"State of the art" in IT Security
In light of deficiencies in IT security in many European countries and the General Data Protection Regulation (EU) 2016/679 (GDPR) TeleTrusT - IT Security Association Germany has developed guidelines with detailed information and recommendations on how to improve IT security.
The guidelines will be published in English in cooperation with the European Union Agency for Network and Information Security (ENISA).
No concrete instructions available
Daily reports on security incidents in companies and authorities show that there is an urgent need for action to improve IT security. Article 32 of the GDPR regulates "security of processing" to ensure that, "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organisational measures are implemented." This provision is meant to ensure a level of protection appropriate to the risk.
Both national and European legislators are, however, abstaining from defining what "state of the art" in IT security means and have failed to lay down concrete, detailed technical requirements and evaluation criteria for technical and organisational measures in the field of security.
Additionally, no methodological approaches are provided to those who must comply with the law.
In this context, the document published by TeleTrusT on the "state of the art" in IT security provides concrete advice and recommendations for action. These guidelines are intended to provide companies, service providers and manufacturers alike with assistance in determining the "state of the art" within the meaning of the IT security legislation. The document can serve as a reference for contractual agreements, procurement procedures or the classification of security measures that are implemented. It is, however, not a replacement for technical, organisational or legal advice, nor for an assessment of individual cases.
Improving IT security in European countries
The English version of the document will support companies in all EU countries in identifying the required level of security in the field of IT security. Dr. Udo Helmbrecht, ENISA Executive Director, says: "ENISA continues its work in supporting the EU Member States by contributing to this handbook. The articles are designed to provide concrete information and recommendations on how to improve IT security. This booklet should be a useful guide to IT practitioners who have the responsibility for complying with legislation."
"By determining the state of the art, we will be able to adequately increase the level of IT security, strengthen our robustness against cyber attacks and thus significantly reduce the risk of ongoing digitalisation," states TeleTrusT Chairman Prof. Dr. Norbert Pohlmann.
TeleTrusT Board Member Karsten U. Bartels explains:
"The consideration of the state of the art is a technical, organisational and legal task for companies and authorities. The guidelines help very specifically at these three levels - both in the operative implementation and in the documentation."