| 01.03 |
Risk analysis is available |
A risk analysis is present when a systematic evaluation of potential hazards or threats resulting from the processing of personal data has been carried out. All relevant factors, such as the type and scope of processing, the type of data, the rights of data subjects, and technical and organizational measures, are taken into account. By conducting a risk analysis, vulnerabilities in existing data protection measures can be identified and appropriate protective measures can be taken to minimize the risk for the data subjects. |
| 01.05.02 |
IT security guidelines |
Written document in which "security guidelines" for employees are visible. |
| 01.05.03 |
Work and procedure instructions |
Work and process instructions describe the procedures and rules for working with IT systems and applications in a company. For example, an IT user guideline defines how to handle IT systems and services in order to ensure that the systems are used securely. The admin policy describes the tasks and responsibilities of IT administrators. The topic of social media regulates the safe and responsible use of social networks in the work environment. The rules for home office and mobile working define the necessary IT security with regard to accessing company data and resources from outside the company. The email policy regulates the use of emails to ensure that data protection and compliance are guaranteed. The rules for employee entry/exit define how access authorizations for IT systems should be managed when employees leave or join the company. These work and process instructions are an important part of a company's data protection concept and processing activities, as they provide a concrete framework for handling personal data in day-to-day work. Work and process instructions describe the procedures and rules for working with IT systems and applications in a company. For example, an IT user policy defines how IT systems and services are to be used in order to ensure that the systems are used securely. The admin policy describes the tasks and responsibilities of IT administrators. The topic of social media regulates the safe and responsible use of social networks in the work environment. |
| 01.07 |
Exclusion of joint use of the telecommunications facilities by external companies |
An exclusion of the shared use of the telecommunications systems by external companies means that it is not possible for outsiders or other third parties to use the telephone system. This can be achieved through technical measures such as a secure configuration of the telecommunications systems, password assignment only to authorized persons, or other access restrictions. The purpose is usually to prevent unauthorized use or unauthorized access to the network and to ensure the integrity, confidentiality, and availability of data. |
| 01.08 |
Vacation/sickness replacement of the IT manager |
In the absence of the data protection officer due to vacation or illness, a representation arrangement must be made. There should be a deputy who can act on behalf of the data protection officer and is also appropriately authorized. It should be noted that the deputy has sufficient knowledge of data protection law and technical and organizational measures (TOMs) to fulfill his tasks responsibly. |
| 01.11 |
Regulations for the procurement of hardware and software |
Can employees decide for themselves which IT devices and software are purchased, or is this regulated in some way? |
| 01.14 |
Sensitization trainings |
Regular reminders, admonitions, and awareness trainings serve to promote awareness of the handling of personal data. These measures can be an important component of a data protection program in accordance with technical and organizational measures (TOMs). The goal is to make employees aware of potential risks and to sensitize them to the responsible handling of personal data. |
| 01.18 |
Data protection strategy available |
If an organization has a data protection strategy, this means that it has a clear and comprehensive plan on how it wants to process and protect personal data. The data protection strategy should describe the goals, principles, and procedures for processing personal data, while also taking into account legal requirements. A data protection strategy can therefore help minimize the risk of data protection and strengthen the trust of customers and partners in the organization. |
| 01.19 |
Data protection management system and governance defined |
A data protection management system (DPMS) is a foundation for establishing and implementing data protection in a company or organization. Its purpose is to ensure a systematic approach to protecting personal data and minimizing risks. Governance defines the decision-making structures and responsibilities within the DPMS in order to achieve effective and efficient implementation of data protection. This also includes establishing and regularly reviewing and improving processes and procedures. Overall, the DPMS includes measures for compliance with data protection regulations, informing and raising awareness among employees, as well as monitoring and overseeing the implementation of data protection. |
| 01.20 |
Employees are contractually obligated to confidentiality. |
This means that the employees of a company are obligated through their employment contracts to not disclose or misuse confidential information that they receive during their employment, even after the employment has ended. This clause serves to protect sensitive data of the company and ensure that only those individuals who actually need access to this information have it. |
| 02.02.03 |
Telecommunications system separated |
A defined telecommunications system refers to a system or facility that is intended for the transmission of information, voice, or data over a network or channel. The system is delimited by technical and organizational measures in such a way that unauthorized access to systems and data is prevented. A defined telecommunications system can protect personal data and minimize security risks. |
| 02.02.04 |
Network distributor separated |
This means that the network distributor is installed in a specific area (e.g. in a lockable cabinet or a closed room) that is not accessible to unauthorized persons. This is intended to ensure that sensitive information, which may flow through the distributor, can be protected from unauthorized access. |
| 02.03.01 |
Access secured by door locks |
