S 2.340 Consideration of legal framework conditions
Initiation responsibility: Top Management
Implementation responsibility: Supervisor, Head of Organisation, Top Management
When processing information, a number of legal or contractual framework conditions must be taken into account. They vary greatly depending on the type of the organisation, the industry and the business processes.
Typical areas of information processing that are subject to special statutory regulations include:
- protection of personal data,
- use of cryptographic procedures,
- protection of intellectual property,
- proper operation of IT systems.
Depending on the country in which the information is processed and on the particular application scenario, numerous other legal regulations may also apply. Providing a list of these regulations is beyond the scope of the IT-Grundschutz Catalogues. In various IT-Grundschutz areas, country- or industry-specific laws regarding, for example, cryptography, outsourcing or archiving are addressed. Due to the number of possible legal framework conditions, these are only examples without any claim to completeness or currency.
All statutory, contractual and other provisions to be taken into consideration for the business processes and information as well as for operating IT systems and the related physical infrastructure must be identified and documented. Here, it must be taken into account that statutory provisions often differ on the national and regional level. As a consequence, the laws applicable at each location must be complied with. In addition, it must be taken into consideration that different provisions and regulations might be applicable depending on the type of the business processes and the application scenario of the IT systems (e.g. office environment, process control).
In particular,
- all operational practices and approaches used,
- all information processed as part of the business activities,
- all IT systems installed (hardware and software), and
- the physical infrastructure required for operating the business processes and IT systems
must comply with the applicable legal regulations. All changes to statutory requirements must be recorded and the changes relevant to the organisation must be taken into account.
Managers bearing the legal responsibility for the organisation on site must ensure that the statutory provisions to be applied are identified and documented. A lawyer or legal expert should be engaged for this task. If the required knowledge or the necessary resources are not available within the organisation, external legal advice should be obtained. Since not all employees have to know all laws and regulations, the statutory and contractual provisions relevant to the individual areas of the organisation should be worked out. To monitor compliance with such provisions and regulations, responsible persons can be appointed in the individual areas. For example, the organisation's Data Protection Officer is responsible for working towards compliance with the applicable data protection provisions as well as for compiling, and ensuring compliance with, a set of rules applicable throughout the organisation to protect personal data. The IT management must ensure that licence management is defined and documented.
Of course, every single employee, and the management personnel in particular, is responsible for implementing the regulations regarding legal aspects and for monitoring compliance with them (see also S 3.2 Commitment of staff members to compliance with relevant laws, regulations, and provisions).
Review questions:
- Is there a document providing an overview of all statutory provisions relevant to the organisation?
- Are the responsibilities and authorities for compliance with statutory provisions defined?