A selection of the laws, rules and standards regarding IT permissions

8th EU Directive (“EuroSOX”)

The German federal government incorporated the 8th EU Directive into national law as part of its Accounting Law Modernization Act (BilMoG). The new accounting regulations came into force for financial years from January 1, 2010, onward.

Auditors are required to increasingly inspect how companies fulfill information security requirements, as they themselves are subject to stricter controls by their supervisory bodies. The BilMoG requires businesses to operate Internal Control Systems (ICS).

In contrast to SOX, EURO-SOX applies to all stock corporations, not just those listed on the stock exchange. This also obliges SMEs to more carefully address the issues of risk management, IT security and security audits.

The full guideline can be found on the European Commission’s website.

AEO certification

“Authorized Economic Operators (AEOs)” are defined by the European Union’s customs legislation as certified companies that enjoy tangible conveniences and benefits in the customs procedures applied to international trade.
The standard sets extensive demands in regard to reliability, solvency, compliance with legal requirements and the fulfillment of certain security standards, e.g. relating to access security.

Further information about AEO can be found on the European Commission’s website.

Basel II

Basel II refers to the entire set of equity regulations proposed by the Basel Committee on Banking Supervision in recent years. These were incorporated into German law in the Solvency Regulation (SolvV).

The relevance of these regulations
to IT is that banks must also consider applicants’ “operational risks” in decisions to grant loans. Because the use of IT represents an operational risk, shortcomings in this regard can result in high interest rates being charged or even refusal to grant a loan.

In December 2010, the preliminary final version of Basel III was published, although certain aspects are still being discussed. It was timetabled to come into force step-by-step beginning in 2013.

Further information about Basel II can be found in Wikipedia.
Further information about Basel III can be found in Wikipedia.

Mehr zu Basel II auf Wikipedia
Mehr zu Basel III auf Wikipedia


The German Data Protection Act (BDSG) together with the individual states’ legislation and other regulations pertaining to specific spheres regulate the use of the personal data that is processed in IT systems or by hand.

According to the BDSG, […] in particular, measures should be taken to prevent unauthorized access to data processing systems (system access control)

[…] it must be ensured that those permitted to use a data processing system can only access the data within the scope of their access permission and that personal data cannot be read, copied, altered or removed without the authority to do so (data access control).

The German Data Protection Act is due to be replaced by the General Data Protection Regulation (GDPR).

More information about the BDSG can be found in Wikipedia.
The German Data Protection Act can be found at the Federal Ministry for Justice.

BSI Grundschutz - IT Baseline Protection Catalogs

IT basic protection offers a simple way of identifying and implementing state-of-the-art security measures. The Federal Office for Security in Information Technology (BSI) provides numerous tools for achieving an appropriate level of security, such as its standards for managing information security and the IT basic protection catalogs. Some of the topics relate to data security and protecting access:

M 2.199  Maintaining information security
M 2.220  Guidelines for controlling system and data access
M 2.30  Regulation for instating users / user groups
M 2.31  Documenting authorized users and rights profiles
M 2.336  Assuming managerial overall responsibility for information security
M 2.360  Security audits and reporting for storage systems
M 2.370  Administration of permissions in Windows
M 2.63 Setting up access rights
M 2.8  Allocating access rights
M 4.309  Setting up access permissions on directory services
M 4.312  Monitoring directory services
M 5.10  Restrictive rights allocation

The IT basic protection catalogs can be found at the BSI.
How econet can help you meet the BSI’s requirements PDF 140KB.
A table comparing ISO 27001, ISO 27002 and IT basic protection can be found at BSI.

More information about the IT Baseline Protection Catalogs can be found in Wikipedia.


COBIT (Control Objectives for Information and Related Technology) is the official international IT governance framework. It divides IT tasks into processes and control objectives. COBIT’s primary aim is not to define how to implement requirements, but rather what must be implemented. There are various possibilities for COBIT certification.

DS 5.3 Managing user profiles: Ensuring that users’ access rights to systems and data conform with designated and documented business requirements and that user profiles are marked with these requirements.

