offered minimal data protection. The processing of personal data was replaced in 1998 by a new version of the DPA. This came into force in 2000 and brought British law into line with EC Directive 95/46 / EC. In Great Britain in 2001 the British government obliged all ministries to be compliant with BS 7799 . The implementation of an ISMS makes it easier for British companies to demonstrate compliance with the DPA.

The General Data Protection Regulation overrides Directive 95/46 / EC. It came into force on May 24, 2016 and will apply directly in all states of the European Union from May 25, 2018. The previous national regulations such as the English DPA and the German BDSG are being replaced or revised in order to fulfill the regulatory mandates of the ordinance to the national legislature.

IT security law

In the face of terrorist attacks and for military reasons, the protection of critical infrastructures against cyber attacks is becoming increasingly important in Germany and other countries. To this end, an article law to increase the security of information technology systems (IT Security Act, ITSiG) came into force on July 25, 2015 . The law assigns the Federal Office for Information Security to the central role in protecting critical infrastructures in Germany.

For this purpose, the BSI law was supplemented by security requirements for so-called "critical infrastructures". These are facilities, systems or parts thereof that

  • belong to the energy, information technology and telecommunications, transport and traffic, health, water, nutrition, and finance and insurance sectors and
  • are of great importance for the functioning of the community because their failure or impairment would result in considerable supply bottlenecks or threats to public safety.

In an associated regulation KRITIS regulation (BSI-KritisV) it is clarified which facilities, systems or parts thereof fall specifically under the requirements of the IT security law.

Critical infrastructures must meet industry-specific minimum standards, including in particular the introduction of an ISMS. Furthermore, they must report relevant incidents that affect IT security to the BSI.

The IT Security Act also introduced other laws such as B. the Energy Industry Act changed. The amendment to the Energy Industry Act obliges all electricity and gas network operators to implement the Federal Network Agency's IT security catalog and to introduce an ISMS.

On March 27, 2019, the Federal Ministry of the Interior also published the draft for an IT Security Act 2.0, which contains a holistic approach to IT security. Among other things, a consumer-friendly IT security label for commercial products is to be included, the competencies of the BSI are also being strengthened and cyber security criminal offenses and the associated investigative activities are being expanded. The draft law also expands the addressees of reporting obligations and implementation measures. Overall, the law is likely to result in a considerable additional economic burden for companies and authorities.

Criminal law aspects

Any unlawful modification, deletion, suppression or rendering unusable of third-party data fulfills the offense according to § 303a StGB ( data change ). In particularly serious cases, this is also punishable under Section 303b I No. 1 StGB (“ computer sabotage ”) and is punished with imprisonment of up to five years or a fine. The implementation of DDOS attacks has also represented computer sabotage since 2007, the same applies to any action that leads to damage to one information system that is of essential importance to another.

The spying of data (§ 202a of the Criminal Code), so gaining access to external data against this special protection shall be punished with imprisonment up to three years or a fine. The interception of third-party data in networks or from electromagnetic radiation has also been a criminal offense since 2007, unlike in Section 202a of the Criminal Code, special access security is not required here. Obtaining, creating, disseminating, making available to the public etc. of so-called "hacker tools" has also been a criminal offense since 2007 if it is used to prepare a criminal offense (Section 202c StGB).

According to § 202a Paragraph 2 in conjunction with Paragraph 1, however, data are only protected from being spied on if they are "specially secured" in order to prevent the facts from escalating. In other words, only when the user technically protects his data does he enjoy criminal protection. The earlier debate as to whether "hacking" without retrieving data was a criminal offense has lapsed since the wording of the standard was changed in 2007 in such a way that criminal liability already begins as soon as access to data is obtained. It is also controversial whether encryption counts for special security. It is very effective, but it is argued that the data are not backed up, but are only available in an “incomprehensible” or simply “different” form.

As computer fraud will be punished a Criminal Code by a fine or imprisonment of up to five years if data processing operations are manipulated to achieve a pecuniary gain by § 263rd Even creating, procuring, offering, keeping or letting suitable computer programs be punishable by law.


