The key points in brief:
- Increased security requirements for KRITIS operators: The BSI KRITIS Ordinance and the IT Security Act oblige companies in critical infrastructures to meet higher security standards and undergo regular audits in order to ensure security of supply in Germany.
- Strict compliance requirements: Affected organizations must provide detailed documentation of their IT systems, processes and security measures in order to meet the legal requirements and avoid sanctions.
- Prevention instead of reaction: Up-to-date and comprehensive IT documentation, which can be created with tools such as Docusnap, not only supports compliance with the legal requirements, but also reduces the risk of cyber attacks through better transparency and optimization of IT security measures.

Everyone who has IT responsibility in a company or organization has at least heard of the IT Security Act of the Federal Office for Information Security (BSI). In this context, terms such as KRITIS and "critical infrastructures" come up.
If there is an IT security law, who does it apply to? What needs to be considered? Must private companies also comply with it? Or does it at least make sense for private companies to follow the BSI IT Security Act?
Let's take a look at the BSI IT Security Act, with its latest revision from 2021, to see to what extent companies and organizations are affected by it or can even benefit from it.
The price of digitization
Things are becoming more digital. Everything around us is increasingly being digitalized. Documents, information and, above all, personal data are no longer stored by companies and organizations in thick file folders, but are processed digitally on the computer. This has been the case for a long time.
Relatively new, however, are the constant threats that have become a permanent companion of everyday digital life, especially as a result of the Internet. As in all areas of life, dangers are often ignored until you are affected by them yourself.
That is just as true in the world of IT as when hiking or driving. Not everyone is aware of the dangers that have long been knocking loudly on the door. In the IT world, it is enough for a device or the IT network to be connected to the Internet.
In IT, this willingness to take risks often has several causes. For one thing, security measures are expensive, which can put real pressure on an already hard-won IT budget. If there is also no awareness or understanding of current Internet threats at decision-making level, an elaborately developed security concept can quickly fail for lack of management's blessing.
On the other hand, the types of threats change so fast that even long-established IT administrators are not always up to date. This is especially true when the network hasn't changed significantly for quite some time and an adequate security standard was introduced "back then". As already said: the dangers and threats, particularly from or on the Internet, change almost daily.
Who does the IT Security Act apply to?
The sections of the BSI IT Security Act are mandatory for operators of critical infrastructures. However, other companies and organizations can use the basic framework to bring their own security measures up to a current level. In doing so, many aspects are considered that could otherwise be lost or overlooked.
What is meant by “critical facilities”?
The IT Security Act 2.0 has been in force since May 28, 2021. In this Act, the Federal Office for Information Security requires operators of critical infrastructures and, in future, other companies of particular public interest to implement state-of-the-art IT security measures. The BSI's aim is to close security gaps in IT systems as quickly as possible at any time.
According to the KRITIS strategy of 2009, critical facilities or infrastructures are divided into the following nine sectors.
Source: BSI — KRITIS and regulated companies/Critical infrastructures/General information about KRITIS
- Energy
- Information technology and telecommunications
- Transport and traffic
- Health
- Water (drinking and waste water)
- Food
- Finance and insurance
- State and administration
- Media and culture
Critical infrastructures (all sectors mentioned except state and administration as well as media and culture) are targets of cyber attacks just like other companies. However, they have a particularly high potential for damage to society. Securing the IT systems used by KRITIS operators is highly complex. This is compounded by the fact that information infrastructure systems sometimes have a long life cycle and often cannot be provided with security updates at all, or not promptly.
Whether an infrastructure counts as a critical facility is determined by a threshold (the number of people served). Since such specific provisions and definitions in particular are subject to change, we also refer you directly to the BSI information page on this topic: BSI — Critical Infrastructures/KRITIS FAQ
Guidance and support
All relevant information on the subject of IT Security Act 2.0 can be found on the BSI website: Federal Office for Information Security website
As is often the case, implementing IT security requirements is no trivial task. In particular, compliance with the BSI IT Security Act must be demonstrated by an audit certificate in accordance with Section 8a (3) BSIG, obtained through regular audits. This means not only that the implementation must be carried out, but also that the review must be repeated at regular intervals. This is defined in Section 8f (1), which states that a self-declaration on IT security must be submitted to the Federal Office at least every two years.
Implementation in practice
As in other companies, IT in critical facilities has also grown strongly in recent years. The clear, small network of the past has become an almost unmanageable construct that is subject to constant change. This is almost impossible to manage by manual means. That is why professionally managed IT departments rely on precise documentation and inventory of all IT systems in use.
The first step is to determine which devices are used in your own IT network (and also at the individual locations). Only with this information is seamless IT security possible in the first place. If the IT department uses professional documentation software such as Docusnap for this purpose, this information can easily be read out in a report. Thanks to automatic inventory, Docusnap always has the latest data from all accessible devices in the network. Not only device information such as name and IP address is stored there, but also information that is important for IT security, such as software and patch levels or the firmware in use. This is the only way to check your own IT network and all its components for outdated versions or necessary patches.
In any case, comprehensive documentation is important during implementation. It is not only the existing devices that matter, but also many other aspects of IT. This will necessarily include the following points:
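The check described above, comparing an inventory's recorded patch levels and firmware versions against a minimum baseline, can be illustrated with a small script. This is an added example and not Docusnap code; it does not use Docusnap's export format, and both the inventory and the baseline are constructed sample data. It flags devices that are below the minimum version and, just as importantly, devices for which no version was recorded at all, since those cannot be assessed.

```python
"""Check an IT inventory against minimum patch/firmware baselines.

Added example: not Docusnap code and not its export format.
The inventory and the baseline below are constructed sample data.
"""
import re

# Constructed sample inventory: what an automated inventory would record per device.
INVENTORY = [
    {"name": "fw-edge-01", "ip": "10.0.0.1", "type": "firewall", "firmware": "7.2.5"},
    {"name": "sw-core-01", "ip": "10.0.0.2", "type": "switch", "firmware": "16.12.4"},
    {"name": "srv-db-01", "ip": "10.0.10.5", "type": "server", "patch_level": "2024-03"},
    {"name": "srv-files-02", "ip": "10.0.10.9", "type": "server", "patch_level": "2023-09"},
    {"name": "plc-pump-03", "ip": "10.0.20.7", "type": "plc"},  # no version recorded at all
]

# Constructed baseline: the minimum acceptable version per device type,
# together with the inventory field that holds it.
BASELINE = {
    "firewall": ("firmware", "7.2.4"),
    "switch": ("firmware", "17.3.1"),
    "server": ("patch_level", "2024-01"),
    "plc": ("firmware", "1.0"),
}


def version_key(version):
    """Split a version string into a tuple that compares numerically.

    Numeric parts compare as integers and non-numeric parts as strings, each
    tagged so mixed parts never raise a TypeError. Dots and dashes both act as
    separators, so "16.12.4" < "17.3.1" and "2023-09" < "2024-01" hold.
    """
    parts = re.split(r"[.\-]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def check_inventory(inventory, baseline):
    """Return one finding per device as (name, status, detail).

    status is "ok", "outdated", "unknown" (version not recorded) or
    "no-baseline" (device type has no minimum defined).
    """
    findings = []
    for device in inventory:
        rule = baseline.get(device["type"])
        if rule is None:
            findings.append((device["name"], "no-baseline", device["type"]))
            continue
        field, minimum = rule
        current = device.get(field)
        if current is None:
            findings.append((device["name"], "unknown", f"{field} not recorded"))
        elif version_key(current) < version_key(minimum):
            findings.append((device["name"], "outdated", f"{field} {current} < {minimum}"))
        else:
            findings.append((device["name"], "ok", f"{field} {current}"))
    return findings


def devices_needing_attention(inventory, baseline):
    """Sorted names of devices that are outdated or have no recorded version."""
    return sorted(
        name
        for name, status, _ in check_inventory(inventory, baseline)
        if status in ("outdated", "unknown")
    )


if __name__ == "__main__":
    for name, status, detail in check_inventory(INVENTORY, BASELINE):
        print(f"{name:14} {status:12} {detail}")
```

The "unknown" status is the point of the example: an inventory that records a device without its patch level or firmware gives a false sense of completeness, so a report should list such gaps alongside genuinely outdated systems rather than silently treating them as compliant.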
- Operational and emergency documents
- Network and communication plans
- License management
- Permission analysis
Basis for implementation with documentation software
The basic requirements for good documentation software are:
- Regular and complete inventory
- Automating inventory and documentation tasks
- Central data storage
- User-specific access to data
- Individual adaptability to display data, plans and lists
Only when all relevant data is available can audits, as required by the BSI IT Security Act under §8, be carried out.
How can Docusnap help
With Docusnap, all relevant information from the network is collected automatically. In addition, other important information can be added manually. This means that devices are not only stored in a central database, but can also, for example, be assigned the licenses they require. Even with professional documentation software, implementing the BSI IT Security Act is no child's play. However, it solves the fundamental problem of obtaining information about your own IT systems. Once the basis is known, implementation in accordance with the BSI IT Security Act can begin.
Docusnap is just as helpful when an IT service provider is to take over the administration and development of the IT landscape. They too benefit from the centrally collected data, which provides a quick overview of the IT in use.
Even after implementation in accordance with the BSI IT Security Act has been completed successfully, Docusnap continues to perform an important task. Since both structures and equipment in networks change over time, Docusnap uses an automatic network scan to keep the database supplied with the latest data. This makes recurring audits much easier, as the required reports can be generated relatively easily with the latest data (or exported as Excel/Word/PDF).
Conclusion
If the foundation is not sound, the structure built on it becomes shaky, too. Organizations that follow the BSI IT Security Act, which requires a comprehensive IT security strategy, need a solid foundation with all the necessary information about their own IT. With an appropriate professional documentation solution such as Docusnap, you make life a lot easier for yourself and your own IT team. And safer.