Welcome to cptgut.com!

Hi everyone and thank you for visiting my website.

The heart of this website is the IT Governance, Risk & Compliance blog. It is intended to provoke thoughts and discussion on how to address current problems in the area, and give ideas on how to tackle them in day-to-day business situations. Go to blog...

Additionally, the website presents the latest websites that I designed. As web design is only a hobby, the overview is not updated too often. Go to webdesign...

Additional functionalities are available in the private section for logged-on users only.

The Governance, Risk & Compliance blog is intended to provoke thoughts on recent ideas and trends in this area. While I am mainly focused on the IT of the banking industry, I try to keep my posts as "wholistic" as possible. I will periodically update the blog and enter new posts. If you would like to comment on my posts, please feel free to do so at any time. If you would, furthermore, like to publish "guest posts", please contact me through this website.

A word of caution: please do not take all my comments at face value but reflect on how they are meant. Additionally, all of my own posts reflect my personal opinion.

Please click on a headline to open the blog post:

Why IT Compliance Makes Good Business Sense
Oliver Wehling on 21.04.2016, 14:17

Being an IT auditor, I am often confronted with the allegedly "high cost of IT compliance". People find countless reasons why laws and regulations are incompatible with the real world, are way too costly, and do not provide noticeable benefits for the organization. Consequently, IT organizations complain that they cannot keep up with the pace of recent statutory and regulatory developments due to the high costs and rather need to focus on the cost effectiveness of their IT.

Contrary to this train of thought, I would argue that it makes good business sense to promote and foster a good IT compliance environment. That the benefits outweigh the cost. That it helps to focus the IT efforts. And that it can even enhance the IT organization's flexibility and transformation speed.

  • A good IT compliance organization adds to good IT governance. From clear-cut responsibilities over well-defined IT processes all the way to the safe and sound operation of the IT assets, they all increase the IT management's oversight and control. Without these, the IT management will have a hard time allocating the IT resources efficiently. The enforcement of the IT strategies and policies will be even harder. A strong governance structure, however, saves money as decision making and enforcement become much more effective.
  • A good IT compliance organization requires robust structures for identifying, analyzing, and adopting changes of the environment. From a compliance standpoint this is necessary to ensure the effective identification of new or changed laws and regulations in order to avoid any non-compliance. The less developed the compliance culture is, the more cumbersome and, thus, costly is the adoption of laws and regulations. At the same time, these compliance (change) processes can be used as a cost-efficient and effective catalyst for changes of the business/IT strategies, markets, technologies, and best practices.
  • A good IT compliance organization does not only consider external requirements, such as laws and regulations. It also considers the organization's own goals and (business) requirements, such as strategies and policies. Thus, the compliance framework is a tool for the IT management to introduce, implement, and enforce the organization's very own goals. And it also features tools to measure any deviations from these goals. Without these tools, the IT management will have to put a lot more resources into the above management processes and will be much less likely to stay in control.
  • A good IT compliance organization requires some kind of IT risk management. In the absence of a well-defined IT risk appetite and IT risk management processes, the IT management will have a hard time adjusting their expenditures on safe and sound operations and information security. Over- or under-spending might be the immediate result. On the other hand, a sound IT risk management framework fosters a safe and sound IT environment, reduces IT risk, and thus cost. Furthermore, the IT risk management allows the IT management to better allocate time and money to the most important risk areas, and thereby prevents misspending.
  • In the end, you will always have to fine-tune the compliance efforts in relation to the desired compliance culture (cost/risk/resources). But it is fair to say that good compliance fosters efficiency and vice versa, and thus makes good business sense.

    Why we need less policies & procedures and more good people for effective risk management
    Oliver Wehling on 04.05.2015, 18:14

    Imagine you could design a financial services IT organization and the corresponding GRC and security functions as you please. Forget about the existing laws and regulations and what (you think) you know about good processes and controls. How would you achieve effective GRC and security?

    A recent chat with a colleague who works in the area of IT security led to this subject. So we theorized and hypothesized about it, and it all boiled down to the question: what is more effective, good processes or good people?

