
IT Risk Management

IT risk management is the deliberate management of the corporate and organisational risks that arise from the use of IT.

The rapid spread and deep penetration of IT in all corporate divisions, as well as in business and manufacturing processes, has brought about numerous benefits but also new corporate threats and risks. Today, the boundaries between business, office and manufacturing IT are barely visible.

These IT-related threats are therefore increasingly relevant to enterprise-wide risk management.


@-yet considers these threats and the associated risks in terms of

          Business Continuity          Business Security          Business Compliance


The resulting @-yet portfolio is designed  

  • to recognize vulnerabilities, threats and risks
  • to minimize them via targeted organizational and technical measures
  • to avoid critical situations and
  • to investigate criminal activity (computer forensics).

@-yet combines the management of different hazards and risks in a unified Risk and Information Security Management System (ISMS).


@-yet objectives

  • Align IT processes, IT organisation, IT infrastructure and manufacturing IT with business needs, opportunities and business risks.
  • Protect data and know-how.

@-yet philosophy

Create top-down transparency, manage security, and counter vulnerabilities with targeted measures.

Vulnerabilities, together with the threats that can exploit them, ultimately give rise to business risks. The assessment of such business risks requires:

  • Knowledge of how business and manufacturing processes depend on the information, data and IT they use, and what requirements they place on IT
  • Knowledge of the nature, role, flows and locations of information, data and IT dependencies
  • Knowledge of the critical IT infrastructure and of the existing vulnerabilities and threats regarding Continuity, Security and Compliance
  • Assessment of the probability of the different threat scenarios that arise from the specifics of the business and the IT design (technology, organisation)
  • Knowledge of the damage and consequences that could result from these threat scenarios.

Risk identification
@-yet consistently pursues this approach and

  • records, documents and models IT in a transparent relationship with the business and manufacturing processes
  • uses the proven, optimised methods of GAP, Impact and Risk Analysis to determine the criticality of business and manufacturing processes and IT structures, and carries out a risk assessment
  • adapts these methods to the specifics of the company
  • considers the various threats of
    • organizational origin (horizontal security processes, IT processes such as design, documentation, change, operation)
    • technical origin (such as IT architecture, IT solutions) and
    • physical origin (buildings, data centre infrastructure).

Risk handling and security management
While the results of a risk analysis give companies a valuable and implementable action plan, they represent only a static view of the situation. Sustainable security can only be achieved by introducing security processes and integrating them into the business and IT service management processes they affect.

  • @-yet advises companies and designs and implements IT risk and information security management systems tailored to their business requirements.
  • @-yet ensures that the IT security perspective is built into all major business and IT processes.
  • @-yet helps those responsible for information and IT security to understand the security situation and to organise security accordingly.
  • @-yet supports the design and optimisation of effective IT service management processes that ensure secure IT operation.

Business Continuity

Protection against failures and accidental emergencies

IT failures (internal or at suppliers), planning errors, sabotage and cyber-attacks, data loss, force majeure and other events lead to outages and to emergencies that threaten the company. Note that an emergency outside IT may also require specific IT solutions.

@-yet approach
Create transparency about the dependencies between business and IT, assess risks, ensure technical and organisational availability, and protect against emergency risks. Consolidate technical solutions, organisation and processes.

  • Introduction of requirements management
  • Introduction of SLAs, IT availability, IT continuity, change processes and their integration into enterprise-wide BCM, risk and ISMS processes
  • Business Impact Analysis (BIA)
  • Load testing
  • Technical and organisational availability solutions (applications, infrastructure, business processes)
  • Backup solutions
  • Emergency preparedness concepts
  • Emergency manuals
  • Technical solutions for handling emergency situations.

@-yet results

  • IT failures and IT emergencies remain within an acceptable range
  • IT is technically and organizationally prepared for potential emergencies as well as integrated into the business continuity strategy.

Business Security

Security against intentional attacks (espionage, sabotage), unauthorized modification, and loss of know-how

Vast and globally available IT infrastructures, web servers, websites, Internet communication, mobile devices and removable storage media offer new attack surfaces. The risks of industrial espionage, sabotage, theft of know-how, manipulation, falsification, unauthorised access and similar attacks grow accordingly.

@-yet approach

Identify vulnerabilities and threats, and assess risks. Align the defence strategy and information protection with the organisational and technological particularities of the company.

  • Penetration testing, social engineering, source code audits, audit of web-based processes and IT infrastructures
  • Holistic audit of the security situation (requirements and business specifics, processes, organization)
  • Datacentre infrastructure audit (buildings, DC equipment)
  • Data and information classification
  • Policies and guidelines
  • Security concepts
  • Awareness-strategies, know-how protection concepts, ISMS integration
  • Technical solutions (encryption / PKI, protection of mobile devices, anti-virus, identity and access management, hardening of applications and IT infrastructure)
  • Design and implementation of processes for the comprehensive monitoring and management of security
  • Implementation and optimization of IT processes.

@-yet results

  • Effective and comprehensive protection of the company, processes, information and know-how.

Business Compliance

Compliance with laws, contracts, and internal regulations (policies)

There is a growing number of legal provisions and regulations governing information management, and these determine IT design. At the same time, IT services are increasingly outsourced to third parties (outsourcing, cloud). As a consequence, the legal position, the resulting liability risks and their consequences are complex and difficult to grasp.

@-yet approach
Identify the applicable legal provisions, the resulting risks and consequences, and the appropriate risk mitigation measures.
In close consultation with specialist lawyers and data protection bodies:

  • Legal compliance audit
  • Advice on legal and data protection issues
  • Contract audits
  • Internal policies and regulations
  • Specifications for the IT organization and operations
  • Technical solutions (PKI, logging, mail, archiving)

@-yet results

  • Liability protection
  • Legally compliant IT

IT forensics

Secure evidence, establish criminal acts, and prevent repetition

IT forensics is devoted to unravelling criminal incidents in the business environment and to investigating suspicious incidents involving IT systems. Its ultimate aim is to identify the perpetrators and to close the security gap.

@-yet contacts the public authorities relevant for reporting and prosecution purposes.

@-yet support for analysis and preservation of evidence:

  • Definition of the specific procedures for suspected criminal activity, if necessary - in close cooperation with the authorities
  • Comprehensive, court-admissible preservation of evidence
  • Thorough evidence analysis and evaluation
  • Reconstruction and documentation of attack scenarios.

© 2013 @-yet GmbH. All rights reserved.