In a highly connected and information-dependent business environment, the risk of damage due to loss of confidentiality, availability or integrity of information is increasing. Events such as the loss of critical resources and cyber-attacks can jeopardize business continuity. Certitude supports you in managing these risks and protecting you from them. Moreover, this allows you to take full advantage of new business opportunities. The key elements:
/ Comprehensive protection for your information and systems
Due to the growing importance and increasing complexity of information and communication technology (ICT), effective management of ICT risks is crucial to staying competitive. The supervisory authorities are also becoming increasingly aware of the risks, as well as opportunities, in this area and are becoming ever stricter on ensuring effective management of ICT to minimise these risks.
ICT & Security risk management is not, and should not be seen as, a separate measure, but rather a strategic bundle of principles, processes and technologies embedded in daily business. ICT & Security risk management includes, among others, the following topics:
> ICT strategy and governance / ICT strategy and information security targets, ICT governance and control framework
> Protection of ICT assets / Assessment of the criticality of ICT infrastructure (hardware and software, applications and information), measures and instructions for actions to protect assets
> Technical operational safety / Firewall strategy, endpoint protection, network segmentation, configuration of network components, security patches, Group Policy Object, Active Directory
> Authorisation management / Protection against unauthorised manipulation and misuse of data and ICT systems, authorisation under need-to-know restrictions, authentication and user-specific access traceability
> Privileged users / Data and ICT system security measures and controls for privileged users, role-based access control, monitoring and logging of irregularities, strong authentication measures
> Access management and control / Physical protection of ICT systems and information, protection of sensitive areas, restriction and traceability of access
> Protection of critical areas / Protection of storage media and equipment, power supply, cooling and fire alarm systems
> ICT service management / ICT governance service management, ICT asset management (e.g. configuration, dependencies, life cycle, backup), ICT incident and change management
> Business continuity management / Business impact analysis, business continuity planning, contingency planning, planning a restart, crisis communication
> Management of outsourcing / Contracting & SLAs, processes for monitoring provision of services
The aim of ICT & security risk management is to bolster resistance to threats to company information and communication systems, avoiding possible economic damage. Benefit from our hands-on expertise and let Certitude's consultants support you through this process.
/ Identifying and controlling cyber-risk
Damage caused by cyber-attacks often costs companies hundreds of thousands (or even millions) of euros, and as such poses a very real threat to many companies, with advances in digital technology in many fields serving to heighten these risks ever more. Attacks can range from the installation of spyware or the sending of phishing emails to employees, through to attempts to sabotage the entire IT infrastructure of a company (e.g. DDoS attacks). Cyber-attacks can mean weeks of standstill in business operations, leading to enormous financial damage and far-reaching effects on customer relations and company reputation.
Cyber-security is, on many levels, a central and challenging issue for companies and organisations. The sheer and ever-increasing quantity of information flowing through digital channels demands that companies ensure safe handling of sensitive user data, along with their own internal processes. An efficient, effective system of technical and organisational security measures is the key to defending against cyber-attacks.
Companies have to develop tactics for uncovering and defending against potential cyber-attacks. Moreover, they have to know exactly what to do, and be able to do it fast, in the case of an attack. Decisive elements here are having in place a powerful system of risk identification and assessment with a tried and tested cyber incident response plan for emergency cases, as well as a clear understanding among all staff members of why cyber-security is important and what role each individual plays.
Certitude supports you in developing a strategy which takes your cyber-risks, weak spots and any specific cyber-security needs into consideration. With our integrated approach and a tailor-made set of measures, we help you manage your cyber-risk in the right way for you.
/ Developing and running software securely
Security is an important concern for both developers and users of applications. It is often a high priority for users when deciding to buy, and security flaws can wreak havoc on the reputation of developers. The sooner in the software development cycle security aspects are taken into consideration, the cheaper and more effectively they are dealt with. Unfortunately, security is often not considered at all, or at best very late in the process, and the resulting architectural flaws are often difficult and expensive to remedy, if it is possible at all.
Security should also be a key issue for Software-as-a-Service (SaaS) providers, as customers entrust their sensitive data to such providers. The damage caused by hackers in such cases is usually very high, affecting several or even all customers. Security leaks can also spread between customers if isolation is insufficient, which could then expose external customer data.
