Security Is a Matter of Trust.

Transcription

1 Security Is a Matter of Trust.

2 Dear Readers: Data protection and data security are a top priority. In these times of tougher and tougher global competition, employees, partners and suppliers must be committed to the issue of data security and be sensitized to corresponding measures. Secure data and business processes are the foundation of business success. This applies to you, our customers. But it applies even more to T-Systems, because for us data security and trust in our services are the basis for all of our business activities. T-Systems operates data networks worldwide for you and processes your data in its own data centers. We are very aware that data security has absolute priority in this process. You yourself decide on the level of security that you wish to apply to your corporate information. Our security concept gives you a myriad of options for this. In addition, the security measures, processes and procedures are independently reviewed year after year and are demonstrated through ISO/IEC certification. On the following pages you will find out the measures that T-Systems has implemented in the data centers in order to protect your information. These measures include more than technical solutions, because security starts in the minds of our employees. This is why we launched a worldwide security awareness campaign at the beginning of 2006 and honed the knowledge of our 56,000 employees in over 20 countries regarding the handling of sensitive information and we are continuing with these activities. Sincerely, Reinhard Clemens Member of the Board of Management Responsible for Business Customers at Deutsche Telekom and CEO of T-Systems

3 Secure Data? Absolutely! The processing and administration of customer information by external service providers is a matter of trust. The survival of a company can depend on the security of data, their protection from manipulation and, last but not least, their high availability. Studies conducted by independent market researchers show that most companies cannot survive longer than one week without their IT data, from an economical aspect. And this applies worldwide. The effects on the international economy can be devastating because suppliers and sub-suppliers quickly get pulled down with the undertow. T-Systems operates its own data centers for its business customers, which include banks, security authorities and public administrations. Therefore, T-Systems feels a high degree of obligation when it comes to the issue of data protection and data security. Regular checks as well as inspection of the security systems by customers and independent bodies are mandatory. They prove the high security level of the data centers time and again. The external data processing of customer data is and will remain a matter of trust. The individual wishes of customers have the highest priority for T-Systems. In principle, the following applies: The data that T-Systems administers belongs to the customer during its entire life cycle. The customer alone decides the degree to which his or her data should be protected by T-Systems. The newest technology is used at T-Systems data centers. This applies both to the hardware as well as software. Continuous updating of security components such as firewalls, virus scans and spam filters as well as other highly professional, integrated security solutions is standard practice. Highly qualified IT experts work round the clock and ensure that process chains are secure and are not interrupted. The Customer Decides. At T-Systems, the customer can choose between various interconnected security models. Data can be protected according to verifiable criteria and with various measures in accordance with their priority. T-Systems consultants work out an individual security package with each company that addresses the requirements of their organization. This includes the issue of access rights, among other things. Only the customer decides whether T-Systems may access his or her data in order to carry out a task. Data that requires special protection is stored in T-Systems data centers in such a manner that only their owner, but not T-Systems employees, can access them. Integrated Security Strategy. Security is an integral component of all business processes at T-Systems. That means that all processes are continuously verified for security-relevant components and updated. Each individual employee, up to the executive level, is responsible for implementing the required steps. This security concept comprises continuous development and the further development of a standardized security management system which is based on international standards as well as on certification in accordance with worldwide recognized standards (ISO/IEC 27001, BS25999). Security at a Glance. Proof of Certification Data centers at home and abroad are certified in accordance with the international security standard ISO/IEC Annual SOX and SAS-70 inspections confirm the security level. Internal Control System Deutsche Telekom s security organization manages and controls the internal security level and conducts regular inspections of the security measures. Security Awareness Systematic awareness measures for motivation and information about security topics and increases the safety awareness of employees. Secure Infrastructure and Work Tools Implementation of security standards on platforms, systems, infrastructure and clients, such as hard drive encryption, TIKS card, intrusion detection systems, access control with isolating devices and security zones. Regular Inspection of the Security Level by External Auditors Carrying out of revisions and penetration tests ensure the highest possible security level.

