IT Security According to VdS 10000

Technical security requirements in VdS 10000: network security, access control, encryption, and monitoring.

IT Security Under VdS 10000: Technical Measures Overview

Technical security measures form an essential part of VdS 10000. They define concrete requirements for your IT infrastructure that your organization must implement to achieve an appropriate security level. While organizational measures set the framework, technical controls ensure that threats are mitigated at the system level.

This guide provides a structured overview of all technical security areas covered by VdS 10000. The complete list of all 75 controls can be found in the VdS 10000 measures. The overarching requirements provide the overall context.

Network Security: Firewalls and Segmentation

Network security is the first line of defense for your IT infrastructure. VdS 10000 requires that the transition between the internal network and external networks (especially the internet) is secured by appropriate protection mechanisms.

Firewall Requirements

  • Perimeter firewall: every connection to the internet must be protected by a configured firewall. Default-deny principle: only explicitly permitted traffic is allowed.
  • Rule documentation: all firewall rules must be documented. Each rule requires a justification and an owner.
  • Regular review: the firewall ruleset must be reviewed at least semi-annually for relevance and necessity. Outdated rules must be removed.
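The three firewall requirements above can be checked mechanically. The following added example (not from VdS 10000 or the page's author) models a first-match ruleset with an implicit default deny and audits it for missing owner, missing justification and overdue semi-annual review; the rule schema and the sample rules are constructed assumptions.

```python
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

REVIEW_INTERVAL = timedelta(days=182)  # semi-annual review, as the text requires

# Constructed ruleset (assumed schema). First match wins; unmatched traffic is denied.
RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "port": 443,
     "owner": "web-team", "justification": "public web server in DMZ", "last_review": "2024-01-15"},
    {"id": 2, "action": "allow", "src": "10.0.0.0/8", "dst": "10.20.0.0/16", "port": 3389,
     "owner": "", "justification": "remote desktop for helpdesk", "last_review": "2023-02-01"},
    {"id": 3, "action": "deny", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "port": 22,
     "owner": "net-team", "justification": "no SSH to the DMZ host from outside", "last_review": "2024-01-15"},
]

def evaluate(rules, src, dst, port):
    """Default-deny evaluation: the first matching rule decides, otherwise 'deny'."""
    for r in rules:
        if (ip_address(src) in ip_network(r["src"])
                and ip_address(dst) in ip_network(r["dst"])
                and port == r["port"]):
            return r["action"]
    return "deny"  # nothing explicitly permitted this connection

def audit(rules, today):
    """Return (rule id, finding) pairs for documentation and review gaps."""
    findings = []
    for r in rules:
        if not r.get("owner"):
            findings.append((r["id"], "no owner"))
        if not r.get("justification"):
            findings.append((r["id"], "no justification"))
        if today - date.fromisoformat(r["last_review"]) > REVIEW_INTERVAL:
            findings.append((r["id"], "review overdue"))
        # An any-to-any allow turns default deny into default allow; flag it.
        if (r["action"] == "allow" and ip_network(r["src"]).prefixlen == 0
                and ip_network(r["dst"]).prefixlen == 0):
            findings.append((r["id"], "any-to-any allow"))
    return findings

if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.5", "192.0.2.10", 8080))  # unmatched -> deny
    for rule_id, finding in audit(RULES, date.today()):
        print(f"rule {rule_id}: {finding}")
```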

Network Segmentation

VdS 10000 requires separation of network zones by security requirements. Typical segments:

  • Production network (servers, services)
  • Office network (workstations)
  • Guest Wi-Fi (separated from the production network)
  • Demilitarized zone (DMZ) for externally accessible services
  • Management network for administrative tasks

Segmentation limits the potential damage from a successful attack. Even if an attacker penetrates one segment, they do not have direct access to other areas.

Access Control: Authentication and Authorization

Access control ensures that only authorized individuals can access systems and data. VdS 10000 defines clear requirements for authentication and authorization concepts.

Authentication

  • Individual user accounts: each employee receives a personal user account. Shared accounts are not permitted.
  • Strong passwords: minimum length, complexity requirements, and regular changes, or alternatively, use of a password manager.
  • Multi-factor authentication (MFA): strongly recommended for access to critical systems, remote access, and administrative accounts.
  • Account lockout: automatic lockout after multiple failed login attempts.

Authorization Concept

  • Principle of least privilege: each employee receives only the access rights required for their role.
  • Regular review: permissions are reviewed at least annually and immediately adjusted upon role changes or employee departure.
  • Administrative accounts: separate accounts for administrative tasks. Administrators use a standard user account for daily work.
  • Documentation: all permissions are documented and traceable.

Encryption

VdS 10000 requires the use of encryption to protect sensitive data. This covers two areas:

  • Encryption in transit: all connections over which sensitive data is transmitted must be encrypted (e.g., TLS/HTTPS, VPN). This applies especially to remote access, email communication, and cloud connections.
  • Encryption at rest: sensitive data on mobile devices (laptops, smartphones, USB drives) must be stored encrypted, so that the data cannot be accessed if a device is lost or stolen.

The encryption methods used must meet the current state of the art. Outdated protocols (e.g., SSL 3.0, TLS 1.0) must be disabled.

Patch Management

A structured patch management process is one of the most effective security measures. Many successful cyber attacks exploit known vulnerabilities for which patches are already available.

VdS 10000 requires:

  • Timely installation: security updates for operating systems, applications, and network components must be applied promptly. Security-critical patches within days, not weeks.
  • Testing procedures: before rolling out to production systems, patches should be tested in a test environment to avoid compatibility issues.
  • Software inventory: a current inventory of all installed software with version numbers must be maintained.
  • End-of-life software: software no longer supported by the vendor must be replaced with current alternatives or secured through compensating controls.

Backup and Recovery

For many SMEs, data backup is the last line of defense against ransomware and data loss. VdS 10000 sets clear requirements for the backup concept:

  • Regular backups: all business-relevant data must be backed up regularly. The frequency depends on the rate of change and the acceptable data loss.
  • Physical separation: at least one backup copy must be stored in a separate location from the original data (e.g., external data center, cloud backup).
  • Regular restoration tests: backups that are never tested are worthless. Restoration capability must be verified regularly.
  • Documentation: backup schedules, retention periods, responsibilities, and test results must be documented.

A proven strategy is the 3-2-1 rule: three copies of data, on two different media types, with one stored at a different location.

Monitoring and Logging

Without monitoring and logging, security incidents remain undetected. VdS 10000 requires that security-relevant events are captured and analyzed.

  • Logging of security events: login attempts (successful and failed), access to sensitive data, changes to system configurations, firewall events.
  • Centralized log collection: logs from various systems should be collected centrally to identify correlations.
  • Retention: log data must be retained for a defined period (typically 3-12 months) to enable post-incident analysis.
  • Alerting: automatic notifications should be triggered for critical events (e.g., multiple failed logins, unusual access times).
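The alerting bullet names two triggers: repeated failed logins and unusual access times. The following added example (not part of the page or of VdS 10000) runs both checks over constructed authentication log lines; the log format, the threshold of five failures within ten minutes, and the 07:00 to 19:00 business-hours window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed format): "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=alice src=10.0.5.12
2024-03-01T08:00:07 FAIL user=alice src=10.0.5.12
2024-03-01T08:00:15 FAIL user=alice src=10.0.5.12
2024-03-01T08:00:20 FAIL user=alice src=10.0.5.12
2024-03-01T08:00:24 FAIL user=alice src=10.0.5.12
2024-03-01T08:01:00 OK user=alice src=10.0.5.12
2024-03-01T09:10:00 FAIL user=bob src=10.0.5.40
2024-03-01T11:30:00 FAIL user=bob src=10.0.5.40
2024-03-02T02:15:00 OK user=carol src=203.0.113.7
"""

THRESHOLD = 5                   # failures per (user, source) ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window (assumed values)
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 counts as a normal access time (assumed)

def parse_line(line):
    ts, result, user_kv, src_kv = line.split()
    return datetime.fromisoformat(ts), result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]

def detect_alerts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alert dicts for repeated failed logins and for off-hours successful logins."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of failures still inside the window
    alerted = set()              # keys already reported, so one burst yields one alert
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, result, user, src = parse_line(line)
        key = (user, src)
        if result == "OK":
            recent[key].clear()  # a successful login resets the failure counter
            alerted.discard(key)
            if ts.hour not in BUSINESS_HOURS:
                alerts.append({"reason": "off_hours", "user": user, "src": src, "at": ts.isoformat()})
            continue
        failures = recent[key]
        failures.append(ts)
        while ts - failures[0] > window:  # drop failures older than the window
            failures.popleft()
        if len(failures) >= threshold and key not in alerted:
            alerts.append({"reason": "failed_logins", "user": user, "src": src,
                           "count": len(failures), "at": ts.isoformat()})
            alerted.add(key)
    return alerts

if __name__ == "__main__":
    for alert in detect_alerts(SAMPLE_LOG):
        print(alert)
```

Bob's two failures are hours apart and never accumulate inside the window, which is why a sliding window rather than a lifetime counter is used.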

Mobile Device Management

Mobile devices present a particular security risk because they leave the corporate network and can easily be lost or stolen. VdS 10000 requires:

  • Device encryption: all mobile devices containing company data must be fully encrypted.
  • Screen lock: automatic screen lock with PIN, password, or biometric authentication.
  • Remote wipe: the ability to remotely delete company data in the event of loss or theft.
  • BYOD policy: if personal devices are used for business purposes, clear rules for separating personal and business data must exist.
  • App management: only approved apps may be installed on business devices.

Cloud Security

An increasing number of SMEs use cloud services for email, file storage, business applications, and infrastructure. VdS 10000 addresses the specific security requirements of cloud usage:

  • Careful provider selection: cloud providers must be evaluated regarding security measures, certifications, and data protection.
  • Contractual agreements: Service Level Agreements (SLAs) with clear availability, security, and data protection clauses.
  • Data localization: knowing where your data is stored, particularly with respect to EU GDPR requirements.
  • Access controls: MFA for cloud access, role-based permissions, monitoring of access activities.
  • Exit strategy: ensuring you can migrate your data and switch providers at any time.

Malware Protection

Protection against malware is a fundamental requirement of VdS 10000. This encompasses more than just installing an antivirus scanner:

  • Current protection software: up-to-date anti-malware software must be installed on all endpoints and servers and regularly updated.
  • Email protection: incoming emails must be scanned for malware and phishing links. Executable file attachments should be blocked.
  • Web filtering: access to known malicious websites should be blocked.
  • Execution controls: restricting program execution to approved applications (application whitelisting) should be considered for critical systems.
  • Removable media: USB drives and other removable media should be scanned for malware or their use should be restricted.

Summary: Technical Measures by Priority

Priority   Measure                            Typical effort
--------   --------------------------------   -------------------
High       Establish patch management         1-2 weeks + ongoing
High       Backup concept with testing        1-3 days
High       Configure and document firewall    2-5 days
High       Access control and MFA             1-2 weeks
Medium     Network segmentation               1-4 weeks
Medium     Mobile device encryption           2-5 days
Medium     Centralized logging                1-3 weeks
Basic      Update malware protection          1-2 days

Integration with Risk Management

Technical measures do not stand in isolation. They are the result of the VdS 10000 risk analysis. Each technical measure should be mapped to a specific risk. This ensures that you invest in the right areas and do not implement measures without reference to the actual risk profile.

A GRC tool like Kopexa makes this mapping transparent: you can see at a glance which technical measures address which risks, where gaps remain, and the implementation status of each measure.

Implement IT security under VdS 10000 with structure

Kopexa maps all technical and organizational VdS 10000 measures in a structured way. Assign each measure to a risk, track implementation progress, and keep documentation automatically up to date. Reach certification faster with less effort.
