IT Security Management
IT Security Management based on established standards
Reduce risks, contain threats – make your IT organization secure
By using information technology, you expose the information required in a company to potential sources of danger. As part of IT security management including risk prevention, business processes therefore have to be designed and operated in such a manner that security is ensured across the board.
Based on our tried and tested smartfield analysis, we use a questionnaire to conduct targeted surveys of your employees and/or external service providers, and we also inspect the available documentation. This methodology makes it clear which gaps exist with respect to standards such as ISO/IEC 27001, the BSI IT baseline protection (BSI), and/or the minimum requirements for risk management (MaRisk BA) from the German Central Bank and the Federal Financial Supervisory Authority (BaFin). Following this, we then point out the risks that have been identified and assessed, and make suggestions as to how you can reduce these risks and close the gaps in relation to the standards.
Introducing an ISMS in 8 steps
We advise and support you in the introduction of your Information Security Management System
Are you planning on introducing an Information Security Management System (ISMS)? We guide you through all the steps, right up until the certification phase has been successfully completed. The required effort involved can be determined after an initial Smartfield Analysis; this follows, among other things, the structure of your IT organization, its level of maturity, and your employees' level of involvement.
Benefit from our years of experience
Our experience in the field of IT security starts with our own software development and stretches to system operation in our Germany-based data centers, including high availability through mirrored operation as an option. This offering uses a number of customers from different industries including banks, insurance companies, and global players in the travel sector.
PASS has been certified according to ISO/IEC 27001 since 2012; the ISMS developed in-house also conforms to standard 100-1 of the German Federal Office for Information Security (FOIS/BSI). Our method for analyzing, assessing, and managing opportunities and risks corresponds with standards ISO/IEC 27005, BSI 100-3, and the minimum requirements for risk management according to MaRisk (BA) and MaRisk (VA).
External Information Security Officer (ISO)
Independence and IT expertise – all combined in one person
The information security officer (ISO) plays a key role in your company's IT security management; their independence must therefore be guaranteed. On the one hand, they should have sound IT knowledge; on the other hand, they must not be employed by the IT organization. PASS can supply an experienced employee as an external information security officer upon request to provide you with temporary support in the following tasks and to the desired extent:
- consultation in all security-relevant issues and projects
- updating directives, guidelines, security-relevant concepts and process descriptions, e.g. as a result of external requirements that have changed, audit results, or security incident evaluations
- implementing new or changed organizational measures
- regular inspection of scope and update of risk analysis
- planning, implementation, and tracking risk management measures, including checking their effectiveness
- analyzing information security incidents; planning, implementing, and tracking the resulting control measures
- planning and implementing awareness-raising and training measures
- conducting regular internal audits to check the effectiveness of the information management system
- reporting to management level, organizing management reviews
- support with external audits
Standards such as ISO/IEC 27001 take into account potential threats to IT security goals such as confidentiality, availability, and integrity caused by, for example, information technology, physical, organizational, and personnel weak points. The associated catalogs of measures and hazards are the result of extensive organizational experience, which has been honed to produce the standard.
The potential for risk posed to IT security goals is never static; instead, it is constantly evolving. While known risks can be reduced by taking appropriate measures, technological advancements are often accompanied by new vulnerabilities and threats. That is why the security of an information network must be reclassified on a regular basis - by conducting new analyses and assessments of all risks.