The statement states that access to a specific area is secured by door locks. This means that only individuals who have the necessary key or access code have access to this area. This is a typical security measure to prevent unauthorized entry into the area in question and to ensure the protection of information or resources. |
| 02.03.02 |
Access secured by electric door locks |
This statement means that a physical object (such as a room or facility) is secured by electric door locks. Access can only be granted through the use of an authorization card, password, or biometric feature. The goal is to prevent unauthorized access and ensure the security of the facility and the data or objects within it. |
| 02.04.01 |
key regulation |
A key control refers to a security measure where a physical or electronic key is required to access certain data or systems. This means that only authorized individuals have access to the data or systems they are entitled to, and unauthorized access is prevented. Key control can be applied in various situations, such as protecting files or documents in physical cabinets or safes, securing doors or entrances through key codes or card readers, or accessing computers or networks through access codes or biometric identification. Key control is an important security measure in data protection and helps to ensure the confidentiality, integrity, and availability of data and systems. |
| 02.04.02 |
Acknowledgement of key issue |
The acknowledgement of key issuance is a process that ensures that a person who receives a key has received it and is responsible for it. This is usually confirmed by the person's signature on a document or form that verifies the key issuance. The aim of this measure is to maintain control over access to certain areas or resources and to ensure that the risk of unauthorized access or loss of keys is minimized. |
| 02.06.02 |
ID regulations |
Identification regulations are rules that determine which types of identification documents are accepted to identify or authenticate a person. These regulations often apply to areas such as travel, banking transactions, or access controls. Examples of common identification regulations include presenting a passport, driver's license, or ID card. Such regulations aim to prevent fraud and ensure the safety of individuals and facilities. The protection of personal data must also be ensured. |
| 02.06.04 |
visitor regulations |
Visitor regulations refer to the rules and procedures that determine who is allowed access to a building, facility, or institution and how this access is granted. The fundamental purpose of visitor regulations is to ensure that potential visitors are appropriately identified in order to maintain a safe environment for all users. Visitor regulations may also include provisions for screening visitors for weapons, explosives, or other prohibited items. Additionally, visitor regulations may include provisions for collecting visitor data, such as name, date, and purpose of the visit, in order to provide adequate monitoring and security. Visitor regulations may also be part of a data protection concept to ensure that visitor data is appropriately protected and stored. |
| 02.07.01 |
Access control system with chip, magnetic, RFID cards |
An access control system with chip, magnetic or RFID cards is a technology used to control access to specific rooms or areas through a physical card. The technology is based on the use of cards equipped with an integrated chip, magnetic stripe or RFID chip. These cards are used to authenticate the system and thus open or close the corresponding doors or barriers. Such systems offer an efficient and convenient way to increase security in public or private spaces, and allow companies to quickly and easily manage the access rights of their employees. |
| 02.09.01 |
Presence control by means of electronic time recording system |
The attendance control using an electronic time recording system is a procedure for recording employees' working hours. This is done through an electronic time recording software which records when an employee enters and leaves their workplace. This recording can be done through various methods such as RFID chip, fingerprint or PIN code. With this data, the employee's working time can be accurately recorded, providing a reliable basis for personnel administration and payroll. It is important to comply with data protection regulations to protect the privacy of employees. For example, the storage duration of the data and the purpose of use must be clearly defined and made transparent. |
| 03.01.01 |
Passwords with corresponding complexity |
Complex passwords are passwords that are long enough, contain at least 10 characters, and consist of a combination of uppercase and lowercase letters, numbers, and special characters. The goal is to protect the password from unauthorized access by making it more difficult to guess or crack. In particular, passwords that allow access to personal data or other protected information should have a high level of complexity. |
| 03.01.02 |
Passwords Minimum length 10 characters |
The requirement "minimum password length of 10 characters" means that users must use at least 10 characters when creating passwords. This is a security measure to ensure that passwords are strong enough and difficult for potential attackers to guess or crack. A longer password length increases the complexity of the password and makes it harder to perform brute-force attacks, where automated software tries different possible password combinations. It is also important to remind users not to use easily guessable passwords such as the names of partners, children, pets, etc. |
| 03.01.04 |
Password initial registration procedure |
The password initial registration procedure refers to the process in which a user of an IT system creates a password for the first time in order to log into the system. Typically, the password should be secure and easy for the user to remember. It is recommended that the system has certain requirements for password complexity, such as a minimum length or meeting different criteria (e.g. upper and lower case letters, numbers, and special characters). This is to prevent users from creating insecure passwords that are easy to guess or crack. Additionally, further security measures can be implemented, such as a password reset if it is forgotten or a certain time period for the validity of the password. |
| 03.01.05 |
