Cyber-attacks are becoming more frequent. The number of attacks is increasing and the headlines are piling up. The risk is not eliminated with outsourcing to the Cloud. Cloud service providers also have to rethink and provide answers to questions about security measures. For companies, outsourcing creates a new interface that must be managed.

Cloud service providers can be assessed and their service quality evaluated against various standards. In Germany, an assessment according to the BSI C5 cloud standard or according to IT expert committee statement number 5 of the IDW (FAIT 5) is recommended. The corresponding certificates are issued by auditors; attestations according to ISAE 3000 or ISAE 3402 are also worth mentioning here.

In addition to the assessment and the resulting selection of a suitable service provider, it is also important to increase the company’s resistance to damage (resilience).

The pandemic in particular has shown how important digital skills and a functioning digital infrastructure are for SMEs. Never before have technologies been implemented so quickly and become a strategy for functioning business processes in so many areas. With this rapid development, data is becoming a central component of value creation. For this reason, it is important that companies develop strategies and measures to sustainably protect their operations against cyber-attacks. Entrepreneurs owe this not only to their own company but also to their customers, because customers expect companies to take confidence-building measures in the digital transformation.

We help you to secure your company with a customised early warning system, comprehensive security measures and forensic analysis methods against threats from the Internet. We want to build and strengthen your cyber resilience and develop a preventive, forward-looking cyber strategy for your company. Internally IT-secure and externally trust-building in the digital transformation.

If you have any questions or need a partner for your cyber strategy, please do not hesitate to contact us.

Note: the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows US authorities to access all your data – even without a court order. All data stored by US companies, even abroad, is treated as if it were stored on servers in the US. This law applies to internet providers, IT service providers and cloud providers based in the US, and to their clientele. If a company in Europe is part of a US company or exchanges data with US companies, it is subject to the CLOUD Act.

The CLOUD Act affects personal data as well as corporate data such as commercial information, trade secrets and other intellectual property. Neither technical encryption, trustee models nor bilateral agreements provide a safeguard against access by US authorities. This creates a legal conflict with the GDPR.

Cloud providers with headquarters and data centres in the EU offer the highest level of security and are GDPR (DSGVO) compliant. Also look for audit certificates such as ISO 27001, ISAE 3402, C5, and IDW PS 860 in conjunction with PH 9.860.1.

We advise and audit cloud providers for compliance with legal security-relevant requirements.

The IEC 62443 series was developed to secure industrial communication networks and Industrial Automation and Control Systems (IACS) through a systematic approach.

It currently comprises nine standards, Technical Reports (TR) and Technical Specifications (TS), with four parts still under development. IACS can be found in an increasing number of sectors and industries, many of which, such as energy supply and distribution, transport, manufacturing, etc., are central to critical infrastructure (PH 9.860.2: The Review of Measures to be Implemented by Critical Infrastructure Operators Pursuant to Section 8a (1) BSIG).

IACS also include Supervisory Control and Data Acquisition (SCADA) systems, which are often used by organisations operating in critical infrastructure industries, such as power generation, transmission and distribution, gas and water supply networks. Ensuring risk mitigation and resilience is therefore essential.

Prevention of illegal or inappropriate access

In IEC 62443 publications, “the term ‘security’ is considered to be the prevention of illegal or unwanted intrusion, intentional or unintentional interference with the proper and intended operation of, or inappropriate access to, confidential information in Integrated Administration and Control System (IACS).”

Security “includes computers, networks, operating systems, applications and other programmable, configurable components of the system”.

IEC 62443 standards cover all aspects of cyber security at all stages and are a cornerstone of a secure-by-design approach.

Therefore, a broad overview of the IEC 62443 publications is necessary as they are relevant to all industrial communication networks and IACS users, including plant owners, system integrators, equipment manufacturers, suppliers, plant operators, maintenance professionals and all private and governmental organisations involved in or affected by cyber security of control systems (IEC / TS 62443-1-1 Industrial communication networks, network and system security – Part 1-1: Terminology, concepts and models).