“I believe that by 2017 we will see some catastrophic system failures more and more likely. More likely, we will have a horrific system failure because some critical system was connected to a non-critical one that was connected to the internet for anyone to get to MySpace - and that auxiliary system is infected by malware . "

- Marcus J. Ranum, IT security expert : quoted from Niels Boeing

See also


Web links

Individual evidence

  1. Stefan Loubichi: IEC 62443: IT security for industrial automation systems - an introduction to the systematics VGB PowerTech Journal, issue 6/2019, ISSN 1435-3199
  2. a b c d e f Claudia Eckert: IT security. Concepts - Procedures - Protocols. 7th, revised and expanded edition. Oldenbourg, 2012, ISBN 978-3-486-70687-1
  3. Simple representation of information security
  4. ^ R. Shirey: RFC 4949, Internet Security Glossary, Version 2 . IETF . P. 29. Retrieved on November 10, 2011: "The property of being genuine and able to be verified and be trusted."
  5. a b Carsten Bormann et al .: Lecture slides 0. (PDF; 718 kB) In: Lecture Information Security 1, SS 2005, University of Bremen. April 16, 2005, accessed August 30, 2008 . Slide 25.
  6. ^ Claudia Eckert : Lecture IT security, WS 2002/2003, TU Darmstadt. (PDF; 6.8 MB) Lecture slides Chap. 2, slide 17. (No longer available online.) TU Darmstadt FG Security in Information Technology, October 20, 2004, p. 26 , archived from the original on December 3, 2013 ; Retrieved November 19, 2010 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot /
  7. Federal Office for Information Security (Ed.): The situation of IT security in Germany 2016 . October 2016.
  8. See also ENISA Quarterly Vol. 2, No. 3, Oct 2006 , ENISA , accessed May 29, 2012
  9. Description of the software restriction policy in Windows XP , accessed on August 9, 2013.
  10. How To: Use Software Restriction Policies in Windows Server 2003 , accessed August 9, 2013.
  11. Using Software Restriction Policies to Protect Against Unauthorized Software , accessed August 9, 2013.
  12. Using Software Restriction Policies to Protect Against Unauthorized Software , accessed August 9, 2013.
  13. How Software Restriction Policies Work , accessed August 9, 2013.
  14. Detailed description of the Data Execution Prevention feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003 , accessed on August 9, 2013.
  15. W3 Tech's Usage of Default Protocol https for websites . Retrieved May 30, 2019.
  16. BSI TR-02102-1: Cryptographic procedures: Recommendations and key lengths , pages 22–23, Federal Office for Information Security , Bonn, February 22, 2019. Accessed May 30, 2019.
  17. ENISA Quarterly, Q4 2007, vol. 3, no. 4 , ENISA , accessed on May 29, 2012
  18. Urs E. Gattiker: Why information security awareness initiatives have failed and will continue to do so . (PDF; 279 kB) Presentation at the 2007 conference.
  19. Axel Tietz, Johannes Wiele: Awareness is just a beginning . In: Informationsdienst IT-Grundschutz , No. 5/6, May 2009, pp. 28–30, ( ISSN  1862-4375 )
  20. Frank van der Beek: What is the best way to teach IT security? An empirical study (PDF; 2.4 MB). P. 17.
  21. Michael Falk: IT compliance in corporate governance: requirements and implementation. Wiesbaden, Gabler Verlag, 2012, ISBN 3-8349-3988-9
  22. Thomas A. Martin: Fundamentals of risk management according to KonTraG: The risk management system for early crisis detection according to § 91 Abs. 2 AktG. Munich, Oldenbourg, 2002. ISBN 978-3-486-25876-9
  23. a b c d e J. Hofmann, W. Schmidt: Master course IT management: Basics, implementation and successful practice for students and practitioners. 2., act. and exp. Edition. Vieweg + Teubner, 2010, ISBN 978-3-8348-0842-4 .
  24. ^ Heinrich Kersten, Jürgen Reuter, Klaus-Werner Schröder, Klaus-Dieter Wolfenstetter: IT security management according to ISO 27001 and basic protection: The way to certification. 4th, act. u. exp. Edition. Springer, Wiesbaden 2013, ISBN 978-3-658-01723-1 .
  25. First Council Directive 73/239 / EEC of July 24, 1973 on the coordination of legal and administrative provisions relating to the taking up and pursuit of direct insurance activities (with the exception of life insurance) , accessed on January 9, 2014
  26. Law amending the Federal Data Protection Act and other laws of May 22, 2001 ( BGBl. I p. 904 )
  27. ^ MJ Kenning: Security Management Standard: ISO 17799 / BS 7799. In: BT Technology Journal , 19, 2001, No. 3, pp. 132-136.
  28. Law to increase the security of information technology systems of July 17, 2015 ( Federal Law Gazette I p. 1324 )
  29. Federal Ministry of Justice and Consumer Protection: KritisV. April 22, 2016. Retrieved July 22, 2016 .
  30. Federal Network Agency: IT security catalog. (PDF) Retrieved July 22, 2016 .
  31. IT Security Act (IT-SiG) 2.0 - a quick overview of the most important changes to the draft bill | beck community. Retrieved April 3, 2019 .
  32. Marcus J. Ranum (website)
  33. Niels Boeing: Lightning and Thunder in the Matrix (" Technology Review ", German edition, January 25, 2008)