Expanding Internet Security
Customers' trust in the measures we take to ensure information security is the basis for their willingness to entrust us with both personal digital information such as photos, documents, and e-mails, and business data (e.g., when running applications in the cloud).
The information that we have to protect comprises both customer and employee data. It is handled in our internal systems in business processes that are in turn part of products. We aim to protect information against unauthorized access and misuse throughout the entire, complex product environment. In the process, we ensure we comply with the protective goals of preserving confidentiality, availability, and integrity. Our security strategy aims to use specific security management measures to achieve and continuously enhance our protective goals throughout the Group at an appropriate and uniform level.
We base our activities here on recognized international standards. For example, we have implemented an information security management system (ISMS) in accordance with ISO 27001. Establishing and expanding our effective, scalable security organization is particularly important here.
Apart from protecting customer data, the main objective of information security is to maintain United Internet’s ability to do business and to reduce negative impacts on its business operations.
The overarching ISMS is managed by the Information Security department, in keeping with the participating companies’ business strategies. This department comprises two teams: Service and Security Management, and Technical Security. Among other things, the Service and Security Management team is responsible for managing information security guidelines, developing security instructions, training staff, communicating with government authorities about security issues, and performing information security risk management. The Technical Security team provides advice on security architectures and on application, system, and network security. This unit trains employees in secure development and operations, performs security tests, and handles any security incidents together with the departments concerned.
The Head of Information Security, who is also one of the Group’s telecommunications security officers under the German Telecommunications Act (Telekommunikationsgesetz – TKG), reports regularly to the Chief Technology Officers in the relevant segments. Reporting covers the information security risk portfolio, any relevant security incidents that have occurred, the specific measures taken, the results of security audits, and key security trends. Security architects and experts from the Information Security department support the Head of Information Security in designing and implementing wide-ranging and overarching security enhancements.
Vulnerabilities can have far-reaching consequences, both for United Internet’s reputation and for customers. United Internet has taken the following technical and organizational security measures, among others, to prevent such risks.
We perform a thorough review of existing technical and organizational information security measures before entering into business combinations with other companies, and at key points in the integration process that follows. A maturity analysis based on international standards is used for this. Information Security then supplements the established maturity level with a risk assessment and recommended actions. A range of integration measures is then decided on and implemented, depending on the results and our business strategy. Acquired companies are included in United Internet’s Information Security Management System (ISMS) where it makes sense to do this. The goal is to establish an appropriate, Group-wide security standard. In 2021, planning started on introducing a joint target ISMS covering those IONOS subsidiaries that do not form part of the Group ISMS.