
B-Rating Requirements
The training must cover the content of the information security policy and address current threats. The content must include at least the following topics:
- Proficient use of computers and information
- Correct selection and management of passwords
- Safe behaviour on the Internet (e.g. use of company data in AI services and social networks)
- Emails, spam and phishing
- Dangerous malware
- Behaviour and procedure when an IT security incident is suspected
Full training must take place at least when a person joins the company, and updated information must be communicated at least every two years.
There must be at least one named person who is responsible for the topic of information security, i.e. someone who writes the policy, oversees the implementation of the measures and is given the necessary time to do so. This person must have the necessary basic technical knowledge of the topics and keep themselves informed about cyber risks. The role can be carried out alongside other duties or by external parties on behalf of the company.
- There must be a directory of all IT assets used (systems, services - cloud and on-premise). This directory must at least contain the name and version of the system and the person responsible for it.
- The directory must be kept complete and up to date.
- Access to both applications and file systems must be regulated, and authorizations must be set correctly so that only people whose job profile requires it (need-to-know) can access them.
- There is a documented procedure for granting and revoking permissions.
There must be clearly described minimum criteria for passwords that implement the recommendations of current standards (password strength, two-factor authentication where necessary and appropriate, separation of passwords, etc.). Reference: BSI, NIST 800, etc.
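As an added illustration of what "implementing the recommendations of current standards" can look like in a system that lets users choose passwords (this is example code, not part of the rating requirements or of any referenced standard): the checker below follows the memorized-secret guidance in NIST SP 800-63B, i.e. a minimum length, acceptance of long passphrases and spaces, no composition rules (no forced digits or symbols), and a comparison against a blocklist of common, compromised and context-specific values. The minimum and maximum lengths, the blocklist and the sample passwords are constructed assumptions for the example.

```python
import unicodedata
from dataclasses import dataclass, field

# Assumed policy values for this example (NIST SP 800-63B: at least 8 characters
# for user-chosen secrets, verifiers should accept at least 64).
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed, deliberately tiny blocklist. A real deployment would load a
# large corpus of breached and commonly used passwords instead.
BLOCKLIST = {
    "password", "passw0rd", "12345678", "qwertyui", "letmein1",
    "iloveyou", "welcome1", "admin123",
}


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def _normalize(secret: str) -> str:
    # Normalize Unicode so visually identical inputs compare equally.
    return unicodedata.normalize("NFKC", secret)


def _is_repetitive(secret: str) -> bool:
    # e.g. "aaaaaaaa": a single repeated character.
    return len(set(secret)) == 1


def _is_sequential(secret: str) -> bool:
    # e.g. "abcdefgh" or "87654321": every code point steps by +1 or -1.
    if len(secret) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps == {1} or steps == {-1}


def check_password(secret: str, username: str = "", service_name: str = "") -> Verdict:
    """Return a Verdict listing every rule the candidate secret violates.

    Deliberately no composition rules (uppercase/digit/symbol requirements):
    the referenced guidance advises against them because they reduce usability
    without improving strength in practice.
    """
    reasons = []
    secret = _normalize(secret)
    lowered = secret.lower()

    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        reasons.append("appears on the blocklist of common or compromised passwords")
    if username and username.lower() in lowered:
        reasons.append("contains the username (context-specific value)")
    if service_name and service_name.lower() in lowered:
        reasons.append("contains the service name (context-specific value)")
    if _is_repetitive(secret):
        reasons.append("consists of a single repeated character")
    if _is_sequential(secret):
        reasons.append("is a sequential run of characters")

    return Verdict(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ["correct horse battery staple", "Passw0rd", "alice2024!xyz"]:
        verdict = check_password(candidate, username="alice", service_name="intranet")
        print(f"{candidate!r}: {'accepted' if verdict.ok else 'rejected: ' + '; '.join(verdict.reasons)}")
```

The two-factor and password-separation requirements cannot be expressed in such a check; they belong in the policy text and in the authentication system's configuration.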
There must be a document that describes the requirements for the secure configuration of the systems in use. References to manufacturer recommendations are sufficient. These settings must actually be implemented on all devices in use, as far as technically possible. Alternatively, a vulnerability scan is verifiably carried out before commissioning.
- Systems are updated regularly with the updates provided by the manufacturer. No security update may be more than one quarter overdue (unless there is a documented reason why the update cannot be deployed).
- Systems that are no longer provided with security updates by the manufacturer are decommissioned in a timely manner or there are defined exception processes including a list of deviations and compensating measures.
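The asset directory and the update rules above lend themselves to a simple automated compliance check. The script below is an added example (not part of the rating requirements) that runs over a constructed inventory and reports entries with no responsible person or version, security updates more than one quarter overdue without a documented reason, and unsupported systems without a documented exception. "One quarter" is counted as 90 days here, which is an assumption; the asset records, dates and names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

QUARTER_DAYS = 90  # assumption: "one quarter overdue" counted as 90 days


@dataclass
class Asset:
    name: str
    version: str
    owner: str                 # responsible person, required by the directory rule
    location: str              # "cloud" or "on-premise"
    # Release date of the oldest security update not yet applied, if any.
    pending_update_released: Optional[date] = None
    # Date on which the manufacturer stopped providing security updates, if known.
    vendor_support_ended: Optional[date] = None
    # Documented reason for a deviation (missing update or unsupported system).
    exception_reason: str = ""


def check_inventory(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs for every rule violation found."""
    findings = []
    for a in assets:
        if not a.owner.strip():
            findings.append((a.name, "no responsible person recorded"))
        if not a.version.strip():
            findings.append((a.name, "no version recorded"))

        if a.pending_update_released is not None:
            days_waiting = (today - a.pending_update_released).days
            overdue_by = days_waiting - QUARTER_DAYS
            if overdue_by > 0 and not a.exception_reason.strip():
                findings.append((a.name, f"security update {overdue_by} days past the one-quarter limit, no documented reason"))

        if (a.vendor_support_ended is not None and a.vendor_support_ended <= today
                and not a.exception_reason.strip()):
            findings.append((a.name, "no longer receives security updates and has no documented exception"))
    return findings


# Constructed sample inventory and report date.
REPORT_DATE = date(2024, 6, 30)
SAMPLE_ASSETS = [
    Asset("fileserver-01", "Windows Server 2019", "J. Doe", "on-premise",
          pending_update_released=date(2024, 1, 15)),
    Asset("crm-saas", "2024.5", "", "cloud"),
    Asset("legacy-plc", "3.2", "M. Muster", "on-premise",
          vendor_support_ended=date(2023, 12, 31),
          exception_reason="isolated network segment, replacement planned"),
    Asset("laptop-fleet", "Windows 11 23H2", "IT", "on-premise",
          pending_update_released=date(2024, 6, 1)),
]


def sample_report() -> List[Tuple[str, str]]:
    return check_inventory(SAMPLE_ASSETS, REPORT_DATE)


if __name__ == "__main__":
    for name, finding in sample_report():
        print(f"{name}: {finding}")
```

Running it on the sample data flags the file server (update released 167 days earlier, 77 days past the limit) and the CRM entry with no responsible person, while the unsupported PLC passes because a documented exception is recorded.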
A network segmentation device (e.g. firewall, router) is in use that restricts network traffic from the Internet to the internal network according to rules that are as restrictive as possible.
- It must be possible to transfer files in encrypted form, either by email (e.g. S/MIME, encrypted PDF, mandatory enforced TLS) or via an encrypted upload.
- Form data on the website is only submitted via HTTPS.
- At least the security-relevant standard logs of the operating systems must be enabled. The logs must be available to the company.
- There is an overview of all active system logs and their storage location.
- Server logs are kept for at least 90 days, and client logs for at least 60 days.
The emergency plan (including backup concept) must describe how to respond to a serious IT security incident. Serious security incidents include:
- System failure,
- Malware infection (including cryptolockers), and
- Data leakage.
Plans must be tested at least every two years. The test must cover at least the recovery of data and services.