The NTS experts Johannes Holzer, Information Security Manager & Data Privacy Coordinator, and Matthias König, Legal Counsel, have provided an inside view of NTS's internal measures for protection and security and of the threats the company faces.
DATA PROTECTION AT NTS
HOW DOES NTS ITSELF DEAL WITH THE DELICATE TOPIC OF DATA PROTECTION?
We are not afraid of data protection! The topic is not so delicate if you are well prepared and understand the fundamental principles. We started early on to occupy ourselves with data protection – partly because some of our employees were personally enthusiastic about the topic. Each of us is concerned about and strives for the highest possible protection of his or her own data, and we act based on this guiding principle.
There are many stipulations based on the EU General Data Protection Regulation (GDPR), and companies had to use them as orientation in order to establish a data protection management system. Besides a substantial documentation effort and many contracts with our customers and partners, a huge chunk of our work is the actual protection of data. This is where our information security management system, which has been certified according to ISO 27001, comes into play. It is the framework and the basis for our work and our passion around the security of the data that has been entrusted to us. Some of us deal exclusively with this day in, day out, and they try to infect all employees with their enthusiasm.
We try to deliver our own products to our customers in the same way that we, as customers of software and hardware manufacturers, required of them in the past in order to implement data protection.
In doing so, we had to answer questions such as:
- Which categories of personal information will be stored in the system?
- Which group of persons is concerned?
- Does the system itself already support GDPR requirements?
- Do I have to conduct a data protection impact assessment?
In this way, we attempt to bring the principle of privacy by design to life in our products. The GDPR prescribes this principle only in a very abstract way.
WHICH STEPS WERE TAKEN AT NTS TO PROTECT SENSITIVE CUSTOMER DATA?
How many hours do we have to discuss this topic? Data protection measures and information security are VERY comprehensive topics. That is why the topic is so exciting and definitely not dull at all. All this starts with a clearly defined goal: how good do we want to be?
NTS has set itself the target of being at least at the state of the art. This starts with access and admission controls, continues with input and order controls, as the data should of course be sufficiently separated between customers, and we also want to know where the data goes.
As one can see, there is a lot of “control” hidden in this topic. This means that the framework conditions are set from a technical, but also from an organizational, point of view. Here, the classical disciplines of information security come into play: access control, personnel security, administration of assets (including data), physical security, communication security, incident response, vulnerability management, supplier and partner relationships, etc., but also “new things” such as clean concepts for deletion, retention periods and anonymization. The situation needs to be re-evaluated from the perspective of data protection during each evaluation of new software, when introducing new processing activities and during each change in our processes. We have a great advantage when applying new technical means: we have the expertise in-house. Whether it is network security, malware protection or enterprise mobility management – we prefer to fall back on the products that we distribute ourselves!
HOW IS THE DATA BEING PROCESSED?
It is fundamentally important to understand why NTS processes personal data at all. The business model of NTS does not involve doing business with or trading in personal data. Never – at any time.
We require a little data from our customers in order to carry out our tasks as an IT system integrator. This means, for example, that our employees use the contact information of our customers to place our services or a hardware component in the customer's network. The contact information may only be used for our legitimately permitted business purposes; any other usage is not permitted for our employees. Customer information is administered in a centralized database that serves as a resource for other systems. This database is part of our ERP system, which we use to conduct our central business processes. This data is actively curated and maintained.
WHAT ARE THE CHALLENGES FOR THE LEGAL DEPARTMENT? HOW CAN DATA PROTECTION BE IMPLEMENTED IN A LEGALLY COMPLIANT BUT STILL VIABLE MANNER?
With a topic of such a strongly bureaucratic nature, the key challenge is to keep it at a healthy level. It does us no good to introduce hundreds of forms to fill in and then lose all our customers after some time. GDPR compliance can be achieved in an uncomplicated and legally sound manner with common sense and good templates!
This balancing act also extends to the other side. To some extent, we notice considerable uncertainty among our customers. This is understandable, as nobody wants to make mistakes when facing penalties. This sometimes leads customers to expect more bureaucracy from us than would be necessary for a collaboration in accordance with the GDPR. At the same time, we face the challenge that we deliver our support in a process-driven way and have integrated data protection into existing processes. We provide our services with 250 highly qualified engineers, a scale at which customized bureaucratic solutions no longer work well. We would like our business to work where it is at its best. We would like to keep the extra administrative effort as low as possible for our engineers, who are our most valuable resource. However, as an understanding system integrator, we have so far been able to come to an agreement with every customer with regard to common standards and procedures.
HOW DOES NTS AVOID MISTAKES?
Here, we opted for a risk-oriented approach as well. The protection of the content-related data of each person concerned takes center stage: we consider ourselves to be in a guarantor position towards our customers. In our company, this is looked at from the top down and it is a special concern of our board members: we are entrusted with information and we take it as a given that we protect it adequately. Personal information is under special legal protection for good reason.
Accordingly, the GDPR provides several starting points for the authorities to investigate the responsible persons and subsequently fine them. And we are not even mentioning the disastrous public impact of a data protection problem. The most obvious start of such a process is certainly a complaint from an affected person or a severe security leak that must be reported to the authorities. If this happens, you will be in the spotlight. We try to give no reason for any of these issues to occur, and we reckon we are well positioned for that. Data protection is best done in the quiet.
IS THE DATA PROTECTION DONE TO 100% BY NTS ITSELF?
We have considerable expertise from all angles in the legal department as well as in the specialist departments with regard to data and information protection. However, it is never the best idea to only “stew in your own juice”. It was not easy to find a partner who was able to support us with experience and competent advice. During the early days, when the GDPR was implemented and became valid, we received several advertising letters every day from consultants who just seemed to have discovered this topic.
However, you need experience to deal with the topic of data protection. As a matter of fact, only very few people were interested in the topic prior to the GDPR. This experience was only sparsely available on the market, but it was in much higher demand and accordingly booked up. The GDPR created a demand for an additional 75,000 data protection experts practically overnight (despite a lead time of two years). Luckily, we already had the relevant know-how in-house in the legal department, and thus a sensitized management board, which allowed us to implement the topic calmly and professionally. Therefore, we were able to complete our “compulsory exercises” on time. We have since moved on to the “freestyle” alongside daily data protection operations, and we are continually refining our data protection management and our policies.
WHICH CHALLENGES DOES THE CONTINUOUS GROWTH OF NTS BRING?
As a global business, we are now right in the choppy waters of the GDPR's complexities. Data transfers within the group, especially to third countries, are neither favored by the GDPR nor easy to govern. This is a tremendous advance for the persons concerned, as one cannot hide behind complex company structures in order to disguise data processing.
Each part of a company requires a legal reason and a legal basis to be permitted to use a dataset. For that purpose, one certainly also has to think thoroughly about the business processes and the data flow in the company. With the obligation to keep records, the GDPR guides a company with the necessary rigour.
The downside is the comprehensive agreements that must be concluded within the company for the intertwined data applications.
SECURITY AT NTS
WHICH THREATS ARE NTS, AND BUSINESSES IN GENERAL, EXPOSED TO?
It is not easy to find a general answer to this question – each business must consider for itself which threats it or its industry may be exposed to. It is helpful to run through a list of potential threats, and one does not necessarily need to start with cyber threats. It starts with “trivial” issues such as fire, lightning strike (which could greatly restrict availability), lack of personnel (pandemic), theft or an attack. An attacker could take advantage of weaknesses (vulnerabilities) or configuration errors (or even questionable software development).
A big topic is malware, and here it is mainly ransomware that is booming, as well as phishing, or in more general terms social engineering. However, wherever human beings work, mistakes happen, and they may have huge impacts.
The same applies here as well – the topic is VERY complex. To tell a few inside stories: we are currently focusing on protection from social engineering attacks (employee training and awareness programs), on faster detection of weaknesses (here we are helped by our NTS DEFENSE team, which also offers NTS Vulnerability Management as a managed service to our customers), and we also have to, and want to, become better at discovering unusual activities and malware attacks. Here, our DEFENSE team is involved as well (NTS THREAT DETECTION SERVICE | SIEM).
WHAT AT NTS IS WORTHY OF PROTECTION?
Our approach is risk- and business-oriented. This means that we identify the essential business processes of NTS (though one can also take departments or their products as the starting point) and, together with top management, determine the importance of availability, confidentiality and integrity for the individual IT services/processes. The processes that keep our business alive are naturally the most important. This involves everything concerning customer contracts. One of the most important lifelines, for example, is our NTS OC (Operations Center).
The OC has to comply with certain SLAs with customers, which means that it has stringent requirements for the availability of the network and the alert management. Next, supported by tools, we model the necessary services all the way down to network components such as DNS or AD. The result of this modeling is the protection level and the requirements for the systems beneath. As for confidentiality: we gain access to very sensitive customer information, and we protect it at the highest level. Everything else is subordinated to this goal.
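As an added example (not NTS's own tooling), the service modelling described above in Python: each underlying component inherits, per protection attribute, the strictest requirement of every business service that depends on it, transitively. The service names, the 1..3 level scale and the dependency graph are assumptions made for illustration.

```python
# Added example, not NTS's tooling. Levels 1..3 per attribute, graph and
# service names are assumptions; the inheritance rule is the point.
from typing import Dict, List, Tuple

CIA = Tuple[int, int, int]   # (confidentiality, integrity, availability)

# Requirements agreed with top management for business services (assumed).
SERVICES: Dict[str, CIA] = {
    "NTS OC":         (3, 3, 3),   # SLA-bound operations centre
    "Intranet wiki":  (2, 1, 1),
    "Guest Wi-Fi":    (1, 1, 2),
}
# Technical dependencies: node -> components it cannot run without.
DEPENDS_ON: Dict[str, List[str]] = {
    "NTS OC":        ["Monitoring", "Ticketing"],
    "Intranet wiki": ["AD", "DNS", "Wiki host"],
    "Guest Wi-Fi":   ["DNS", "Captive portal"],
    "Monitoring":    ["DNS", "AD", "Network core"],
    "Ticketing":     ["AD", "DB cluster"],
    "DB cluster":    ["Network core"],
}

def derive_requirements() -> Dict[str, CIA]:
    """Push each service's requirement down its dependency tree; a shared
    component (DNS, AD) ends up with the per-attribute maximum."""
    result: Dict[str, CIA] = dict(SERVICES)

    def push(node: str, req: CIA, path: frozenset) -> None:
        if node in path:                       # guard against modelling errors
            raise ValueError(f"dependency cycle at {node}")
        cur = result.get(node, (0, 0, 0))
        merged = tuple(max(a, b) for a, b in zip(cur, req))
        result[node] = merged                  # type: ignore[assignment]
        for child in DEPENDS_ON.get(node, []):
            push(child, merged, path | {node})  # type: ignore[arg-type]

    for svc, req in SERVICES.items():
        push(svc, req, frozenset())
    return result

def protection_level(node: str) -> int:
    """Overall level of a component = its strictest single attribute."""
    return max(derive_requirements()[node])

if __name__ == "__main__":
    for name, req in sorted(derive_requirements().items()):
        print(f"{name:14} C/I/A={req}  level={max(req)}")
```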
WHICH POTENTIAL WEAKNESSES IN THE TECHNICAL SECTOR ARE CONSTANTLY MONITORED?
All of them. Together with our NTS DEFENSE team, we developed a system to establish which weaknesses we should concentrate on first. There are of course many sources for detecting weaknesses. One of them is our vulnerability management, which we outsourced internally to the NTS DEFENSE team.
We detect weaknesses that we have not already discovered via feeds or mailing lists with very tight-meshed and constant scans (even locally on the systems themselves). The importance is classified according to a formula based on the criticality (CVSS), the kind of exploitability (remote, simple, local only, ...), the importance of the affected system and the accessibility of the system. Weaknesses with the highest importance are remediated faster. This would not work without experts and without constant tuning and the processing of high data volumes.
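The prioritization formula above is not disclosed, so here is an added example (not NTS's formula) that combines the four factors named in the text into a priority score and a remediation deadline. All multipliers, the 1..5 importance scale, the deadline tiers and the sample findings with placeholder CVE ids are assumptions.

```python
# Added example, not NTS's formula: rank scan findings by CVSS criticality,
# exploitability kind, system importance and reachability. All weights,
# tiers and sample data are assumed for illustration.
from dataclasses import dataclass
from typing import List, Tuple

EXPLOIT_KIND = {"remote": 1.0, "simple": 0.8, "local": 0.4}      # assumed
ACCESSIBILITY = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}  # assumed

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # placeholder ids in the sample below
    cvss: float       # CVSS base score, 0.0 .. 10.0
    exploit: str      # key of EXPLOIT_KIND
    importance: int   # business importance of the system, 1 .. 5
    access: str       # key of ACCESSIBILITY

def priority(f: Finding) -> float:
    """0..100: CVSS scaled by how, where and on what the flaw is exploitable.
    Out-of-range input raises instead of silently ranking low."""
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= f.importance <= 5:
        raise ValueError(f"out-of-range input for {f.host}/{f.cve}")
    score = (f.cvss / 10.0) * EXPLOIT_KIND[f.exploit] \
        * (f.importance / 5.0) * ACCESSIBILITY[f.access]
    return round(score * 100, 1)

def remediation_days(score: float) -> int:
    """Assumed SLA tiers: the higher the priority, the sooner the fix."""
    if score >= 60:
        return 7
    if score >= 30:
        return 30
    return 90

def triage(findings: List[Finding]) -> List[Tuple[str, str, float, int]]:
    """Findings sorted by descending priority, each with its deadline."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.host, f.cve, priority(f), remediation_days(priority(f)))
            for f in ranked]

# Constructed sample findings (placeholder CVE ids, fictitious hosts).
SAMPLE = [
    Finding("dns01", "CVE-XXXX-0001", 9.8, "remote", 5, "internal"),
    Finding("web01", "CVE-XXXX-0002", 7.5, "remote", 3, "internet"),
    Finding("lab07", "CVE-XXXX-0003", 9.0, "local", 1, "isolated"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Note that the isolated lab host with a CVSS 9.0 local flaw lands far below the internal DNS server, which is what weighting by importance and accessibility is meant to achieve.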
WHICH SECURITY TECHNOLOGIES ARE USED AT NTS?
For security reasons, we are not allowed to disclose which products are used where and how. We cannot, of course, mention it, but we are true to the principle: “Eat your own dogfood!” This means that we employ solutions that we also keep in our portfolio. The area of security is so broad that there are naturally products that cannot be found at NTS.
We rely on firewalls, which we also sell to our customers. We count on malware and URL protection and of course on e-mail security solutions. Together with social engineering, e-mail traffic is still the most important entry point for all criminal activities. Our department, which is responsible for the security of NTS, is also always an important sparring partner for and beneficiary of our NTS SECURITY SERVICES and our NTS DEFENSE department, with its NTS Vulnerability Management and NTS THREAT DETECTION SERVICE | SIEM.
WHERE ARE THE STRENGTHS OF NTS ON THE TOPIC OF SECURITY?
The decision of our ISMS to go for certification according to ISO 27001 was a big step in the right direction. Do not get us wrong – even before the certification everybody at NTS was striving to make NTS more secure, but an organized and proven approach comes with a lot of advantages. Furthermore, in this way one is forced again and again to reassess one's standpoint and focus and to have them evaluated by independent experts.
We have the in-house product expertise, which means that questions such as “In which version, with which feature set is the security solution the most effective?”, “How can I apply the solution in the most efficient way?” or “Which version of the software is the most stable?” can be answered quickly. Here, the experience of our experts, who are confronted with these questions at customers day in, day out, helps. The big advantage of our NTS SECURITY SERVICES and DEFENSE teams (one that also benefits customers) is that the experts are not only familiar with our systems but also have a view of other companies. Thus, they do not become blinded by routine. Furthermore, we are better able to evaluate threat situations.
WHICH ADVANTAGES DO CUSTOMERS GAIN FROM THE NUMEROUS MEASURES AND TECHNOLOGIES OFFERED BY NTS?
The most important advantage for our customers is the fact that we protect their information in a conscious and focused manner. Every day we learn something new, and we try to utilize this internally as much as possible. However, what we see and learn can also indirectly benefit the customer. Our engineers who monitor the condition of our systems and manage our weaknesses also do this for our customers. That way, everybody benefits. There is another huge benefit of performing this function internally: one can focus on risks, since locating and evaluating weaknesses is left to the DEFENSE people.
HOW DOES NTS EXPERIENCE THE SECURITY TOPIC IN DAILY PROFESSIONAL LIFE?
Employees have to keep security in mind at every step of every process. They are also constantly reminded of the security measures, for instance when they are in protected areas and have to open doors with their access cards/employee badges. That is when our employees realize that security barriers are installed there. Other measures, such as encrypted mobile devices, are only apparent to specialists, but they are no constraint on daily operation.
However, everybody is tasked with being attentive to external e-mails. Occasionally, e-mails sent with malicious intent still reach the recipient despite highly automated support. That is when each individual has to pay attention and evaluate the legitimacy of the message. Here as well, experts are available to help, but the fast (wrong) click should not happen.