VdS 3473

from Wikipedia, the free encyclopedia

The guidelines VdS 3473 "Cyber-Security for small and medium-sized enterprises (SMEs)" of VdS Schadenverhütung GmbH were the first VdS guidelines on the topic of information security; they were replaced in 2018 by their successor, VdS 10000. They contain guidance and assistance for implementing an information security management system as well as specific measures for the organizational and technical protection of IT infrastructures. They are designed specifically for SMEs and for small and medium-sized organizations, with the aim of ensuring an appropriate level of protection without overburdening them organizationally or financially. The creation of VdS 3473 was initiated by the Association of the German Insurance Industry.

Characteristics

VdS 3473 is upward compatible with ISO/IEC 27001 and with IT-Grundschutz. It is 38 pages long, 26 of which contain specific guidelines. It uses clear wording conventions for the binding force of its requirements (“must” / “must not” / “should” / “should not” / “can”). To minimize the analysis effort, VdS 3473 distinguishes only between "non-critical" and "critical" IT resources, and the criteria that lead to an IT resource being classified as "critical" are set very high. For non-critical IT resources, a simple basic protection is defined that must be implemented wherever technically possible. If the implementing organization decides against implementing individual measures, it must carry out an appropriate risk analysis and risk treatment in order to record and address the resulting risks. For critical IT resources, VdS 3473 requires extended security measures as well as an individual risk analysis and treatment.

For several topics (identification of critical IT resources, environment, data backup and archiving, procedures and risk management), VdS 3473 recommends implementing established standards from the areas of business continuity management, physical IT security, quality management and risk management. Companies may, however, define their own procedures, provided these implement a few key aspects of the established standards. Part of VdS 3473 is the establishment of a security policy, appropriate guidelines and procedures, and a continuous improvement process.

Development history

VdS 3473 was created by a project team of VdS and external experts, starting on December 15, 2014, with public participation. The work steps carried out were published at short intervals throughout the development phase, giving interested parties the opportunity to submit their own optimizations and change requests. The VdS guidelines have been available in version 1.0 since July 1, 2015 and are available to the public free of charge.

On April 24, 2017, VdS published a draft guideline for the interpretation and implementation of VdS 3473 for industrial automation systems.

VdS 3473 was revised in 2018 and replaced by VdS 10000.

Relationship to VdS 10010

VdS 3473 served as a template for VdS 10010 ("VdS guidelines for implementing the GDPR"), published on December 15, 2017. For example, Chapters 1 to 8 of both guidelines are almost identical.

Supportive measures

A VdS certificate can be obtained for the implementation of VdS 3473. To make it easier for organizations that want to have their information security certified on the basis of VdS 3473, VdS has developed two upstream instruments.

  • In a web-based self-assessment, companies can gain an initial overview of the current status of their information security and identify any need for action. The self-assessment consists of 39 questions in the fields of organization, technology, prevention and management. It concludes with a brief analysis, including a traffic-light rating, and a detailed status report on the information security of the company completing it. A quick check following the same system, designed specifically for process automation technology, has also been online since CeBIT 2016.
  • In an optional second step, companies can have an audit carried out on the results of the self-assessment. The audit, which usually takes one day, is carried out on site by an auditor from VdS Schadenverhütung GmbH, who examines the status of the information security and, if necessary, identifies further improvement needs.

Awards

In 2016, VdS 3473 received the “Security Innovation Award”, known as the “Industry Oscar” of the world's leading trade fair for loss prevention, “Security” in Essen.
