It is difficult for companies to control the many risks that arise due to the steadily increasing degree of IT penetration, digitalisation and, last but not least, the increasingly extensive obligations in relation to compliance and accountability. An adequate level of information security (IS) can help to counter the many kinds of threats your company faces.
Drawing on experience gained in a range of IS projects, including projects relating to critical infrastructure, we play our part in preparing your company for the challenge of future risks. Our strength is the ability to see the bigger picture: we believe that information security should not only cover IT security but should also include all of a company’s data plus the security of operational technology and process IT. As a result, we also help our customers to integrate information security into the challenges that arise from increasing digitalisation.
Demands made by internal stakeholders, environmental influences and the current state of the company IT landscape are all important factors for the IT strategy and therefore need to be considered.
Only an IS strategy that is aligned with the concrete requirements of the company can form a basis for implementing suitable measures capable of ensuring an adequate level of information security. The support we provide here targets many influential factors, such as those from the market environment and regulations derived from legislation or the policies of your company or your suppliers. Our aim is to create a uniform level of awareness of information security within your company and define employee guidelines for implementing your strategic requirements – such as implementing a risk management system. In the process, you can also draw on our expertise in the area of IT security benchmarking, compare your various maturity levels with those in other companies, and receive a cost/benefit assessment of any information security measures already in place within your enterprise.
Our service portfolio also includes the organisation of management workshops on the latest IT security and data protection issues. In addition, we help your IT security officers (CISOs) to establish and adapt suitable aspects of IS governance (organisation, roles, committees and processes), and we also offer CISO coaching.
In over 50 projects to date, LEXTA has supported its clients in various sectors with their implementations of information security management systems (ISMS) according to ISO 27001. Here, we draw on the expertise gained by our employees and third parties in carrying out ISO 27001 audits and our dialogue with regulatory authorities or certification bodies to align your implementation with current market standards and your specific requirements. Our methodology is based around five phases:
Preparation and status quo analysis
This phase includes comparing your existing documentation, measures and processes to requirements from the standard, and analysing these in terms of aspects such as completeness, correctness and market practice. At the same time, we also work with our clients to define the key cornerstones of their IS strategy.
Determination of need for adjustment
In the next phase, we then use a gap analysis to identify existing deviations, and draw up specifications of the need for adjustment as well as an action plan.
Establish compliance with standard
As a next step, we then work with our client to deploy the action plan with the aim of closing the gaps identified. Examples here could include the establishment of an asset inventory, the updating of the risk analysis or the creation of IT security documentation. Here, we draw on tried-and-tested best practices and LEXTA templates to ensure our methodology is both efficient and pragmatic.
After the ISMS has been set up and conformity with the standard has been achieved, we then hold a ‘dress rehearsal’ for the actual certification (pre-audit) in close cooperation with all stakeholders and responsible persons. Here, we also consider specific auditor requirements and are therefore in a position to master key challenges prior to the actual certification audit.
If the pre-audit has gone according to plan, we then organise an information event with the relevant persons in advance, with the aim of preparing your company for the certification audit. Here, we provide behind-the-scenes support to our client, and review and evaluate the final audit report. If this shows deviations from the norm, LEXTA will of course provide help in the ensuing process to eliminate these deviations.
The challenges – and the inherent risks – that companies face are ever-changing. LEXTA can provide you with a wide range of services that are designed to ensure information security measures are always kept up to date. In audits and reviews, we can quickly and efficiently identify and resolve areas where an ISMS needs to be modified whilst at the same time providing you with support for updating and aligning your IS documentation with best practices. At the same time, we are able to review the suitability of the technical measures deployed in your IT security by conducting weak point analyses. Your company can also use social engineering tests to counter the increasing volume of attacks that do not use IT vectors at all – such as the ‘CEO Fraud’ method. Starting with various collections of information, we then utilise cleverly orchestrated telephone calls and associated activities with the aim of achieving a previously agreed target. As a result, you receive a highly personalised evaluation of the respective measures and the resulting potential for optimisation.
Floods, large-scale hacker attacks or a fire in the data centre are all potential dangers to your business that can quickly assume alarming proportions. To ensure you are well prepared for such emergencies, LEXTA provides you with support for setting up your business continuity management system. Here, we work with you to develop the strategies, plans and processes that you need to protect your company from lasting damage in a ‘worst-case scenario’, and so to enable you to continue to conduct business as before. Our systematic approach to preparations is optimally tailored to your company’s specific needs here by means of tried-and-tested procedures and templates. We can also work with you to develop appropriate alternative scenarios for use in emergencies and disasters, and test these by means of drills. In relation to this, reviews of the end-to-end availability of your various systems are another option, with the aim of identifying and eliminating vulnerabilities, and so improving your options for action.
With effect from May 2018, the EU General Data Protection Regulation (GDPR) imposes significantly higher fines for data breaches than the earlier German Data Protection Act (BDSG). Besides the financial risk, such breaches also often damage a company’s reputation. With LEXTA’s help, companies can adjust to the provisions of data protection legislation and set up an internal control system (ICS) that is specifically designed for data protection.
Scoping and initial situation
In the first phase, we define the scope of the internal control system and any general conditions, as well as the data protection strategy. Existing sets of documentation, measures and processes are also reviewed, analysed and evaluated. Working together with the designated contact persons, LEXTA also discovers any deviations from the standard and their resulting needs for adjustment. Based on these needs, we work with you to define work packages and an implementation road map.
Setup of the ICS and establishment of GDPR compliance
At the start of the second phase, we then use the checklist of measures produced to create a detailed implementation plan. We then start to set up a risk-based data protection management system that is oriented towards the goals of transparency and appropriateness; this is worked on in parallel to the implementation of the defined measures. We also help you to develop the necessary processes and content – for the risk analysis, for example, and the data protection impact assessment.
All of the necessary documents can be created and kept up to date by using tried-and-tested LEXTA templates and checklists.
Proof of compliance and safeguarding continuity
Proof of compliance can be established by LEXTA in a subsequent audit, so as to verify the correct implementation of specifications and measures, and to remedy any defects, as necessary.