Tag Archive for: Information Security

Information Security Management Systems (ISMS) – myths and misconceptions

There are several myths and misconceptions surrounding Information Security Management Systems (ISMS) that can lead to incorrect assumptions or inadequate implementations.

In our latest blog article, we would like to briefly introduce some of them:


Myth #1: ISMS is only for large enterprises

It’s a common misconception that an ISMS is only for large enterprises. In fact, organizations of all sizes can benefit from an ISMS, as it helps them become aware of threats, mitigate risks and meet compliance requirements. Regardless of the size of the organization, an effective ISMS helps address information security in all aspects of business operations, which ultimately helps strengthen overall business success and promote trust.

Myth #2: ISMS is just a technical matter

There is often a misconception that an ISMS is all about technical measures. However, the primary focus is on information and processes. Through these, both the technical and the other organizational aspects, such as policies, procedures, training and awareness programs, then come into consideration. In other words, an effective ISMS requires a holistic approach that involves people, processes and technology to ensure and improve the security of information in the organization.

Myth #3: An ISMS is a one-time task

An ISMS is not merely a one-time task. While it is sometimes assumed that an ISMS can be implemented once and then operated on the side, it is actually a continuous process that requires constant monitoring, review and improvement to keep pace with changing threats and business needs. This process fosters an enduring culture of information security in the organization that is focused on proactive risk mitigation and constant adaptation to new security challenges.

Myth #4: Conformance guarantees security

Conformance to standards such as ISO 27001 does not automatically mean that an organization is fully protected. An ISMS should be viewed as a continuous improvement process that goes beyond mere compliance. It’s about creating awareness of information security throughout the organization, improving the ability to respond to changing threats, and ultimately establishing a sustainable security culture.

Myth #5: ISMS is for marketing purposes only

While sales and marketing departments certainly won’t disagree, an effective ISMS primarily helps organizations mitigate risk, meet compliance requirements, and build trust with customers and partners. Overall, such a system promotes a security-conscious culture and improves business practices.

Would you have known?

By clearing up these myths and misconceptions, organizations can gain a better understanding of how to effectively implement and use an ISMS to protect their information and drive business success.

We at SRC Security Research & Consulting GmbH can actively support you in the process from consulting to certification. Feel free to contact us.

Contact us:
Christoph Sesterhenn
E‑Mail


TIBER-DE | Increasing the cyber resilience of the financial system

Digitisation of the financial sector — opportunities & cyber risks

The increasing digitalisation of the financial sector not only provides new opportunities, but also leads to increased cyber risks. In particular, attacks on the financial system can have serious consequences not only for the affected company, but also for the public as a whole. For this reason, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) programme in 2018. TIBER-EU serves as a framework for threat-led penetration tests.

In the summer of 2019, the Deutsche Bundesbank and the German Federal Ministry of Finance (BMF) decided to implement TIBER-DE as a national framework for financial companies to test their own resistance to cyber attacks. This implementation has now taken place.

To whom is TIBER-DE addressed?

TIBER-DE particularly addresses critical companies in the financial sector, such as large banks and insurance companies and their IT service providers and payment service providers. In its TIBER implementation, the Deutsche Bundesbank emphasises that the purpose of conducting TIBER-DE tests is to “establish a network of national companies belonging to the target group in order to improve the cyber-resistance of the financial sector in a sustainable and cooperative way, together and by conducting TIBER-DE tests.”

What happens in a TIBER-DE test?

In a TIBER-DE test, commissioned hackers (“Red Team”) use information from a threat intelligence provider (“spy”) to test the cyber resistance of a company. The primary goal is to identify security gaps in the production systems (“critical functions”) within the framework of an attack scenario that is as realistic as possible. The TIBER-DE test consists of three phases, which are presented here in a shortened form:

  • In the preparation phase, the initiation, the kick-off, the determination of the test scope and the procurement take place. In particular, the corresponding contracts with all parties involved are concluded, the test scope is determined and the financial supervisory authority is informed about the intended TIBER-DE test.
  • In the test phase, information on the threat situation is collected and the Red Team penetration test is conducted on the basis of the previously defined test scope.
  • Finally, the closing phase includes the preparation of the test reports, a replay and feedback, a remediation plan for the vulnerabilities found, as well as a final report and the attestation, including the transfer of results.

Risks of the TIBER-DE Test

The TIBER-DE test targets the production systems with the “critical functions” of an institution in order to realistically evaluate their cyber-resistance. However, this is also accompanied by risks, e.g. regarding the confidentiality, integrity or availability of the data or systems. In any case, the institution has to perform a detailed risk analysis and take appropriate measures to minimise these risks before a TIBER-DE test is performed.

Furthermore, companies are confronted with organisational, technical and data protection challenges. Critical business processes have to be identified, and defensive measures have to be established and documented. In addition, TIBER-DE tests must be coordinated with the various stakeholders concerned, e.g. service providers. Furthermore, a confidentiality obligation must be observed by all parties.

Currently, participation in TIBER-DE tests is voluntary. Along with the not inconsiderable risks, this seems to be the reason for the hesitation to perform a TIBER-DE test.

Team up for a successful TIBER-DE test

The experts of SRC can prepare a TIBER test together with you. This includes the company-wide scoping of the critical business processes to be tested and support in establishing compliant reporting channels and processes to control and execute TIBER tests. This puts the internal preparations in place to have a TIBER-compliant penetration test performed by a service provider. With the experience gained from countless penetration tests, bank compliance and information security management projects, we are happy to support you through the entire process of a TIBER test.
