IT security & data protection | LEXTA - Part of Accenture

IT security and data protection

It is difficult for companies to control the many risks that arise due to the steadily increasing degree of IT penetration, digitalisation and, last but not least, the increasingly extensive obligations in relation to compliance and accountability. An adequate level of information security (IS) can help to counter the many kinds of threats your company faces.

Here, LEXTA takes a pragmatic approach, focusing on the specific requirements of your company and your market environment, with the aim of establishing a package of measures that will suit your needs.

Drawing on experience gained in a range of IS projects, including in relation to critical infrastructure, we play our part in preparing your company for the challenge of future risks. Our strength is the ability to see the bigger picture: we believe that information security should not only cover IT security but should also include all of a company’s data plus the security of operational technology and process IT. As a result, we also help our customers to integrate information security into the challenges that result from increasing digitalisation.

OUR SERVICES FOR IT SECURITY

Demands made by internal stakeholders, environmental influences and the current state of the company IT landscape are all important factors for the IT strategy and therefore need to be considered.

IT security planning

Only an IS strategy that is aligned with the concrete requirements of the company can form a basis for implementing suitable measures capable of ensuring an adequate level of information security. The support we provide here targets many influential factors, such as those from the market environment and regulations derived from legislation or the policies of your company or your suppliers. Our aim is to create a uniform level of awareness of information security within your company and define employee guidelines for implementing your strategic requirements – such as implementing a risk management system, for example. In the process, you can also draw on our expertise in the area of IT security benchmarking, compare your various maturity levels with those in other companies, and receive a cost/benefit assessment of any information security measures already in place within your enterprise.

Our service portfolio also includes the organisation of management workshops on the latest IT security and data protection issues. In addition, we also help your IT security officers (CISOs) to establish and adapt suitable aspects of IS governance (organisation, roles, committees and processes) and we also offer CISO coaching.

Introducing an ISO 27001 IT Security Management System

In over 50 projects to date, LEXTA has supported its clients in various sectors with their implementations of information security systems (ISMS) according to ISO 27001. Here, we draw on the expertise gained by our employees and third parties in carrying out ISO 27001 audits and our dialogue with regulatory authorities or certification bodies to align your implementation with current market standards and your specific requirements. Our methodology is based around five phases:

1

Preparation and status quo analysis

This phase includes comparing your existing documentation, measures and processes to requirements from the standard, and analysing these in terms of aspects such as completeness, correctness and market practice. At the same time, we also work with our clients to define the key cornerstones of their IS strategy.

2

Determination of need for adjustment

In the next phase, we then use a GAP analysis to identify existing deviations, and draw up need for adjustment specifications as well as an action plan.

3

Establish compliance with standard

As a next step, we then work with our client to deploy the action plan with the aim of closing the gaps identified. Examples here could include the establishment of an asset inventory, the updating of the risk analysis or the creation of IT security documentation. Here, we draw on tried-and-tested best practices and LEXTA templates to ensure our methodology is both efficient and pragmatic.

4

Conduct pre-audit

After the ISMS has been set up and conformity with the standard has been achieved, we then hold a ‘dress rehearsal’ for the actual certification (pre-audit) in close cooperation with all stakeholders and responsible persons. Here, we also consider specific auditor requirements and are therefore in a position to master key challenges prior to the actual certification audit.

5

Certification

If the pre-audit has gone according to plan, we then organise an information event with the relevant persons in advance, with the aim of preparing your company for the certification audit. Here, we provide behind-the-scenes support to our client, and review and evaluate the final audit report. If this shows deviations from the norm, LEXTA will of course provide help in the ensuing process to eliminate these deviations.

Ensuring continuity of the ISMS

The challenges – and the inherent risks – that companies face are ever-changing. LEXTA can provide you with a wide range of services that are designed to ensure information security measures are always kept up to date. In audits and reviews, we can quickly and efficiently identify and resolve areas where an ISMS needs to be modified whilst at the same time providing you with support for updating and aligning your IS documentation with best practices. At the same time, we are able to review the suitability of the technical measures deployed in your IT security by conducting weak point analyses. Your company can also use social engineering tests to counter the increasing volume of attacks that do not use IT vectors at all – such as the ‘CEO Fraud’ method. Starting with various collections of information, we then utilise cleverly orchestrated telephone calls and associated activities with the aim of achieving a previously agreed target. As a result, you receive a highly personalised evaluation of the respective measures and the resulting potential for optimisation.

Business continuity management

Floods, large-scale hacker attacks or a fire in the data centre are all potential dangers to your business that can quickly assume alarming proportions. To ensure you are well prepared for such emergencies, LEXTA provides you with support for setting up your business continuity management system. Here, we work with you to develop the strategies, plans and processes that you need to protect your company from lasting damage in a ‘worst-case scenario’, and so to enable you to continue to conduct business as before. Our systematic approach to preparations is optimally tailored to your company’s specific needs here by means of tried-and-tested procedures and templates. We can also work with you to develop appropriate alternative scenarios for use in emergencies and disasters, and test these by means of drills. In relation to this, reviews of the end-to-end availabilities of your various systems are another option, with the aim of identifying and eliminating vulnerabilities, and so improving your options for action.

Rollout and audit of an ICS for data protection compliance

With effect from May 2018, the EU General Data Protection Regulation (GDPR) imposes significantly higher fines for data breaches than the earlier German Data Protection Act (BDSG). Besides the financial risk, such breaches also often work to damage a company’s reputation. With LEXTA’s help, companies can adjust to the provisions of data protection legislation and set up an internal control system (ICS) that is specifically designed for data protection.

1

Scoping and initial situation

In the first phase, we define the scope of the internal control system and any general conditions, as well as the data protection strategy. Existing sets of documentation, measures and processes are also reviewed, analysed and evaluated. Working together with the designated contact persons, LEXTA also discovers any deviations from the standard and their resulting needs for adjustment. Based on these needs, we work with you to define work packages and an implementation road map.

2

Setup of the ICS and establishment of GDPR compliance

At the start of the second phase, we then use the checklist of measures produced to create a detailed implementation plan. We then start to set up a risk-based data protection management system that is oriented on the targets of transparency and appropriateness; this is worked on in parallel to the implementation of the defined measures. We also help you to develop the necessary processes and content – for the risk analysis, for example, and the data protection impact assessment.

All of the necessary documents can be created and kept up-to-date by using tried-and-tested LEXTA templates and checklists.

3

Proof of compliance and safeguarding continuity

Proof of compliance can be established by LEXTA in a subsequent audit, so as to verify the correct implementation of specifications and measures, and to remedy any defects, as necessary.

We are also happy to offer workshops where we work together to identify the options and potential for your business in relation to IT security and data protection.