    In summary, we came to the conclusion that good people should always be first. But what makes people good at GRC and security? Mostly, risk management experience and training, for which we coined the term "combat experience". That is: people need to "know their stuff". They need to understand it, embrace it, and live it. And they need constant training in handling the risks in their area. Let us look at an example:
    (1) A security manager monitors the intrusion detection system. She has never experienced an incident so far. All of a sudden, hackers attack the company's accounting system through a vulnerability. She looks up her manual to find out who to inform and what to do about the intrusion. She follows the instructions and opens an incident ticket. The system manager reports back that he is not responsible because the intruder came through the interface and not the system itself. The ticket moves on to the interface manager. She takes care of the incident and reports back. The security manager files a report. The process works.
    (2) The experienced security manager might not look up her manual but goes right into the system, gets the system manager on the phone, agrees on a remedy, locks the intruder out, and while doing so reports the attack into the security organization. Afterwards she does not exactly remember everything she did but does her best to file the report. She did not comply with the process, and even forgot to talk to the interface manager.
    The example might be a little "constructed" but it illustrates my point. While #1 followed the process, #2 was more effective in managing the risk.

    Do not get me wrong. I do not favor anarchy. Processes have their rightful place in our organizations. But the main reason why policies and procedures did not make first place is that, however good they are, they cannot replace "combat experience". Good processes on their own mean nothing. You always need people who live the processes. And then again, if you do not have good people who understand the processes and - more importantly - understand risk, you will lack effectiveness.

    It is worth taking a look at the history of regulation and ever-increasing process-devoutness. Besides the idea of repeatability and standardized quality independent from individuals as introduced during the industrial revolution, the main reason for well-designed and documented processes in the financial services industry is comprehensibility, which is mostly driven by regulators and (internal) auditors. Financial institutions have to be able to prove their high standards to outsiders, and that they abide by their standards. The only way of doing so is to formalize processes and document their execution. Funnily enough, while the rationale behind that is well-intentioned, two negative side-effects of strong formalization in particular might occur:

    Short-sightedness
    If tasks are well-defined, people tend to think inside these definitions. People might shy away from problems that require thinking and - more importantly - acting beyond these definitions. In risk management, that leaves a lot of weaknesses unnoticed.

    Reduced responsibilities
    If responsibilities are clear-cut, people tend to dodge the gray areas. While everyone exactly knows their responsibilities, they also exactly know for what they are not responsible. That is the opposite of good entrepreneurship.

    So, while helping the 2nd lines and 3rd lines of defense, the auditors, and the regulators with their comprehension of processes and compliance-assessments, the effectiveness of the financial institutions' GRC and security programs may suffer at the very same time. So I would argue that it is about time to discontinue the excessive formalization and to concentrate on "combat experience" to foster the effectiveness of GRC and security. The only problem for financial institutions being: although effectiveness through "combat experience" generates a track record it is hard to prove.

    The three most important factors of IT compliance: people, people and people!
    Oliver Wehling on 02.02.2015, 20:00

    Over the last years, I was involved in designing and implementing a governance and compliance function for IT, and in establishing their processes within the IT department. Being an auditor, my team and I constantly assessed the development of the compliance efforts. During that time we established an ongoing discussion within internal audit, with the auditees, and with external auditors. The main questions were (are): what are effective controls, how can the IT department include controls in their processes, and how can they keep their controls up-to-date. The underlying questions were: "How to establish compliance?" and "How to make compliance work and last?".

    While the answer to the first question (How to establish...) was the focus of all the project efforts, the second question (How to make it work and last) is less obvious, and - in my opinion - oftentimes not satisfactorily answered; neither by the IT department nor by the external consultants.

    When establishing the compliance organization, everybody focuses on the organizational structure (i.e. who is responsible, how to separate from IT operations) and the processes and procedures (i.e. who does what and when). All these factors impact the efficiency and effectiveness of the compliance program. However, there are many ways to implement a good IT compliance program and in the end it might not make a big difference e.g. whether you established the direct report to a governance body or a management body. So stop for a minute and think about the single most important factor that decides on whether the IT compliance program becomes a success or a failure: people, i.e. general management, IT management and IT staff.

