The company RIEGE Software International GmbH, provider of the SaaS logistics software “Scope”, would like to comment on the above-mentioned EU regulation and its consolidated versions.
RIEGE Software International has decided to establish a so-called information security management system in Meerbusch, which is commonly known under the ISO certification 27001. We carry out regular internal audits and external ISO audits by TÜV Süd in order to meet the requirements of information security. First of all, we would like to discuss our technical and organizational measures, which represent an interface between information security and data protection.
In general, unauthorized persons are denied access to our IT infrastructure; in addition, the buildings and their areas are divided into different security zones. On one hand, this applies to our alarm-protected offices, which are only accessible to RIEGE employees via access cards and separate transponders. Visitors and external companies must be registered and accompanied within the offices and be recognizable as such. Our internal IT equipment is subject to further security measures to make access to our systems considerably more difficult. Access to the systems is subject to authentication with an individual user account whose password is only known to the assigned user. Trivial passwords are technically impossible, the minimum length is 14 characters. In case of inactivity on server systems, console access is automatically logged out; password-protected lock screens start automatically on PCs. At operating system level (e.g. SSH), authentication is also possible using an asymmetric cryptosystem (key) instead of a password. Logging processes as well as failed attempts are logged. The logs are stored for at least 6 months, the history contains the last 1,000 executed commands.
Internal media, such as hard disks, should be encrypted according to the state of the art in order to provide an appropriate level of security in the event of theft. Firewalling and anti-virus software round off the concept.
With regard to the systems operated for customers, the responsible party defines the authorization of its users via group regulations, application modules and/or the branch office. The servers operated are deliberately owned by RIEGE and are administered exclusively by corresponding employees in accordance with an authorization concept. Access to the server rooms and various fire protection zones of the data centers in Frankfurt am Main and Hilden (each operated by the companies I.T.E.N.O.S. and Datacenter ONE) is secured by separate access controls, including an ID card check.
Scope logs the creation, last modification and deletion of data in log files. Changes made to database systems are recorded in tickets and in a logbook (documentation).
In order to prevent the system from manipulating security-relevant information, such as security and comparable data on the respective air freight consignments, corresponding user restrictions are in place for our employees in these operational fields.
RIEGE has equipped its transport management system (TMS) “Scope” with a zero-trust policy, which means that our systems are highly isolated from each other, both internally and externally! The systems connected to the Internet are provided by reverse proxy servers, which creates an additional layer of security. Our firewall systems are redundantly available, which enables us to provide continuous intrusion detection and intrusion prevention. We carry out penetration tests on our system landscape at regular intervals. Furthermore, ongoing vulnerability assessments (vulnerability management) are carried out on our systems.
As part of our ISO 27001 certification, the ISMS team also looks at the security of our systems and analyzes any security irregularities that may arise.