ORP.5 Compliance Management (Requirements Management)

Description

Introduction

Every institution has relevant statutory, contractual, and other requirements, such as internal policies, that must be observed. Many of these requirements have direct or indirect implications for information security management.

The requirements differ depending on the industry, the country, and other framework conditions. For example, a government authority is subject to different external regulations than a public limited company. The management level of the institution must ensure compliance with the requirements (“compliance”) through appropriate monitoring measures.

Depending on the size of an institution, it may have various management processes that deal with different aspects of risk management. These include, for example, information security management, data protection management, compliance management, and controlling. The various units should work together in a spirit of trust in order to exploit synergies and resolve conflicts at an early stage.

Objective

The objective of this building block is to show how those responsible can gain an overview of the various requirements applicable to the individual areas of an institution. For this purpose, appropriate security requirements are to be identified and implemented in order to avoid violations of these requirements.

Scope and Modeling

The building block ORP.5 Compliance Management (Requirements Management) MUST be applied once to the entire information network.

The obligation of employees to comply with the statutory, contractual, and other requirements identified in this building block is not part of this building block, but is addressed in the building block ORP.2 Personnel.

This building block does not address specific laws, contractual regulations, or other policies.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance to the building block ORP.5 Compliance Management (Requirements Management).

Violation of Statutory Provisions

If information security is implemented incorrectly or only minimally, institutions may violate statutory provisions or contractual agreements. Institutions must also observe many different sector-specific, national, and international legal framework conditions. As this can be very complex, users may inadvertently violate legal requirements, or even deliberately disregard them. For example, many cloud service providers offer their services in an international environment. As a result, these providers are often subject to different national laws than their customers. Cloud users frequently focus only on low costs and misjudge the legal framework conditions to be observed, such as data protection, information obligations, insolvency law, liability, or third-party access to information.

Unauthorised Disclosure of Information

Due to incorrect behaviour on the part of employees, protected information may be disclosed in an unauthorised manner. For example, confidential information may be discussed within earshot of outsiders, such as during breaks at conferences or over mobile phone calls in public environments. It is also conceivable that the line manager of a specialist department suspects employees of collaborating with competitors. To prove this, they ask IT Operations to gain access to the emails of these employees “through informal channels”. IT Operations complies with the request without obtaining the necessary consents.

Insufficient Verification of the Identity of Communication Partners

In personal conversations, on the telephone, or in emails, many employees are willing to disclose far more information than they would in, for example, a letter or in a larger group setting. Moreover, the identity of communication partners is generally not questioned, as this is perceived as impolite. Similarly, authorisations are often not sufficiently checked but are implicitly derived from the (claimed) role. For example, employees may receive an email from a supposed acquaintance of their line manager claiming that the line manager has already agreed to a quick transfer of an outstanding amount. Or an unknown person in work clothing with a toolbox is granted access to the data centre after mentioning something about “water pipes”.

Unintentional Disclosure of Internal Information

When information is passed on, it repeatedly happens that, in addition to the desired content, other data is inadvertently transmitted as well. This can result in confidential information falling into the wrong hands. This may involve, for example, old files or residual information on storage media that have been passed on. Users could also transmit incorrect data or send it to the wrong recipients.

Requirements

The following are the specific requirements of the building block ORP.5 Compliance Management (Requirements Management). The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and reviewed in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities              Roles
Primary responsibility        Compliance Officer
Additional responsibilities   Central Administration, Supervisors, Top Management

Exactly one role SHOULD hold Primary responsibility. There may also be Additional responsibilities. If one of these additional roles holds primary responsibility for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not indicate how many people are intended to fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

ORP.5.A1 Identification of Framework Conditions (B) [Central Administration, Top Management]

All statutory, contractual, and other requirements with implications for information security management MUST be identified and documented. The statutory, contractual, and other requirements relevant to the individual areas of the institution SHOULD be compiled in a structured overview. The documentation MUST be kept up to date.

ORP.5.A2 Observance of Framework Conditions (B) [Supervisors, Central Administration, Top Management]

The requirements identified as security-relevant MUST be taken into account in the planning and design of business processes, applications, and IT systems, or when procuring new components.

Managers who bear legal responsibility for the institution MUST ensure compliance with statutory, contractual, and other requirements. The responsibilities and accountabilities for compliance with these requirements MUST be defined.

Appropriate measures MUST be identified and implemented to prevent violations of relevant requirements. If such violations are identified, appropriate corrective measures MUST be taken to remedy the deviations.

ORP.5.A3 DISCONTINUED (B)

This requirement has been discontinued.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be fulfilled.

ORP.5.A4 Design and Organisation of Compliance Management (S) [Top Management]

A process SHOULD be established within the institution to identify all relevant statutory, contractual, and other requirements with implications for information security management. Appropriate processes and organisational structures SHOULD be established that provide an overview of the various legal requirements applicable to the individual areas of the institution and ensure that the legal framework conditions are identified and observed. For this purpose, those responsible for compliance management SHOULD be designated.

Compliance officers and Information Security Officers SHOULD exchange information on a regular basis. They SHOULD jointly integrate security requirements into compliance management, translate security-relevant requirements into security measures, and monitor their implementation.

ORP.5.A5 Exemption Approvals (S) [Supervisors]

If it is necessary in individual cases to deviate from established regulations, the exception SHOULD be justified and approved by an authorised body following a risk assessment. There SHOULD be an approval procedure for exemption approvals. An overview of all exemption approvals granted SHOULD be created and maintained. A corresponding procedure for documentation and a review process SHOULD be established. All exemption approvals SHOULD be time-limited.

ORP.5.A6 DISCONTINUED (S)

This requirement has been discontinued.

ORP.5.A7 DISCONTINUED (S)

This requirement has been discontinued.

ORP.5.A8 Regular Reviews of Compliance Management (S)

A procedure SHOULD be established for regularly reviewing the compliance management system, and the requirements and measures arising from it, for efficiency and effectiveness (see also DER.3.1 Audits and Reviews). The organisational structure and the processes of compliance management SHOULD be regularly reviewed for adequacy.

Requirements for High Protection Needs

The following are exemplary proposed requirements for this building block that go beyond the level of protection that represents the state of the art. The proposals SHOULD be considered in the case of high protection needs. The specific determination is made within the framework of an individual risk analysis.

ORP.5.A9 DISCONTINUED (H)

This requirement has been discontinued.

ORP.5.A10 DISCONTINUED (H)

This requirement has been discontinued.

ORP.5.A11 DISCONTINUED (H)

This requirement has been discontinued.

Additional Information

Good to Know

The International Organization for Standardization (ISO) provides guidelines for a compliance management system in the standard ISO 19600:2014 “Compliance management systems — Guidelines”.

The ISO also addresses requirements management in the standard ISO/IEC 27002:2013 “Information technology — Security techniques — Code of practice for information security controls” in chapter 18 (Compliance); the corresponding control objectives are listed in Annex A.18 of ISO/IEC 27001:2013 “Information technology — Security techniques — Information security management systems — Requirements”.

The Institut der Wirtschaftsprüfer (IDW, the German institute of public auditors) defines guidelines for the auditing of compliance management systems in the IDW publication IDW PS 980 “Grundsätze ordnungsmäßiger Prüfung von Compliance Management Systemen” (Principles of Proper Auditing of Compliance Management Systems).