SECURITY CONCEPT: SO TEST THEREFORE, WHO JOIN FOREVER

Data protection concept - Security concept - Data protection - GDPR - Compliance - ISO 27001

So test therefore, who join forever, if heart to heart be found together! Delusion is short, remorse is long.

Friedrich Schiller already knew the value of a considered and structured procedure before entering into a bond. Exactly this consideration must also be made before a new IT system establishes connections.

A written security concept (SiKo) is the continuation of the structured procedure of an ISMS.

The aim of a security concept is to identify risks and threats and to define appropriate security measures. The residual risks are determined and accepted by the responsible persons.

In the IT environment, a security concept means classifying the data a new system will process before it is put into operation and then deriving the necessary measures from that classification. The scope of the concept depends strongly on the criticality of the processed data and on the complexity of the systems used. Often the SiKo is derived directly from the minimum security measures for IT systems, which may then have to be extended by higher-level security measures.

A security concept in its minimal form consists of:

  • Inventory and structural analysis of the processed data and the systems involved
  • Carrying out a protection needs assessment
  • Recording the hazards and evaluating them
  • Definition of the necessary measures
  • Evaluation and documentation of residual risks

The aim of the SiKo is to protect the processed data and to ensure the traceability of the implemented technical and organizational measures. The required level of security should be maintained throughout the service life of a system.

SEC4YOU gladly supports the creation of security concepts. During this process, all points of the minimal form are worked out and documented in a structured way.

The data protection concept in the context of the GDPR

A data protection concept (DSK), even though it is called a "protection" concept, does not protect the processed data; it aims to protect the rights of the data subjects. Under the GDPR, the importance of creating a DSK increases, as this is the only way to ensure that the necessary data protection measures are defined and effective in all areas.

The responsibility for creating a DSK lies with the service manager and not with the data protection officer, since the data protection officer usually only has to create the structures and is not directly responsible for all applications.

The following specifications are defined in a DSK:

  • Definition of the specifications for the collection, processing and use of personal data
  • Definition of the measures that primarily prevent the misuse of personal data and ensure compliance with the requirements of the data protection act

The DSK of an application defines the target state that is to be documented in the course of the GDPR.

The aim of the DSK is to fulfill the requirements of the Data Protection Act by protecting the personal rights of the data subjects and to describe the technical and organizational measures required for this purpose.

When implementing a DSK, SEC4YOU uses the measures developed in the security concept and extends them with specific data protection measures.

YOUR ADVANTAGES

  • A security concept is a structured procedure before the introduction of a new service
  • Identifies the risks and threats and defines appropriate security measures for them
  • Defines the required level of security over the entire service life
  • A data protection concept is designed to protect the rights of data subjects, not the data being processed

Questions about security concepts and data protection concepts?
Would you like to talk to an expert?