The legal term “state of the art” has received increased attention in recent years. Here is what it means and which measures can be taken.
What is the “state of the art”?
“State of the art” is a term that is heard and read more and more often. It is used in various areas, including IT.
Since it is an indeterminate legal term, the meaning of “state of the art” turns out to be vague and sometimes subjective. In the German Jura Forum it is explained as follows:
“The state of the art summarizes the technical possibilities that are guaranteed at the current point in time and that are in turn based on scientific and technical knowledge.
Using the clause “state of the art”, for example in contracts, is intended to ensure that the best available technology is used.”
The following paragraphs explain what the “best available techniques” or “state of the art techniques” mean in IT and especially in information security.
A further approximation of what the term “state of the art” means is provided by the three-level model, in which the “state of the art” lies between the “existing scientific knowledge and research” and the “generally accepted rules of technology”.
State of the art in information security
Hardware and software are developing steadily and rapidly. Systems that were considered high-end or cutting-edge a few years ago are obsolete today. Unlike hardware, software can be continually improved, optimized and adapted through updates.
But at some point the end of the line is reached here as well. The product life cycle ends and a new software and/or hardware generation takes over. From that point on, the hardware and software used up to now is no longer state of the art.
Software that is provided with security updates by the respective manufacturer is generally recognized as state of the art.
Conversely, this means that software without manufacturer support is generally no longer considered state of the art! Measures must therefore be taken if the software in question is to continue to be used.
Examples from IT
Let’s move from theory to practice. Here are two well-known examples of systems that either are no longer state of the art or will not be for much longer:
- Floppy disks, like the ones in our lead picture, are definitely no longer state of the art. The technology is far outdated and unreliable.
- Extended support for Windows Server 2008 R2 SP1 ended at the beginning of 2020, which means that from that point on the operating system no longer counted as a “state of the art technique”.
Windows 11 is here and is slowly gaining adoption. Companies should therefore make sure they find out when official support for Windows 10 ends. It is also advisable to implement measures to harden Windows 10 in the meantime.
What about the GDPR?
One important reason why IT managers in particular are increasingly talking about the state of the art is the General Data Protection Regulation (GDPR).
Supposedly simple things such as transferring data from A to B or using personal data for a purpose other than the one for which it was collected are prohibited under the GDPR unless permitted. And state of the art measures are required to protect personal data.
If companies collect and process employee and customer data with systems that do not comply with the state of the art, this may already constitute a violation of the GDPR, which applies throughout Europe.
In the event of data protection violations, the national supervisory authorities levy fines. These can be very high! Even minor violations can cost a company six-figure sums, while serious incidents are sanctioned with up to 20 million euros or up to 4% of the total global annual turnover according to Art. 83 of the GDPR.
IT security law and other legislative measures
Even apart from sanctions such as fines, every company is obliged:
- to keep its customers’ information and its own information secret and secured [confidentiality]
- to secure its own systems against intentional or unintentional manipulation by means of various measures [integrity]
- to make information available in a stable and efficient manner [availability]
To ensure that these important protection goals are turned into concrete measures, the IT-SiG (IT Security Act) was passed back in 2015. The German Federal Office for Information Security (BSI) comments:
“The aim of the IT Security Act is to improve IT security at companies and in the federal administration, as well as to provide better protection for citizens on the Internet.”
The IT Security Act, the GDPR and other ordinances, regulations/laws and recommendations are intended to ensure that IT security in Germany and Europe is advanced in line with the current state of the art.
Among other things, the Critical Security Controls (CSC) of the Center for Internet Security (CIS), which we highly recommend as a CIS member, can support this.
Recommendations from Teletrust
What the state of the art means in relation to the GDPR is explained in more detail in the very good and free handout from the German “Bundesverband IT-Sicherheit e.V.” (“Teletrust”).
The Teletrust state of the art handout lists numerous measures, for example:
- Enforcement of strong passwords
- Use of trusted connections to company networks such as VPNs
- Encryption of hard disks, files, and folders
- Increasing router security
- Proper communication via instant messenger
- Implementation of system hardening measures, e.g. with the Enforce Administrator
We also recommend and implement numerous measures for increasing information security to our customers on a daily basis. In order to achieve the current state of the art, we rely, among other things, on:
- Imparting basic knowledge. For example: What are the differences between information security, data protection and IT compliance?
- Regular audits and checks with AuditTAP. This allows configurations to be quickly checked for security flaws and settings that need improvement.
- Regular GDPR compliance checks for Windows 10, which are also possible with AuditTAP, among other tools.
- The replacement of systems where extended support ends.
Many other sensible measures could be mentioned at this point. We would be happy to explain these to you in a personal meeting.
What is the aim of the measures?
System hardening as a measure counters, among others, the following IT security threats:
- The risk of manipulation of personal and sensitive company data.
- Risks associated with data leakage, such as the extraction of entire databases.
- Threats related to manipulation of applications on servers or on linked systems.
- Risks related to manipulation, sabotage, or espionage in operational and production processes.
- The threat of identity theft, for example in attacks on domain controllers.
- The threat of malware infiltration and spreading.
- Misuse of server capacity, for example for crypto-mining.
- The threat of attackers using corporate servers as a springboard to attack other systems.
Even though the current state of the art is not exactly defined legally, there are some sources and references that describe the term and its application very well.
What you should never forget: securing and hardening IT systems and protecting data and information are not trivial matters! They are essential for the business and the continued existence of companies, especially as digitalization continues to pick up speed and permeate all of our lives more intensively. At the same time, the threat of cyber attacks is increasing massively.
Therefore, keeping hardware and software up to date is an essential component of IT security to protect your systems!