IT Security Planning

Planning without execution is useless, execution without planning is fatal

Information security is top priority

It is management's responsibility to ensure that every business area works toward defined goals and that operational risks are detected early and kept to a minimum.

Because business processes depend ever more heavily on information technology, the demand for assured information security, from inside the organisation as well as from outside, keeps growing. Whether information security is achieved and maintained therefore depends largely on the commitment and support of management. Besides providing financial and human resources, management has to define clear goals and guidelines.

When planning and selecting information security measures, well-founded risk management becomes essential: its results form the basis for treating risks where necessary, so that the overarching security goals and requirements specified by management can actually be met.

Benefit from our years of experience in a multitude of successful projects covering the strategic planning of information security and the technical implementation of IT security.

Protection of IT assets
Compliance defines the first planning phase of information security: which legal regulations have to be observed, and what protection requirement for your internet application's IT assets follows from them?
Threat Analysis and Risk Assessment
The risk assessment rests on a threat analysis that takes possible vulnerabilities into account. Risks are categorised by their technical and economic impact.
Security Controls and Risk Mitigation
Risks are reduced by selecting security controls. The effectiveness of those controls has to be verified by regular, thorough monitoring; KPIs make information security measurable.

Ongoing risk management for e-commerce applications

The risk management system (RMS) built into our hosting infrastructure determines the security level automatically whenever the technical environment changes or a security-relevant event occurs. The crucial advantage of this ongoing risk evaluation is that measures to fix a vulnerability can be initiated and implemented immediately after it has been identified.

Unlike classic, periodically conducted risk management, ongoing risk management requires tight integration with the operational software systems, so that technical assets are registered for monitoring and risk management as soon as they go live on our platform. Taking into account the protection requirement classified by our customers and further influencing factors such as the firewall configuration and the installed software, the RMS automatically produces an evaluation of the technical risks for internet applications hosted in our infrastructure.

The evaluation of the existing security measures, and the security level derived from it, are updated continuously. Monitoring systems, security reports, KPI trend analyses and audits (for example checks of installation and configuration) supply the information needed for a realistic and up-to-date risk evaluation.

Ongoing Risk Management

Vulnerability analysis

A vulnerability analysis evaluates each vulnerability with regard to its damage potential for confidentiality, integrity and availability as well as its probability of occurrence. For vulnerabilities in software and applications, public classification schemes such as the OWASP Top 10 and CVSS serve as the source for the inherent probability of occurrence, which is derived from the exploitability (EXP) and the collateral damage potential (CDP). Both are CVSS v2 metrics (Exploitability is a temporal metric, Collateral Damage Potential an environmental one); note that CVSS v3 no longer has a CDP metric, so a v3-based feed needs its own mapping onto this scale.

Threat analysis

The system aggregates the results of the vulnerability analysis automatically according to the worst-case principle: for each protection goal, the vulnerability with the highest probability of occurrence and damage value determines the threat risk level.

Risk analysis and technical risk evaluation

In the technical risk analysis, the protection requirement of each asset is scaled against the calculated threat risk levels. Threats are aggregated per asset using allocation tables (assets to threats) and the worst-case principle, and the result is compared with the asset's requirements for confidentiality, integrity and availability. The aggregation also takes into account the security measures specified to eliminate vulnerabilities of particular assets or asset groups.

Business Risk Analysis

The results of the technical risk analysis are so-called Risk Weighted Assets, which can be incorporated into a business risk analysis and thus form the interface to our customer's risk management.

Alongside the technical risk evaluation against the predefined protection goals, business risk factors such as corporate profit, competitiveness, reputation and customer expectations are of decisive importance. Additionally, your internet application, and therefore your company, has to satisfy legal requirements.

Based on the Risk Weighted Assets we can conduct specific risk evaluations that take business impact into account and make well-founded decisions on how to treat these risks.
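To make the worst-case aggregation of the three technical steps above (vulnerability analysis, threat analysis, technical risk analysis) concrete, here is an illustrative model added to this page. It is example code, not the RMS's own implementation: the three-step rating scale, the rule that folds EXP and CDP into one level, the rule that a specified measure lowers a threat level by a number of steps, the risk-weight product, the acceptance threshold and all asset, threat and vulnerability data are assumptions.

```python
"""Worst-case aggregation from vulnerabilities to Risk Weighted Assets.

Added example. The three-step scale, the EXP/CDP folding rule, the
mitigation rule, the risk-weight product, the acceptance threshold and
all sample data are assumptions, not the RMS's own model.
"""
from dataclasses import dataclass

GOALS = ("confidentiality", "integrity", "availability")
LOW, NORMAL, HIGH = 1, 2, 3      # assumed scale used for every rating below
ACCEPTABLE_WEIGHT = 3            # assumed risk appetite: weights above this need treatment


def level(probability: int, damage: int) -> int:
    """Fold probability (from EXP) and damage (from CDP), both 1..3, into one level.

    Assumed rule: product 1..2 -> LOW, 3..4 -> NORMAL, 6..9 -> HIGH.
    """
    product = probability * damage
    if product >= 6:
        return HIGH
    if product >= 3:
        return NORMAL
    return LOW


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    threat: str          # threat the vulnerability would realise
    goals: tuple         # protection goals it can damage
    probability: int     # 1..3, derived from exploitability (EXP)
    damage: int          # 1..3, derived from collateral damage potential (CDP)


def threat_levels(vulns):
    """Threat analysis: for each (threat, goal) only the worst vulnerability counts."""
    levels = {}
    for v in vulns:
        for goal in v.goals:
            key = (v.threat, goal)
            levels[key] = max(levels.get(key, 0), level(v.probability, v.damage))
    return levels


def technical_risk(levels, allocation, requirement, measures):
    """Risk analysis: per asset and goal, the worst allocated threat (after
    mitigation) is scaled against the asset's protection requirement."""
    rwa = {}
    for asset, threats in allocation.items():
        rwa[asset] = {}
        for goal in GOALS:
            exposure = 0
            for threat in threats:
                raw = levels.get((threat, goal), 0)
                # assumed: a specified measure lowers the level by n steps
                mitigated = max(0, raw - measures.get((asset, threat), 0))
                exposure = max(exposure, mitigated)     # worst case across threats
            need = requirement[asset][goal]
            weight = exposure * need                    # assumed RWA score, 0..9
            rwa[asset][goal] = {
                "exposure": exposure,
                "requirement": need,
                "risk_weight": weight,
                "action_required": weight > ACCEPTABLE_WEIGHT,
            }
    return rwa


# Constructed sample data (not real findings).
SAMPLE_VULNS = (
    Vulnerability("V1", "sql_injection", ("confidentiality", "integrity"), probability=3, damage=3),
    Vulnerability("V2", "sql_injection", ("confidentiality",), probability=1, damage=2),
    Vulnerability("V3", "dos", ("availability",), probability=2, damage=2),
    Vulnerability("V4", "info_leak", ("confidentiality",), probability=2, damage=1),
)
SAMPLE_ALLOCATION = {            # allocation table: asset -> threats
    "webshop": ("sql_injection", "dos"),
    "cms": ("info_leak", "dos"),
}
SAMPLE_REQUIREMENT = {           # protection requirement classified by the customer
    "webshop": {"confidentiality": HIGH, "integrity": HIGH, "availability": NORMAL},
    "cms": {"confidentiality": LOW, "integrity": NORMAL, "availability": NORMAL},
}
SAMPLE_MEASURES = {              # specified measures: (asset, threat) -> steps removed
    ("webshop", "sql_injection"): 2,   # e.g. parameterised queries plus a WAF rule
}


def sample_assessment():
    """Run the whole chain on the sample data and return the Risk Weighted Assets."""
    return technical_risk(threat_levels(SAMPLE_VULNS), SAMPLE_ALLOCATION,
                          SAMPLE_REQUIREMENT, SAMPLE_MEASURES)


if __name__ == "__main__":
    for asset, goals in sample_assessment().items():
        for goal, r in goals.items():
            flag = "ACTION" if r["action_required"] else "ok"
            print(f"{asset:8} {goal:16} exposure={r['exposure']} need={r['requirement']} "
                  f"weight={r['risk_weight']} {flag}")
```

Two things the run makes visible that the prose only states: the low-rated V2 never influences the result because the worst case for sql_injection is already set by V1, and the webshop's confidentiality risk drops from the maximum weight to an acceptable one only because a measure is recorded for that specific asset and threat; the same threat allocated to an asset without a measure keeps its full level. In an ongoing setup, re-running the chain after every registered change (new asset, new finding, changed firewall or software inventory) is what turns this from a periodic snapshot into continuous evaluation.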