    Why is that? Although the processes, policies and procedures are an important building block, they do not work on their own. First, general management must see the need to establish IT compliance and must be willing to invest accordingly; the latter not only in terms of money but also in terms of their own time and willingness to promote the IT compliance program. If general management does not fully support and drive the program, I would argue that you can stop right there and put your money elsewhere. The program will not work.

    Second, IT management must see the value they receive from a well-working IT compliance program and must drive it accordingly. That includes that they openly admit compliance issues and leave their comfort zones to change their own behavior. Most importantly, they have to allow transparency, which leaves them in a "vulnerable" situation. Only if IT management sets a good example will IT staff follow. Otherwise, ... you guessed it ... the program will not work. Even if staff supported the compliance program, a lack of transparency and IT management support would kill all efforts resulting from compliance issues.

    Third, IT staff needs to understand the reasons for the IT compliance program and must be able to include the compliance routines in their everyday work. Sounds self-evident, but to my understanding this is the most underestimated factor. Unless you can convince your IT staff that the program is important and helps the organization, and maybe also staff themselves, they will try to avoid compliance routines wherever possible. You could force them, but the quality would not be satisfactory (at least if you have to force the majority of your staff). Beyond general understanding, you will have to train your staff. They need to understand what they have to do, why they do it and how to do it. It is not enough to write an IT compliance handbook with hundreds of pages and let your staff figure out the rest. And finally, you have to factor in the time that is required to carry out the compliance routines. This is probably the most costly element of the whole compliance program. Forget about the expensive IT compliance officer and external consultants. Allowing time for IT compliance in everyday business costs real money! If you want to make the compliance program a success - assuming the operations workload stays the same - you will have to hire more people in the affected IT functions. Otherwise, ... and I am repeating myself ... the program will not work.

    Finally, when you consider all the afore-mentioned factors, and all three groups of people fully support the IT compliance program, you are most likely to make the IT compliance efforts last. And - finally - you can start optimizing and tweaking the IT compliance processes and procedures; it will not do any harm to the program as people will know how to handle the changes.

    Prove me right
    Oliver Wehling on 22.12.2014, 19:23

    I often hear auditors argue that the auditee should be able to prove everything she does is correct and that she complies with the policies and procedures. So the burden of proof is always with the auditee. At first glance, there is nothing wrong with that. But take a closer look at what this statement implies.

    On the one hand, the very reason for documenting the execution of controls is to establish an audit trail. The audit trail proves to the 2nd and 3rd lines of defense that the processes are run correctly and in line with the regulations. This is how control systems work.

    On the other hand, where does this burden of proof end and who defines the border? The employee does not have to document her every move only to prove her correct and compliant behavior to others. To a certain extent we have to trust her, at least in lower-risk areas. Otherwise processes become extremely inefficient and our knowledge-based enterprises turn into assembly lines filled with workers who happily turn off their brains.

    Let us look at an example taken from the company I work for: the process for identifying legally critical outsourcings and for deciding how to manage these outsourcings leaves the decision on the latter with the business unit involved. If they decide that the outsourcing does not require intensive supervision, they will not prepare all the excessive documentation on how they came to their decision. Why should they? The outsourcing is not critical. Now the discussion between audit and business unit goes as follows:
    Auditor: Why did you not document your decision? No one can comprehend the reasoning and the correctness of your decision?
    Auditee: But the outsourcing is not critical. Why should we?
    Auditor: I cannot comprehend your decision.
    Auditee: But I just explained to you why the outsourcing is not critical. [And I saw you nod your head!]
    Auditor: Well, without documentation I do not see how this could be comprehensible.
    Auditee: ???
    Auditor: You cannot prove to me that you did the right thinking when you assessed the outsourcing as not critical.
    Auditee: But you would agree that is not critical?
    Auditor: That does not matter. I can only accept your reasoning when it is properly documented.

