Enterprise Security Management. IT risks put business at risk.

Transcription

1 Enterprise Security Management. IT risks put business at risk.

2 Risk management and IT. More than just security products and services. Today, many different business processes would hardly be conceivable without reliable and adequately protected IT systems. A secure IT infrastructure is indispensable for business continuity, and thus for sustained business success. For their part, disturbances lead to production downtimes or workflow delays. Data losses result in high recovery costs. And security incidents have an unsettling effect on customers and business partners, harming a professional reputation. It is not enough to implement solutions in a punctual manner. An integrated approach is required, with calibration of all individual measures. Safeguarding networks, systems, and IT applications is only one aspect of this process. An adequate security level can only be attained by factoring in your processes, procedures, and organizational methods. After all, a chain is only as strong as its weakest link. Security must be continuously planned, implemented, managed, and controlled. The integrated management of information security is the proper means of recognizing possible dangers, introducing countermeasures and adapting to continually changing requirements. The result: Risks become controllable. Legal regulations such as the Corporate Sector Supervision and Transparency Act (KonTraG) already require corporate management to introduce and operate a risk management system. This includes IT security in a concert of inter-coordinated measures from all areas. In the IT security sector, T-Systems offers a comprehensive range of services. Our experts can advise you and offer solutions in all the aspects shown below.

3 The world of IT security. Topics and aspects from practical applications. 2 3 The human factor. Security incident and emergency planning. The ISO 2700x series of standards is based on best practice approaches that were compiled, internationally harmonized, and standardized by British industry task groups in the 1990s. The series identifies eleven subject areas on information security, as well as 130 controls to ensure IT security. The following examples show areas in which T-Systems consultants can provide support. Security policy. To start with, security first requires objectives and strategies, as well as security principles and concrete guidelines. Your company must specify which security requirements exist and which security standard should be achieved. Then authorizations, clearances, and responsibilities need to be clarified. It is important that management authorizes a predefined, legal framework for action. For only then can a company guarantee that these objectives and principles are given sufficient consideration, that the necessary steps are integrated into daily practice, and that instructions are adhered to. Practice shows that processes for inspection and monitoring (audit) are required. Organization. Information security is business-relevant. Therefore, it must be anchored in the company organization in such a way that it can influence all relevant corporate areas. A management forum is given the task of establishing fundamental directions, providing assistance, and coordinating measures for the protection of information security. Only then can consistent and appropriate decisions be made, leading to a targeted improvement of the security standard. The security organization plans analyses, controls, and audits. It also clarifies which role internal revision or external bodies will play in the overall process. Without the active collaboration of your employees, even the best intentions will not have any impact. Work contracts, job descriptions and functional characteristics should not only outline IT security requirements, but also clearly designate responsibilities. After all, nothing is possible without proper knowledge, sensitivity, and understanding. It is therefore particularly important to inform employees through training courses and other measures. Security is teamwork. In need of protection? The inventory and classification of assets is part of the business basics. In the information era, assets also include intangible values, such as IT applications and data. If these are not listed as inventory, or only inadequately, the financial statement will not be the only aspect thrown offkilter. From experience, such values are subject to considerable risks, for their critical importance to success is frequently only noticed when they are impaired or lost altogether. Asset inventory and classification are a prerequisite for risk analysis. Based on this information, adequate safeguards can be implemented in the context of risk management. Access control. Controlling access to IT systems and applications also means that rights must be clearly defined and limited for all users. Just as important is the question: Who is allowed to assign and revoke these rights? Documentation, logging, and auditing are further requirements. Identity and access management (IAM) frequently becomes a considerable challenge, particularly within heterogeneous e-business architectures and dynamically changing business processes. IT security is a continual process. Those who stand still eventually drop behind. For this reason, designated vulnerabilities and security incidents must be compiled and communicated in such a way that they can be dealt with quickly and in the most preventative way possible. High recovery costs following a system crash or data loss are among the most serious damages caused by unforeseen occurrences in the area of IT systems. Emergency plans, including realistic emergency drills and measures for maintaining business operations, are therefore fixed components of risk management. Further aspects. Security measures such as firewalls, solutions for secure dial-in and communication, anti-virus and filter solutions, and intrusion detection and prevention systems are basic components of a security infrastructure. Additional measures include comprehensive, increasingly automated solutions for security and vulnerability management. Beyond these measures, physical safeguards pose questions concerning the protection of buildings, rooms, and work equipment. Has your company established security measures in system development and maintenance? Has it reviewed all legal and contractual obligations regarding IT security? Are corresponding regulations valid for partners and suppliers as well? Security is a complex issue. The list of aspects could easily be continued. T-Systems experts offer consulting and solutions that cover all the details.

