ADWEKO supports financial service providers in IT security management of their system landscape.
Every IT system landscape is subject to various risks, which increase with the growing importance of IT. In addition to internal risks, such as operating errors or misuse, the importance of external risks, such as hacker attacks, is growing. In order to take account of these growing risks, the regulator continues to develop the supervisory requirements and regularly redefines the supervisory focus areas.
Supervisory security management focuses on the protection of information that is processed by or with IT. The information concerned is to be evaluated with regard to its protection requirement for each of the protection goals “confidentiality”, “integrity”, “availability” and “authenticity”, and, depending on the protection goal, corresponding target measures for the protection of this information are to be implemented for the IT assets (applications, processes) that process it.
ESTABLISHMENT OF A CENTRAL IDENTITY AND ACCESS MANAGEMENT SYSTEM
Implementation of a central authorization management tool with automated processes for granting and revoking authorizations, SoD management and recertification
MANAGEMENT OF INDIVIDUAL DATA PROCESSING
Definition of a lifecycle for IDV (individual data processing) with processes for identification, protection needs assessment, development and replacement; introduction of an IDV management system to ensure the completeness of the IDV inventory
STRUCTURE OF THE INFORMATION NETWORK
Establishment of a complete and always up-to-date information network as an overview of the IT assets (information, processes, applications, infrastructure, buildings, service providers) and for determining the protection requirements
The information network is an essential building block of information security management. The various IT assets, together with their interfaces and dependencies, are documented here so that the protection requirements of the IT assets can be determined. In addition to the classic consideration of the processed information objects for the protection goals confidentiality, integrity and authenticity, and of the supported processes for determining the availability requirements, accumulation risks and technical dependencies should also be taken into account when determining the protection requirements.
Depending on the protection requirements of the IT assets, target measures of different strengths should be defined on a risk basis and ideally described in a comprehensive catalogue of target measures.