Screen lock with password activation during breaks |
The screen lock with password activation is used to increase data protection and prevent unauthorized access to data during breaks or absence. This measure should be considered and implemented as part of the company's technical and organizational measures (TOMs). It is recommended that employees lock the screen when leaving their workstation to protect sensitive data from unauthorized access. Enabling password protection when unlocking provides additional security and reduces the risk of unauthorized access, as only authorized users have access to the system and sensitive data remains protected. |
| 03.01.06 |
Access lock after failed login attempts |
This means that a system is configured in such a way that after a certain number of failed login attempts, access to the system at the time of login is automatically blocked. This is primarily for security purposes and is intended to prevent potential attackers from gaining access to the system through brute force attacks on passwords. This also prevents unauthorized users from accessing the system or repeatedly attempting to log in in order to exploit potential security vulnerabilities. |
| 03.01.07 |
Password history |
The password history is a security concept that helps companies protect their systems and data from unauthorized access. A certain number of passwords that a user has used in the past are stored. If the user tries to reuse a previously used password, the system will block it and they must create a new, secure password. The password history serves as a safeguard against reusing insecure passwords and increases the security of access and accounts. |
| 03.01.09 |
Password policy |
A password policy is a policy created by an organization that sets requirements for the passwords of users or employees. This policy is developed to ensure that users choose strong and secure passwords to guarantee the security of user accounts and the confidentiality of information. The password policy may include instructions on how often passwords need to be changed, how long they should be, and what special characters they must contain. A password policy is an important component of a comprehensive information security program. |
| 03.01.15 |
increased password complexity and length for administrator access |
This means that when registering as an administrator, a long and complex password is required. This is done to increase the security of sensitive data and systems and restrict access to these critical resources to authorized individuals. Increased password complexity may, for example, require the password to consist of a combination of letters, numbers, and special characters. Increased password length means that the password must consist of a certain number of characters to enhance security. |
| 03.01.16 |
Only personalized access codes |
This means that each user receives a unique identifier or username to access a system or application. This access identifier is personalized and not publicly accessible. The use of personalized access identifiers helps to increase the security of a system, as each user is responsible for their actions and the user's activities can be better tracked. |
| 03.01.17 |
Dedicated service user accounts for data exchange |
Dedicated service user accounts" are special user accounts used for data exchange between different applications or systems. These user accounts are created solely for this purpose and typically have special access rights and permissions to ensure that data is exchanged securely and only by authorized individuals or systems. These accounts can be used by various services or applications to exchange data without burdening the user themselves. It is important for such accounts to be clearly identifiable and protected against unauthorized access. This can be ensured through appropriate security measures such as password security, encryption, and access controls. |
| 03.01.18 |
Electronic Password Safe |
An electronic password safe is a software used to securely store passwords and other confidential data. The password safe can be unlocked by entering a password or using a biometric feature. Multiple passwords for different accounts can be stored in a password safe, so the user no longer has to memorize all of them. Some password safes also have features such as automatic login or sign-in buttons to make it easier to access various websites and applications. The electronic password safe offers a convenient and secure way to store passwords and data and protect them from unauthorized access. |
| 03.01.19 |
Multi-factor authentication |
Multi-factor authentication (MFA) is a method for increased security when logging into a system or platform, which relies on multiple confirmation factors. At least two different factors are combined to ensure that the user is actually authorized to access the system or platform. Confirmation factors can include, for example, entering a password, receiving an SMS with a one-time code, fingerprint or facial recognition, smart cards, or biometrics. This achieves a higher level of security, as a potential attacker would need to steal more than just a password to access the system. MFA is now a standard in many areas, especially in security-critical areas such as online banking or managing sensitive data. |
| 03.02.01 |
Access via biometric procedures (one-to-one) |
Biometric procedures (one-to-one) refer to the use of physical or behavioral characteristics to enable access to a system or database. It is a method of identification and authentication in which the user presents a characteristic, such as a fingerprint or facial scan, to a previously stored pattern or profile. If the measured biometric characteristic matches the stored pattern, access is granted. These types of procedures are often more secure than passwords or PIN codes, as biometric characteristics are unique and not easily replicated. However, when using these procedures, data protection regulations must also be observed to ensure that all data is processed and stored appropriately and securely. |
| 03.03 |
Logging of access (sign in/sign out) |
The logging of access (login/logout) refers to the recording of information about accessing a system, particularly when a user has logged in and logged out. This logging is important to ensure the security of the system and to be able to trace who has accessed which data and when. |
| 03.04 |