The IEC 62443 series of standards is divided into four parts, which cover the following:

  • General (IEC 62443-1.* – one part of four published)
    The general documents provide an overview of the industrial security process and introduce the essential concepts.
  • Policies & Procedures (IEC 62443-2.* – three parts of four published)
    The policies and procedures documents emphasise the importance of policies – even the best security is useless if employees are not trained and committed to supporting it.
  • System (IEC 62443-3.* – all three parts published)
    Since security can only be understood as an integrated system, the system documents provide important guidance on the design and implementation of secure systems.
  • Components (IEC 62443-4.* – both parts published)
    Since you cannot build a solid building from weak bricks, the component documents describe the requirements that must be met for secure industrial components.

Information technology (IT) and operational technology (OT)

International IEC standards such as ISO / IEC 27001 and IEC 62443, together with testing and certification (conformity assessment), are important tools for a successful and holistic cyber security programme. Such an approach increases stakeholder confidence by demonstrating not only the use of security measures based on best practices, but also that an organisation has implemented the measures efficiently and effectively. This must be integrated into an overarching strategy that encompasses people, processes and technology. This not only looks at the technical measures themselves, but also the organisation around these measures, which ensures that cyber-attacks are detected in a timely manner.

Implementation challenges

Although IEC 62443 has many benefits and advantages, implementing the standard also brings some challenges.

First, the standard is not yet complete: some of its specifications have not yet been published.

Second, the standard is very comprehensive. With a total volume of more than 800 pages so far, and further specifications to be published successively, a considerable amount of time and effort is required to read and understand the complete standard.

With our auditing standard in accordance with IDW PS 860 (IT auditing outside the audit of financial statements), we ensure compliance with legal or regulatory requirements.

The associated IDW audit notes (Prüfungshinweise) cover:

  • Cloud / Cybersecurity
  • Examination of the principles, procedures and measures in accordance with the EU General Data Privacy Regulation and the Federal Data Privacy Act (PH 9.860.1)
  • Audit for operators of critical infrastructures (PH 9.860.2)
  • Conformity with GoB requirements (German principles of proper accounting)

Compliance with industry standards and recognised IT frameworks

  • PCI-DSS
  • ISO standards
  • COSO, COBIT or ITIL

With our attestation, we ensure that the mechanisms, implemented measures and controls are subjected to a design adequacy test (point-in-time view) and that the criteria applied are suitable. We then examine the operation of the controls and measures intended to ensure cyber security and subject them to an operating effectiveness test (period view), thus confirming that the controls and measures were effective throughout the period.

The pandemic has made home the new workplace for many of your colleagues. A familiar environment, but is it safe?

Most work is done via home internet service providers (ISPs), i.e. over unsecured routers. Neighbours can listen in on phone calls and pick up sensitive information. Perhaps a life partner also uses the same work device for other business. In short, few places are as popular a target for cyber-attacks as the homes of your employees.

Hackers use well-known methods such as phishing e-mails almost daily. The fraudsters keep up with the times and shamelessly exploit the pandemic. They direct your employees to websites that supposedly sell mouth-nose coverings, medical face masks and particle-filtering half masks (FFP), or lead the “victim” to websites to read the latest news (e.g. how to recover from the virus). Hackers even developed an app that posed as the “World Health Organisation WHO”. This app was confusingly similar to the original; it was deceitful and extracted information directly from the user’s mobile phone. Old-fashioned security measures – such as firewalls – have reached their limits in stopping cyber threats of this kind.

But what can be done? We need to rethink the issues around cyber security so that employees can work safely from a distance.

Unfortunately, it is not possible to completely avoid cyber-attacks. However, not every threat is a big threat per se. It is important that your staff are made aware so that they can take timely action to prevent the most dangerous cyber-attacks. This makes the difference between a successful remote workforce and a vulnerable one. The company is advised to have a “home office policy” in place, because companies have a burden of proof. Companies need a clear procedure in case of data breaches and IT problems.

In order to prevent irreparable and possibly expensive data privacy breaches (under the GDPR (DSGVO) and / or the BDSG), we recommend the following courses of action:

Work data remain work data

  • Switch off laptops / work devices outside working hours
  • Lock screen as soon as you leave the workplace (even if only for going to the toilet and back)
  • Lock screen to protect it from unauthorised third parties (flatmates, family members, friends, etc.)

