
Enterprise Security Management. IT risks put business at risk.


Academic year: 2021


Enterprise Security Management.


Today, many different business processes would hardly be conceivable without reliable and adequately protected IT systems. A secure IT infrastructure is indispensable for business continuity, and thus for sustained business success. For their part, disturbances lead to production downtimes or workflow delays. Data losses result in high recovery costs. And security incidents have an unsettling effect on customers and business partners, harming a professional reputation.

It is not enough to implement solutions in an isolated, piecemeal manner. An integrated approach is required, in which all individual measures are coordinated with one another. Safeguarding networks, systems, and IT applications is only one aspect of this process.

An adequate security level can only be attained by factoring in your processes, procedures, and organizational methods. After all, a chain is only as strong as its weakest link. Security must be continuously planned, implemented, managed, and controlled.

Risk management and IT.

More than just security products and services.

The integrated management of information security is the proper means of recognizing possible dangers, introducing countermeasures and adapting to continually changing requirements. The result: Risks become controllable. Legal regulations such as the Corporate Sector Supervision and Transparency Act (KonTraG) already require corporate management to introduce and operate a risk management system. This includes IT security in a concert of inter-coordinated measures from all areas. In the IT security sector, T-Systems offers a comprehensive range of services. Our experts can advise you and offer solutions in all the aspects shown below.


The world of IT security.

Topics and aspects from practical applications.

The ISO 2700x series of standards is based on best practice approaches that were compiled, internationally harmonized, and standardized by British industry task groups in the 1990s. The series identifies eleven subject areas on information security, as well as 130 controls to ensure IT security. The following examples show areas in which T-Systems consultants can provide support.

Security policy.

To start with, security first requires objectives and strategies, as well as security principles and concrete guidelines. Your company must specify which security requirements exist and which security standard should be achieved. Then authorizations, clearances, and responsibilities need to be clarified. It is important that management authorizes a predefined, legal framework for action. For only then can a company guarantee that these objectives and principles are given sufficient consideration, that the necessary steps are integrated into daily practice, and that instructions are adhered to. Practice shows that processes for inspection and monitoring (audit) are required.

Organization.

Information security is business-relevant. Therefore, it must be anchored in the company organization in such a way that it can influence all relevant corporate areas. A management forum is given the task of establishing fundamental directions, providing assistance, and coordinating measures for the protection of information security. Only then can consistent and appropriate decisions be made, leading to a targeted improvement of the security standard. The security organization plans analyses, controls, and audits. It also clarifies which role internal audit or external bodies will play in the overall process.

The human factor.

Without the active collaboration of your employees, even the best intentions will not have any impact. Work contracts, job descriptions and functional characteristics should not only outline IT security requirements, but also clearly designate responsibilities. After all, nothing is possible without proper knowledge, sensitivity, and understanding. It is therefore particularly important to inform employees through training courses and other measures. Security is teamwork.

In need of protection?

The inventory and classification of assets is part of the business basics. In the information era, assets also include intangible values, such as IT applications and data. If these are not listed as inventory, or only inadequately, the financial statement will not be the only aspect thrown off-kilter. From experience, such values are subject to considerable risks, for their critical importance to success is frequently only noticed when they are impaired or lost altogether. Asset inventory and classification are a prerequisite for risk analysis. Based on this information, adequate safeguards can be implemented in the context of risk management.

Access control.

Controlling access to IT systems and applications also means that rights must be clearly defined and limited for all users. Just as important is the question: Who is allowed to assign and revoke these rights? Documentation, logging, and auditing are further requirements. Identity and access management (IAM) frequently becomes a considerable challenge, particularly within heterogeneous e-business architectures and dynamically changing business processes.

Security incident and emergency planning.

IT security is a continual process. Those who stand still eventually drop behind. For this reason, designated vulnerabilities and security incidents must be compiled and communicated in such a way that they can be dealt with quickly and in the most preventative way possible. High recovery costs following a system crash or data loss are among the most serious damages caused by unforeseen occurrences in the area of IT systems. Emergency plans, including realistic emergency drills and measures for maintaining business operations, are therefore fixed components of risk management.

Further aspects.

