
"Because, what is not allowed cannot happen."


"Compliance" means adherence to rules of conduct, laws and policies. It often involves a voluntary commitment that goes beyond what the law requires. IT compliance also protects the executive board from being held liable for damages that arise from insufficient IT security, for instance when the company network is misused as a botnet, when external computers are flooded with malware or e-mail from it, or when provisions of the data protection act are violated.

To make compliance achievable, many companies implement an information security management system (ISMS), for example one in accordance with ISO 27001. Such a system classifies the network according to various parameters derived from business processes, and each computer system is assessed for its protection category and level of criticality. The open question, however, is how to verify that the required protection level is actually maintained: is compliance checked against target specifications by a Security Level Management system?

In Germany, the principle of obligatory organization applies. It can be paraphrased as: "you should not operate systems that pose a danger to others if you are not in control of them." From the point of view of the legal profession, IT systems are just as "dangerous" as cars or nuclear power stations; the magnitude of the threat is irrelevant to their classification as a "dangerous system". The same principles of liability therefore apply to IT systems: the law demands that the system be reliable and that the operator be in control of it. The operator must institute measures to ensure that no danger emanates from the system at any time.

§9 of the German Federal Data Protection Act (BDSG) also obliges companies to take "technical and organizational measures" as soon as they collect, process or use personal data. A commentary on the BDSG states that security systems should, where possible, be updated automatically, since an outdated security application only gives a false sense of security.

Not every security gap can be excused. In the event of data misuse or damage, the courts will look to what experts consider the state of the art. Currently that position is: "a purely reactive response, improving security systems only in cases where weak spots are revealed by attacks, or random sampling as a control, does not suffice to release the party from liability." In practice, companies are expected to maintain current knowledge within the organization of the existing dangers and the measures they require, to update this knowledge continuously, and to make it transparent to users. Under the principle of proportionality, this does not mean that a small enterprise must implement an automatic monitoring system when a manual procedure suffices to keep it informed of the current status. Very large companies with complex networks, however, need to put an appropriate quality assurance system in place.

In other words, Christian Morgenstern's bon mot "...what is not allowed cannot happen" applies to IT security in particular. Because the determining factors change continually, above all through the flood of new malware entering networks, compliance requires permanent quality management: continual verification that no violation of the rules of conduct, laws and policies exists in reality, and not merely in theory.



RA Niedermeier

"I know of some 20 cases of civil law alone where the damages were set at as much as 1.5 million euros."


Robert Niedermeier, lawyer from Munich, specializing in Internet law


Transparency

Transparency concerning the actual status of IT security systems is a mandatory requirement for ensuring high quality in IT security.



Security Lighthouse

AMPEG Security Lighthouse is a vendor-independent, cross-console monitoring application for Security Level Management.



Survey Results

34 percent place their trust in systems that function automatically. They believe that "basically, network security is not in danger, even though no explicit control of whether an update took place successfully or not is performed."


Results of a survey by AMPEG of 200 chief security officers at major German companies.






© 2010 AMPEG GmbH. All rights reserved.