DS 5.4 User account administration: Rights and guidelines for access to a company’s systems and information should be defined for all user types. Regular checks are required of all user accounts and the corresponding user rights.

More information about COBIT can be found in Wikipedia

GDPR – the General Data Protection Regulation (planned)

The European General Data Protection Regulation is currently being planned by the European Union (as at May 2015). The GDPR is meant to standardize data protection law throughout Europe and to replace national legislation such as the BDSG. The GDPR is to enter into force two years after it is passed, which means not before 2017.
However, it makes sense to get up to speed on the planned changes right now.

Article 23 of the draft GDPR on “technical presets” defines the obligations for regulating user and permission administration for processing personal data in IT systems:

“In particular, these processes must ensure that personal data is absolutely not made accessible to an uncontrolled number of individuals.”

More information about COBIT can be found at the European Comission

FDA regulation 21 CFR Part 11

All facilities in the pharmaceutical, cosmetics and food sector that manufacture products for the US market are affected by regulation 21 issued by the US Food and Drug Administration (FDA).

21 CFR Part 11 prescribes, among other things, “restricting access to the system to authorized persons” (§ 11.10d) and “checking rights and roles so as to ensure that only authorized persons use the system” (§ 11.10g).

Further information is available directly from the FDA: Code of Federal Regulations, Title 21, Part 11

FINMA RS 08/21

The Swiss Financial Market Authority finma’s Circular 2008/21 entitled “Operational risks for banks” has been legally binding for all Swiss banks and financial service providers since January 1, 2015.

It requires them to define who in the company has access to customer data, who has the right to authorize access, who is responsible for the various business processes, and who has the ultimate authority over such data.

Further information is available directly from the finma


The International Financial Reporting Standards (IFRS) are a collection of standards and interpretations developed by the independent, private International Accounting Standards Board (IASB). These standards and interpretations list the regulations that apply to the external reporting of publicly traded companies.

Reports compiled in accordance with the IFRS are meant to provide information about the state of a company’s assets, finances and revenue. They should cover the accrual principle and the principle of going concerns.

Reports have to fulfill certain qualitative criteria regarding comprehensibility, relevance to decision-making, materiality, reliability and comparability.

Further information can be found on the IFRS/IAS website

ISAE 3402 and SSAE 16, successor to SAS 70

If a company uses any services from third parties that have a direct influence on its financial reports, it must make sure that the appropriate control mechanisms are in place at any such external service providers.

Until June 15, 2011, the SAS 70 standard was the internationally recognized reference, at which point it was replaced by two new standards – the international ISAE 3402 standard and the American SSAE 16 standard – which apply to all reports covering periods ending June 15, 2011, or later. Reports must be completed by a qualified auditor.

More information about COBIT can be found in Wikipedia

ISO/IEC 27001

In order to certify an Information Security Management System (ISMS), it must meet the requirements of ISO/IEC 27001. This standard specifies the criteria for the manufacturing, introduction, operation, monitoring, maintenance and improvement of a documented system that takes risks into account throughout the entire organization. An ISO/IEC 27001 certificate is considered a definite plus in a Basel II or SOX assessment.
More information about ISO/IEC 27001 can be found in Wikipedia


ISO/IEC 27002

This standard is described as a “comprehensive selection of control mechanisms based on methods and procedures that have proven effective for information security”. Practical experience, procedures and methods formed the basis for this standardization, hence it adopts a best-practice approach similar to that used in ITIL.

Zur Web-Präsenz der ISOSubsection A.11 of ISO 27002 covers “Access control”:
3.2 Access restrictions: Access to IT systems and data shall be restricted and implemented as securely as possible.
3.31 Segregation of duties within applications: It must be ensured that a division of power exists in IT systems.
3.42 Management and monitoring of user accounts: Mechanisms are established that seamlessly monitor the changes to user accounts and user profiles so as to preclude the risk of any unauthorized or inappropriate access to IT systems (applications) and any data (therein).

