KRITIS 2018

Critical Day 2018 | Knowledge and experience in a lively exchange

The Critical Day

On 25 April 2018 the first Critical Day took place at the SRC Conference Centre. This was the premiere of a series of events that offers a top-class platform for exchange. This is primarily aimed at repre­sen­ta­tives of companies that operate a critical infra­structure (KRITIS). The Critical Day serves above all to establish personal contacts and to exchange experi­ences and best practices on IT and physical security of critical infra­struc­tures.

The Schedule

After the arrival of the first partic­i­pants, a lively exchange on the topics began. At the start of the Critical Day, the fully booked hall documented the partic­i­pants’ need for infor­mation.

Top-class speakers gave an overview of the topic KRITIS. Isabel Münch, Head of CK3 and repre­sen­tative of the Federal Office for Infor­mation Security (BSI), explained the proce­dures and processes in the super­visory authority. Randolf Skerka, Head of SRC and respon­sible for the topic of auditing according to §8a (3) BSIG, described the first experi­ences from the perspective of the auditing body. The Klinikum Lünen was the first to provide proof of the audit according to §8a (3) BSIG. Ralf Plomann, Head of IT at Klinikum Lünen, gave impressive insights into the devel­opment of hospital organ­i­sation in prepa­ration for the audit. Prof. Dr. med. Andreas Becker, who made it clear that sound industry expertise is an essential and indis­pensable corner­stone of a meaningful exami­nation, rounded off the morning.

The expert presen­ta­tions gave the partic­i­pants a 360° view of the require­ments of the BSI audits, which were largely and with good reason vaguely formu­lated.

At the end of the morning the visual artist Frank Rogge described his view on the questions of criti­cality in the field of artistic creation.

The afternoon was completely dedicated to the main interests of the partic­i­pants. Under the moder­ation of Jochen Schumacher, co-organiser at SRC, the afternoon was arranged.

The partic­i­pants indepen­dently organized the various contents for nine sessions.

The most signif­icant results of the afternoon

From the session ” Submitting certi­fi­cation findings to the BSI ” it became clear that the BSI does not expect, for example, any “classical” findings or devia­tions formu­lated down to the last technical detail. A roughly described framework of devia­tions and a description of a course of action in the test report is useful. Never­theless, an appro­priate measure must be in place for each risk within a critical infra­structure. This is of enormous impor­tance for the BSI.

The BSI wishes to cooperate closely with the various Kritis companies. The aim is to strengthen the security of IT in Germany.

In the session ” IT Security Awareness in the company ” Ralf Plomann presented the method and imple­men­tation of measures at the Lünen Hospital. The individual approach would be very important here. Every individual in the company would be respon­sible for IT security. In the individual address, every employee would have to be picked up where he is at the moment. According to Plomann, this is especially the case because almost no one would read guide­lines any more. Therefore, more creative approaches should be chosen. Ralf Plomann’s wish for the future: “Awareness for IT security should start at school from upper secondary level”. In the course of the next session, a clear trend towards e‑learning platforms for improving awareness emerged.

In another session, the partic­i­pants focused on the safe and simple defin­ition of the scope. The pyramid model was partic­u­larly favoured in the discussion. The service classified as critical is the best starting point for defining the scope. For example, when it comes to the critical infra­structure of a sewage treatment plant, the defin­ition of the scope requires identi­fying and deter­mining which systems clarify the water, what effects a failure would have and how this failure can be compen­sated by other methods to maintain the critical service.

With this method you system­at­i­cally move to the outer perimeter. If you get to systems that are no longer critical, the limit of the scope is reached.

Conclusion of the first “Critical Day” from SRC’s point of view

An example of the fasci­nating atmos­phere was the contin­u­ation of the bilateral commu­ni­cation of the partic­i­pants between the individual sessions. The feedback proved that the partic­i­pants were able to make many new contacts and gain insights from other KRITIS projects.

The overall positive response of the partic­i­pants shows us as SRC that the Critical Day is a useful hub for the exchange of infor­mation on KRITIS projects between the partic­i­pants. Our thanks goes to all partic­i­pants who contributed funda­men­tally to the success of the Critical Day with their open-mindedness and commitment.

We regard the Critical Day as a successful exper­iment. This motivates us to start preparing for a follow-up event.