Encryption of mobile data carriers and hard drives in mobile devices |
The encryption of mobile data carriers and hard drives in mobile devices is an important component of data protection. The data on the devices is protected using strong encryption algorithms, so that in case of loss or theft of the device, it cannot be viewed or used by unauthorized persons. Due to the increasing prevalence of mobile devices and the sensitive personal and business data contained within them, encryption has become essential. This not only protects the privacy of users, but also the intellectual property of companies. |
| 03.09.04.02 |
Deployment software firewall |
A software firewall is a type of security software used to monitor and control network connections. It can be installed as a standalone software application or as part of a more comprehensive security package. A software firewall works by monitoring network connections and applications to determine if they are safe or not. It can filter internet traffic by restricting access to certain websites and applications and blocking unauthorized access from potentially malicious sources. A software firewall is an important component of an organization's IT security measures to protect their network environment. |
| 03.09.04.03 |
Deployment Hardware Firewall (Appliance) |
A hardware firewall (appliance) is a physical device unit that serves as the primary defense against external threats for a network. It provides a first line of protection for a network against unauthorized access and external attacks. A hardware firewall can restrict ports, services, and protocols, and limit traffic to the minimum necessary. Hardware firewalls can be available in various sizes and configurations, including desktop devices for small offices or home networks to large installations for large companies. They can also have different features, such as antivirus protection, intrusion prevention, virtual private network (VPN) support, and more. |
| 03.09.02 |
Firewall access authorization concept |
The firewall access authorization concept is a concept that determines which employees or work groups within a company are allowed to access specific areas of the firewall in order to protect the network and control data traffic. It is important to ensure that only authorized individuals or groups with the necessary permissions have access to specific parts of the firewall in order to avoid unauthorized access and security issues. The firewall access authorization concept should be a part of a comprehensive security concept for a company. |
| 03.09.03.02 |
Firewall rule changes traceable |
The requirement "traceable firewall rule changes" means that all changes to the rules of the firewall, which control the data traffic in a network, must be documented and traceable. This means that it must always be possible to trace who made which rule change to the firewall, when, and why. This is intended to ensure the integrity and security of the network and minimize potential security risks. |
| 03.09.03.03 |
Firewall rules are regularly checked. |
This means that the firewall's rule set is periodically checked to ensure that it is still current and effective. This is usually done to ensure that the network is protected against known attacks and vulnerabilities. By regularly checking the firewall settings, unexpected changes or vulnerabilities in the system can also be identified and corrected to ensure the security of the network. |
| 03.09.08.01 |
Regular version updates of the firewall, automated process |
When updating the firewall, the goal is to ensure that the firewall software is up to date and all security vulnerabilities are addressed. This is important in order to protect against external attacks. A regular and automated process means that updates are automatically installed without the user having to intervene manually. This ensures that the firewall is always up to date and potential security vulnerabilities are quickly closed. |
| 03.09.08.02 |
Regular version updates of the firewall, manual procedure |
"Regular version updates of the firewall, manual process" means that the firewall software used to secure networks is regularly updated, but these updates must be installed manually. This means that responsible individuals must regularly check the firewall software and ensure that the latest version is installed to ensure maximum security. |
| 03.09.09.02.01 |
Regular security patches for the firewall, automated process |
Security patches for the firewall should be regularly installed to fix potential vulnerabilities and protect the integrity and confidentiality of data. Ideally, an automated process should be set up to ensure that these patches are installed at regular intervals, to ensure that the firewall is always up to date. This can be done manually or automatically, and it is important to ensure that all patches are downloaded and verified in a secure and reliable environment to avoid compromising the functionality of the firewall. |
| 03.09.09.02.02 |
Regular security patches for the firewall, manual procedure |
The regular installation of security patches on a firewall is an important step in maintaining security for a network. In this case, the manual procedure refers to the fact that the firewall is updated through manual intervention and not automatically. This may mean that an IT administrator manually downloads patches and installs them on the firewall, or that another manual procedure is used to bring the firewall up to date. It is important to ensure that the manual procedure is carried out regularly to ensure the best possible security for the network. |
| 03.10.01.01 |
Browser updates and security patches ongoing, automatic |
Browser updates and security patches need to be carried out regularly to avoid potential security threats. It is recommended that updates are downloaded and installed automatically in the background to ensure the browser is up to date and any potential security vulnerabilities are quickly addressed. This can be achieved by enabling automatic updates in the settings of the respective browser. This ensures that the system is always protected and a higher level of security is maintained. |
| 03.10.02.01 |
Browser configuration management by administrator |