    I better stop here, but I guess you know where I am getting to. The question is: should we require our employees to keep proving they are right for everything they do? I do not think so. We have to design our controls in a way that they catch the big risks. But we should not put a general burden of proof on everyone for everything. It is inefficient and it kills entrepreneurship. Instead we should leave the burden of proof for the less risky activities and decisions with those who question them, like the internal or external auditors. In these cases, instead of the employee proving she was right, let them prove she was wrong.

    EUC economics
    Oliver Wehling on 06.12.2014, 13:05

    Does your company operate EUC* (end user computing)? Stupid question, isn't it? I believe every company out there uses EUC and, to me, it makes a lot of sense to give the non-IT units their own toys. If only the regulator wasn't spoiling the party...

    But wait a minute. Why is it only the regulator who stipulates all these requirements and, thus, renders - at least some - well-established EUC applications inefficient? Isn't it in the company's very best interest to handle EUC the same way they handle all the central IT? I would argue: yes, it is!

    Some of the most common reasons for EUC are time-to-market, fast-moving environments, strong entanglement of IT and business, and insufficient IT manpower. So the business units would usually argue that it is highly cost-efficient to be fast to the market with their highly flexible EUC that does exactly what they want. And all of that while spending virtually no money on it. I would like to argue that this view is mostly wrong.

    While EUC enables the business to considerably improve their time to market, they should consider that - for more or less critical functions - EUC can almost always be a first prototype only. Take an Excel-based EUC, maybe one of the most common types. By putting up an Excel-based prototype, you may get quick results and insight on how things work out. You know Excel and can even use the more advanced functions. Altogether you can quickly put together a powerful application that processes a lot of data. Still, in the process nobody thought about external requirements and internal processes and procedures. Things like access controls, lifecycle management, back-ups, and coding guidelines are usually not considered. To leave all this useless overhead out of the equation was the reason to do EUC in the first place. And platforms like Excel do not feature these things, anyway - at least not very well. So you have your Excel application ready to work but cannot secure it. Do you want to use it, anyway? What you forgot to do is to consider the operational risk resulting from the EUC and then make a well-informed decision on benefits vs. cost.

    Here are a few things companies might want to consider before implementing EUC:

    • Is the required application short-lived? If so, EUC might be just right. Otherwise you might want to take a look at your cost of implementation and all follow-up costs.
       
    • Does the required application process sensitive data? If so, EUC might not be your first choice. You might want to consider all the measures to maintain data confidentiality and integrity. Usually, this involves things like encryption and strong access controls. If you do not employ a platform that features these security measures, you might want a professional (i.e. IT department) to develop your application. Otherwise it will cost you a lot of time to secure the application yourself. Professionals can usually apply their standard libraries which makes them a lot more efficient.
       
    • Is the required application part of a critical or regulated process? If so, EUC might not be your first choice. You will have to consider all the IT standards from access controls, over change management, to operations. If your company does not have proper EUC processes in place, it usually makes a lot more sense to have IT develop and run your application. That is the very reason they exist: they professionally, safely, and efficiently develop and run IT.
       
    • Does this or a similar application already exist? You might think: stupid question. But wait. The problem of the decentralized business-unit-does-their-own-thing approach is that it is less transparent what applications are out there. Thus, if you do not have a central register for EUC you may want to check with other business units before spending time and money on your own EUC.

    Considering the above might help to understand various aspects of IT/EUC and related costs. Only if companies consider these (and more) can they implement and run EUC in a cost-efficient way.

    * For those who do not know what EUC is, here is a brief definition taken from wikipedia.org: End-user computing (EUC) refers to systems in which non-programmers can create working applications. EUC is a group of approaches to computing that aim to better integrate end users into the computing environment. These approaches attempt to realize the potential for high-end computing to perform problem-solving in a trustworthy manner. End-user computing can range in complexity from users simply clicking a series of buttons, to writing scripts in a controlled scripting language, to being able to modify and execute code directly.