Transakt entspricht dem EBA-RTS

Transakt complies with the EBA RTS

SRC confirms that the mobile banking solution Transakt by Entersekt meets the PSD2 require­ments

Read more

Information Security Officer for Credit Institutions

Certificate Course “Infor­mation Security Officer for Credit Insti­tu­tions” — November 6 to 9, 2018

The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, avail­ability, authen­ticity and confi­den­tiality of data in their IT systems and processes. However, secure and efficient IT is also absolutely essential for the economic success of a credit insti­tution.

The new “Banking Super­visory Require­ments for IT” (BAIT) formulate concrete expec­ta­tions. Among other things, the Federal Financial Super­visory Authority (BaFin) has issued a guideline calling for the new function of the ” Infor­mation Security Officer ” to be set up. He or she controls the infor­mation security process and reports directly to management.

In cooper­ation with Bank-Verlag, SRC has already success­fully offered three certificate courses to become an “Infor­mation Security Officer (ISB) for credit insti­tu­tions”. After the great response and the continuing demand, we are pleased that the Bank-Verlag has made another date for this four-day certificate course possible.

From 6 to 9 November 2018, you will again have the oppor­tunity to receive further training in Cologne to become an “Infor­mation Security Officer (ISB) for credit insti­tu­tions”.

Teamed up with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Trinkaus & Burkhardt AG), the SRC experts Sandro Amendola, Florian Schumann and Randolf Skerka will give a lecture on the norms and standards according to ISO and IT-Grund­schutz, as well as on all legal/regulatory require­ments relevant to you as an ISB. In addition, the topics IT risks and emergency precau­tions as well as business conti­nuity management will be dealt with.

After passing the final exami­nation, you will receive the certificate “Infor­mation Security Officer for Banks”.

Optionally, you will have the oppor­tunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar in Cologne on 5 November 2018 prior to the event. This course deals with the basics, terms, encryption and IT security techniques in infor­mation technology.

CSCUBS 2018

SRC supports the 5th Computer Science Conference for University of Bonn Students — CSCUBS 2018

SRC is pleased to support the 5th Computer Science Conference for University of Bonn StudentsCSCUBS 2018, which will take place on May 16, 2018.

Promotion of research and scien­tific exchange

CSCUBS 2018 is organised by PhD and Masters students. Its goal is the promotion of research in computer science, as well as the scien­tific exchange between students, researchers and practi­tioners. “The CSCUBS is an initiative from among the students that SRC gladly supports,” says Detlef Kraus, autho­rized signatory at SRC. “And especially the profes­sional exchange between research, practice and teaching is urgently needed if our society wants to meet the challenges of IT security with confi­dence,” Kraus continues.

Starting point for personal and profes­sional exchange

The 5th Computer Science Conference for Students of the University of Bonn (CSCUBS 2018) provides a platform for university projects, disser­ta­tions and results from research, devel­opment and practice in the field of computer science. The conference will take place on 16 May 2018 at the University of Bonn. SRC supports the event not only as a sponsor. We will also be present with a booth to offer a point of contact for personal and profes­sional exchange.

Presen­tation of a project result at CSCUBS 2018 included

SRC will also present one of its many projects at the CSCUBS. Practice often provides surprising research approaches and exciting insights. The CSCUBS is a welcome platform for SRC to present our work to an inter­ested, young and competent circle of experts and to exchange ideas. Perhaps the many discus­sions will also provide qualified starting points for using the expertise gathered at CSCUBS 2018 in joint project work.

Critical Day

Critical Day 2018 | on April 25, 2018, critical infra­structure operators meet at SRC

Critical infra­struc­tures and their signif­i­cance | Critical day 2018 makes an exchange possible

Critical infra­struc­tures (KRITIS) are organ­i­sa­tions and facil­ities of major impor­tance to the public sector, the failure or impairment of which would result in sustainable supply shortages, major public security disrup­tions or other dramatic conse­quences. These critical infra­struc­tures are exposed to various dangers. Among other things, there are also various scenarios in which the security of infor­mation technology systems in critical infra­struc­tures takes centre stage. The starting point for the conference “Critical Day 2018” with accom­pa­nying barcamp.

Profes­sional “networking” with each other

With the aim of estab­lishing personal contacts and stimu­lating profes­sional exchange, the critical day offers a regular meeting place for people respon­sible for the protection of critical infra­struc­tures. The target group of the critical day are those people who work in a company or insti­tution that supplies the population with essential goods and services. Furthermore, the critical day addresses people who deal with the topic of critical infra­struc­tures in a practical, advisory, regulatory or scien­tific way. The first critical day will take place on 25 April 2018 at the SRC Conference Centre with accom­pa­nying barcamp. Tickets are now available.

