There are more and more requirements for companies and organizations that need secure configuration or system hardening. Find out what they are here.
From NIS 2 and BAIT to DORA and TISAX
Admittedly, some of the abbreviations may sound a little strange. But behind them are many important global industry standards and EU regulations. Under no circumstances should companies ignore these or take them lightly!
The so-called “cyber war” is raging online, in which small and large companies alike are being attacked by “script kiddies” as well as professional hackers. Your organization’s systems are likely under attack.
To make the IT systems of companies and operators of critical infrastructure more resistant to cyber attacks, numerous regulations have been enacted in recent years – and more will follow.
In the following sections, we highlight some of the regulations, laws, standards and directives that recommend or even directly require Secure Configuration or System Hardening.
ISO 27001
The internationally established standard for information security has been significantly revised. The final version of ISO 27001, known as ISO 27001:2022, has been available since the end of October 2022.
The standard specifies how companies should set up an Information Security Management System (ISMS). This includes requirements for “Security Configuration Management” (= Secure Configuration / System Hardening).
In the “Configuration Management” control, requirements are placed on secure configuration in several dimensions. The following is a simplified overview:
- “Templates” are to be used. This eliminates the need for self-developed hardening configurations.
- Process-related requirements: A structured process must be set up for implementation and monitoring.
- Monitoring of the configuration is also required; changes and deviations (“anomalies”) must be identified.
And very important: The implementation of ISO 27001 is not a singular event! You have to continuously adapt and continuously improve your measures and implementation.
➡ Further information can be found in our article “Configuration Management in accordance with ISO 27001:2022 – How to avoid a deviation”
NIS2
This Europe-wide cybersecurity directive will be extremely important from 2025 onwards: NIS 2. The revised “Network and Information Security” directive is currently still being transposed into national law. It will then come into force and apply to companies with 50 or more employees or a turnover of at least 10 million euros. Approximately 30,000 German companies alone are affected, as they are considered “particularly important institutions” or at least “important institutions”.
“Particularly Important Institutions” or “Important Institutions” must meet significantly more stringent IT security requirements. These include:
- regular risk analyses and professional risk management
- compliance with reporting obligations in the event of cyber attacks
- a guarantee of supply chain security
- technical measures such as Configuration Management.
Interesting: The “NIS Fact Sheet” from the Austrian Federal Chancellery lists numerous measures. It is noticeable that a Secure Configuration is recommended several times:
“Chapter 3.1 System configuration
Network and information systems must be configured securely. This configuration must be documented in a structured manner. The documentation must be kept up to date.”
And in chapter 4.2, “Systems and applications for system administration”, it states:
“Hardware and software used for administrative activities shall be managed and securely configured by the operator or, where applicable, by the service provider that the operator has authorized to perform administrative activities.”
Failure to comply with NIS 2 can result in hefty fines, potentially in the millions of dollars. Doing it right is good for your company’s wallet and good for your information security.
BSI Baseline Protection
BSI Baseline Protection (German: BSI-Grundschutz), also known as IT Baseline Protection (IT-Grundschutz), is a concept developed by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) to ensure information security in companies, public authorities and other organizations.
IT Baseline Protection offers a systematic approach for implementing the necessary security measures. The BSI has published a mapping table that maps the measures of ISO 27001 to IT Baseline Protection. Under the point “A.8.9. / Configuration management”, System Hardening is clearly recommended.
BAIT, VAIT, KAIT & ZAIT
BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht / German Federal Financial Supervisory Authority) has issued several requirements in recent years. These include:
- BAIT (banking supervisory requirements for IT)
- VAIT (insurance supervisory requirements for IT)
- KAIT (capital management supervisory requirements for IT)
- ZAIT (payment services supervisory requirements for IT)
With the new versions of BAIT, VAIT, KAIT and ZAIT, banks, insurance companies, investment companies and capital management companies must meet more requirements than ever before in terms of IT security.
The topic “System Hardening” is specifically mentioned there, for example in the VAIT in the “Operational information security” section in chapter 5.2:
“On the basis of the information security guideline and information security guidelines, the company shall implement appropriate operational information security measures and processes in line with the state of the art.”
And it goes on to say:
“Information security measures and processes take into account, among other things:
- Vulnerability management (..)
- Segmentation and control of the network (..)
- Secure Configuration of IT systems
- Encryption (..)”
DORA
While BAIT, VAIT, ZAIT and KAIT only apply to companies that are under the supervision of BaFin, DORA was created for all financial companies such as banks, insurers and investment companies in Europe.
The Digital Operational Resilience Act (for short: DORA) is a European Union initiative aimed at strengthening the resilience and security of digital operations in the financial sector. The focus is on improving IT security measures.
As part of DORA, financial institutions are required to secure their IT infrastructures against potential cyber threats and operational failures. A key aspect is the implementation of measures aimed at improving the robustness of IT systems – hardening the system landscape is a cornerstone of this.
Financial companies should not take DORA lightly! BaFin writes about this:
“(…) for the area of operational information security in DORA, it should be noted that the level of detail of the requirements is significantly higher than previously described in Chapter 5 BAIT/VAIT. The level of detail is more in line with the explanations of BAIT/VAIT as minimum requirements (..)”
For system hardening, it is clearly stated that “(…) hardening measures are taken and regularly monitored (…)”
PCI DSS 4.0
Organizations and companies that are not active in the sectors mentioned must also secure payment transactions – PCI DSS 4.0 ensures this. The fourth version of the Payment Card Industry Data Security Standard was published in March 2022 and officially applies from March 31, 2024. Since then, all companies that process, store or transmit payment card data (e.g. payment service providers) must implement stricter cybersecurity measures.
The topic of “hardening” is mentioned directly in Chapter 2 and looks at processes as well as technical security.
B3S
The German industry-specific security standard for the medical sector, called B3S, has also included the topic of System Hardening as a real preventive protection measure.
In the “technical information security” chapter of the latest version (as of December 2022), “Hardening and Secure Basic Configuration” is listed as a priority measure. No wonder: B3S is based on the specifications of BSI Baseline Protection and the requirements of ISO 27001.
We find the level of detail interesting: the industry-specific security standard requires not only a one-off system hardening, but also process-related integration with monitoring. This becomes clear in the following requirements:
- ANF-0105: “Systems and applications must include specifications for Secure Baseline Configuration […]”
- ANF-0106: “Regular analysis and, if necessary, adaptation” must be carried out.
This shows that preventive measures such as a Secure Configuration are declared to be an essential addition to downstream detection and response capabilities in the medical sector. Implementation is regularly reviewed.
VDA TISAX
The VDA (Verband der Automobilindustrie / German Association of the Automotive Industry) also points out that the exchange of sensitive data must be sufficiently secure according to the state of the art. For this reason, the industry standard TISAX (Trusted Information Security Assessment Exchange) was developed for the automotive industry in 2017, which is based on the VDA Information Security Assessments (ISA).
Various elements of VDA-ISA and TISAX are based on ISO 27001, which means that the Secure Configuration of IT systems is playing an increasingly important role for automotive manufacturers and their suppliers.
And: TISAX has been continuously adapted since its publication. From April 1, 2024, the VDA-ISA catalog 6.0 will apply, in which – as with the VDA-ISA catalog 5.1 – System Hardening is mentioned several times.
On its website, the automotive association emphasizes why it is so important for companies involved in the automotive industry’s value chain to comply with VDA ISA and TISAX:
“In the industry, the two standards also form an essential basis for compliance with statutory regulations under the European Union’s NIS 2 regulation as well as other EU directives and their national implementations in the EU member states.”
WLA-SCS
The Security and Risk Management Committee of the World Lottery Association (WLA) has developed a specific security standard called WLA-SCS, tailored for the lottery and sports betting industry.
This standard includes a set of requirements and best practices aimed at ensuring the integrity, confidentiality, and availability of lottery and sports betting systems. Based on the ISO 27001 guidelines, the World Lottery Association Security Control Standard mandates that IT security officials implement professional System Hardening, known as “Lottery Hardening”.
WLA members who implement the industry standard for IT security should be certified annually. Many state lottery companies and partners require proof of compliance with the WLA-SCS. A lack of certification can lead to exclusion from important tenders and collaborations.
GDPR
The GDPR (General Data Protection Regulation), or DS-GVO (Datenschutz-Grundverordnung) as it’s known in German, states that companies are obligated to protect customer data from misuse, among other things, by securing the IT systems “to the state of the art”. System Hardening or a Secure System Configuration is clearly part of it.
In addition, the mandatory provider control obligation required by the GDPR should be mentioned. This means: As the responsible body, every company is obliged to verifiably check the work of the service providers used from an information security and data protection point of view and to document the evidence.
The protection of the data as well as the check of the service provider can be done easily and automatically with professional hardening tools.
Further regulations
In Germany, as in the rest of the world, there are numerous other guidelines, standards and laws that recommend or even require Secure Configuration or System Hardening. Here are a few examples.
BSI TR-03184
The German Federal Office for Information Security (BSI) has been working on special security guidelines for space travel for some time, as the space tech market is growing. In May 2023, the technical guideline BSI TR-03184 Information Security for Space Systems was published.
This “space guideline” defines various requirements – with Secure Configuration playing an important role.
SOC 2
SOC 2 (System and Organization Controls 2) is a compliance standard for assessing the security, availability, integrity, confidentiality and data protection practices of companies.
The so-called “Trust Service Criteria” were developed by the American Institute of Certified Public Accountants (AICPA) and are particularly important for companies that store, process or manage customer data.
➡ Find out how to achieve SOC 2 certification with a Hardening tool in our ESRB Success Story.
___________________
Why is System Hardening so important?
At the end of 2014, the BSI published the latest version of its annual report “The state of IT security in Germany”. The summary states:
“The attack surfaces increased as digitalization continued to advance: complex and vulnerable systems are becoming more numerous. Once again, the number of daily known vulnerabilities increased compared to the previous year.”
The primary goal of System Hardening is to contribute to the actual reduction of the attack surface. Symbolically, all the doors and windows of a house are closed to make it more difficult for burglars to get in.
To clarify once again: While almost all currently popular cybersecurity measures support detection and / or adequate response, professional System Hardening closes existing vulnerabilities and security gaps. System Hardening is therefore an essential measure in the area of protection.
The following diagram shows how the most common IT security measures can be categorized in the NIST Cyber Security Framework:
👉 Accordingly, you should include the hardening of your systems in your cybersecurity strategy now at the latest and implement it consistently.
What size of company needs to act now?
The simple answer: All of them! Because both large corporations and small start-ups are in the crossfire of attackers. They are becoming increasingly professional.
Nowadays, the question is no longer whether a company will be attacked by cyber criminals, but when! Without System Hardening and other IT security measures, your company is an easy target.
That’s why you should make it as difficult as possible for hackers and other “cyber gangsters” to penetrate your IT systems and cause damage. If the hurdle for an attacker to compromise your system is high, they may give up as the ratio between effort and reward is unfavorable.
If, on the other hand, you make it too easy for hackers, they will strike mercilessly: (customer) data and business secrets will be stolen, important systems will be blocked, put out of operation or severely damaged. The financial damage is usually followed by damage to your image – or, in the worst case, insolvency.
How can system hardening be implemented?
A multi-stage approach is recommended. It can look like this:
Step 1: Analysis
To begin with, you should carry out an assessment of the current situation. In other words: How securely are your IT systems currently configured? This check can be easily carried out with AuditTAP. As a result, you will receive a detailed report that also includes a risk score.
The risk score shows how well (or how poorly) your systems are hardened. But don’t just look at the chart, draw the right conclusions from the compliance report!
Step 2: Conception
In the next step, you should determine how and to what extent you want to harden your systems. You can choose between these common approaches:
- Layered Hardening
- Rapid Hardening
- Lifecycle Hardening
➡ Find out more in our article “Layered Hardening, Rapid Hardening & Lifecycle Hardening: Which method is best?”
Step 3: Implementation
The next step is to put together an individual configuration or use a hardening template. Follow the recommendations of cybersecurity authorities, for example CIS and DISA.
Roll out the hardening configuration to all your systems – preferably automatically using a tool such as Enforce Administrator. This allows you to achieve sustainable Hardening in accordance with the highest standards centrally and without the use of self-developed group policies.
Step 4: Optimization
Rolling out the hardening is not the end of your work! From now on, permanently monitor your systems for accidental misconfigurations and for deliberate changes by third parties or attackers. You can do this fully automatically with the Enforce Administrator.
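The four steps above reduced to their core mechanics, as an added example that is not code from the article, nor from AuditTAP or Enforce Administrator: a baseline is audited against a host snapshot to produce findings and a weighted risk score (Step 1), and a later snapshot is compared with the last compliant one to surface drift (Step 4). All setting names, expected values and weights are constructed for illustration.

```python
"""Baseline audit and drift check for a hardening rollout (added example; not
code from the article or from FB Pro's AuditTAP / Enforce Administrator).
Setting names, expected values and weights are constructed; a real rollout
takes them from a published benchmark such as CIS or DISA STIG."""
from dataclasses import dataclass

# Constructed baseline: setting -> (expected value, weight in the risk score).
BASELINE = {
    "smb1_enabled": (False, 5),
    "llmnr_enabled": (False, 3),
    "password_min_length": (14, 4),
    "account_lockout_threshold": (5, 3),
    "rdp_nla_required": (True, 4),
    "audit_logon_events": ("success_and_failure", 2),
}

# Constructed snapshot of a freshly installed, unhardened host.
UNHARDENED_HOST = {
    "smb1_enabled": True,
    "llmnr_enabled": True,
    "password_min_length": 8,
    "account_lockout_threshold": 0,  # 0 = accounts never lock out
    "rdp_nla_required": True,
    # "audit_logon_events" deliberately absent: never configured
}

@dataclass
class Finding:
    setting: str
    expected: object
    actual: object
    weight: int

def compliant(setting, expected, actual):
    """Minimum/maximum semantics for the numeric policies, exact match otherwise."""
    if setting == "password_min_length":
        return isinstance(actual, int) and actual >= expected
    if setting == "account_lockout_threshold":
        return isinstance(actual, int) and 0 < actual <= expected
    return actual == expected

def audit(snapshot):
    """Step 1: findings plus a 0..100 risk score, the weighted share of
    baseline items that are missing or non-compliant."""
    findings = [Finding(s, exp, snapshot.get(s), w)
                for s, (exp, w) in BASELINE.items()
                if not compliant(s, exp, snapshot.get(s))]
    total = sum(w for _, w in BASELINE.values())
    return findings, round(100 * sum(f.weight for f in findings) / total)

def drift(previous, current):
    """Step 4: settings that changed since the last compliant snapshot."""
    return {s: (previous.get(s), current.get(s))
            for s in BASELINE if previous.get(s) != current.get(s)}
```

A missing setting counts as a finding, since a policy that was never configured is no safer than one set wrong.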
👉 Why is the Enforce Administrator a very good solution? Why does this unique Hardening tool in Europe beat Hardening via GPOs? You will find the answers in this comparison:
| Functions / Features | Group Policy Objects | Enforce Administrator |
| --- | --- | --- |
| Opportunity to set an innovative, company-wide standard | Yes | Yes |
| Simple, role-based administration of various Hardening configurations | No | Yes |
| Automatic correction of non-compliant settings | Yes | Yes |
| Detection of non-compliant settings | No | Yes |
| Automation via REST API and integration into third-party systems | No | Yes |
| Simple web interface for configuration | No | Yes |
| Merging several Hardening recommendations into one configuration | No | Yes |
| Risk minimization by avoiding permanent (local) admin rights | No | Yes |
| Permanent monitoring and alarm function | No | Yes |
| Simple creation of reports, e.g. for compliance and GDPR audits | No | Yes |
| Getting started and time to result | High | Low |
| Restore old configurations | High Effort | Low Effort |
Conclusion
Invest your IT budget not only in symptom detection and response, but also in the basic protection of your IT systems. System Hardening is not a “nice to have”, but a “must have”!
This fact is underlined by numerous laws, regulations and standards. Companies and organizations of almost every size now have to deal with the requirements and recommendations – and usually implement them promptly.
👉 So make 2025 the year in which you raise your cyber security to a new, decisive level!
Can we help you?
Would you like to know how you can professionally implement (automated) System Hardening and implement it in your company? Talk to us – our hardening experts will be happy to help you!
Images: Freepik, BSI, IT Support Guys, FB Pro