IT Security Law

The German IT Security law came into force on 25 July 2015.

The statutory orders are not published and valid yet, which designates the enterprises and basic conditions, which fall explicitly under the IT security law. The first draft is now out since February 2016.

But the material reference to safety occurrences is more up-to-date ever. Beside that last admits become attack on VTech and the network of the German Bundestag in 2015. Also the attacks with the Loki Virus or its predecessors on central IT infrastructures show the dangers on the IT today with suitable means, co-ordinated processes and a good IT organization to meet must. And many small and medium-sized enterprises did not still perhaps even notice it that you are already concerned or were.

The kind of the attacks is various, it comes from the outside and also from the inside, of own employee, consciously as also unconscious. And it is still underestimated by many enterprises, those in statements: as we are nevertheless much too uninteresting, me it will not meet, we will already not have a virus protection a software, etc. will express nevertheless.

But each enterprise can be concerned. An example is the fact that also still today negligent employees from open private email the appendix and would drive a file out which with the enterprise codes all important data on the server. Recognized after 4 days will the encoding and the not coded backups could be rewound. 5 days work were lost. This to do over again took then still more than further 5 days.

It shows this simple example that Cyber attacks from the Internet are not an abstract risk scenario, but a material existing threat with potential to the disaster.

The IT safety law is to protect and sensitize the German critical infrastructures. Also many other enterprises are no longer functional today without a functioning IT or survivable. Not only the operability of the IT is to be ensured, but also the other data, z. Ex. their customer data, the data of your employee data, developments, patents or it SOURCE code is to be protected access or manipulation not authorized forwards.

Which enterprises belong to KRITIS?

„Critical infrastructures (KRITIS) are organizations or facilities with important meaning for the national community, when whose loss or impairment effectively working bottlenecks, substantial disturbances of public safety or other dramatic consequences would enter. “
Quotation of the Federal Office for population protection and disaster relief

Enterprises from the sectors energy, health, IT and telecommunications, transport and traffic (ÖPNV, SPNV, aviation, navigation, logistics), water, nutrition as well as the financial and insurance are defined. Today one proceeds from approx. 2,000 enterprises, which will be affected by the IT-Sicherheitsgesetz.

What are enterprises concerned to do?

In accordance with the law remains for the enterprises after the entry into force of the regulation two years time up to the conversion of the requirements. This is from our experiences quite little time, depending on like the enterprises set up is.  From there we recommend to start with it the own status quo now concerning the conversion of IT security to check and with it begin of repairing if necessary problems and deficits. It is to be optimized surely more meaningfully in small steps the IT security and increased, instead of daring a large throw, which is to convert everything to the end in one. Think thereby also of your employees, who are to convert and advance all this further. It is necessarily technology to bring organization and processes in agreement and shrinks from you also not at it with pragmatic steps to begin itself.

So far the enterprises announced in each case the incidents, to you „“were convenient and IT security to their own standard converted. IT security belongs in each enterprise into qualified hands. In addition IT must be employees qualified and well trained.

Thus the law created the possibility of expressing penalties. IT-Sicherheitsvorfälle, which let explain by omissions with the realization and structuring of IT-security measures, can be occupied now with up to 100,000 euros penalty. Besides the BSI can call in as the conversion and removal of the flaws.

We are however the opinion that gives the sensitization, the information and support during the conversion substantially more success than only simple penalties. But there are also voices, which say, only by the grasp to „the purse “can necessary measures be realized.

The structure of a ISMS (IT Security management system) and the necessary reporting structures will place the federation and the enterprises concerned surely before substantial financial and personnel challenges. The enterprises fear competitive disadvantages instead of this as opportunity to understand effectively in the market to position themselves and by a proven information security a competitive advantage provide.

And which comes to it?

To what extent IT-security can improve by critical infrastructures effectively, the future will show. But missing bases must be now converted and the time of 2 years for it are nevertheless quite scarcely be measured.

But it must go through still another pragmatic and nevertheless safe approach to a ISMS without equivalent the whole BSI basic protection catalog and have to work on. Ask us.