1. Importance of information security
As a local IT company, we strive to protect our project and management operations as well as our data and IT systems through various technical, physical and organizational measures. We are aware that the security of our data and systems is an essential part of our success and that we must offer our customers a high level of trust and security. Therefore, we use innovative technologies and measures to protect ourselves in the best possible way.
The legal basis derives, among others, from:
- Legal provisions (GmbH Gesetz, HGB)
- Data Protection Regulation (DPR or DSGVO) and the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG)
- IT basic protection compendium of the BSI (IT-Grundschutz-Kompendium, BSI)
- Telecommunications Act/Telemedia Act (TMG)
- Information Technology Security Act (IT-SiG)
- General Equal Treatment Act / Allgemeines Gleichbehandlungsgesetz (AGG) etc.
Our company’s activities take place in a constantly changing digital world. Accordingly, we must protect all data that we collect and store from unauthorized access, loss, misuse and unauthorized disclosure. This also applies to personal data that we process and store, including the personal information of our employees, customers, partners and suppliers. We must take the proper security measures to ensure that this information is safe and that we maintain the confidentiality, integrity and availability of all data.
The good reputation of our company depends not least on a professional presence on the Internet and on the reliable provision of services and communication media. Manipulation of our Internet presence, for example, or misuse of the e-mail service through a spam attack, would damage the reputation of our company, and negative effects on our customer projects would be expected.
With increasing digitalization, we must prepare for the growth in the use of home offices, cloud services and the connection of online products and services. In doing so, it is essential that we consider and implement the necessary data protection and security aspects.
The basis for information security in an IT company is a commitment to information security on the part of the executives.
This commitment, and thus also the assumption of overall responsibility by the executives, is expressed by establishing an information security guideline (ISL).
2. Area of Application
The information security guideline applies to Intechcore GmbH, including external project employees (freelancers), as well as to suppliers and service providers. Partners and customers are excluded from this, provided that, for example, no relevant data is held there or no disciplinary measures can be enforced.
In addition to IT systems and electronic data, information security also includes paper records in the form of files, documents, deeds, receipts, as well as information from communications with affected parties (telephone or personal conversations). It also includes all organizational, personnel and technical measures to ensure information security.
External persons, institutions and companies (partners and suppliers) that provide services for Intechcore GmbH must comply with Intechcore’s requirements for adherence to information security objectives in accordance with this guideline. For this purpose, they are informed and obligated to comply in a suitable manner (e.g. by AV contract, declaration of confidentiality).
3. Information Security Goals
In the course of performing the mandatory tasks and the tasks that Intechcore GmbH undertakes on a voluntary basis, information is collected and processed whose confidentiality, integrity and availability represent a high-value asset.
To fulfill these tasks, data, IT systems, applications, procedures and processes must be available and protected.
The following goals are to be achieved specifically with regard to information security:
- Raising the awareness of all employees and imparting the necessary knowledge in dealing with data, IT systems and communication media
- Keeping IT systems (workstations, servers, network infrastructure, applications) up to date and ready for use
- Avoidance of IT security incidents and negative effects on Intechcore GmbH (costs, reputation, data loss)
- Compliance with legal regulations (e.g. DPR/DSGVO)
- Creation of a high level of trust in information security for all parties involved
The goals set are monitored using suitable measures and measurable target variables (internal audits, inspections, employee discussions, checklists, evaluation of protocols, etc.) and presented to the management at regular intervals.
4. Key elements of the security strategy
Information and data security is very important for administrative actions. The security strategy is therefore structured as follows:
- Intechcore GmbH establishes an appropriate information security management system (ISMS) and follows the CISIS12 approach.
- As the central security authority, the Managing Director appoints an Information Security Officer (ISO) / Informationssicherheitsbeauftragter (ISB) and a deputy, who is responsible for all information security matters and issues. He is independent and not subject to directives and reports directly to the Executive Board in this role. Sufficient resources shall be made available to the ISB and suitable qualification measures shall be made possible.
- An information security team shall be formed to support the ISO and shall meet for discussions at regular intervals. The team consists of the ISO, representatives of the management level, the system administrator and the data protection officer.
- Intechcore GmbH anchors the topic of information security throughout the organization by means of clearly formulated guidelines and security requirements that are binding for all employees.
- There are ongoing training and awareness measures for employees.
- The implemented security measures are subject to regular monitoring (e.g., through walk-throughs or internal audits) and the result is communicated to the management.
- The implemented information security management system and the associated measures are regularly updated and further developed.
- Intechcore GmbH bases all information security activities on current standards and proven methods from practice.
5. Commitment to implementation and responsibility
Every employee is responsible for information security. It is part of the official duties of all employees. This document is binding for all employees and is fully supported by the owner and the management. The resulting measures are to be implemented even if they impair the use of the information systems.
The signatory bears overall responsibility for ensuring information security, regardless of whether and in what way sub-tasks are delegated. It is his responsibility to ensure that the necessary measures are implemented and to provide the resources, funding and IT systems required for this purpose.
The security measures must be commercially justifiable in relation to the damage that can be caused by security incidents. This is defined by the value of the information to be protected and the IT systems. The effects on the physical and mental integrity of people, the right to informational self-determination, financial damage, impairment of the performance of tasks, the reputation of the company, and the consequences of violations of the law must also be assessed.
6. Commitment to continuous improvement
The management undertakes to participate in the improvement of information security and to exemplify and support this. It is to be informed regularly about the current security status.
The IPM is responsible for the further development of the ISL and the security concept, with the best possible support from the specialist managers. Employees are required to pass on possible improvements or weak points to the relevant departments. The ISO must be informed and involved at an early stage in all organizational and technical innovations or changes that may have an impact on information security.
7. Training and sensitization of employees
To ensure that all employees are aware of what is expected of them in terms of information security and how they should react in security-critical situations, training and awareness-raising measures are carried out on a regular basis.
For this purpose, the following measures are prepared and implemented:
- Every employee takes part in training on the basics of information security, in particular data protection.
- Further training provides employees with the necessary information security expertise to perform their specialist tasks.
- If specific information is required, employees receive newsletters or individual messages from the IT security officer and/or the data protection officer.
8. Violations and sanctions
Every employee of Intechcore GmbH is obliged to handle data, information, applications, IT systems and communication media with care. Intentional or grossly negligent endangerment of information security, for example
- the illegal use or misuse of information, data and systems
- the non-compliance with specifications in the service instructions
- non-compliance with legal requirements (e.g. DPR/DSGVO)
- the circumvention of security settings in programs and devices
may result in consequences under labor law. Employees are required to report possible vulnerabilities or security breaches immediately. In the event of violations or non-compliance with rules, those responsible must take suitable and appropriate disciplinary measures (e.g. admonishment, warning).
9. Update of the Information Security Guideline
The administration is always subject to dynamic changes. In the area of information security, this affects information and communications technology as well as internal processes, organizational structures and external conditions such as legal requirements. It is therefore necessary to promote and further develop tried-and-tested security measures in order to be able to guarantee an appropriate level of security in the long term. Using the “PLAN-DO-CHECK-ACT” method, existing weaknesses are regularly analyzed and improvements made.
The information security guideline, the security concept and the current measures are reviewed annually by the ISO to ensure that they are up to date and effective, and optimized as necessary. The business manager as well as the employees support the continuous improvement of the security level.
10. Enactment
The information security guideline will come into force on 31 March 2023 and will be brought to the attention of all employees immediately after signing.