Implementation areas
In Switzerland, there are initiatives to raise awareness of the dangers in the area of IT security and to identify possible countermeasures. Responsible for this is the National Cyber Security Centre (NCSC), the federal competence center for cyber security and thus the first point of contact for business, administration, educational institutions and the population on cyber issues.
Programming errors in almost any software make it almost impossible to protect against attacks of any kind. When computers holding sensitive data (e.g., home banking, stationery) are connected to the Internet, these vulnerabilities can also be exploited from the outside. Private households have lower IT security standards because few appropriate measures are taken to protect the infrastructure (e.g., uninterruptible power supply, theft protection).
However, private households in other regions still show deficits.
Many users are also unfamiliar with security aspects such as setting access restrictions. It is also important to identify vulnerabilities in the software used and to install updates regularly.
Computer security involves not only the preventive use of technical tools such as firewalls and intrusion detection systems, but also an organizational framework in the form of well-thought-out principles that incorporate people, as the users of these tools, into the system. By exploiting passwords that are too weak, or through so-called social engineering, hackers often succeed in gaining access to sensitive data.
The results of Basel II, the BaFin and KWG regulations, and individual audits by savings banks and banking associations are accelerating this process and underscoring its importance. Both external and internal audits are increasingly being designed around this topic. At the same time, a broad range of services has been created for the implementation of various projects to establish IT security processes within the company. Providers can be found in the internal and external markets of the respective corporate groups. For other financial service providers, insurance companies and securities trading companies, the concept is basically the same, although other laws may come into play here.
Even if laws and audits set fewer standards in other sectors of the economy, IT security still has a high priority.
Due to the growing networking of different branches, for example through company acquisitions, the protection of IT systems is becoming increasingly important. Dangerous situations arise when data is transferred from an internal closed network to another location via an external public connection.
However, the danger lies not only in the exchange of data within companies. Applications are increasingly being delivered directly to users, and external employees or even outsourced service providers have access to data stored in companies and can edit and manage it. For their access authorization, it must be possible to authenticate them and to document the actions they perform and the changes they make.
This issue places new demands on existing security concepts. In addition, there are legal requirements that must also be integrated into the IT security concept. Compliance with the relevant laws is audited by external and internal auditors. Since the method for achieving these results is not defined, various "best practice" methods, such as ITIL, COBIT, ISO or Basel II, have been developed for different areas.
The approach here is to manage and control the company in such a way that relevant and potential risks are covered. Standards for so-called IT governance can be seen as mandatory (i.e., laws and expert opinions) and as supporting.
This means identifying, analyzing and evaluating these risks. Based on this, an overall security concept can be created. This includes not only the definition of the technologies used, but also organizational measures such as responsibilities, authorizations and control mechanisms, as well as conceptual aspects such as minimum requirements for certain security functions.
It should be noted that the way in which automation data is stored should always be clear, traceable and consistent. To this end, this data must be protected against manipulation and deletion. All changes should trigger version management, and reports and statistics about processes and their changes must be retrieved directly from a central location.
A sophisticated automation solution can provide a remedy here. Potential sources of danger are eliminated as less manual intervention is required. Therefore, data center automation includes the following areas: