The global and independent platform for the SAP community.

IT Security Act: What do website operators need to be aware of?

In July 2015, the Act to Increase the Security of Information Technology Systems (IT Security Act) came into force. This article explains the requirements that the new IT Security Act places on website operators.
Alexandra Palandrani, IBS
September 7, 2017
It Security
avatar
This text has been automatically translated from German to English.

The IT Security Act is a so-called article law; a law that amends and expands several laws at the same time.

The aim of the law is to keep IT infrastructures in Germany at the highest possible level and to avoid dramatic consequences in the event of supply bottlenecks, especially in critical infrastructures (CRITIS).

However, not only CRITIS operators are affected by the IT Security Act; the legislator also imposes new information security requirements on website service providers. Any operator of a business website is to be regarded as a service provider within the meaning of the law.

Among other things, the IT Security Act has resulted in changes to the Telemedia Act (TMG). Telemedia includes, among other things, websites. The goal to be achieved by the amendments to the TMG is to curb the spread of malware via telemedia.

In Section 13 (7) of the German Telemedia Act (TMG), the legislator requires service providers to take technical and organizational measures ("insofar as this is technically possible and economically reasonable") to prevent unauthorized access to affected IT systems, to protect affected IT systems against interference from external attacks, and to prevent personal data breaches.

The report of regularly performed penetration tests, for example, can serve as proof of the implementation of such measures. The legislator requires implementation in accordance with the "state of the art".

This term is often used in legislative texts, as the development of technologies is much faster than legislation. National or international auditing standards can be consulted here as a concrete guideline, such as the technical guidelines of the BSI (German Federal Office for Information Security).

Section 13 (7) of the German Telemedia Act (TMG) specifically requires the use of encryption methods that are "recognized as secure". These are intended to protect the users of the website from unauthorized third parties being able to read the transmitted data.

Many protocols used for data transmission on the Internet transmit data in plain text. If an attacker is on the same network (or between the sender and receiver) and manages to redirect the data traffic to his device, he can read the transmitted data (for example, login data) with a simple network sniffer.

However, the use of an encryption method alone does not provide absolute security. The protocols used for encryption (for example, TLS), like software, are constantly being developed further and security gaps are being closed.

Older versions are already considered broken in some cases. Website operators must therefore pay attention to which protocols and which versions are supported by the system overall, and not just which are offered preferentially.

Otherwise, an attacker can negotiate a weak protocol version, break the encryption, and read the transmitted traffic, despite encryption.

Conclusion

Ensuring the confidentiality and integrity of user data should be a top priority for website operators even without the IT Security Act. If systems are compromised and customer data leaks out, this always results in reputational damage that can have serious consequences.

In addition, there are now the legal restrictions imposed by the new IT Security Act. A wave of warnings from competing companies or overzealous law firms is conceivable. A security check of the systems accessible from the Internet should therefore be carried out at regular intervals.

avatar
Alexandra Palandrani, IBS

Alexandra Palandrani is Auditor & Consultant IT Security at IBS Schreiber.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.