Although the IT Security Act and the related KRITIS regulation have been in force for some time, there is still considerable uncertainty about how to implement them. What is certain is that organizations of different sizes and from different industries must set up their IT infrastructure within a period of two years so that it corresponds to the general state of the art. This requirement alone, however, raises more questions than it answers. At least it is clear which industries are affected. Even the wording "general state of the art" is to be read as an ambitious standard rather than a lenient one. In particular, the requirements placed on the technology used, for example in terms of failure safety, are high. Depending on the organization's turnover structure, the same applies to the penalties: fines of up to 100,000.00 EUR are possible if the requirements are not followed. This leads to the next question: according to which standards do the audits actually take place?
Is this part of the audit?
Affected organizations from the energy, IT + TC, food and water sectors are obliged to submit their first audit certificates to the Federal Office for Information Security (BSI) by May 3rd, 2018. The BSI recently presented, in a multiplier workshop, the training content and concepts according to which auditors are to be trained. From this it can be derived what is to be audited and, above all, how. Basically, the parameters being checked are not new and are already part of conventional audits. However, the bar for KRITIS audits is significantly higher, since specific questions are also raised about availability and failure safety, especially in emergency situations. Importantly, economic viability is accepted only to a very limited extent as an excuse for a measure that has not been implemented.
No excuses! Not even insurance helps anymore
For example, a KRITIS auditor may well object to the use of complex PLC control systems that have functioned for a long time without any complications and have basically been the industry standard, if they have in the meantime developed serious weak points that could lead to a significant supply bottleneck. This is no longer accepted by the BSI and cannot be compensated for by insurance. The organizations from the energy, IT + TC, food and water sectors that were designated on May 3rd, 2016 are currently in the audit phase. It is doubtful that all of them will submit audit reports to the BSI by the deadline of May 3rd, 2018, since some have not yet started implementing measures according to the required "state of the art".
Send the auditor directly to DARZ
When working with a full IT service provider such as DARZ, affected organizations benefit not only from outstanding infrastructure and technology that guarantees failure safety and availability. Above all, full certification according to ISO 27001, the gold standard in this area, creates seamless legal compliance with KRITIS. In addition, the auditors can be sent directly to DARZ, because we also organize this process for our customers.
Recommendations for action, hacks and shortcuts are provided in the strategy paper "KRITIS – Status Quo, Challenges and Recommendations for Action", which can be downloaded free of charge here: http://bit.ly/2lAUd2U
You can also find out more about this topic in the video interview of "Speicherguide" with DARZ: http://bit.ly/2mAUMyw