GDPR: OTRS shows how companies can document their IT security processes clearly and legally

Cupertino, May 22, 2018 – In just two days, the European Union’s regulation known as the General Data Protection Regulation (GDPR) will go into effect. The regulation impacts many companies worldwide, not solely in the EU, as it strives to better protect and regulate the use of personal data. Among other things, it emphasizes IT security by stating that data breaches and losses of personal data must be reported to the responsible supervisory authority within 72 hours or companies risk high fines.

“Not all companies are prepared for this,” says Jens Bothe, Director Global Consulting at OTRS AG, a leading provider of solutions for process and communication management. “Recent incidents, such as the Equifax breach in 2017, have proven how vulnerable IT infrastructures can be. The EU Data Protection regulation responds to this and calls for timely reporting of security incidents. This is why it is essential for companies to record IT security incidents and to document them legally.”

OTRS AG — as an expert in security environments— provides the following recommendations to help companies address IT security:

Start small

Most large companies have already-defined processes and so-called cyber defense teams in use. However, many small and medium-sized enterprises still need to work out their strategies. For these, it is advisable to start “small”: creating a Reporting Office for Security Incidents is useful and dedicating a contact person or team that is responsible for security-related events is key. These can create centralized documentation that keeps everyone aware of what’s happening.

Consult experienced experts

In addition to the new EU GDPR, other legal regulations for data protection and IT security processes apply to critical sectors such as financial services providers. Companies do not always have the time to check all regulations to determine if they are relevant to their businesses. Therefore, you should not hesitate to consult external experienced experts with questions about guidelines and accepted standards, such as ISA/IEC series 27000.

Clear definition of IT security processes

It is important for all companies to establish clear processes and responsibilities for dealing with security-related events. The following questions should be among those considered:

• How do you define a security incident?
• When exactly does an incident need to be reported?
• Which data or processes should be protected?
• What is the potential impact of the incident?
• Who must or may be informed of an incident?
• In which order and in what timeframe must the communication take place?

Creating centralized digital processes

In order to document the security events and the corresponding steps taken to mitigate the situation in a secure manner, systems such as STORM of OTRS AG are available. They act as the technical backbone of IT security processes, support communication related to incidents and store documentation in case of later audits. They make it possible to define specific processes for threat scenarios, to grant users role-based access, and to enable encrypted communication between clearly authenticated users so that attacks are handled swiftly and the proper documentation is captured.

IT security as a continuous process

Once established, IT security processes become an everyday part of your business activities. Nevertheless, it must be considered that the regulations, processes and requirements can change again and again. This is why companies should keep up-to-date. If you want to build your security know-how and develop an IT security team within your organization, you should connect with other security officers and stay abreast of changes in the industry.

You can find more information about how OTRS can structure enterprise security efforts here.