Part 2: IT compliance in cooperation with the agency
- Part 1: The new German IT Security Act
- Part 2: IT compliance in cooperation with the agency
- Part 3: How to implement the measures specifically in your company
What does IT compliance mean?
The term "compliance" basically refers to the observance of and adherence to specifications and rules. IT compliance means that a company's IT demonstrably complies with all rules and laws imposed on it, both technically and organizationally. This applies regardless of whether the IT services are provided exclusively within the company or by external service providers (a term that also covers development, hosting and outsourcing contracts).
Legal basis
The IT of any company is generally subject to the Federal Data Protection Act (BDSG), which regulates the collection, processing and use of data of natural persons.
If a company uses an IT-based system to support its accounting, all activities in this regard are subject to the Principles of Proper Computerized Accounting Systems (GoBS).
Internal company regulations
In addition to laws, there are also various internal and external regulations that companies should comply with in this context. These include DIN and ISO standards, among others.
With regard to IT, for example, ITIL (IT Infrastructure Library) or the ISO 27001 standard (IT security) can be regarded as external regulations. By following these sets of rules, companies meet the standards of their industry and thus create a prerequisite for their business activity and competitiveness.
Internal regulations are the company's own rules and guidelines relating to IT. These include, for example, requirements for handling passwords, e-mail guidelines, and basic IT security regulations.
The key areas of IT compliance:
- Information protection to maintain confidentiality (§9 BDSG, German version)
- Protection of data integrity
- Stability and security of IT processes
- Guarantee of physical security
- Data retention and archiving
- Employee management with regard to IT security
- Effective IT management through all stages
- Supervision of outsourced areas
- Material data protection
Our measures
In order to comply with legal and internal company regulations, constant monitoring of the implemented measures is necessary.
For this purpose, we permanently monitor all levels of our IT infrastructure.
These measures include:
- High security standards for access to our colocation area (access system based on badge cards and biometric palm scanner)
- Complex password policies
- Use of user and group policies
- Regular data backups
- Disaster recovery concepts
- Monitoring of application and system logs
- Personalized access accounts (individually assigned to each user)
The benefits of IT compliance
First and foremost, the principles of IT compliance are intended to protect companies from the economic disadvantages resulting from a violation of the law. Obligations to pay damages, fines, penalties, and increased tax payments can have a lasting impact on a company's ability to compete and survive, and the specifications and guidelines are intended to prevent them. In addition, affected companies face immense damage to their image if problems arise or, in the worst case, customer data is in fact misused.
If the measures are implemented and enforced, however, companies can expect enormous benefits:
- Higher quality of IT processes
- Overall higher IT security
- Long-term cost savings
- Increased company value
By implementing a specific IT compliance strategy for your company, you are taking the first step towards complying with the regulations of the new IT security law.
In the third and final part, we will tell you how to correctly implement the new regulations of the IT Security Act and integrate them into your company!