4 Security Processes with Certificate. National and international mandatory standards apply to security and quality standards. They are worked out and verified by independent bodies. T-Systems has been certified by DQS GmbH according to these standards and consistently applies the prescribed measures. T-Systems data centers at home and abroad and other central areas are certified in accordance with the international security standard ISO/IEC This guarantees the highest security standards. Customers can rely on the fact that their corporate data as well as all business processes that operate through T-Systems data centers are handled with a high degree of quality and security. This is also attested to by a Type II SAS-70 Report, a certificate provided by the independent consulting firm Ernst & Young. This report confirms that all checks are applied and effective at T-Systems. Security is not an off-the-rack solution. But rather, security is connected to continuous processes which must be constantly further developed. T-Systems security management works tirelessly to inspect all safety-relevant measures in order to guarantee a high level of security. T-Systems is also annually evaluated by independent experts and bodies. All security processes and procedures as well as the effectiveness of their implementation are verified on a rotating basis. ISO/IEC This is how T-Systems is certified. 1. Security Strategy Guidance by executive management regarding information security in the company. 2. Security Organization Infrastructure to guarantee information security, classification and verification of values. 3. Determination and Classification of Values Classification of information, identification and processing of information. 4. Personnel Security Security for job descriptions and in the provision of resources, user training, procedures in the event of safety incidents and problems. 5. Physical and Environmental-Related Security Security zones, device security, general measures. 6. Management of Communication and Operations Operating procedures and responsibilities, system planning and acceptance, protection from malicious software, household organization, network management, handling and security of data carriers, exchange of information and software. 7. Access Control Business requirements regarding access control, administration of the access rights of users, user responsibility, network access control, control of operating system access and system usage, mobile computing and telecommuting.

5 Secure Processing of Sensitive Data. Security begins with every employee. Starting with the hiring process, job applicants for security-relevant business areas have to answer questions defined by ISO The rule of thumb here, of course, is: The higher the security level, the stricter the check. Data centers are highly sensitive environments and are therefore subject to special rules. A different access control is mandated for the various areas of a data center. T-Systems uses state-of-the-art locks for its highly secure data centers which can only be accessed with a personalized security card with which only one person can be clearly identified. IT-based protocols for all areas and sub-areas document access time, the duration of a person s stay as well as when a person leaves the secured area. This way it is possible to easily prove at all times who was in the data center at what time, where and how long they worked at the data center and what they worked on. Supervised Data Access. Identifying and authenticating employees working with customer data are important elements of the security rules which are written in stone for T-Systems data centers. Only clearly identified employees can log in to the systems. Authentication governs who may work with which data and how. Automatic reporting of log-ins and log-outs documents in detail which employees worked with customer information and for how long. If desired, different encryption mechanisms are activated during data transmission, to prevent unauthorized access and the manipulation or destruction of data. Active network components report the forwarding of data. T-Systems utilizes secure transmission paths for both data transmission and business processes for example so-called virtual private networks that do not allow access of unauthorized persons. Detailed instructions are in place for employees who must access data within the scope of their tasks. Individually defined authorization concepts govern access to data pools or parts thereof. A mandatory security framework is created in close cooperation and in accordance with the customer s specifications. This framework can be adapted to current requirements at any time. A regular logical separation of the database ensures that data collected for different purposes can be processed separately. If required, a spatial separation can also be carried out in order to differentiate protection of the data. Keeping Our Eyes Open Regarding Disposal. Even the most careful of security mechanisms cannot take hold if data protection does not comprise the data s entire life cycle. Time and again discoveries of old data carriers or carelessly disposed hardware with highly sensitive data make the headlines. And all this despite the fact that comparatively simple measures are sufficient to irretrievably delete data. T-Systems deletes and destroys data as well as data carriers and the associated storage hardware in compliance with data protection and security regulations. Certified disposal companies are reliable partners who attest to proper hardware disposal for each individual case. Security Starts in the Mind. For years T-Systems and its employees have been committed to the area of security with a worldwide security awareness campaign. In 2007 it received the security award from the federal state of Baden-Württemberg. Awareness that sensitive information must be treated in a responsible manner is an important pillar of our corporate philosophy. This is why T-Systems together with the Pforzheim Technical College evaluates the security awareness of each employee year after year.

6 Distributed by: T-Systems Enterprise Services GmbH Mainzer Landstraße Frankfurt am Main K-Nr Stand 11/2008 vs Contact