The demand of the Critical Day

The Critical Day aims to provide a world-class platform for repre­sen­ta­tives of affected companies, the public sector, science and research to network and exchange experi­ences on devel­op­ments and best practices in IT and physical security of critical infra­struc­tures. It also plays a role that the partic­i­pants are encouraged to design the second part of the critical day as a barcamp. A barcamp is an open conference with open workshops, the contents of which are developed by the partic­i­pants themselves at the beginning of the conference and will be designed in the further course. Barcamps therefore serve the exchange of content and discussion.

SmartCard Workshop

SmartCard Workshop on 21 and 22 February 2018 in Darmstadt

Focus of the SmartCard Workshop

The SmartCard Workshop will take place on 21 and 22 February 2018 in Darmstadt. It is one of the most important events for smart cards in Germany. The partic­i­pants come from all areas of industry, science and politics. They partic­u­larly appre­ciate the technical orien­tation of the workshop and its extensive neutrality. The workshop offers partic­i­pants and experts a forum to present new operating system concepts and conceivable new features and appli­ca­tions, as well as to discuss the current state of devel­opment, cryptog­raphy, infor­mation security and standard­ization.

SRC expert explains authen­ti­cation proce­dures

This year, SRC expert Sandro Amendola will give a presen­tation on security-related and regulatory issues in the “Regis­tration of App-based authen­ti­cation proce­dures”. Such authen­ti­cation methods play an important role in many digital appli­ca­tions and have become very important for all users of online banking systems, especially due to the regulation of the banking market by the PSD2.

Evening event with award ceremony

A special highlight is the evening event. Each year, one expert is honored with the SmartCard prize for special achieve­ments. The prize is donated by Fraun­hofer SIT.

SRC actively partic­i­pates in SmartCard Workshop

SRC supports the workshop as sponsor and through active partic­i­pation in the Programme Advisory Board.

Image source: Fraun­hofer SIT
PSD2

SRC expert Sandro Amendola contributes to the PSD2 conference meeting

Second EU Payment Services Directive PSD2 comes into force

Banken+Partner” expert panel on PSD2

The second EU Payment Services Directive PSD2 comes into force in January. The business policy, technical and regulatory need for action to be taken by credit insti­tu­tions is diverse and at the same time individual for each bank. Among other things, the insti­tu­tions will have to observe and implement stricter security require­ments for the authen­ti­cation of their customers and prove these to the national super­visory authority. For banks and Sparkassen as service providers and for customers as users, there is a risk that login and payment release will become more incon­ve­nient. At the same time, the interface must be imple­mented for access by autho­rised third parties.

SRC expert discusses complex challenges and evaluates solution approaches

SRC expert Sandro Amendola

Sandro Amendola, Division Manager at SRC Security Research & Consulting GmbH, was one of the experts at the table talk of “Banken+Partner”. Mr. Amendola discussed the oppor­tu­nities and challenges of the PSD2 and outlined possible solutions for banks and Sparkassen.

The challenges for banks and Sparkassen

An example of these challenges are the inter­faces for autho­rised third party providers, which PSD2 requires to be made available by banks. Another example is two-factor authen­ti­cation, which further enhances account access security. Increased security on the one hand is often not possible without making too great a sacrifice in terms of conve­nience and customer friend­liness on the other. The experts present also explained how this security can be achieved without loss of comfort or customers. Finally, the oppor­tu­nities that can be exploited through cooper­ation with the agile FinTechs were discussed.

Possible solutions for banks and Sparkassen

The entire expert discussion, as well as the topics and solutions, can be read in the free e‑paper from “Banken+Partner”. In addition, Sandro Amendola is available for individual workshops and consul­ta­tions on PSD2 and its impli­ca­tions.

Image source: Banken+Partner/Fotografie Schepp

EMVCo certification

SRC’s ITSEF laboratory receives extended EMVCo certi­fi­cation

SRC’s certified Common Criteria security laboratory has recently been enriched by another EMVCo certi­fi­cation. The SRC laboratory has long been approved by the German Federal Office for Infor­mation Security (BSI) for the evalu­ation of hardware and software evalu­a­tions for smart cards and similar devices. After SRC has now success­fully evaluated chip hardware of a well-known and also EMVCo certified manufac­turer, EMVCo confirmed the certi­fi­cation of the SRC security laboratory as EMVCo Security Evalu­ation IC laboratory, which is now also listed as such on the EMVCo website, following a review of the latest findings provided within the scope of an IC security evalu­ation project.