Do not slack on passwords

  • It is recommended to use at least twelve characters (including special characters and numbers)
  • It is recommended to change the password regularly (every 30 days)

Reboot

  • This is important so that the antivirus software updates itself regularly
  • This process minimises the vulnerability of (mobile) devices

Beware of suspicious e-mails

  • Do you know the sender?
  • Does the message look like spam?
  • Employees should delete and report phishing attempts immediately

The best offensive against cyber-attacks is a good defence strategy. This starts with conducting an IT analysis. This is how your company arms itself against data breaches:

  1. The necessary anti-virus software must be provided by the employer for all end devices, such as laptops.
  2. All employees who work remotely must attend regular (every twelve months) training sessions on information and cyber security. Employees must be informed about current threats in a timely manner.
  3. Recommend multi-factor authentication to ensure that employees confirm their identity via their phones before accessing confidential files.
  4. Set up an encrypted VPN connection to ensure secure access to information.
  5. Appoint a Data Privacy Officer / Information Security Officer who can receive reports of potential cyber-attacks.

 

On-premise or cloud-based solutions such as software-as-a-service (SaaS) platforms offer advantages, of course, but also risks, which show up, for example, in the areas of data management, data security, data privacy and transaction integrity, especially when information flows in and out of these newly coupled IT landscapes. As part of this transformation, it is important to ensure that risks and controls are embedded in the new business processes.

By assessing risks and designing effective controls during implementation, your organisation can achieve the following:

  • Avoid inefficiencies and potential compliance breaches
  • Reduce the control design effort
  • Ensure that the company gets value from its investment

Independent Consulting + Audit Professionals can help your company build its adapted and new risk management system. We help you on your journey to a digitally integrated environment that allows you to better leverage new technologies and the flexibility of your cloud. We help you add value to your technology ecosystem by identifying, assessing and mitigating risks related to systems, security, data, reporting and programmes.

Our approach starts with a comprehensive understanding of your business processes, focusing on what you want to achieve through implementation and focusing on your specific business risks.

We have extensive industry-specific technology expertise, including systems and applications. Our experience with systems and applications, including on-premise, cloud and hybrid environments, supports our holistic view of your business. Whether you use cloud-based platforms such as Salesforce or ERP systems such as SAP, Navision and Oracle, we can optimise your systems to give you greater security and control and to meet compliance requirements.

When you create an IT audit checklist, you create a system for assessing the sustainability of your organisation’s information technology infrastructure. You review your IT policies, procedures and operational processes. It is important to understand where you are right now and what your strengths and weaknesses are, as this helps identify opportunities for the company to grow. An IT audit can help identify potential security risks and re-evaluate the company’s software and hardware.

Companies are responsible for regularly reviewing their information technology procedures. This process helps protect customers, suppliers, shareholders and employees. With an IT audit checklist in place, companies can conduct a comprehensive risk assessment on a quarterly or annual basis. This assessment can be used to create an annual audit plan that covers all significant areas of a company over a period of time. Strategic, forward-looking aspects should also be included.

The IT audit checklist can cover everything from network faults and inadequate data flows to the logging of inaccurate information, any of which could potentially compromise the company’s data. Another benefit of an IT audit checklist is that it provides a guideline for your employees. When employees understand what is required to protect data and which areas they need to focus on, they can proactively identify potential risks or weaknesses. Once these are identified, it is easier to put a plan in place to address any procedural errors. Furthermore, an internal IT audit checklist can be used to prepare employees for internal or external audits. This creates transparency and sets the course for a smooth audit process.

If you already have an IT audit checklist, you may wonder whether it is still effective. Today’s technology is evolving rapidly, and older audit procedures need to be updated. To keep up with this, you need to decide what your IT management priorities are; an IT audit checklist can serve as a guide. The checklist is updated on the basis of past audits, which have the potential to identify new weaknesses or new problem areas.

For example, if your company is expanding, you may be considering purchasing additional hardware and granting new employees access to confidential information. This type of expansion requires a close look at your IT operations and processes. Alongside the process, update your IT audit checklist to ensure you don’t lose sight of your new and updated procedures and processes.

Many companies are growing so fast that they cannot keep up with documenting their IT processes and procedures. There is then a risk that procedures are handled inconsistently and that hidden risks arise. For your corporate IT audit checklists, this means that they may no longer reflect the IT reality of the business.

