
IT Security Act: What do website operators need to be aware of?

In July 2015, the Act to Increase the Security of Information Technology Systems (IT Security Act) came into force. This article explains the requirements that the new IT Security Act places on website operators.
Alexandra Palandrani, IBS
September 7, 2017
IT Security
This text has been automatically translated from German to English.

The IT Security Act is a so-called article law (Artikelgesetz): an omnibus act that amends and extends several existing laws at the same time rather than standing on its own.

The aim of the law is to keep the security of IT infrastructures in Germany at the highest possible level and to avoid dramatic consequences from outages or supply bottlenecks, especially in critical infrastructures (CRITIS).

However, CRITIS operators are not the only ones affected by the IT Security Act; the legislator also imposes new information security requirements on providers of website services. Any operator of a commercial website is to be regarded as a service provider within the meaning of the law.

Among other things, the IT Security Act has resulted in changes to the Telemedia Act (TMG). Telemedia includes, among other things, websites. The goal to be achieved by the amendments to the TMG is to curb the spread of malware via telemedia.

In Section 13 (7) of the German Telemedia Act (TMG), the legislator requires service providers to take technical and organizational measures ("insofar as this is technically possible and economically reasonable") so that no unauthorized access to the IT systems used for their services is possible, that these systems are protected against disruptions, including those caused by external attacks, and that breaches of personal data protection are prevented.

A report from regularly performed penetration tests, for example, can serve as evidence that such measures have been implemented. The legislator requires the measures to reflect the "state of the art".

This term appears frequently in legislation because technology develops far faster than the law does. National or international standards can be consulted as a concrete guideline, such as the technical guidelines of the BSI (German Federal Office for Information Security); for the choice of TLS versions and cipher suites in particular, BSI TR-02102-2 is the relevant guideline.

Section 13 (7) of the German Telemedia Act (TMG) specifically requires the use of encryption methods that are "recognized as secure". These are intended to protect the users of the website from unauthorized third parties being able to read the transmitted data.

Many protocols used for data transmission on the Internet send data in the clear. An attacker who is on the same network (or anywhere between sender and receiver) and manages to redirect the traffic to their own device can read the transmitted data (login credentials, for example) with a simple network sniffer.

However, using an encryption method on its own does not guarantee security. The protocols used for encryption (for example, TLS), like any software, are continually developed further, and security gaps are closed only in newer versions.

Older versions are already considered broken: SSL 2.0 and SSL 3.0 are no longer safe to offer at all, and TLS 1.0 and 1.1 have since been deprecated as well. Website operators must therefore check which protocols and which versions the system accepts at all, not just which one it offers preferentially: a server that prefers TLS 1.2 but still accepts SSL 3.0 protects only those clients that never ask for less.

Otherwise an attacker positioned between client and server can push the connection down to a weak protocol version (a downgrade attack), break the encryption, and read the transmitted traffic despite encryption.
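The two preceding points, that a sniffer in the path sees whatever is on the wire and that what matters is the version the server actually negotiated, can be checked passively from a capture. The following script is an added example and not code from the original article or from IBS: it parses the ServerHello the server sends as its first handshake record and reports the negotiated version. It handles the TLS 1.3 case, where the real version is carried in the supported_versions extension while the legacy version field still says TLS 1.2, so a check that only looks at the header misreports it. The policy threshold (anything below TLS 1.2 is weak) and the sample records are assumptions constructed for the example, not captured traffic.

```python
"""Passive check of the TLS version a server actually negotiated.

Input is the first TLS record a server sends (as a sniffer would capture it).
The negotiated version is the legacy version field for TLS 1.2 and older; for
TLS 1.3 it is the value of the supported_versions extension (RFC 8446).
"""
import struct
from typing import Optional

HANDSHAKE = 22               # TLS record content type
SERVER_HELLO = 2             # handshake message type
EXT_SUPPORTED_VERSIONS = 43  # extension type carrying the real TLS 1.3 version

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

# Policy assumed for this example (not taken from the article):
# anything older than TLS 1.2 counts as a weak negotiation.
MIN_ACCEPTABLE_VERSION = 0x0303


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; raise ValueError otherwise."""
    if len(record) < 5:
        raise ValueError("record too short for a TLS header")
    content_type, record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError(f"content type {content_type} is not a handshake record")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record truncated")
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("ServerHello truncated")

    legacy_version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                       # skip server random
    pos += 1 + hs[pos]                 # skip legacy session id (length-prefixed)
    if pos + 3 > len(hs):
        raise ValueError("ServerHello truncated after session id")
    cipher_suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1                       # cipher suite, compression method

    negotiated = legacy_version
    if pos + 2 <= len(hs):             # extensions block is optional before 1.3
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(hs):
            raise ValueError("extensions block truncated")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext_data = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                negotiated = struct.unpack("!H", ext_data)[0]

    return {
        "record_version": record_version,
        "legacy_version": legacy_version,
        "negotiated": negotiated,
        "negotiated_name": VERSION_NAMES.get(negotiated, f"unknown 0x{negotiated:04x}"),
        "cipher_suite": cipher_suite,
        "weak": negotiated < MIN_ACCEPTABLE_VERSION,
    }


def build_server_hello(legacy_version: int, cipher_suite: int,
                       supported_version: Optional[int] = None) -> bytes:
    """Construct a minimal ServerHello record as sample input (not real traffic)."""
    server_random = bytes(range(32))   # fixed bytes, fine for constructed samples
    hs = struct.pack("!H", legacy_version) + server_random
    hs += b"\x00"                      # empty session id
    hs += struct.pack("!H", cipher_suite) + b"\x00"   # cipher suite, null compression
    if supported_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
        hs += struct.pack("!H", len(ext)) + ext
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, legacy_version, len(body)) + body


# Constructed sample records (hypothetical servers, not captures).
SAMPLE_TLS10 = build_server_hello(0x0301, 0x002F)   # TLS_RSA_WITH_AES_128_CBC_SHA
SAMPLE_TLS12 = build_server_hello(0x0303, 0xC02F)   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SAMPLE_TLS13 = build_server_hello(0x0303, 0x1301, supported_version=0x0304)  # TLS_AES_128_GCM_SHA256

if __name__ == "__main__":
    for label, rec in (("legacy server", SAMPLE_TLS10),
                       ("current server", SAMPLE_TLS12),
                       ("TLS 1.3 server", SAMPLE_TLS13)):
        info = parse_server_hello(rec)
        verdict = "WEAK" if info["weak"] else "ok"
        print(f"{label}: negotiated {info['negotiated_name']} "
              f"(legacy field 0x{info['legacy_version']:04x}) -> {verdict}")
```

Run against records from a capture, the check tells you what a given client and server really agreed on; to learn what the server would accept at all, the same parser can be pointed at the ServerHello that comes back from a deliberately old ClientHello for each version in turn, which is exactly the enumeration a penetration test performs.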

Conclusion

Ensuring the confidentiality and integrity of user data should be a top priority for website operators even without the IT Security Act. If systems are compromised and customer data leaks, the result is always reputational damage, which can have serious consequences.

Added to this are now the legal obligations imposed by the new IT Security Act. A wave of warning letters (Abmahnungen) from competitors or overzealous law firms is conceivable. A security check of all systems reachable from the Internet should therefore be carried out at regular intervals.


Alexandra Palandrani is Auditor & Consultant IT Security at IBS Schreiber.