Security measures such as firewalls, solutions for secure dial-in and communication, anti-virus and filter solutions, and intrusion detection and prevention systems are basic components of a security infrastructure. Additional measures include comprehensive, increasingly automated solutions for security and vulnerability management. Beyond these measures, physical safeguards pose questions concerning the protection of buildings, rooms, and work equipment. Has your company established security measures in system development and maintenance? Has it reviewed all legal and contractual obligations regarding IT security? Are corresponding regulations valid for partners and suppliers as well? Security is a complex issue. The list of aspects could easily be continued. T-Systems experts offer consulting and solutions that cover all the details.


From analysis to concept.

Any risks that exist must first be assessed. To determine the potential risks, business processes are analyzed and security targets are defined for the implemented information technology. Are systems, applications, data, and networks sufficiently protected against unauthorized access, manipulation, or viruses? Are technical and organizational measures adequately inter-coordinated? Do security guidelines exist? Are standards adhered to? And finally: does a concrete need for action exist?

T-Systems has analyzed overall business solutions for prominent companies. These encompass firewalls and routers, web and application servers, as well as background systems. We conduct technical and organizational assessments and audits, and also verify conformance to required standards. A “tiger team” exposes security vulnerabilities in a “hands-on” manner and tests the level of security that has been attained in networks, systems, and applications. This “ethical hacking” and security analysis allow the gaps to be closed in an immediate and professional manner. Operative risk management means that the required security standard is established.

From concept to solution.

In any case, analysis always represents the first step. Solutions are demanded. T-Systems security experts design concepts that are tailored to the specific needs and requirements of the customer. The result is a description of the required technical means, starting with the design of the overall architecture and encompassing every layer, all the way to the selection of individual products. As the leading provider of ICT solutions, T-Systems will naturally also integrate the solution. If necessary, we will develop the security software for your system.

In addition to technology, our integrative approach includes guidelines, standards, organization, and data protection. The sum of these elements is an Information Security Management System (ISMS). T-Systems analyzes, designs, optimizes, and implements IT security processes and realizes effective and transparent security management. In the process, national and international standards can be implemented, such as the ISO 2700x series of standards, the Baseline IT Security Catalogue of the Federal Office for Information Security (BSI), and ITIL.

T-Systems can integrate IT/TC security projects autonomously or take over an “information security” subproject within your large-scale projects. These and other offers, including dCERT, an information service for vulnerability handling, round out our offer.

T-Systems offers


Security operations management.

The more complex applications, systems, and networks are, the larger the number and diversity of firewalls, virus protection, intrusion detection, and other security solutions need to be. The problem: how are security and configuration settings controlled, and who decides what is relevant from the ensuing flood of log data? T-Systems can help to ensure consistency as well as differentiate what is important from what is unimportant. T-Systems supports its customers in setting up and operating an innovative system for security information and event management. Such a system is able to control a range of different security solutions, while recognizing critical events and introducing the appropriate countermeasures.

State-of-the-art technology enables comprehensive security management as well as reports that are highly informative. T-Systems solutions not only help companies to collect security information, but also to correlate and evaluate its various aspects. They can be perfectly adapted to your ICT. Any risks can be recognized quickly and efficiently. Reports keep users informed at all times about the company’s security status.


Technical solutions alone cannot guarantee security. Companies and public authorities frequently lack the necessary level of expertise in many subject and task areas. Adding in-house personnel can push a company to its limits or is often uneconomical. Using external consultants can help companies overcome the business myopia of those blinded by routine. Additionally, companies profit from the expertise we have gained in numerous client projects, and can depend on the independence of our evaluation and consulting. The resulting business efficiency ultimately lowers costs.

Targeted consulting.

Comprehensively protected.

An integrated approach begins with separate actions, which we coordinate individually with you. For this reason, the first step is defining the objective as well as the application area. Do you merely require penetration testing? On what level should this occur and what factors should it include? Or should security management be integrated into a specific area? T-Systems offers individual service modules or can organize information security for your entire company.


Published by

T-Systems Enterprise Services GmbH Corporate Marketing

Mainzer Landstraße 50 60325 Frankfurt am Main Germany

Contact

T-Systems Enterprise Services GmbH Corporate Customers, ICT Security

Rabinstraße 8 53111 Bonn Germany

E-mail: [email protected]

Internet: www.t-systems.com/ict-security

ICT Security L2-2.1 | Valid as of 1/2009 | Subject to changes and errors | Sv