Security is no less important for users of purchased software. Since applications usually cannot be protected, at least not completely, by firewalls or other security infrastructure, they are a popular target for attackers wanting to break into corporate networks. Even an apparently secure application can have security gaps if configured incorrectly. In addition, danger does not only come from external attackers - internal role-allocation and need-to-know restrictions usually have to be mapped and enforced by applications, especially for critical business processes.
Certitude helps you evaluate your current security levels, as well as conducting vulnerability tests in the form of threat analyses, penetration tests or code reviews. It is especially recommended for software development projects to include security considerations at the earliest possible stages of development. Certitude supports you by planning a secure architecture, as well as training up the developers in spotting and avoiding common vulnerabilities and risks, and works with you through the entire lifecycle to ensure the long-term security of your software.
/ Technical and organisational preparedness for security breaches
Attackers often only need to find one small gap in defences to cause significant damage, while a company has to be ready on all fronts of security, with little to no room for error. Although comprehensive security strategies and a high cyber-security maturity level significantly reduce the probability and extent of potential damage, a certain amount of risk can never be completely ruled out.
Unfortunately, attackers have normally been inside the corporate networks for an average of several months before an attack is detected. Inappropriate reactions often also destroy evidence along the way, making it impossible to clearly determine the extent of the damage. While inside, attackers tend to build backdoors within the network, so that if they are detected and locked out, they can regain access later. Unclear allocation of responsibilities and muddied communication channels can lead to delays in responding, as well as potentially allowing leaks of sensitive information about the incident to the media. Here we can see how the damage of an attack is quickly exacerbated by mistakes and lack of awareness.
Even companies that have implemented extensive security measures cannot completely rule out security incidents in the long run; in fact, they must expect them. Given the extent of the potential damage, the investment in these basic preparations pays for itself quickly.
Certitude supports you in ensuring that you are ready for security incidents, both organisationally and technically. This includes setting up security monitoring to detect attacks, creating guidelines and processes for the handling of incidents, and devising tools for rapid response. Our goal is to prepare your employees, business processes and technologies for incidents, so that you can detect and react to attacks quickly and appropriately, thus limiting any damage.
/ Ensuring business continuity
Minor disruptions are commonplace for all companies – brief power failures, staff shortages, malfunctioning applications/devices. For these types of small disruptions, causing minimal damage, there are normally simple solutions in place that make up a part of everyday business life.
But how well would your company cope with more serious and longer lasting disruptions to operations? Are you aware of the vulnerabilities of the company and what effect certain scenarios would have? Is this information clearly communicated through your strategic and operational management?
Any company can, sooner or later, face an emergency or crisis of some kind. Risk-conscious companies therefore take preventative steps in the form of Business Continuity Management (BCM) before such an incident occurs. BCM aims to maintain critical business processes at all times or, when processes are more seriously affected, to return these to normal operation as quickly as possible.
BCM consists of developing strategies, contingency plans and measures to protect and/or make alternative operations possible for activities or processes whose interruption would mean serious damage or losses the company may otherwise not recover from. To this end, risks that pose a threat and their potential effects are analysed and minimised. The BCM risk management process maintains critical business processes and prevents reputation damage and compliance or financial losses. Certitude gives you hands-on support in setting up and further developing your BCM.
/ Sustainable maintenance of infrastructure security
The IT infrastructure of a company is usually made up of a wide range of components and technologies. IT security must be considered in every corner of it; otherwise exposure to threats rises quickly. In most cases, Microsoft Active Directory plays a central role in the management of users and devices, and must therefore be especially well protected. However, this is not possible without appropriate network security. This can be achieved through network segmentation and security components such as firewalls and intrusion detection systems (IDS), among others. Physical security is also essential, because once an attacker gains physical access to servers or devices, security can usually no longer be guaranteed.
This all gives us an idea of just how complex this topic is. Long-term sustainable maintenance of infrastructure security is therefore only possible when suitable operational and security processes are integrated into the fabric of the company’s processes. Infrastructure security is therefore not solely a technical issue. That is why it is so important that our expertise is also not solely in the field of infrastructure security - our consultants have operational experience from the field, with their practical and accurate advice always reflecting this.