The browser configuration management by an administrator refers to how settings and configurations in a web browser can be centrally managed. Typically, users can make their own settings in the browser, but with central management by the administrator, certain settings, such as the homepage and saved passwords, can be standardized and applied to all users in an organization. This can also help increase security by standardizing and enforcing certain configurations. |
| 04.01.01 |
Written authorization concept |
A written authorization concept is a documentation that defines which persons or groups of persons within an organization may have access to which data or resources. It describes the roles and responsibilities of employees and defines which authorizations are required to perform certain tasks. The authorization concept serves as a basis for the targeted and effective assignment of access rights and minimizes the risk of unauthorized access to sensitive data. It is an important component in the implementation of data protection concepts and is usually updated regularly. |
| 04.01.03 |
Role-based authorization concept |
A role-based authorization concept is a concept based on the idea that certain roles within an organization or system require specific authorizations in order to perform their tasks. In this context, a role can be a department, a job title or a position within an organization. Based on these roles, an authorization system can then be set up that restricts or grants access to certain data or processes within the system. This concept ensures effective and secure management of sensitive data and protects against unauthorized access to this information. |
| 04.01.08.02 |
Logging file accesses |
File access logging refers to the recording of information about access to certain files in a system. This information can include, for example, who accessed the file, when it was accessed and what the purpose of the access was. File access logging is an important data protection measure that makes it possible to quickly identify and investigate potential data breaches and to monitor and manage the behavior of users in the system. |
| 04.01.09 |
No administrative rights for users on end devices |
"No administrative rights for users on end devices" means that users do not have full administrative rights on their end devices, such as smartphones or laptops. This may mean that they cannot install or uninstall programs, make significant changes to the device's settings, or access certain folders or apps. These restrictions are intended to reduce the risk of errors or damage caused by improper handling and the unintentional installation of malware, as well as to ensure the security of the device and the data stored on it. |
| 04.01.10 |
Processes for obtaining and modifying permissions |
Processes for obtaining and changing permissions refer to the procedures and measures necessary to grant or revoke certain rights and access to systems, applications, data, or information for a user. This typically includes the application and approval process, where management or the data protection officer reviews the user's request and either approves or denies it. There may also be procedures for verifying the user's identity and reliability to ensure that permissions are granted only to authorized individuals. Changing permissions also involves the process of removing permissions if a user no longer requires the necessary access rights or their position within the company has changed. These processes are essential to ensure that access to confidential information and sensitive data is managed in a targeted manner and to prevent abuse by authorized users. |
| 04.01.10.04 |
Regular review of permissions |
Regular reviews to determine whether granted permissions are still necessary involve periodically checking if the issued permissions for accessing personal data are still justified and appropriate. This practice helps protect the data protection principles of "necessity" and "data minimization." By conducting such regular reviews, it can be ensured that unnecessary or inappropriate permissions do not persist, thereby reducing the risk of data misuse. |
| 04.02.04 |
Decentralized storage of backup data carriers |
The decentralized storage of backup data carriers refers to the fact that data backup data carriers are not stored exclusively in the same building or office as the original system. Instead, backup disks are stored in a different location away from the main system. This may be a different department, office or even country. The purpose is to ensure that in the event of system failure, data loss, or company theft, the backed up data is fully preserved. |
| 04.03.12 |
Prohibition of the use of private data carriers |
The prohibition on the use of private data carriers means that employees of a company are not allowed to use personal devices such as USB sticks, external hard drives, or smartphones to store or transfer company data. Instead, all data must be stored and transferred on company-owned devices or cloud storage that meet the company's security requirements and can be monitored by designated data protection officers or IT experts. This ensures the protection of company data from unauthorized access or loss and ensures that data security complies with applicable data protection regulations. |
| 04.10.03 |
Separate guest WLAN |
A separate guest WLAN is a WLAN network that is set up specifically for use by guests in a company. It is operated separately from the main Wi-Fi network to prevent access to the company's internal network. This prevents guests from gaining unauthorized access to confidential data or damaging or compromising the internal network. A separate guest WLAN can be protected by additional security measures, e.g. by using fixed passwords and regular checks of the security protocols. |
| 04.10.04 |
Encryption of wireless networks |
One current encryption technology for WLAN is called Wi-Fi Protected Access II (WPA2). This protocol uses a symmetric encryption standard called Advanced Encryption Standard (AES) to protect communication between wireless end devices and the WLAN router. This means that unauthorized third parties cannot simply spy on or manipulate the data transmitted by a WLAN signal. An encrypted wireless network connection is highly recommended for data protection and security reasons. |
| 04.10.08 |
Email encryption |