4

5 T-Systems offers security with a system. From analysis to concept. Any risks that exist must first be assessed. To determine the potential risks, business processes are analyzed and security targets are defined for the implemented information technology. Are systems, applications, data, and networks sufficiently protected against unauthorized access, manipulation, or viruses? Are technical and organizational measures adequately intercoordinated? Do security guidelines exist? Are standards adhered to? And finally: does a concrete need for action exist? T-Systems has analyzed overall business solutions for prominent companies. These encompass firewalls and routers, web and application servers, as well as background systems. We conduct technical and organizational assessments and audits, and also verify conformance to required standards. A tiger team exposes security vulnerabilities in a hands-on manner and tests the level of security that has been attained in networks, systems, and applications. This ethical hacking and security analysis allow the gaps to be closed in an immediate and professional manner. Operative risk management means that the required security standard is established. From concept to solution. In any case, analysis always represents the first step. Solutions are demanded. T-Systems security experts design concepts that are tailored to the specific needs and requirements of the customer. The result is a description of the required technical means, starting with the design of the overall architecture and encompassing every layer, all the way to the selection of individual products. As the leading provider of ICT solutions, T-Systems will naturally also integrate the solution. If necessary, we will develop the security software for your system. In addition to technology, our integrative approach includes guidelines, standards, organization, and data protection. The sum of these elements is an Information Security Management System (ISMS). T-Systems analyzes, designs, optimizes, and implements IT security processes and realizes effective and transparent security management. In the process, national and international standards can be implemented, such as the ISO 2700x series of standards, the Baseline IT Security Catalogue of the Federal Office for Information Security (BSI), and ITIL. T-Systems can integrate IT/TC security projects autonomously or take over an information security subproject within your large-scale projects. These and other offers, including dcert, an information service for vulnerability handling, round out our offer.

6 Security operations management. The more complex applications, systems, and networks are, the larger the number and diversity of firewalls, virus protection, intrusion detection, and other security solutions need to be. The problem: how are security and configuration settings controlled, and who decides what is relevant from the ensuing flood of log data? T-Systems can help to ensure consistency as well as differentiate what is important from what is unimportant. State-of-the-art technology enables comprehensive security management as well as reports that are highly informative. T-Systems solutions not only help companies to collect security information, but also to correlate and evaluate its various aspects. It can be perfectly adapted to your ICT. Any risks can be recognized quickly and efficiently. Reports keep users informed at all times about the company s security status. T-Systems supports its customers in setting up and operating an innovative system for security information and event management. Such a system is able to control a range of different security solutions, while recognizing critical events and introducing the appropriate countermeasures.

7 6 7 Targeted consulting. Comprehensively protected. Technical solutions alone cannot guarantee security. Companies and public authorities frequently lack the necessary level of expertise in many subject and task areas. Adding in-house personnel can push a company to its limits or is often uneconomical. Using external consultants can help companies overcome the business myopia of those blinded by routine. Additionally, companies profit from the expertise we have gained in numerous client projects, and can depend on the independence of our evaluation and consulting. The resulting business efficiency ultimately lowers costs. An integrated approach begins with separate actions, which we coordinate individually with you. For this reason, the first step is defining the objective as well as the application area. Do you merely require a penetration testing? On what level should this occur and what factors should it include? Or should security management be integrated into a specific area? T-Systems offers individual service modules or can organize information security for your entire company.

8 Published by T-Systems Enterprise Services GmbH Corporate Marketing Mainzer Landstraße Frankfurt am Main Germany ICT security L2-2.1 Valid as of 1/2009 Subject to changes and errors Sv Contact T-Systems Enterprise Services GmbH Corporate Customers, ICT Security Rabinstraße Bonn Germany info.ict-security@t-systems.com Internet: