S 2.42 Determination of potential communications partners
Initiation responsibility: IT Security Officer, Head of IT, Data Protection Officer, Head of Organisation
Implementation responsibility: IT Security Officer
When information is to be transferred to a communications partner, it must be ensured that the recipient has the necessary authorisations to handle and process this information. If information is to be exchanged between several communicating parties, then all parties involved should be able to see who has received and who will receive the information. In order to meet the above criteria, it must be determined which communications partners may receive which information. To accomplish this, it is necessary to classify all information according to its strategic importance to the organisation (see S 2.217 Careful classification and handling of information, applications, and systems).
The recipients must be made aware of the fact that the data transferred may only be used for the purpose for which they were passed on. For data protection reasons (see, for example, the Federal Data Protection Act (BDSG), Transfer Control), a list of persons authorised to receive information, in particular personal data, through the transmission of data or an exchange of data media should be created.
Review questions:
- Has it been determined which communications partners may receive which information?