Email encryption is a process by which the content of an email is altered using an encryption method so that it can only be decrypted by authorized recipients. The purpose of encrypting the email is to protect the confidentiality of its content. This means that a third party who intercepts the email or intrudes into email traffic cannot read the content, as it has been rendered unreadable by the encryption method. Encrypted emails can be encrypted in various ways, such as through symmetric encryption or asymmetric encryption. The recipient can use the private key to decrypt the email, while the recipient's public key is used to encrypt the email and ensure that only the recipient can decrypt it. |
| 04.10.15 |
Separation of functional network groups into individual VLANs |
The separation of functional network groups into individual VLANs means that the network is divided into logical units. These units are referred to as VLANs and are used to segment data traffic within the network. By separating into VLANs, different groups of devices, such as employee devices, guest devices, IoT devices or systems, can be isolated from each other. This increases the security and data protection of the data transmitted via the network. However, the implementation of VLANs requires proper planning and configuration to ensure that the segments are effectively separated from each other. |
| 05.03.02 |
Encrypted data transmission |
Encrypted data transmission refers to the process of converting data into an encrypted form before it is transmitted over a network. An encryption algorithm is used to convert the original data into an unrecognizable form that can only be decrypted with a key. This is an important protection mechanism to prevent potential eavesdropping and data misuse. |
| 05.05.03.03 |
Encrypted data transfers |
Data is secure and protected during transmission with the help of a special encryption process. The information is converted into a text format that cannot be read without the appropriate decryption algorithm and key. This ensures that the data can only be read by authorized persons and is protected against unauthorized access during transmission. |
| 05.11 |
Regulations for working from home |
Regulations for home office are measures and guidelines established by companies or public institutions to ensure the protection of personal data even while working from home. This includes topics such as technical and organizational measures for data security, access and entry controls, the use of encrypted communication channels, behavior rules in handling personal data, and training and sensitization of employees. These regulations are essential to ensure that personal data can be adequately protected and processed even outside the company network. |
| 05.12.06 |
Remote maintenance only with explicit authorization by the client |
This means that remote maintenance on the client's system may only be carried out if the client has explicitly granted access to it. This is usually done through a prearranged process, such as a request via email or telephone. No access to the system may be made without the express consent of the client in order to protect the privacy and data security of the client. |
| 05.12.07.01 |
Encryption of the transmission path for remote maintenance |
Encryption of the (entire) transmission path for remote maintenance refers to the fact that all communication between the parties involved is protected by means of cryptographic techniques. This means that all transmitted data, such as usernames, passwords or files, are made unreadable by encryption and thus protected from unauthorized access. Secure encryption during remote maintenance is an important protective mechanism against attacks on the system or network traffic and is therefore an important part of a comprehensive data protection concept. |
| 05.12.08.01 |
Remote maintenance access via user ID/password |
Remote maintenance access using a user ID/password means that an IT support employee or technician can gain remote access to a computer system or network by using a user ID and password. Access is gained via special software that makes it possible to access the remote computer or network and make changes. It is important to ensure that a secure user password is used and that remote access is only granted if explicitly authorized by the user. In addition, remote access must be secured by technical and organizational measures to prevent unauthorized access or data leaks. |
| 07.02.02 |
Certifications and seals of quality as a criterion for selecting contractors |
When selecting contractors, certifications and seals of quality can be used as a criterion. These certifications and seals of quality are intended to ensure that the contractor meets certain data protection and information security requirements. These include, for example, compliance with the GDPR and other data protection regulations, the implementation of appropriate technical and organizational measures to protect personal data, and the fulfillment of quality standards in the area of information security. |
| 07.02.03 |
Data security concept as a criterion for selecting contractors |
The presentation of a data security concept can serve as a criterion for selecting contractors to ensure that they take appropriate security measures to protect personal data. In the context of data protection, companies are obliged to ensure that personal data they process on behalf of others is adequately protected. The submission of a data security concept can be an important part of the process of verifying that contractors are complying with all the necessary data protection requirements. |
| 07.05 |
Detailed written regulations (contract/agreement) of the order relationships |
This feature outlines that companies processing personal data must establish clear written agreements with their data processors. Responsibilities, obligations, and duties must be defined in detail. The involvement of subcontractors must also be clearly regulated. The entire processing workflow should be formalized to ensure that data protection is guaranteed at all times and that personal data cannot be accessed unauthorizedly or unencrypted. These regulations should be encapsulated in a contract or agreement to oblige the data processor to uphold the privacy and data protection of the individuals concerned. |
| 07.08 |
Written agreement with processors according to Article 28 of the GDPR. |