    Documentation overload
    Oliver Wehling on 01.11.2014, 20:00

    Did you ever wonder about the tons of policies and procedures that companies create every day? I bet that at least at one point in time every one of us had this feeling of being completely overwhelmed by the sheer amount of documents that they should have read, according to the policies, before they even lift a finger. So why do we give ourselves such a hard time with a flood of badly written and incomprehensible policies and procedures?

    While the statutory and regulatory regulations require sound policies and procedures, they typically are pretty imprecise on how to implement them in terms of range, detail and complexity. Regulators interpret their regulations based on the individual risk-situation. Consequently, the institutions need a sound understanding of the risk involved and the related appropriate level of documentation. If the institution cannot explain why they chose the actual range, detail and complexity of their documentation, the regulators pass on the burden of proof (proof of insufficiency) to the institution (proof of sufficiency). Why would you want to lose control?

    On top of that, I believe that internal and external auditors traditionally overstate the required scale of documentation and level of detail. From my own auditing experience, I know that auditors rather prefer a black-and-white view on documentation: undocumented processes and controls are considered "not performed" or "not existing". Sometimes, documentation gaps are said to render the whole documentation obsolete. Oral descriptions are not valued at all or, at least, not relied upon.

    Now, you might argue that auditors are shy folks who hate people and very much prefer reading over talking. They should stop being so stubborn and start judging with a little sense of proportion. What can I say, you are right. But you will not change them. So what? The logically consistent reaction of the auditee, i.e. the arbitrary amendment of and meddling with process documentation, policies, and procedures, however, cannot be the right solution to the problem.

    But what is the right solution? I believe that institutions should implement three important rules to ensure the documentation is just right and does not get out of hand:

    1) Know the risk related to the process and/or the controls.
    You do not have a risk management process in place? It is about time you install one. It should be the very basis of any reasonable decision. I do not refer to excessive risk management programs. The size and scope should completely depend on the size and the needs of the organization. But somehow you should be able to systematically identify and rate your risks.

    2) Implement a simple framework that defines the documentation in terms of range, scale, and level of detail based on risk.
    Now you know your risk. But this is not the end of the process. It is the beginning. You want to have a framework that helps you to discriminate different levels of risk and helps you to figure out how to respond. Again, I am not talking about tables that map hundreds of risk items against hundreds of actions. A simple scale of a handful of risk weights linked to a handful of checkpoints may come in much more handy. Whatever the framework looks like, it should pragmatically help you to identify the required level of detail, the required scope, and the required complexity of your process documentation, policies, procedures, and controls documentation.

    Of course, you might want to apply the prior two steps not only to the documentation. Thus, the more generally applicable your framework, the more you can capitalize on it.

    3) Have a communications expert write or review the documentation.
    Everyone knows this. Although subject matter experts know their processes and controls best, mostly, they cannot easily explain them to others. They tend to emphasize and overstate every single detail. Sometimes, they even forget about the big picture and the relative importance to other processes and controls. Thus, you should have the experts deliver the input but have everything processed by communication experts. The latter know how to address things the right way. They can tailor the documents to the right size, use the right (understandable) language, and adjust the level of detail. You might argue that a lot of important details get lost this way. Yes and no. Details may get lost, but usually that is the price you will have to pay for documentation that can be easily read and quickly understood. And to me, most of the time, the latter is much more important than the former. In the end, every employee still has a brain and, once she has got the gist of the documentation, is able to go the last few steps on her own.

    Finally, do yourself and your company a favor. The next time an (internal or external) auditor comes around please fight for your right to decide on how to design and detail your policies and procedures, or documentation in general. Your employees will thank you a lot for not blindly adding to the pile of documentation.

    Creating and maintaining websites is a hobby of mine which I do for family and friends. For professional design projects time is just too short. Still, I very much enjoy creating these sites and improving them over time.

