An Interview with Daniel Kremer, Chief Information Security Officer (CISO), on DENIC's Information Security and Risk Management Division, He Is in Charge of

When it comes to information security and data protection, DENIC relies on feasible, pragmatic and cost-efficient solutions. Here you will learn what this precisely means:

Which role does information security play for a domain registry?

Information and data security are generally very important for any organisation, and with digitisation increasing and new threats emerging, they are constantly gaining importance.

DENIC in particular has been categorised as operator of a critical infrastructure according to the regulation on the German IT Security Act (BSI-KRITIS Ordinance) with regard to the operation of the authoritative DNS server since 2018. And since this February, we are additionally registered as critical infrastructure for the new system category "Top Level Domain Name Registry" with the German Federal Office for Information Security (BSI). Thus, DENIC is one of 2,000 KRITIS operators in Germany.

What precisely means "critical infrastructure"?

Critical infrastructures are defined as facilities and parts thereof which are necessary for the provision of critical services to society as a whole and which exceed certain threshold values. The ultimate aim is to ensure security of supply for the society and the private sector. According to the IT Security Act, critical services are divided into several sectors: Next to energy, water, food, health, transport and traffic, finance and insurance, and waste management, the Act defines the sector information technology and telecommunications, which is where, among others, the categories "Authoritative DNS Servers" and "Top Level Domain Name Registry" belong to.

Operators of critical infrastructures must meet a wide range of requirements. They are, for instance, obliged to report to the BSI disruptions in the provision of critical services, must demonstrate compliance with all legal requirements to the authority every two years, or implement technical and organisational security measures for detecting attacks.

How is this reflected in the tasks of DENIC's Security division?

The aspects of information security must be observed across the entire organisation. A particular focus is on governance, risk management and compliance. To fulfil this aim, policies, rules and guidelines have to be drafted and implemented. As to risk management, the CISO must identify realistic threat scenarios for each business process and categorise them according to damage and probability. Moreover, suitable measures must be initiated, implemented and monitored that reduce the probability of occurrence.

Last but not least, we have to comply with multiple normative (ISO 27001 and ISO 22301) and legal requirements, such as the IT Security Act.

That sounds as if IT security is a very dynamic field of work. Can you explain these dynamics in greater detail?

Our vital task is to do everything we can to keep business operations going so that we can provide our services. To achieve this, management systems must be maintained and advanced consistently. A process of continuous improvement is essential. Moreover, our work is reviewed by annual external audits.

The launch of new services, both for internal use and those we offer to external customers, must be accompanied carefully, too. Given the large number of systems and applications we are operating and using already today, a mature identity and access management including regular checks, for instance, is crucial. Attack detection systems (also called intrusion detection systems) require deep insight into operative security.

What characterises sustainable information security in an organisation according to your experience?

It needs well-coordinated responsibilities, established processes, organisation-specific regulations and tailored measures to achieve a sustainable level of information security. Appropriate training and awareness-raising programs for the staff are crucial. Potential threat scenarios should be known and suitable measures be initiated and implemented in a reasonable manner. DENIC therefore continuously performs awareness-raising initiatives to keep our staff's awareness level of information security high.

DENIC is tightly integrated into the international Domain community through organisations like CENTR or ICANN and through technical bodies. How would you describe this cooperation in the field of security?

Our contacts with the community are strongly based on partnership and there is a regular open exchange. Through the Security Working Group of CENTR, an association of European registries, we are constantly in good personal contact with each other. But we also share best practices in other bodies or associations. Finally, we are all facing the same challenges: to operate our core services, registry and domain name system, in a manner that ensures a high level of stability, reliability and security.

We also have cooperated closely for many years with the adjacent registries of Austria, Switzerland and the Netherlands and mutually support us, especially in internal auditing.

What makes working in the Security division of DENIC particularly exciting?

Information security is a very wide and multifaceted field that includes all parts of the organisation, and it is important to stay in regular contact with all of them. It includes everything, from workplace computers via server systems and on-site applications up to applications in the cloud, and that makes the job so diverse and varied.

Back to main page Information Security