IT Security and Data Protection
It is difficult for companies to control the many risks that arise due to the steadily increasing degree of IT penetration, digitalization and last but not least the increasingly extensive compliance and accountability obligations. Adequate information security can help counter the many threats to your company. Here LEXTA pragmatically focuses on the specifics of your company and your market environment, aiming to establish a scope of measures that suits your needs. We contribute the experience we gained in a variety of ISEC projects including KRITIS to preparing your company for future risks. Our strength is the ability to look beyond the horizon – we believe that information security should not only comprise IT security, but also include the company’s entire data and security of operational technology / process IT. We therefore support our clients in integrating information security with the challenges resulting from increasing digitalization.
Internal stakeholder requirements, environmental influences and the company's present IT organization are all important factors for the IT strategy and are taken into consideration.
Planning IT security
Only an ISEC strategy that is aligned with the concrete requirements of the company can form a base for the implementation of suitable measures to ensure an adequate level of information security. In the course of our support we consider a variety of influencing factors, among others from the market environment, legal or customer and supplier requirements. Our aim is to create uniform awareness of information security within your company and define employee guidelines to implement strategic requirements, for example for the implementation of risk management.
In the course of this you can rely on our expertise in IT security benchmarks, comparing respective degrees of maturity to other companies and cost benefit evaluations of ISEC measures already established in your company.
Our service portfolio includes holding management workshops on the latest IT security and data protection issues.
Furthermore, we support those responsible for IT security (CISO) in establishing and adapting suitable ISEC governance (organization, roles, committees and processes) and carry out CISO coaching.
Implementing IT security management in accordance with ISO 27001
In over 50 projects so far, LEXTA has supported clients in various sectors in implementing information security management systems (ISMS) in accordance with ISO 27001. Here we draw on the expertise gained by our employees and third parties in carrying out ISO 27001 audits and on the exchange with officials and certification institutes to align implementation with current market standards and concrete needs. Our procedure consists of five phases:
- Preparation and assessment
- Identifying the need for adaptations
- Achieving conformity to standards
- Conducting a pre-audit
- Supporting the certification audit
The first phase includes comparing your existing documentation, measures and processes to the standard's requirements and analyzing them with regard to completeness, correctness and market standards, among other criteria. At the same time we define the fundamental cornerstones of the ISEC strategy in cooperation with our client.
In the following step we identify existing deviations by means of a gap analysis and determine both the need for adaptations and the action plan.
Next, we close the identified gaps in cooperation with our client based on the action plan, for example by creating an asset inventory, updating the risk analysis or creating IT security documentation. Here we draw on tried and tested best practices and LEXTA templates to ensure an efficient and pragmatic procedure.
After the ISMS has been established and conformity with the standard has been achieved, we conduct a “dress rehearsal” for the actual certification (pre-audit) in close cooperation with all contacts and responsible persons. Here we also consider specific auditor requirements and are thus able to master key challenges prior to the actual certification audit.
If the pre-audit goes according to plan, we organize an information session with the relevant persons in advance to prepare your company for the certification audit. During the audit we support our client behind the scenes, and afterwards we review and evaluate the final audit report. If it shows deviations from the standard, we of course help eliminate them.
Ensuring continuity of ISMS
The challenges companies face and the resulting risks change frequently; LEXTA can help you keep information security measures up to date in various ways. In audits and reviews we quickly and efficiently identify and eliminate an ISMS's need for adaptation, while at the same time supporting you in updating your ISEC documentation and aligning it with best practices. We are also able to review the suitability of the technical IT security measures by means of vulnerability analyses. Your company can also counter the increasing number of non-IT-driven attacks such as so-called “CEO fraud” with social engineering tests. Based on collected information, we aim to reach a previously agreed target through skilled conversations and corresponding actions, giving you an individual evaluation of the respective measures and the resulting potential for adaptation.
Business Continuity Management
Floods, massive hacker attacks or a fire in the data center: potential dangers to a company can quickly assume alarming proportions. To ensure you are well prepared for such emergencies, LEXTA supports you in establishing business continuity management. Here we develop the strategies, plans and processes you need to protect your company from lasting damage and to continue your business processes in an emergency. We tailor our systematic preparation to your company's specifics using tried and tested procedures and templates. In close cooperation we can also develop alternative scenarios for emergencies and test them in emergency exercises. Related reviews of end-to-end availability are also possible in order to identify and eliminate vulnerabilities and thus improve your course of action.
Implementation and review of internal control systems for data protection compliance
With effect from May 2018, the European General Data Protection Regulation (GDPR, in German DS-GVO) imposes significantly higher fines for confidentiality breaches than the previous German Data Protection Act. Besides the financial risk, such breaches often damage a company's reputation. With LEXTA's help, companies can adjust to the data protection laws and establish a specifically adapted internal control system for data protection. Our procedure consists of three phases:
- Scope and Situation
- Establish the internal control system and ensure compliance with DS-GVO
- Compliance verification incl. ensuring continuity
In the first phase we define the scope of the internal control system, the relevant general conditions and the data protection strategy. In addition, we review, analyze and evaluate existing documentation, measures and processes. In coordination with the defined contact persons, LEXTA uncovers any deviations from the requirements and the resulting need for adaptation. Based on these needs we cooperate with you to define work packages and a road map for implementation.
Based on the resulting action plan, we create a detailed implementation plan at the beginning of phase 2. Next we begin to establish a risk-based data protection management system built on transparency and suitability targets, in parallel with the implementation of the defined measures. Here we support you in developing the necessary processes and content, for example for the risk analysis and the data protection impact assessment.
All necessary documents can be created and updated using tried and tested LEXTA templates and checklists.
In the third phase, LEXTA can verify compliance in an audit to determine whether requirements and measures have been implemented correctly and to rectify defects, if necessary.