IT Security Management

ADWEKO supports financial service providers in IT security management of their system landscape.

    Every IT system landscape is subject to various risks, which increase with the growing importance of IT. In addition to internal risks, such as operating errors or misuse, the importance of external risks, such as hacker attacks, is growing. In order to take account of these growing risks, the regulator continues to develop the supervisory requirements and regularly redefines the supervisory focus areas.

    Supervisory security management focuses on protecting information that is processed by or with IT. Each piece of information is assessed for its protection requirement against the protection goals of “confidentiality”, “integrity”, “availability” and “authenticity”, and, depending on the protection goal, corresponding target measures to protect that information are implemented for the IT assets (applications, processes) that process it.

    ESTABLISHMENT OF A CENTRAL IDENTITY AND ACCESS MANAGEMENT SYSTEM

    Implementation of a central authorization management tool with automated processes for granting and revoking authorizations, segregation-of-duties (SoD) management and recertification
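The three mechanics named in this service item (automated revocation, SoD management and recertification) can be illustrated on a small role model. The following is an added example and not ADWEKO's tooling; the role definitions, the SoD conflict pairs, the 180-day recertification interval and the sample assignments are all constructed for the illustration.

```python
"""Minimal authorization-management checks: SoD conflicts, recertification
due dates and revocations for users no longer active in the HR master data.

Added example; roles, conflict pairs, interval and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Role -> set of fine-grained permissions (constructed).
ROLES = {
    "payment_clerk": {"create_payment", "view_account"},
    "payment_approver": {"approve_payment", "view_account"},
    "reporting": {"view_account"},
    "sysadmin": {"change_auth_config", "view_audit_log"},
}

# Permission pairs that must never be held by the same person (constructed SoD matrix).
SOD_CONFLICTS = {
    frozenset({"create_payment", "approve_payment"}),
    frozenset({"change_auth_config", "approve_payment"}),
}

# Assumed policy: every assignment is recertified at least every 180 days.
RECERT_INTERVAL = timedelta(days=180)


@dataclass
class Assignment:
    user: str
    role: str
    granted: date
    last_certified: Optional[date] = None


def effective_permissions(assignments, roles=ROLES):
    """Union of permissions a user holds across all assigned roles."""
    perms = defaultdict(set)
    for a in assignments:
        perms[a.user] |= roles[a.role]
    return perms


def sod_violations(assignments, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Users whose effective permissions contain a forbidden pair."""
    violations = []
    for user, perms in sorted(effective_permissions(assignments, roles).items()):
        for pair in conflicts:
            if pair <= perms:
                violations.append((user, tuple(sorted(pair))))
    return violations


def recertification_due(assignments, today, interval=RECERT_INTERVAL):
    """Assignments whose last certification (or grant) is older than the interval."""
    due = []
    for a in assignments:
        anchor = a.last_certified or a.granted
        if today - anchor >= interval:
            due.append((a.user, a.role))
    return due


def revocations_for_leavers(assignments, active_users):
    """Assignments held by users absent from the active HR population."""
    return [(a.user, a.role) for a in assignments if a.user not in active_users]


# Constructed sample assignments.
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "payment_clerk", date(2024, 1, 10), date(2024, 6, 1)),
    Assignment("alice", "payment_approver", date(2024, 9, 1)),
    Assignment("bob", "payment_approver", date(2024, 2, 1)),
    Assignment("carol", "reporting", date(2024, 10, 1)),
    Assignment("dave", "sysadmin", date(2024, 3, 15), date(2024, 8, 15)),
]
ACTIVE_USERS = {"alice", "bob", "dave"}  # constructed HR feed: carol has left
AS_OF = date(2024, 11, 1)

if __name__ == "__main__":
    print("SoD violations:", sod_violations(SAMPLE_ASSIGNMENTS))
    print("Recertification due:", recertification_due(SAMPLE_ASSIGNMENTS, AS_OF))
    print("Revoke for leavers:", revocations_for_leavers(SAMPLE_ASSIGNMENTS, ACTIVE_USERS))
```

The SoD check works on effective permissions rather than role names, so a conflict created by combining two otherwise harmless roles is still caught; the recertification anchor falls back to the grant date so that a never-certified assignment cannot slip through.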

    MANAGEMENT OF INDIVIDUAL DATA PROCESSING

    Definition of a lifecycle for IDV (individual data processing) with processes for identification, protection needs assessment, development and replacement, and introduction of an IDV management system to ensure the completeness of the IDV inventory

    STRUCTURE OF THE INFORMATION NETWORK

    Establishment of a complete and always up-to-date information network as an overview of the IT assets (information, processes, applications, infrastructure, buildings, service providers) and for determining the protection requirements

    Within IT security management there are numerous interactions between the individual disciplines, which is why we always take a holistic view of IT security management in our projects. Topics such as the management of administrators as part of authorization management and the monitoring of those administrators within operational information security management with the help of a SIEM can hardly be separated from each other.

    The establishment of a comprehensive information security management system, and the control of its implementation and compliance within the framework of an internal control system covering both the first and second line, is an essential step towards sustained IT security.

    The information network is an essential building block of information security management. The various IT assets with their interfaces and dependencies are documented there so that the protection requirements of the IT assets can be determined. In addition to the classic consideration of the processed information objects for the protection goals of confidentiality, integrity and authenticity, and of the supported processes for determining the availability requirements, accumulation risks and technical dependencies should also be taken into account when determining the protection requirements.

    Depending on the protection requirements of the IT assets, target measures of different strengths should be defined on a risk basis and ideally described in a comprehensive catalogue of target measures.
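The determination described in the two paragraphs above (maximum per protection goal from the processed information objects, availability from the supported processes, an uplift for accumulation, inheritance along technical dependencies, and a mapping to a catalogue of target measures) can be written down as a small procedure. The following is an added example and not ADWEKO's method or tooling; the three-step scale, the accumulation threshold of three "high" inputs, the measure catalogue and the sample network are assumptions made for the illustration.

```python
"""Protection-requirement determination over a small information network.

Added example. Scale, accumulation threshold, measure catalogue and the
sample assets are constructed assumptions, not a regulatory specification.
"""
from dataclasses import dataclass

LEVELS = ["normal", "high", "very high"]            # assumed ordinal scale
GOALS = ("confidentiality", "integrity", "authenticity", "availability")
ACCUMULATION_THRESHOLD = 3                           # assumed: >= 3 "high" inputs uplift to "very high"
MEASURE_CATALOGUE = {"normal": "baseline", "high": "enhanced", "very high": "maximum"}  # assumed


def rank(level):
    return LEVELS.index(level)


def aggregate(levels):
    """Maximum principle, then accumulation uplift when many 'high' inputs meet."""
    levels = list(levels)
    if not levels:
        return "normal"
    result = max(levels, key=rank)
    if result == "high" and levels.count("high") >= ACCUMULATION_THRESHOLD:
        return "very high"
    return result


@dataclass
class InfoObject:
    name: str
    confidentiality: str
    integrity: str
    authenticity: str


@dataclass
class Process:
    name: str
    availability: str


@dataclass
class Application:
    name: str
    handles: list    # names of information objects processed
    supports: list   # names of business processes supported


@dataclass
class Infrastructure:
    name: str
    hosts: list      # names of applications depending on this component


def determine_requirements(info_objects, processes, applications, infrastructure):
    """Return {asset: {goal: level}} for applications and infrastructure."""
    objs = {o.name: o for o in info_objects}
    procs = {p.name: p for p in processes}
    result = {}
    for app in applications:
        handled = [objs[n] for n in app.handles]
        supported = [procs[n] for n in app.supports]
        result[app.name] = {
            "confidentiality": aggregate(o.confidentiality for o in handled),
            "integrity": aggregate(o.integrity for o in handled),
            "authenticity": aggregate(o.authenticity for o in handled),
            "availability": aggregate(p.availability for p in supported),
        }
    # Technical dependency: a component inherits from everything it hosts.
    for infra in infrastructure:
        hosted = [result[n] for n in infra.hosts]
        result[infra.name] = {g: aggregate(r[g] for r in hosted) for g in GOALS}
    return result


def target_measures(requirements, catalogue=MEASURE_CATALOGUE):
    """Map each asset's level per goal to the strength class of target measures."""
    return {asset: {g: catalogue[lvl] for g, lvl in req.items()}
            for asset, req in requirements.items()}


# Constructed sample network.
INFO_OBJECTS = [
    InfoObject("customer_master", "high", "high", "normal"),
    InfoObject("payment_orders", "high", "very high", "high"),
    InfoObject("kyc_documents", "high", "high", "high"),
    InfoObject("marketing_list", "normal", "normal", "normal"),
]
PROCESSES = [Process("payment_processing", "very high"), Process("campaign_planning", "normal")]
APPLICATIONS = [
    Application("core_banking", ["customer_master", "payment_orders", "kyc_documents"], ["payment_processing"]),
    Application("crm", ["marketing_list"], ["campaign_planning"]),
]
INFRASTRUCTURE = [Infrastructure("db_cluster", ["core_banking", "crm"])]

if __name__ == "__main__":
    reqs = determine_requirements(INFO_OBJECTS, PROCESSES, APPLICATIONS, INFRASTRUCTURE)
    for asset, req in reqs.items():
        print(asset, req, target_measures(reqs)[asset])
```

In the sample, core_banking processes three objects that are each only "high" for confidentiality; the accumulation rule lifts the application, and therefore the database cluster hosting it, to "very high", which the plain maximum principle alone would miss.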

    OUTSOURCING MANAGEMENT

    Outsourcing management has to ensure that the regulated institution retains full responsibility for outsourced activities at all times. It must be informed about the outsourced activity as if it were performed within the institution itself. To ensure this, outsourcing management must be involved as early as possible in the purchasing process. This allows each external purchase to be examined for its regulatory relevance. It also enables appropriate management of the relationship with the service provider and of the resulting risks, together with regular reviews of that relationship.

    The more material the identified risks – and thus the outsourcings – are, the stricter the regulatory requirements that must be met. This applies not only to the contract with the service provider, but also to the operationalization of the relationship. For example, reports on the service provider’s performance must be obtained and reviewed on a regular basis and the results must be reported to management and, if necessary, the supervisory authority.

    Outsourcing management has close links to emergency management and information security as well as data protection. Cross-cutting issues also exist with the operational requirements of BAIT, VAIT, ZAIT and KAIT.


    At ADWEKO we know the pitfalls of IT security management, and we know how to design and implement measures on a project basis and how to carry them over into line operations afterwards.

    Talk to JULIAN PHILIPPI!