Certitude supports you in assessing your current security level, for example through target-actual comparisons or penetration tests, as well as in planning and implementing a security concept tailored to your company. Our goal is to achieve an efficient reduction of security risks for you through practical and proven methods.
/ Assessing and managing outsourcing risks
There can be many reasons to outsource IT infrastructure to an external service provider, from the reduction of IT costs and professional management by highly specialised service providers, to access to the most innovative technologies and the ability to concentrate fully on the core business. From an economic point of view, outsourcing the IT infrastructure can represent a significant competitive advantage. But do you also know the risks this can entail for your company and, more importantly, can you assess and manage these risks appropriately?
In addition to classic outsourcing risks such as service failure, risk to reputation, strategic risk or the risk of dependence on the service provider, risks associated with information security must also be analysed and assessed when sensitive or critical elements of the IT infrastructure are outsourced. The results of this analysis must be considered when drawing up the contract with the service provider. In addition, the necessary processes and controls must be implemented to adequately manage risks within the company. This is the only way to ensure that the outsourcing is managed in line with the business strategies, while accounting for the company's risk assessment.
The management of information security in the context of outsourcing preserves the confidentiality, integrity and availability of information by applying risk management processes to control risks. The efficient development and expansion of your outsourcing management requires know-how and operational experience in IT infrastructure and risk management. Our experts are here for you - let Certitude support you.
/ Protecting sensitive information
Information is, regardless of the business model, a vital operational building block for any business. Nowadays the success of any company is directly connected to how they use information as a resource. The significance of information and its closely related information and communication technology is, without doubt, only set to rise in the future.
The Information Security Management System (ISMS) is a company-wide management system that ensures the security and continuity objectives for information are met and maintained effectively. The ISMS preserves the confidentiality, integrity and availability of information using a risk management process. The management system comprises all policies, methods and procedures needed to achieve the information security goals of your company.
The ISMS defines, in an easily understandable way, which tools and methods the management have at their disposal to control activities oriented towards information security. It takes into account the current threat situation and through this defines what measures will protect the information effectively.
The introduction of an ISMS is a strategic decision for companies. The conception and implementation of this system within your company depend on the goals, security requirements and organisational processes, as well as the size and structure of your organisation.
It is important that the ISMS is fully integrated into the company’s overall control structures and processes, and that information security is already taken into account in the design of processes, information systems and other measures. The implementation of an ISMS must be adjusted to the needs of your organisation. The challenge therein lies in the fact that an ISMS works along the entire value chain and must be consciously adopted by all employees. Information security organisation and information risk management are the tools for implementing your information security strategy.
With the aim of protecting your company's information, an ISMS makes a decisive contribution to risk reduction in the event of an information security incident. A functioning and effective ISMS not only protects the confidentiality, availability and integrity of critical information, it also enables you to use protective measures efficiently to reduce potential damage to acceptable levels.
Efficiently setting up or expanding an ISMS demands operational expertise and experience in information security, IT security, IT infrastructure and risk management. Put yourself in the safe, expert hands of Certitude's consultants.
/ Implementing technical and organisational measures for appropriate data protection
Since 25th May 2018, the General Data Protection Regulation (GDPR) has been the basis of general data protection law in the EU and Austria. Data protection violations can have drastic consequences for the affected companies and their responsible parties. Under the GDPR, companies must prove that they comply with the requirements of the regulation – a feat which is not to be underestimated. Simply being found not to have the required processes in place is enough to see companies faced with the threat of penalties.
Data protection violations can have further consequences, such as claims for damages by affected persons, fines or even imprisonment. It is very possible for the executives and other responsible bodies to be held personally responsible if they fail to comply. This is yet to mention the extent to which data protection violations can damage company reputation. Effective and efficient prevention of such violations is therefore essential. This requires the establishment of an adequate and effective data protection management system.
Due to the complexity of the matter, an interdisciplinary approach is required to deal with the organisational, legal and technical sides. Certitude supports you, in the interest of your customers and for you to avoid legal consequences, in identifying the technical and organisational measures needed to satisfy all legal parameters.