Part of updating your IT audit checklist is to identify the current risks to your business, create processes and procedures to address them, and then include all of this information in the IT audit checklist. Management may not be sure what new risks the company is exposed to. In order to minimise unidentified risks, countermeasures can be taken with the help of subject matter experts from the IT environment or IT auditors to assess the current technological situation and identify the potential risks. Because some risks are industry-independent, many companies also have similar risks.

Examples of industry-independent IT risks:

  • Brand protection, compliance breaches, confidentiality breaches
  • Information security breaches
  • Data loss due to the increasing number of mobile devices
  • Data theft, productivity loss, hardware damage and costs due to increasing malware epidemics
  • Document management systems (DMS) and cloud computing
  • Data loss and compliance breaches caused by electronic archiving

So there are several good reasons to keep an IT audit checklist up to date and to consistently review and improve IT processes and procedural documentation.

Constantly changing IT technology can be compromised for a variety of reasons. In addition, hackers and cyber security threats are constantly evolving. When you create an IT audit checklist, you proactively address the reality of today’s IT world and do your part to protect your business. The checklist highlights areas for review where documents of processes and procedures are missing or may not exist at all. The growth of your business can lead to additional IT risks that you may not have had in the past. Using your checklist, you can identify potential problems and put protection in place before a problem actually occurs. Too many businesses don’t have a regular consistent review, which means they are exposing themselves to potential cyber security risks.

Unfortunately, not every company has an IT department. This means that external support is required to create an IT audit checklist effectively; in effect, the internal audit is carried out by external staff. Even start-ups often face the problem of having to sharpen their processes and procedures to ensure compliance after some time has passed.

We at Independent Consulting + Audit Professionals GmbH have the expertise to make your company audit-proof. We help you create your IT audit checklist and prepare your staff for IT audits so that they can be carried out effectively and efficiently. We help you identify and assess IT risks so that you can proactively address them before hackers and cyber security threats damage your business.

Key facts

  • Since the introduction of the European General Data Privacy Regulation (GDPR), companies have been subject to strict accountability requirements. Companies must prove that they comply with the data privacy principles of the GDPR.
  • By establishing and maintaining a functioning data protection management system (DSMS), companies can systematically plan, manage and control the legal and operational requirements of data privacy.
  • To enable companies to demonstrate the adequacy and effectiveness of the data privacy management system to supervisory authorities and their customers, the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer, IDW) has issued IDW PH 9.860.1, a new auditing note for the audit of data privacy organisations.

Achieve GDPR (DS-GVO) compliance for your company through an effective DSMS

Companies are required to adapt their data privacy-related procedures and measures in order to fully comply with data privacy law. In addition, companies must be able to demonstrate compliance with the data privacy principles set out in Art. 5 (1) GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality). The implementation of a data privacy management system is therefore essential to meet the legal requirements. Companies of all sizes and industries face significant sanctions if they violate the data protection regulations.

Check the adequacy and effectiveness of your DSMS

There is therefore an increased need for an audit of these technical and organisational procedures and measures by an auditor. The IDW audit note “Audit of the principles, procedures and measures according to the EU General Data Privacy Regulation and the Federal Data Privacy Act (IDW PH 9.860.1)” specifies how the principles of IDW PS 860 apply to data privacy-specific audits and is intended to support the profession in carrying them out. The aim is uniformity within the profession when performing such audits. IDW PH 9.860.1 contains a catalogue of standard examples of suitable principles, procedures and measures for ensuring and auditing data protection compliance, in particular in the context of adequacy and effectiveness audits. The subject of an audit according to IDW PH 9.860.1 is the set of criteria derived from the company’s business model: the data privacy objectives, the data privacy culture, the structural and procedural organisation, the framework including risk analyses, training and awareness measures, and the measures for monitoring and improving the system.

Benefits for your company

  • You receive an overview of the adequacy and effectiveness of your DSMS as well as the current implementation status of the data privacy requirements in your company.
  • Needs for action are identified at an early stage and can be addressed in a competent manner.
  • The audit report – with a certificate from the auditor if desired – provides you with valid proof of your company’s compliance with the GDPR. This not only protects you from the supervisory authorities, but also creates trust among your customers and stakeholders and can help you gain a competitive advantage.

We would be happy to discuss your current situation and goals and provide you with a customised audit offer. Please contact us!