
IT system management

Introduction

We ensure secure IT management through procedures for access security, password management, update and patch management, malware prevention, environment separation (DTAP/OTAP), backups, logging/monitoring, and cryptography. In addition to the basic measures taken by cloud and hosting partners, we have defined which measures fall within our own sphere of influence.



Detailed explanation


Access management

We have a systems access policy that specifies how access to systems and environments is granted, changed, and revoked. The principles include need-to-know, controlled account management, and appropriate security measures such as (where applicable) multi-factor authentication, session management (e.g., timeouts), and logging of administrative and system-level activities. Privileged accounts and special accounts are managed in a controlled manner and, where possible, logged and reviewed separately.


Password policy

There is a formal password policy with principles for strong passwords, secure storage (such as hashing or encryption), and careful management of (temporary) credentials. This also includes guidelines for secure communication and handling of temporary credentials and the use of approved password management methods, including password managers where applicable (also for unnamed accounts).


Update and patch management

We use fixed cycles for update and patch management for workstations, mobile devices, servers, network components, and applications. Urgent security patches are addressed quickly. Monitoring relevant security notifications is part of this process, so that vulnerabilities can be mitigated in a timely manner.


Malware prevention

We have procedures for virus and malware protection with measures at endpoint, network, and process levels. This includes controlled network flows, segmentation, hardening, up-to-date patches, endpoint protection, email and file scanning, and clear reporting routes for suspected malware.


DTAP/OTAP (environment separation)

We use DTAP/OTAP separation to keep development, test/acceptance, and production environments separate. This supports change control and limits risks related to test data and production data. The use of (special) personal data in development and testing is not permitted; where test data is required, representative datasets are used or explicit written customer approval is obtained in exceptional cases.


Backup management (continuity and recovery)

To ensure continuity, we have a backup policy with principles for (offsite) encryption, retention, recovery, integrity checks, and recovery procedures. The policy also specifies how restore requests are handled, including situations in which “old” data may no longer fall under the customer's current processing basis.


Logging and monitoring

Logging and monitoring are set up to safeguard audit trails and to detect and investigate deviations or malfunctions in a timely manner. Access to logs is restricted. Relevant access and management activities are logged, and periodic log review is part of the control program.


Cryptography

We apply principles and implementation rules for encryption during data transport and, where applicable, during storage. Examples include TLS/SSL for transport, encryption on mobile devices, encryption in password management, and, where applicable, data masking/anonymization in logs. This supports data protection and the confidentiality of information.

Updated:

27 March 2026 at 15:20:44