Further infor­mation on the certi­fi­ca­tions for SRC by EMVCo can be found here.

NextGenPSD2

SRC GmbH hosts the NextGenPSD2 Conference 2017 in Berlin

The NextGenPSD2 standard of the Berlin Group

In the context of the six-week public market consul­tation of the Berlin Group on its NextGenPSD2 standard for account access “Access to Accounts” (XS2A), which enables third parties to access payment accounts within the framework of the provi­sions of the revised EU directive for payment services (PSD2), SRC GmbH is also hosting a NextGenPSD2 conference. This will take place on October 25, 2017 in Deutsche Bank’s Atrium in Berlin. The conference offers a detailed program that shows how NextGenPSD2 builds a bridge into the banking system and reduces the complexity of the revised Payment Services Directive (PSD2) and the require­ments for access to accounts (XS2A). It also highlights how Third Party Payment Service Providers (TPPs) can provide innov­ative solutions for customers using modern appli­cation programming inter­faces (APIs) for secure access to bank accounts.

Change in payment trans­ac­tions

The conference offers experi­enced specialists, devel­opers, FinTechs, banks, processors and other experts involved in the PSD2 standard an excellent oppor­tunity to learn in detail how NextGenPSD2 will change daily payment trans­ac­tions in the coming years. A variety of policy insiders, experts and stake­holders will provide infor­mation on the background, goals and details of the open and collab­o­rative NextGenPSD2 XS2A API standard. Accord­ingly, the meeting offers a great oppor­tunity for a compre­hensive expla­nation of the topic and to clarify open questions. The conference will also be honoured with an insightful keynote opening speech by the European Central Bank and offers several panel discus­sions with banks, regulators, FinTechs and consumer organ­i­sa­tions.

Networking in Microsoft Lounge and Digital Eatery

The conference also offers excep­tional networking oppor­tu­nities: On the evening of 24 October 2017 (from 6 p.m.), the Microsoft Lounge and Digital Eatery will open their doors to the partic­i­pants and provide access to a get-together event with delicious cuisine and refreshing drinks at no extra cost.

SRC supports people with a handicap as part of hardware delivery

SRC has been cooper­ating with alster­arbeit in Hamburg for more than two months now. People with handicaps are working on orders for the individual assembly of computer hardware. As a result, they are able to partic­ipate in working life and experience personal profes­sional realization.

The alster­arbeit gGmbH in Hamburg

In 2000, alster­arbeit gGmbH merged from the Alsterdorf workshops and the daycare facil­ities to form the employment agency alster­arbeit. In 2005 the company was trans­formed into today’s alster­arbeit gemein­nützige GmbH. Its aim: to offer people with disabil­ities employment in line with their wishes, abilities and skills. In this way, these fellow human beings can partic­ipate fully in profes­sional life.

IT manufac­turing at alster­arbeit-it

alsterkontec is the production site for packaging, assembly and technology of alster­arbeit in Hamburg. Besides a wide range of different services, alsterkontec also offers the area of IT manufac­turing, the alster­arbeit-it.
It is a manufac­turer of high-quality and reliable IT hardware. In addition to the production of PAOLA computers, which are certified according to DIN ISO 9001:2008, the IT teams also handle the finishing and individual config­u­ration of notebooks from well-known manufac­turers such as DELL and LENOVO.

SRC employee recom­mends alster­arbeit gGmbH

The cooper­ation with alster­arbeit gGmbH resulted from a private recom­men­dation from the SRC staff. When the SRC management was made aware of the impec­cable work of the people employed at alster­arbeit gGmbH, they decided without hesitation to order and receive notebooks via alster­arbeit-it in the future in order to support the chari­table work of the gGmbH and of course to support the people with handicaps working there.
There is no quality deviation from classic suppliers and dealers, whether in hardware or delivery processing — quite the contrary. The hardware supplied to SRC by alster­arbeit-it is charac­terized by relia­bility and high quality. This is due to the fact that the IT teams of alster­arbeit-it not only have highly motivated and excel­lently super­vised employees but also specialists for sales and project management and that they support their customers with know-how and flexi­bility in the planning and imple­men­tation of their projects. Should there be any problems with the hardware, the alster­arbeit-it tech center in Bad Oldesloe, 30 minutes by car from Hamburg, quickly provides profes­sional help through the experi­enced service team.

For more infor­mation about the work of alster­arbeit gGmbH, please visit the website of alster­arbeit gGmbH and its IT manufac­turing division.