Information security officers for credit institutions

Certificate Course “Information Security Officer for Credit Institutions” — November 19 to 22, 2019

BAIT compliance: appointing an Information Security Officer (ISB)

The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, availability, authenticity and confidentiality of the data in their IT systems and processes. Secure and efficient IT is, however, also essential for the economic success of a bank. The new “Supervisory Requirements for IT in Financial Institutions” (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority (BaFin) calls in this guideline for the newly created function of the “Information Security Officer for Credit Institutions” (ISB, from the German Informationssicherheitsbeauftragter). The ISB steers the information security process and reports directly to the management.

6th Certificate Course “Information Security Officer (ISB) for Credit Institutions”

In cooperation with Bank-Verlag, SRC has already successfully completed five certificate courses on “Information Security Officer (ISB) for Credit Institutions”. After the great response and continuing demand, we are pleased that Bank-Verlag has made a further date possible for this four-day certificate course.

From 19 to 22 November 2019, you will once again have the opportunity to train as an “Information Security Officer (ISB) for Credit Institutions” on the premises of Bank-Verlag GmbH in Cologne.

Training by skilled experts

Together with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Germany), the SRC experts Sandro Amendola, Florian Schumann and Dr. Deniz Ulucay will give the lectures. The experts provide a comprehensive overview of the relevant ISO standards and IT-Grundschutz, as well as of all legal and regulatory requirements relevant to you as an ISB. In addition, the course covers IT risks, emergency preparedness and business continuity management.

After passing the final examination, you will receive the certificate “Information Security Officer for Credit Institutions”.

Optionally, you can acquire the basic IT knowledge required for the course in a one-day intensive seminar in Cologne on 18 November 2019, the day before the course. This seminar covers the fundamentals and terminology of information technology, encryption and IT security techniques.

Aspects of Common Criteria Certifications

Aspects of Common Criteria Certifications — Guest lecture at the Vienna University of Technology

Aspects of Common Criteria Certifications is the topic of a lecture that the experts of the SRC evaluation body for Common Criteria will give at the Vienna University of Technology. The lecture takes place on 10 May 2019 as part of the course IT Security in Large IT Infrastructures at the Institute of Information Systems Engineering.

Common Criteria in science

With the Common Criteria for Information Technology Security Evaluation (CC), IT products can be evaluated regarding their security according to generally applicable criteria. As an internationally recognised standard, Common Criteria is also of interest to the scientific community. An evaluation is first carried out by an evaluation body accredited by the German Federal Office for Information Security (BSI); SRC is accredited as such a CC evaluation body. The BSI then performs the certification.

Guest lecture for students

The SRC experts will discuss the aspects of Common Criteria certifications first hand. The lecture introduces the students to the basic approach to product certification according to Common Criteria. Infrastructures in the European Union that rely on Common Criteria certification are highlighted, and the formal side, including the responsible certification and recognition bodies, is also covered. The lecture concludes with a comparison of Common Criteria with other schemes: certification according to BSI Technical Guidelines, ISO/IEC 27001 and the criteria of the Payment Card Industry (PCI).

NextGenPSD2 certification

NextGenPSD2 certification | SRC launches audits for XS2A

Are you ready to certify your NextGenPSD2 implementation?

The revised Payment Services Directive (PSD2) requires banks to give authorised third parties access to customer account data. These third-party payment service providers (TPPs) are granted access via a programming interface (XS2A, “access to account”) with the customer’s consent. With this data, TPPs can offer innovative payment initiation and account information services. The NextGenPSD2 certification promotes the implementation of a uniform standard.

Most banks and API providers in Europe implement the XS2A interface using the NextGenPSD2 framework of the Berlin Group, an open, Europe-wide harmonised solution for implementing the PSD2 requirements for the XS2A interface.

A correctly implemented and tested dedicated XS2A interface allows the institution to be exempted from providing a fallback interface. The NextGenPSD2 Implementation Support Program (NISP) offers participants a testing framework with a test concept, a test case catalogue, compliance best practices and test tool requirements. The implementing institution evaluates its own work and, on that basis, declares the implementation complete. It remains to be seen whether this self-assessment will be considered sufficient by the national competent authority (NCA).

Why should you undergo the NextGenPSD2 certification?

The self-assessment of the NextGenPSD2 implementation already ensures a high level of quality. However, differing interpretations of the specification can lead to interoperability problems, and there is currently no documented agreement between banks and third-party providers on the exact implementation of the XS2A interface. This increases the probability that the supervisory authority responsible for the bank will refuse the exemption from implementing a fallback interface.

SRC has extensive and detailed expertise from its involvement in the specification and implementation of the XS2A interface as part of NISP. On this basis, we have developed the NextGenPSD2 certification for you.

How does the NextGenPSD2 certi­fi­cation process work?

The inputs to the NextGenPSD2 certification are the test case catalogue, the implementation profile and the test specification of the implementing institution. On this basis, SRC carries out a complete functional, security and performance audit of the NextGenPSD2 implementation.

Audit Validation

During validation, the implementation is reviewed against the requirements laid down in the documentation.

Functional part

In the functional part, the test specifications are executed and the results are verified.

Non-functional part

In the non-functional part, the availability of the implementation under load (stress test) is measured and evaluated at the relevant points.

Security test

In the security test, penetration testing methods are used to evaluate whether the implementation of the XS2A interface offers sufficient protection against fraud attempts on customer data and transactions.

The certification is documented in a final report. If all requirements are at least sufficiently fulfilled, the institution receives an SRC certificate. With this certificate, the conformity of the implemented XS2A interface can be demonstrated to third parties and to the supervisory authority. Building on the initial certification, regression audits can be carried out in the future.

SRC consulting services for development optimisation or for creating the test specification can be used to prepare for the NextGenPSD2 certification.

Why SRC?

As a co-editor of the NextGenPSD2 Framework and the NISP Testing Framework, SRC has a deep understanding of the NextGenPSD2 standards and of all tasks associated with testing. In addition, SRC has many years of experience in developing test environments and employs many licensed auditors for functional and security evaluations according to formal certification schemes. As a result, SRC is able to carry out a high-quality audit with manageable effort.

Are you interested in NextGenPSD2 certification? Then please contact us at info@src-gmbh.de.

Certificate Course ISB

Certificate Course “Information Security Officer for Credit Institutions” — May 7 to 10, 2019

The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, availability, authenticity and confidentiality of the data in their IT systems and processes. But secure and efficient IT is also essential for the economic success of a bank.

The new “Supervisory Requirements for IT in Financial Institutions” (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority (BaFin) calls in this guideline for the new function of the “Information Security Officer” to be set up. He or she steers the information security process and reports directly to the management.

In cooperation with Bank-Verlag, SRC has already successfully completed three certificate courses for the “Information Security Officer (ISB) for Credit Institutions”. After the great response and continuing demand, we are pleased that Bank-Verlag has made a further date possible for this four-day certificate course.

From 7 to 10 May 2019, you will once again have the opportunity to train in Cologne as an “Information Security Officer (ISB) for Credit Institutions”.

Together with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Trinkaus & Burkhardt AG), the SRC experts Sandro Amendola, Florian Schumann and Randolf Skerka will lecture on the relevant ISO standards and IT-Grundschutz, as well as on all legal and regulatory requirements relevant to you as an ISB. In addition, the course covers IT risks, contingency management and business continuity management.

After passing the final examination, you will receive the certificate “Information Security Officer for Credit Institutions”.

On 6 May 2019, the day before the course, you also have the optional opportunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar in Cologne. This seminar covers the fundamentals and terminology of information technology, encryption and IT security techniques.

Associate QSA

Associate QSA — qualifying as a QSA

SRC offers a mentoring programme for future security evaluators

The QSA accreditation — the previous, unstructured path to becoming a highly qualified security evaluator

Extensive experience is required to audit environments in which payment card data is accepted and/or processed for compliance with the PCI DSS security standard. Until now, there has been no standardised way of fulfilling the prerequisites for admission as a PCI DSS assessor (Qualified Security Assessor, QSA): comprehensive professional experience, PCI DSS-specific training and examination, and at least two further accreditations in the fields of information security and IT auditing.

Associate QSA — the accompanied path to QSA

With the new Associate QSA programme of the Payment Card Industry Security Standards Council (PCI SSC), a path has now been defined through which new talent with a basic level of professional experience can progress towards QSA qualification.

An Associate QSA is accompanied by an experienced QSA mentor. The development and growing audit experience of the Associate QSA are regularly reviewed and documented. In this way, it is monitored and ensured that the employee has gained comprehensive experience in all relevant areas by the time he or she obtains QSA accreditation.

SRC provides training

The SRC team is known for not treating assessment standards as checklists to be worked through, but for deriving their application from complex environments and for supporting the customer as practically as possible in implementation and interpretation. This requires comprehensive expertise and experience, combined with a constant exchange with other experts.

SRC therefore welcomes the definition of a step-by-step procedure for the training and support of Associate QSAs, which contributes to building an appropriate qualification. SRC has registered as an Associate QSA company and has already had its first employee approved as an Associate QSA. In this way, the quality of audits in the constantly changing payment environment is to be guaranteed in the future as well.

Accreditation

SRC receives accreditation as a conformity assessment body (KBS) according to ISO/IEC 17065

Last month, the German Accreditation Body (DAkkS) granted SRC Security Research & Consulting GmbH accreditation for its conformity assessment body (KBS, from the German Konformitätsbewertungsstelle) according to ISO/IEC 17065.

The accreditation covers the conformity assessment of (qualified) trust service providers who wish to have their trust services qualified in accordance with the requirements of Regulation (EU) No 910/2014 (eIDAS).

The eIDAS Regulation contains binding Europe-wide rules in the fields of electronic identification and electronic trust services. It creates a uniform framework for the cross-border use of electronic means of identification and trust services.

As an EU regulation, it is directly applicable law in all 28 EU member states as well as in the European Economic Area.

Smart Metering

Chances & Risks of Smart Metering

SRC’s contribution to the expert roundtable on the security perspective of smart metering

On 22 August 2018, Dr. Deniz Ulucay and Dr. Jens Oberender, Senior Consultant at SRC, took part in the expert roundtable in Cologne. It was organised by eco — Verband der Internetwirtschaft and dealt with the topic “Smart Energy: Not without my Smart Meter?”

The meeting was attended by representatives of companies responsible for implementing the Energy Ordinance: suppliers of smart meter gateways as well as network operators and start-ups, for example in the field of visualisation. Dr. Oberender gave an impulse talk. Drawing on the experience of the SRC evaluation body in evaluating security modules and smart meter gateways, he described the opportunities and risks of smart metering. Using a risk-based approach, he outlined the previous activities of the standardisation bodies and the business opportunities to be exploited, but also their risks.

The complete presentation can be downloaded here as a PDF. If you have any further questions on this topic, please do not hesitate to contact us.

Smart Energy

SRC smart energy expert at roundtable in Cologne

On Wednesday, 22 August 2018, an expert roundtable will take place in Cologne. Organised by eco — Verband der Internetwirtschaft, the expert roundtables are characterised above all by a high level of expertise, multidisciplinary perspectives and intensive discussion.

In August the motto of the event is “Smart Energy: Not without my Smart Meter?”, and among other things it builds on the previous roundtable on the topic “Smart Home”. Smart metering has been talked about for many years, but actual development seems to lag far behind the plans and forecasts of that time. New framework conditions, new approaches and new success factors will now be discussed by the panel of experts on 22 August 2018.

Dr. Jens Oberender, Senior Consultant at SRC, will discuss in a talk on the thematic field “Security and perspectives of the smart meter” whether smart meters and their environment can be considered secure. Dr. Oberender draws on his many years of experience in consulting projects relating to the certification of smart meter gateways.

Cloud Security

SRC expands its competencies in cloud security

Cloud computing sets high standards for IT security

Cloud computing has long since become the norm, and more and more companies are outsourcing parts of their infrastructure and services to the cloud in order to act more flexibly.

However, the security challenges in the cloud go beyond traditional IT security requirements. For example, it must be technically guaranteed that only authorised persons have access to sensitive data, and special care must be taken to secure the cloud management interface. The biggest organisational challenge is the distribution of security responsibilities among several parties (the shared responsibility model); this must also be taken into account when drafting contracts and fulfilling compliance requirements.

Incorrect configuration of cloud accounts — billions of files freely accessible on the web

A recent incident shows how sensitive this issue is. Due to faulty configurations of Amazon Simple Storage Service (Amazon S3) buckets and web servers, a large number of confidential documents ended up freely accessible to anyone on the internet, including payrolls, confidential patent applications and secret construction plans for products under development. According to a report by the security company Digital Shadows, around 1.5 billion files were exposed in this way. Confidential data in particular, such as internal reports, photos of shops or data centres, or lists of security vulnerabilities in internal company software, can be misused by attackers to attack the company or for theft.
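The usual root cause behind exposures of this kind is a bucket policy (or ACL) that grants read access to an anonymous principal. The following Python example is an added illustration, not code from SRC, Amazon or the Digital Shadows report: it evaluates an S3 bucket policy document offline and flags every Allow statement that hands read access to "anyone" without a narrowing condition, and shows a weak policy beside its hardened counterpart. Both policy documents are constructed for this example; the bucket name, account id and role name are placeholders.

```python
import fnmatch
import json

# Constructed sample: a bucket policy of the kind that exposes objects to anyone
# on the internet (illustrative only, not taken from any real incident).
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-payroll-archive/*"
    }
  ]
}
""")

# Constructed hardened counterpart: the wildcard principal is gone, read access is
# limited to one named IAM role, and plaintext transport is denied outright.
# Account id and role name are placeholders.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PayrollReaders",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/payroll-reader"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-payroll-archive",
        "arn:aws:s3:::example-payroll-archive/*"
      ]
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-payroll-archive/*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")

# Actions that let a caller read object contents or enumerate the bucket.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value):
    """IAM lets most fields be a bare string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for both spellings of 'anyone': "*" and {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _grants_read(actions):
    """True if any action pattern ("s3:*", "*", "s3:Get*", ...) covers a read action."""
    return any(
        fnmatch.fnmatchcase(read, pattern)
        for pattern in _as_list(actions)
        for read in READ_ACTIONS
    )


def public_read_statements(policy):
    """Classify Allow statements that give read access to an anonymous principal.

    Returns {"public": [...], "conditioned": [...]} holding statement Sids (or
    "statement[i]" when no Sid is set). Unconditioned grants are the real finding;
    conditioned ones are listed separately so a reviewer inspects the condition
    instead of trusting it blindly. A Deny with Principal "*" is never flagged.
    """
    public, conditioned = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        (conditioned if stmt.get("Condition") else public).append(sid)
    return {"public": public, "conditioned": conditioned}


if __name__ == "__main__":
    print("weak:    ", public_read_statements(WEAK_POLICY))
    print("hardened:", public_read_statements(HARDENED_POLICY))
```

A policy check like this complements, but does not replace, enabling S3 Block Public Access at the account level and reviewing bucket ACLs: the policy document is only one of the places where a public grant can hide.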

SRC employees acquire the Certificate of Cloud Security Knowledge

SRC supports its customers competently in meeting these challenges. To this end, several employees have acquired the Certificate of Cloud Security Knowledge (CCSK) of the Cloud Security Alliance.

The CCSK is the first cloud security certificate offered by the Cloud Security Alliance, the world’s leading organisation dedicated to cloud security. The Cloud Security Alliance is a non-profit organisation and develops, in cooperation with ENISA, vendor-independent guidance for cloud security. By acquiring the certificate, SRC employees have gained the breadth and depth of knowledge needed to implement holistic cloud security programmes that protect sensitive information according to globally recognised standards.

International Common Criteria Conference

SRC gives lecture on JTEMS at the International Common Criteria Conference in Amsterdam

From 30 October to 1 November, the 17th International Common Criteria Conference (ICCC) will take place in Amsterdam. The conference is presented with the support of the Common Criteria User Forum (CCUF), which provides a voice and communication channel between the CC community and the organising committees of the Common Criteria, the CCRA member organisations (national schemes) and policy makers.

SRC will again actively participate in this year’s conference. In a presentation by our expert Sven-Martin Hühne on the topic “JTEMS — a Payment Scheme Independent Framework for POI Terminal specific Security Evaluations based on Common Criteria”, the JTEMS framework is presented and the current state of affairs is explained. The presentation deals with the advantages of a CC-based, payment-scheme-independent evaluation and certification procedure for POI terminals. The framework is a living example of the active use of the CC methodology by interested parties from the private sector (the German banking industry and UK Finance, or Common.SECC). The possibility of embedding the JTEMS framework in the current discussions of the EU Commission on a “European security certification scheme” will also be addressed.

In the panel discussion “The Why and How of Using CC in Private Schemes”, Regine Quentmeier will discuss these aspects from the point of view of users in the European banking industry, in an exchange with representatives of other economic sectors.