    Amongst others, I designed the following websites, including most of the graphics and programming (usually JavaScript and PHP):

    Legal notice (Impressum)

    Oliver Wehling
    Friedberger Landstraße 47
    60316 Frankfurt

    Phone: 06915627442
    E-mail: oli@cptgut.com

    Responsible for the content (pursuant to § 55 para. 2 RStV):
    Oliver Wehling
    Friedberger Landstraße 47
    60316 Frankfurt



    Disclaimer: legal notices

    § 1 Limitation of liability
    The contents of this website are created with the greatest possible care. However, the provider assumes no liability for the accuracy, completeness, and timeliness of the content provided. Use of the website's content is at the user's own risk. Contributions identified by name reflect the opinion of the respective author and not always the opinion of the provider. Mere use of the provider's website does not establish any contractual relationship between the user and the provider.

    § 2 External links
    This website contains links to third-party websites ("external links"). These websites are subject to the liability of their respective operators. When the external links were first created, the provider checked the third-party content for any legal violations. At that time, no legal violations were apparent. The provider has no influence whatsoever on the current and future design or the content of the linked pages. Setting external links does not mean that the provider adopts the content behind the reference or link as its own. Constant monitoring of the external links is not reasonable for the provider without concrete indications of legal violations. However, upon becoming aware of legal violations, such external links will be deleted immediately.

    § 3 Copyright and ancillary copyright
    The content published on this website is subject to German copyright and ancillary copyright law. Any use not permitted by German copyright and ancillary copyright law requires the prior written consent of the provider or the respective rights holder. This applies in particular to the copying, editing, translation, storage, processing, or reproduction of content in databases or other electronic media and systems. Third-party content and rights are marked as such. The unauthorized copying or distribution of individual content or complete pages is not permitted and is punishable by law. Only the making of copies and downloads for personal, private, and non-commercial use is permitted.

    The display of this website in third-party frames is permitted only with written permission.

    § 4 Special terms of use
    Where special conditions for individual uses of this website deviate from the aforementioned sections, this is expressly pointed out at the relevant place. In that case, the special terms of use apply in the respective individual case.

    Source: Impressum created with Juraforum.de - Our tip: find a lawyer from Frankfurt.



    Privacy policy:

    Data protection
    Below we would like to inform you about our privacy policy. Here you will find information on the collection and use of personal data when using our website. We observe the data protection law applicable in Germany. You can access this policy on our website at any time.

    We expressly point out that data transmission on the Internet (e.g. when communicating by e-mail) may have security gaps and cannot be completely protected against access by third parties.

    The use of the contact details in our legal notice for commercial advertising is expressly not desired, unless we have given our prior written consent or a business relationship already exists. The provider and all persons named on this website hereby object to any commercial use and disclosure of their data.

    Personal data

    You can visit our website without providing personal data. Where personal data (such as name, address, or e-mail address) is collected on our pages, this is done on a voluntary basis as far as possible. This data will not be passed on to third parties without your express consent. Where a contractual relationship between you and us is to be established, defined in content, or amended, or where you send us an inquiry, we collect and use personal data from you to the extent necessary for these purposes (inventory data). We collect, process, and use personal data to the extent necessary to enable you to use the web offering (usage data). All personal data is stored only for as long as is necessary for the stated purpose (processing your inquiry or performing a contract). Retention periods under tax and commercial law are taken into account. By order of the competent authorities, we may provide information about this data (inventory data) in individual cases, to the extent this is necessary for the purposes of criminal prosecution, averting danger, fulfilling the statutory duties of the constitutional protection authorities or the Military Counterintelligence Service, or enforcing intellectual property rights.

    Comment functions

    As part of the comment function, we collect personal data (e.g. name, e-mail) in connection with your comment on a post only to the extent that you have provided it to us. When a comment is published, the e-mail address you provided is stored but not published. Your name is published unless you wrote under a pseudonym.

    Right to information

    You have the right at any time to obtain information, free of charge and without delay, about the data collected about you. You have the right at any time to withdraw your consent to the use of the personal data you provided, with effect for the future. To request information, please contact the provider using the contact details in the legal notice.

    Copyright 2014, cptgut.com
