What is an IT Security Concept?
The IT security concept is a document that translates the principles of information security into operational catalogs of measures by describing information security risks and how they are to be handled. Examples of such risks include
- disasters and other effects of force majeure,
- serious disruptions to IT operations caused deliberately or negligently (attacks from outside or inside, accidents and carelessness),
- technical failure.
Classification of an IT security concept
The IT security concept is usually part of an Information Security Management System (ISMS), which in turn is derived from data protection and data security requirements. It is one of the most visible tools of the ISMS for describing, communicating and training the security-relevant IT standards of an organization. It describes the specific risks and measures that employees may encounter in their everyday work.
Goals of the IT security concept
The primary goal of developing and implementing an IT security concept is to reduce information security risks to a calculable level. Risks are usually assessed against the general protection goals of confidentiality, integrity, and availability. At its core, IT security is about identifying and evaluating risks with respect to these protection goals and, on that basis, defining measures to protect customer and company data (technical and organizational measures, TOMs).
Scope of an IT security concept
In short, an IT security concept is relevant to every organization and organizational unit that operates or is setting up an information security management system. This applies in particular to areas that store or process personal data within the scope of the EU GDPR. Beyond that, an IT security concept is practically indispensable for any organization whose business success depends to a critical degree on the availability and consistency of its data.
Legal framework of an IT security concept
In general, there is no explicit legal obligation to set up and maintain an IT security concept. However, obligations that strongly suggest one can be derived from various standards and (German) laws. Examples are:
What is an IT security concept according to ISO 27001?
ISO/IEC 27001 states only in general terms, with little technical depth, that an information security management system must identify and evaluate risks; it does not prescribe how this is to be done. Companies can have their ISMS certified against the international standard ISO/IEC 27001, for example to document that their information protection meets generally recognized requirements. The specifications of the German Federal Office for Information Security (BSI) are more concrete: BSI IT-Grundschutz is compatible with ISO 27001 but goes into considerably more detail.
What is an IT security concept according to BSI?
In its BSI Standards 200-1 to 200-3, the Federal Office for Information Security (BSI) provides comparatively specific guidance on the structure of an ISMS, on the IT-Grundschutz methodology for protecting information and, more generally, on risk management in information security. In practice these recommendations often form the basis of an IT security concept, which can also be certified by the BSI (ISO 27001 certificate on the basis of IT-Grundschutz). For operators of critical infrastructures (KRITIS), the BSI does not merely make recommendations but sets binding requirements: under § 8a of the German BSI Act (BSIG) they must take appropriate measures to minimize their information security risks and provide concrete evidence to the BSI that they have done so.
Requirements for an IT security concept under the GDPR (DSGVO)
Even the much-cited European General Data Protection Regulation (EU GDPR) does not explicitly require an IT security concept. However, the requirements of Article 30 (records of processing activities, including a general description of the technical and organizational security measures) and Article 32 (obligation to implement and operate risk-oriented technical and organizational measures) lead almost directly to what is commonly called an IT security concept.
Components of an IT security concept
An IT security concept usually describes the specific protection goals against which risks are identified and assessed, as well as the general rules for handling customer and company data. The technical and organizational measures derived from these form the other main component of the IT security concept. Through them the organization seeks to avoid critical information security risks such as system failures, external attacks, or data breaches, or to respond effectively when a risk materializes.
Contents of an IT security concept
In general, the IT security concept describes which types of information and which processes are to be protected against risks. Expectations of an IT security concept differ by industry. Companies in the KRITIS environment are assessed differently from other sectors, because incidents at KRITIS companies can often have large-scale effects. Heightened requirements also apply to companies in the healthcare and financial sectors and to public authorities, all of which handle particularly sensitive and therefore especially protection-worthy personal data.
Process of an IT security concept
The creation and maintenance of an IT security concept usually consists of several phases (following the BSI IT-Grundschutz methodology), which are repeated with every relevant change in the infrastructure or in the organizational processes:
- The "scope definition" (also called status analysis) describes the areas and objects of a company to which the IT security concept applies.
- The "structure analysis" records all current types of information, business processes and technical systems that form the basis of the IT security concept.
- The "determination of protection requirements" assigns protection classes to the elements identified in the structure analysis.
- The "modeling phase" yields concrete security measures for each structural element.
- The "basic security check" checks whether the existing protective mechanisms are adequate.
- The "supplementary security analysis" identifies the remaining gaps, typically for elements with high or very high protection requirements.
- The "risk analysis" defines measures to reduce the remaining risks to an acceptable level.
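The phases above, run against a small constructed inventory, as an added example that is not from the original page. It uses the "maximum principle" of BSI IT-Grundschutz (a system inherits the highest protection requirement of any application that depends on it) to propagate requirements from applications to systems, then derives the target measures, compares them with what is implemented and flags the elements that need an explicit risk analysis. The applications, systems, class names and measure catalogue are assumptions made for the illustration.

```python
"""Worked walk-through of the phases of an IT security concept.

Added example, not from the original page. The inventory, the measure
catalogue and the class names are constructed for illustration; a real
concept would take them from the structure analysis and from a measure
catalogue such as the IT-Grundschutz-Kompendium.
"""
from dataclasses import dataclass

# Protection classes in ascending order. RANK lets us apply the IT-Grundschutz
# "maximum principle": a system inherits the highest requirement of any
# application that depends on it.
CLASSES = ["normal", "high", "very high"]
RANK = {cls: i for i, cls in enumerate(CLASSES)}
GOALS = ("C", "I", "A")  # confidentiality, integrity, availability


@dataclass
class Application:
    name: str
    req: dict          # protection requirement per goal, e.g. {"C": "high", ...}
    systems: list      # names of the systems this application runs on


@dataclass
class System:
    name: str
    implemented: set   # identifiers of measures already in place


# Phase 2, structure analysis: constructed sample inventory.
APPS = [
    Application("HR payroll", {"C": "very high", "I": "high", "A": "normal"}, ["db01", "app01"]),
    Application("Public website", {"C": "normal", "I": "high", "A": "high"}, ["web01", "db01"]),
    Application("Intranet wiki", {"C": "normal", "I": "normal", "A": "normal"}, ["app01"]),
]
SYSTEMS = {
    "db01": System("db01", {"patching", "backup", "access-control"}),
    "app01": System("app01", {"patching"}),
    "web01": System("web01", {"patching", "access-control", "waf"}),
}

# Constructed measure catalogue: measures that become mandatory at a given
# class (a class also requires everything mandatory at the classes below it).
CATALOGUE = {
    "normal": {"patching", "backup", "access-control"},
    "high": {"logging", "mfa"},
    "very high": {"encryption-at-rest", "hsm-keys"},
}


def max_class(a: str, b: str) -> str:
    return a if RANK[a] >= RANK[b] else b


# Phase 3, determination of protection requirements.
def system_requirements(apps) -> dict:
    """Per system and goal, the highest requirement of any dependent application."""
    reqs = {}
    for app in apps:
        for sys_name in app.systems:
            cur = reqs.setdefault(sys_name, {g: "normal" for g in GOALS})
            for goal in GOALS:
                cur[goal] = max_class(cur[goal], app.req[goal])
    return reqs


def overall_class(req: dict) -> str:
    """The highest requirement across the three goals decides the measure set."""
    return max(req.values(), key=lambda c: RANK[c])


# Phase 4, modeling: derive the target measures for a structural element.
def required_measures(cls: str) -> set:
    needed = set()
    for c in CLASSES[: RANK[cls] + 1]:
        needed |= CATALOGUE[c]
    return needed


# Phase 5, basic security check: compare the target with what is implemented.
def basic_security_check(systems, reqs) -> dict:
    """Map system name -> sorted list of missing measures (systems without gaps are omitted)."""
    gaps = {}
    for name, system in systems.items():
        missing = required_measures(overall_class(reqs[name])) - system.implemented
        if missing:
            gaps[name] = sorted(missing)
    return gaps


# Phase 6, supplementary security analysis: elements whose requirement is
# "high" or above are not covered by baseline measures alone and need an
# explicit risk analysis (phase 7) for the gaps found above.
def risk_analysis_candidates(reqs) -> list:
    return sorted(n for n, r in reqs.items() if RANK[overall_class(r)] >= RANK["high"])


if __name__ == "__main__":
    reqs = system_requirements(APPS)
    for name, req in sorted(reqs.items()):
        print(f"{name}: {req} -> overall {overall_class(req)}")
    for name, missing in basic_security_check(SYSTEMS, reqs).items():
        print(f"gap {name}: {', '.join(missing)}")
    print("risk analysis needed for:", risk_analysis_candidates(reqs))
```

The point worth noticing is that `db01` ends up with "very high" confidentiality and "high" availability even though no single application demands both: the requirement of a shared system is the maximum over everything it carries, which is why the structure analysis has to capture dependencies and not just a list of assets.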
Implementation of an IT security concept
As a rule, company management has the greatest interest in operating an effective and efficient Information Security Management System (ISMS). The reason is not only the potential penalties for the company when risks materialize, but also personal liability and the personal and corporate loss of reputation in the event of reportable incidents. In recent years, however, organizations have also had their IT managers trained as Information Security Officers or Chief Information Security Officers (CISO) and transferred responsibility for the ISMS to them. The actual creation and maintenance of the IT security concept derived from the ISMS is usually the responsibility of a project team made up of IT management, the information security officer and the data protection officer. Application owners, department heads and/or key users are often brought in for additional input from the operational areas.
In daily practice, project teams are supplemented or led by external consultants such as those provided by Firnkorn & Stortz. Together with concepts and templates, they contribute full-time expertise in the creation, introduction and ongoing maintenance of an IT security concept, either in a steering or in a supporting role, often combined with industry-specific best-practice experience in information security and cyber security. As part of a consultation, the customer's needs are determined in detail and tailored solutions and support are offered. This not only ensures rapid progress in the development and implementation of an IT security concept, but also robust and sustainable results.
Your contact person at Firnkorn & Stortz on the subject of IT security concepts
Firnkorn + Stortz GmbH