A written agreement with data processors is an important tool for data protection in accordance with Article 28 of the GDPR. According to this provision, a data controller who transfers personal data to a data processor must enter into a written agreement that details the processing of the data. The agreement is crucial because it ensures that the data processor processes the data only in accordance with the instructions of the data controller and ensures adequate protection of personal data. This also includes the establishment and implementation of technical and organizational measures by the data processor to protect the personal data. The written agreement must also include provisions that ensure the data processor only retains the personal data for as long as necessary and does not pass the personal data on to third parties unless required by law or authorized by the data controller. Therefore, the written agreement is an important part of meeting the requirements of the GDPR and an essential tool in establishing a high level of data protection. |
| 07.09 |
Employees at contractors are obligated to confidentiality. |
This means that individuals working for companies or organizations that act as contractors for other companies or organizations are obligated to treat all information made accessible to them during their work as confidential. This obligation is intended to ensure that personal data and other confidential information are not disclosed or misused without authorization. The confidentiality obligation can be established in contracts or agreements between the parties or may also be mandated by law, such as the General Data Protection Regulation of the European Union. A breach of the confidentiality obligation can have legal consequences, such as claims for damages or even criminal prosecution. |
| 08.01.01 |
Fire extinguisher in the server room |
A fire extinguisher must be placed in close proximity to the servers in order to be able to respond quickly in the event of a fire, thus preventing data loss or damage. This is an important part of the technical and organizational measures (TOMs) to ensure data protection and to ensure the smooth operation of computer and server systems. |
| 08.01.02 |
Fire extinguishers in the PC workrooms |
Fire extinguishers in PC workspaces are an important safety measure to be able to act quickly in the event of a fire and limit the damage. They should be kept clearly visible and accessible so that they can be easily found and activated in an emergency. It is also important that they are regularly checked and maintained to ensure that they work properly in an emergency. However, it should be noted that certain types of fire extinguishers are more suitable for use in PC workspaces than others, depending on the fire risk and the materials used. |
| 08.01.03 |
Smoke or fire detector |
A smoke detector, also known as a fire alarm, is a device capable of detecting smoke and heat and sounding an alarm when a fire breaks out. A typical smoke detector consists of a housing, electronics, a power supply, and a warning signal like a siren. These devices are usually installed in homes, offices, and public buildings and can protect lives and business assets by triggering an early alarm, allowing people to evacuate the building quickly and alert the fire department. |
| 08.02 |
No smoking in server and PC rooms |
A smoking ban in server and PC rooms means that smoking is not allowed in these rooms. This can be enforced by taking appropriate measures such as setting up smoke detectors or placing warning signs. This is an important data protection aspect, as smoke and fire in these rooms can not only cause property damage but also data loss. The smoking ban reduces the risk of fires and data loss, thus ensuring the integrity, confidentiality and availability of data. |
| 08.04.01 |
Uninterruptible Power Supply (UPS) |
An uninterruptible power supply (UPS) is an electronic device connected to an electrical network that maintains power supply during a power outage or network failure. A UPS typically contains a series of batteries that serve as a backup system to keep the power supply running during a power outage until either the normal network is available again or the system can be safely shut down. A UPS can be purchased in various sizes and capacities, ranging from small units suitable for PCs or servers to large installations capable of powering entire buildings or neighborhoods. |
| 08.04.03 |
Surge protection devices |
Surge protection devices are equipment designed to protect electronic devices and systems from damage caused by overvoltages. Overvoltages can occur from events such as lightning strikes, switching operations, or disruptions in the power grid. These protection devices ensure that the overvoltage is diverted and absorbed before it can cause damage to connected equipment. There are various types of surge protection devices, including surge protection power strips, surge protection modules, or surge protection devices integrated into electrical systems. |
| 08.05 |
Server room air conditioning |
The climate control of a server room refers to the technology used to regulate the temperature and humidity in a room where servers and other electronic devices are operated. A server room requires a special air conditioning system to prevent excessive temperatures and humidity from damaging the equipment or affecting its performance. It consists of a system of air conditioning units, fans, air filters and monitoring sensors that work together to ensure a stable environment for the operation of servers. The air conditioning of a server room is an important component in ensuring the availability and function of IT systems. |
| 08.06.01 |
Data backup plan available |
A data backup plan outlines the measures and processes taken to protect data against loss or unauthorized access. It includes information on the frequency and methods of data backup, storage and verification of backups, as well as procedures for data recovery in the event of a failure. The data backup plan is a crucial component of the data protection management system and helps to minimize the risk of data loss. |
| 08.06.03.02 |
Data backup for network components |
Data backup of network components refers to the protection of data stored on network devices such as routers, switches, firewalls and other network components. In operation, they store data such as configuration settings, protocols and user data. It is therefore important that this data is also regularly backed up. This data backup serves to ensure the integrity and confidentiality of the data on these devices in the event of a hardware or software failure or if these devices are compromised by malicious attacks. |
| 08.06.06.04 |
