Get started

IT security concept – living data protection

Every company that attaches importance to a modern IT infrastructure needs an IT security concept. And this has not only been the case since the EU General Data Protection Regulation came into force in 2016. Even in a company's very own interest, well-thought-out concepts for IT-security and data protection are an absolute must.


That's why IT security plays such an important role 

The term IT security describes techniques that secure information processing systems in the protection goals of availability, confidentiality and integrity. The primary aim is to protect against attack scenarios, to avoid economic damage and to minimize risks. Encryption of transmission paths and data storage, firewalls, protection against viruses and Trojans, ensuring availability (or protection against system failures) - all these things are considered to be part of IT security.

Hacker attacks on IT systems threaten both from the outside and the inside. The primary aim is to gain access to data in an unlawful way in order to gain economic advantages. Whereas in earlier times viruses only destroyed hard drive contents, identity theft is now at the top of the list of cybercrime. This particularly affects private individuals whose e-mail accounts or accounts of online shops have been hijacked. The field of industrial espionage also belongs in this area. Here it is important to prevent intruders into company networks by means of suitable firewall technologies.

Often underestimated is the threat from within through weaknesses in the system. Time and again software errors are exploited by hackers to gain access to IT systems. Manufacturers of user programs and operating systems are constantly striving to provide updates to close these security gaps. But even the personnel of your own company can pose a threat to information security. Former employees who still have access to business-critical data can cause damage, as can the misuse of Internet access within the company, where the distribution of copyrighted material by means of file sharing can result in warnings (Stoererhaftung).

Hackers can also easily gain access to data and IT infrastructures using social engineering methods. Here, every single employee of a company represents a danger through unconscious actions. A phone call from an alleged employee of the IT department is often enough to ask for passwords. Here it is important to sensitize every single user of the company network to scenarios of this kind.

>>> To avoid attacks of this kind, it is important to sensitize your own employees accordingly. Above all, however, the software solution used must be designed to ensure the maximum possible level of IT security.

Dangers do not only threaten from the outside in the form of natural disasters or hacker attacks and data theft, but also from the inside. Every single employee in the company - whether through unintentional operating errors or deliberate manipulation - as well as every hardware component represents a potential source of danger. This also includes natural disasters or technical failures.
At the latest when a customer or contractual partner asks for a documented IT security concept, it is time to think about such a concept. Contracts often contain clauses, in which the client is obliged to submit an IT security concept. After all, the customer wants his data to be in trustworthy hands.

IT security concepts are central and important components of the IT security management or Information Security Management Systems (ISMS). They describe defined security goals with the help of which risks are identified and evaluated. On this basis, countermeasures to protect your company and customer data can be defined in the IT security concept. An IT security concept is initiated by the company management or a data protection officer of the company. The data protection officer is responsible for implementing the concept. The measures of a consistently applied security concept minimize internal weak points and counteract threats to the IT infrastructure and its interfaces.


Measures and aims within the IT security concept

In order to prevent possible data mishaps, system failures, as well as virus and hacker-attacks, measures to optimize the IT security are constantly needed. IT security is defined by escalation regulations, emergency management as well organizational and technical measures. The latter include access control mechanisms, encryption technologies, firewall systems and last but not least the sensitization of employees through regular training courses.

he goal of the IT security concept is to achieve a certain level of security. The mentioned aspects should be summarized in a company-wide IT security manual or in form of an IT security policy.


How does an IT security concept work?

For Information Security Management Systems (ISMSe) and for IT security concepts, there is the international standard ISO/IEC 27001. This standard provides a good basis for creating your own concepts and serves as a basis for evaluation by auditors. Companies that are ISO27001-certified, like DRACOON, can prove their compliance with this standard and thus also meet legal and regulatory requirements.

Essentially, an IT security concept is structured in four sections:

  • Inventory analysis
    Make a note of what is worth protecting in your company.

  • Structural analysis
    Enter all components of an information processing process in a structured way.

  • Determination of protection requirements
    Determine the protection requirements of the individual objects.
  • Modeling
    Visualize the previous steps.

Try to honestly answer the following questions:

  • Does our security concept really meet the requirements?
  • Are our IT security standards really “state of the art” and do they meet the current requirements?
  • Is the IT security policy being accepted and supported by the employees?
  • Are outsiders able to gain access to sensitive data?
  • Could the data possibly be manipulated or even stolen?

You should repeatedly ask yourself these questions, as attack scenarios and risks can change at any time. An inventory of all safety measures can only act as a snapshot: If the entire system was recently updated to a secure state by eliminating vulnerabilities and security holes, it can constantly become vulnerable again through new security holes.


Emergency concept: Measures that are implemented after a security incident

In addition to the IT concept, an emergency concept is needed.This is put into action, as soon as business processes are interrupted by security threats that could endanger the company’s goals or even the company’s continued existence. An emergency concept contains plans and measures to enable the quickest possible restart and the resumption of critical business processes, after the security incident has occurred.


Legal aspects of the IT security concept

With an IT security concept, you create additional trust with your customers and suppliers, as you can document the security of your data. According to §109 of the Telekommunikationsgesetz (German telecommunications law), as a business man, you are even obliged to take precautions and measures against the violation of the protection of personal data.

DRACOON real IT security for your data

DRACOON has defined an IT security concept for itself as a company and has also been ISO 27001 certified. Various security aspects were also taken into account in the development of the product. Thus, DRACOON supports companies with regard to data handling to implement their IT security concept.
With the software, you can securely store, manage and send all your company data. DRACOON offers you numerous advantages to ensure secure and EU-GDPR-compliant data storage. The client-side encryption prevents data from flowing off.


  • Made & Hosted in Germany: DRACOON is being developed in Germany and operated in ISO27001-certified computer centers.

  • Multiple awards and certifications: Various seals such as ISO27001, EuroPriSe and BSI C5 confirm DRACOON’s highest security standards. 

  • GDPR-compliant thanks to Privacy by Default and Privacy by Design: As a German provider DRACOON is subject to the strict German security laws and supports you in implementing and complying with the EU-GDPR thanks to data protection-friendly technology design (Privacy by Design) and default settings (Privacy by Default). This enables you as a user to work automatically in compliance with data protection regulations.

  • Highest security thanks to client-side encryption: All data is already encrypted at the end device. On the server itself there is no possibility to decrypt the data because the key material is on the client. This way we ensure that neither we as a cloud provider nor third parties are able to access your stored data.

  • Modern rights management: With DRACOON you can assign access rights easily and individually to internal employees as well as external parties. This ensures, for example, that certain people only have read access, while others can also edit and delete data. Thus, for example, the IT department retains organizational sovereignty, but has no read and write rights to financial or personnel data. As a result, IT administrators can also be completely denied access to certain data (such as salaries, balance sheets, etc.). DRACOON also gives you the opportunity to limit the availability of data.

  • Classifications: Classifications provide a quick overview of the security level of a file.
  • Protection against ransomware attacks: In case of a hacker-attack, affected data can be restored at any time via the recycle bin.

  • Integrated reporting tool / audit log: The reporting tool with audit log provides information on file access. Authorized persons can thus trace who shared, processed or deleted data.

  • Demand-oriented billing: The required DRACOON licenses are billed on a user basis. This allows you to adapt DRACOON to your needs at any time.

IT security with DRACOON

Save, share and manage your files in a GDPR-compliant manner for 14 days for free!

Try now