IT-Security Regulatory Update | February 2022
IT-Grundschutz Compendium 2022
The German Federal Office for Information Security (BSI) regularly publishes an update of the IT-Grundschutz Compendium, which together with the BSI standards forms the basis for information security management. For this year’s compendium, 16 IT-Grundschutz modules were adapted compared to the previous year. The adaptations are based on feedback from information security officers. The BSI very much welcomes this input, as it makes a decisive contribution to the user-friendly design of the specifications.
The adjustments to the IT-Grundschutz Compendium can be summarized as follows:
- The BSI has made changes to the content of 14 modules, including the data protection concept (CON.3), software tests and releases (OPS.1.1.6), and general software (APP.6).
- Two further modules were editorially adjusted.
- Seven modules of the IT-Grundschutz compendium have been newly included. They deal with various topics, for example system management (OPS.1.1.7), containerization (SYS.1.6) and remote maintenance in an industrial environment (IND.3.2).
- Two modules have been renamed.
To simplify the practical implementation of the changes, the BSI has provided various supporting documents that you can access on the BSI website:
- A change overview showing and explaining the adjustments made. You can find it here.
- An overview of the structure of the 5th edition of the IT-Grundschutz Compendium can be found here.
- Cross-reference tables to the IT-Grundschutz Compendium can be found here.
- Checklists for the individual modules can be found here.
You can find the entire IT-Grundschutz Compendium 2022 here on the BSI website.
Source: German Federal Office for Information Security – BSI, https://www.bsi.bund.de/
BaFin expert panel addresses interpretation issues regarding the 6th MaRisk amendment and the FISG
With the publication of the drafts for the Financial Market Integrity Strengthening Act (FISG), a jolt went through the financial industry: the consequences of the Wirecard scandal had caught up with uninvolved institutions. Among various other issues, the law also tightens the regulation of outsourcing across the industry. At its meeting in October 2021, the MaRisk expert committee addressed various issues relating to the interpretation of the FISG and the 6th MaRisk amendment, which, among other topics, also brought an increase in requirements in the context of outsourcing.
In addition, the expert committee dealt with the notification requirement in the outsourcing context, the planned adjustments to the Minimum Requirements for Risk Management (MaRisk) with regard to business model analysis, and information on the regulatory capital target ratio for covering risks in stress situations.
The minutes of the expert panel can be found here on the website of the German Federal Financial Supervisory Authority (BaFin).
© Federal Financial Supervisory Authority / www.bafin.de
New technologies demand rethinking of data protection
New technologies are currently challenging regulators and legislators across Europe. In the context of data protection, the European Union Agency for Cybersecurity (ENISA) has taken a closer look at the resulting opportunities and risks. It concludes that the General Data Protection Regulation (GDPR) needs to be rethought in relation to new technologies. In particular, processing activities have to be reconsidered and, if necessary, new actors and responsibilities have to be defined.
With the report “Data Protection Engineering”, ENISA provides data protection practitioners and organizations with guidance on the practical implementation of technical aspects of data protection.
You can find the ENISA report here on their website.
Source: © European Union Agency for Cybersecurity (ENISA), 2022 – enisa.europa.eu
Information security officers should familiarize themselves with the changes to the IT-Grundschutz Compendium, identify adaptation requirements and implement them.
We at ADWEKO are happy to assist you in this process.