Encrypted backup media |
This means that the storage device on which backup copies of data are saved is protected by an encryption process. This prevents unauthorized individuals from accessing the stored data in case the storage device is lost or stolen. Encryption is activated on the storage device using a password or a key and protects the information stored on it from unauthorized access. |
| 08.06.06.05 |
The quality and completeness of the data backups are regularly checked. |
Data backups are regularly checked for quality and completeness. This includes verifying the integrity of the backed-up data, the functionality of the backup systems, and the success of the recovery in the event of a potential data loss. These regular checks ensure that a reliable and complete recovery is possible in the event of a data loss. |
| 08.08 |
Virus protection / protection against malware |
Virus protection is a measure designed to protect IT systems and data from malware such as viruses, Trojans and malware. Various security measures such as certain tools or software are used to detect and eliminate possible threats. The aim is to prevent unauthorized or malicious access to data and systems and thus ensure the integrity, availability and confidentiality of the data. |
| 08.08.05.03 |
Automatic update of the protection software |
An “automatic protection software update” refers to automatically updating a computer or network's protection software to the latest version as soon as an update is available. This can help to ensure that the software is always up to date and covers any new vulnerabilities and threats. Automatic updating saves time and ensures that protection is always at the highest level without the user having to intervene manually. However, it is important to ensure that the updates are actually carried out automatically and securely. |
| 08.09 |
Spam filter |
A spam filter is a software that is used to filter unwanted e-mails out of the recipient's inbox. The filter analyzes e-mails according to various criteria, such as sender, subject, content, attachments or behavioral patterns. In doing so, an e-mail is checked for suspicion and, depending on the result, marked as spam and moved to a separate folder or deleted directly. A well-functioning spam filter helps to keep annoying advertising, fraudulent messages and malware out of your inbox, thus protecting the recipient's privacy. |
| 08.10 |
Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) |
An intrusion detection system (IDS) is a software or hardware that monitors network traffic to detect potential attacks or anomalies. The IDS analyzes network traffic or event logs to determine whether there is a threat, for example, from an attack on a system. An intrusion prevention system (IPS) is a further development of the IDS that is additionally able to actively respond to a threat by executing certain actions to block or ward off the attack. For example, the IPS can configure a firewall to interrupt the attacking data flow or trigger targeted actions to stop an attack. To sum up, both the IDS and the IPS are specially developed systems for monitoring network activity. While IDS is designed to detect attacks, IPS can take targeted action to defend against them. |
| 08.12 |
Contingency plan |
A disaster recovery plan is a document that describes a structured method for how a company responds to unexpected events or disasters. The goal of the emergency plan is to ensure that the company is able to respond quickly and effectively to critical situations in order to minimize damage and resume business operations as quickly as possible. An emergency plan can also outline the responsibilities and accountabilities of the employees involved, as well as specific steps for restoring critical systems or infrastructure. |
| 08.13 |
Monitoring of hardware and services |
Hardware and service monitoring involves the regular surveillance of physical devices such as servers, network devices and workstations, as well as the services and applications provided on them. This can be achieved by using special software such as monitoring tools. Monitoring helps to identify potential problems such as failures, performance issues or security breaches, and to fix them in a timely manner. Regular monitoring thus ensures the availability, reliability and security of hardware and services. |
| 09.09 |
Separation of particularly sensitive data |
The separation of particularly sensitive data is a data protection measure in which certain types of personal data are processed and stored separately from other data categories. This is data that requires a higher level of protection because it can pose particular risks to the privacy and freedom of the data subjects. This includes, for example, health data, biometric data, genetic data or data on sexual preferences. Separating sensitive data from other data categories ensures that only authorized persons have access to this data and that appropriate protective measures can be taken to ensure the confidentiality and integrity of the data. |
| 08.06.03.03 |
Backup of the backup configuration |
The backup of the backup configuration refers to regularly saving the settings and configurations of the backup itself. This ensures that in the event of data loss or a system disruption, all settings and configurations necessary for restoring the backup are available. This includes, for example, the storage locations of the backups, the type of backups and their schedules, as well as any other settings and configurations that are relevant to the backup process. By regularly backing up the configuration, a quick recovery of the system and data can be ensured. |
| 08.06.03.05 |
Data backup of network components |
Data backup of network components ensures that important data and configurations of network devices such as routers, switches and firewalls can be effectively backed up and restored in the event of a hardware failure, hacker attack or unintentional data loss. Data backup typically involves creating backups that are stored on external storage media or in the cloud, as well as regularly checking and testing the backup recovery functions. An effective data backup strategy for network components is an important measure for protecting critical company data and maintaining network stability. |
-1.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.png?width=24&height=24&name=Data%20and%20Experience%20icons%20(1).png){kind=small}
.svg){kind=small}
