
Germany Regulations

Please note: Data privacy laws in the European Union have a very strong emphasis on protecting the individual’s right to know what personally identifiable data is being collected, who is collecting the data, and for what purposes. Furthermore, such laws protect the individual’s right to refuse collection, dissemination, or analysis of their personal data. Organizations who collect personally identifiable data have an obligation to confirm exactly what data is considered protected, what consent they need to obtain from data subjects, and what safeguards they should employ to protect that data from unauthorized uses.

See how the WhatsUp Gold family can mitigate risk and protect personal data to comply with the German Federal Data Protection Act.

Like many other countries with similar privacy regulations, the German Federal Data Protection Act seeks to "protect individuals against infringement of their right to privacy as a result of the handling of their data." The act applies to both public and private institutions. In the event of a security breach, Section 42a, a strengthening of the Act revised in 2009, stipulates that organizations must inform their respective data protection authority and the affected parties.

Without the right risk mitigation solution in place, you could be setting your company up for a costly security breach and audit: fines for material breaches of the German DPA can now reach EUR 300,000. See how the WhatsUp Gold family of solutions can help prove compliance with the act:

Federal Data Protection Act Requirement | How WhatsUp Log Management Addresses the Requirement

(Section 9)

Public and private bodies which collect, process or use personal data on their own behalf or on behalf of others shall take the necessary technical and organizational measures to ensure the implementation of the provisions of this Act, especially the requirements listed in the Annex to this Act.

Annex
Measures:

  1. to prevent unauthorized persons from gaining access to data processing systems for processing or using personal data (access control),
  2. to prevent data processing systems from being used without authorization (access control),
  3. to ensure that persons authorized to use a data processing system have access only to those data they are authorized to access, and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording (access control),
  4. to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred personal data using data transmission facilities (disclosure control),
  5. to ensure that it is possible after the fact to check and ascertain whether personal data have been entered into, altered or removed from data processing systems and if so, by whom (input control),
  6. to ensure that personal data processed on behalf of others are processed strictly in compliance with the controller’s instructions (job control),
  7. to ensure that personal data are protected against accidental destruction or loss (availability control),
  8. to ensure that data collected for different purposes can be processed separately.

How WhatsUp Log Management addresses the requirement:

  • Automatic collection and consolidation of log files from all types of infrastructure and applications for near real-time review and forensic analysis
  • Real-time monitoring and detection of suspicious events and messages to mitigate risk of unauthorized use of and security threats to personal data
  • Protection of archived log data via cryptographic hashing / FIPS 140-2 encryption & validation to maintain personal data integrity
  • In-depth forensic analysis to pinpoint where security policies went wrong in the aftermath of a security event
Requirement | Recommended WhatsUp Log Management Report

(Annex, Section 9)

Where personal data are processed or used in automated form, the internal organization of authorities or enterprises is to be such that it meets the specific requirements of data protection. In particular, measures suited to the type of personal data or categories of data to be protected shall be taken:

  1. to prevent unauthorized persons from gaining access to data processing systems for processing or using personal data (access control),
  2. to prevent data processing systems from being used without authorization (access control),
  3. to ensure that persons authorized to use a data processing system have access only to those data they are authorized to access, and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording (access control),
  4. to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred personal data using data transmission facilities (disclosure control),
  5. to ensure that it is possible after the fact to check and ascertain whether personal data have been entered into, altered or removed from data processing systems and if so, by whom (input control),
  6. to ensure that personal data processed on behalf of others are processed strictly in compliance with the controller’s instructions (job control),
  7. to ensure that personal data are protected against accidental destruction or loss (availability control),
  8. to ensure that data collected for different purposes can be processed separately.

Recommended WhatsUp Log Management reports:

  • Account Management – Success/Failure
  • Directory Service Access – Success/Failure
  • System Events – Success/Failure
  • Object Access Attempts – Success/Failure
  • Object Deletions
  • Group Management
  • Password Reset Attempts by Users
  • Password Reset Attempts by Administrators or Account Operators
  • Computer Account Management
  • Directory Service Access Attempts
  • Logon Failures – Active Directory
  • Logon Failures – Local Logons