More information about ISO/IEC 27002 can be found in Wikipedia 

ISO/IEC 27018

ISO/IEC 27018 defines the requirements regarding data protection for Cloud service suppliers (Security techniques – Code of practice for controls to protect personally identifiable information processed in public cloud computing services). The contents of this standard are an extension of existing standards – particularly ISO/IEC 27002. However, ISO/IEC 27018 specifically regulates the processing of personally identifiable information stored in the Cloud.

More information about ISO/IEC 27018 can be found at ISO

ISO/IEC 38500

“Corporate Governance in Information Technology” is the title of ISO/IEC standard ISO/IEC 38500:2008 (introduced in 2008). ISO 38500 is an international standard that defines and describes how companies can establish a system of IT governance based on best practice.

This reference model is aimed primarily at senior management and executive managers to help them take responsibility for effective, efficient and legally compliant use of IT. Systematic evaluation of IT use and continuous monitoring of progress toward targets play a key role.

Further information about ISO/IEC 38500 can be found at ISO

ISO 9001

Defective products are often the first sign of shortcomings in processes. ISO 9001 sets out the model for an entire quality management system, in which a company determines what guidelines need implementing in order to increase effectiveness and to ensure quality in all departments and at all interfaces, including any IT involved.

Sector-specific standards, such as IFS Food, expand upon ISO 9001.

Further information about ISO/IEC 38500 can be found at ISO

ITIL Access Management

In the ITIL international standard for IT business processes, access management forms a part of service operations. Access management is meant to ensure that only authorized users have the right to use a service and to simultaneously prevent any unauthorized access.

ITIL Access Management covers the following sub-processes:

- Administering user roles and permissions profiles
Ensuring that the catalog of user roles and permissions profiles corresponds with the IT services and applications systems, and preventing undesired clusters of access permissions.

- Processing permissions applications
Processing requests to add, change or delete access rights and ensuring that only authorized users have the right to use a given service.

Further information about ITIL Access Management can be found at wiki.en.it-processmaps.com

MaRisk from BaFin

The minimum risk management requirements (MaRisk) set by the Federal Financial Supervisory Authority (BaFin) specify § 25a of the German Banking Act (KWG) and implement the regulatory supervision processes for banks in accordance with Basel II.

These requirements state that banks must establish “processes for appropriate allocation of IT permissions” so as to ensure that every member of staff is only allocated the rights required for his duties. Furthermore, expert and technical staff must regularly check that IT systems and their related processes are appropriate.

More information about MaRisk can be found in Wikipedia


Any dealer who processes or stores credit card payments on his systems is subject to compulsory certification according to the Payment Card Industry Data Security Standard.

The aim of the Payment Card Industry Data Security Standard is to improve the security of credit card data and online payment transactions made using credit cards. Protecting credit card data by means of secure permissions allocation for data access and systems administration is a key requirement.

7.1.1 Restriction of access rights to the lowest level required to complete any given process.
7.2.2 Allocating user rights to individual users on the basis of their job description and function.

Any affected companies that fail to comply with the standard’s guidelines can be fined and punished to the point of exclusion from credit card payment transactions.

More information about PCI DSS can be found in Wikipedia.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) passed in 2002 is a US law to improve company reporting following the accounting scandals at firms including Enron and Worldcom.

The aim of the law is to restore investors’ trust in the accuracy of companies’ published financial data. The law applies to domestic and foreign companies that are listed on the US stock exchanges or NASDAQ and to US companies’ foreign subsidiaries.

At the heart of the rules laid out in this law is the duty to establish an appropriate Internal Control System (ICS) for all data relevant to the company’s rendering of accounts. Among other things, this requires the introduction of software tools for documenting and evaluating internal processes and controls.

More information about PCI DSS can be found in Wikipedia.
Sarbanes-Oxley Act in full.

The texts published on this site in regard to compliance issues are meant for the purpose of general information and training and are not a suitable source of advice in the case of any ongoing legal action. Although every due care has been taken, we cannot guarantee that you will not encounter any incorrect, incomplete, obsolete, contradictory, out-of-context or abbreviated information. Please note: The wording of laws posted on the Internet is not official. Official versions can only be found in the Federal Law Gazette.