iAP IT Security & Cyber Security

IT Security & Cyber Security

With the help of information technology (IT), the operational, planning and control systems used in organizations are being digitized on an ongoing basis and connected with each other.

Mobile and stationary systems of digitized companies communicate with each other horizontally and vertically via a common IT infrastructure in order to process and store data.

The main objective is always to realize the efficient implementation of business processes along the value chain and protect them appropriately against risks.

Especially the company’s critical assets and processes must be identified and evaluated in order to monitor their performance and defend them against unauthorized activities.


IT Security

IT Security (ITSec) aims to ensure correct performance and constant availability of all IT systems involved in providing business services and to guarantee integrity as well as confidentiality of digital company data.

Cyber Security

Cyber Security (CySec) extends the protective measures of IT Security to the cyber space surrounding an organization. Because communication and data transfer via the Internet are unavoidable, the attack surface of every company increases. Cyber Security focuses on the necessary methods and tools, based on a dedicated analysis of the cyber threat landscape. This includes various types of threats such as malware, ransomware, botnets, DDoS and man-in-the-middle attacks, as well as social engineering with phishing attacks. In addition, possible attacker types are considered in order to anticipate and prevent their attack and spying attempts.

Information Security

Information Security (InfoSec) covers all digital as well as analogue data and includes all technical and non-technical protective measures to ensure the organization’s information protection goals of availability, confidentiality, integrity and authenticity (VIVA). Technical and organizational measures (TOM) are implemented by Information Security Management (ISM) with the help of IT and Cyber Security.

Cyber Security Risks

Risks are calculated from the probability of damage and the determined amount of damage for a possible cyber attack. Simply considering the risks of cyber attacks is not enough; it is important to start further down or further up in the organization.

During the processes of digitization, almost every organization is struggling with the challenges of defining or designing its strategic security goals and functional processes in order to avoid unwanted cyber security incidents.

There is insufficient awareness among the responsible employees of:

  • relevant compliance and governance requirements
  • appropriate analyses of the company’s processes and related IT assets
  • comprehensive process- and risk-related collection and evaluation of company threat data, e.g. possible attackers with attack types and targets
  • the actual company needs to adapt organizational and technical security measures and to create an appropriate level of protection
  • the baseline, due to insufficient understanding of the actual and target states
  • the need for budget as well as capable and experienced staff at all levels
  • the efficient selection, integration and application of appropriate security tools
  • security standards, e.g. ISO 27XXX and 22301, BSI 200-X & C5, NIST, BaFin, CSA, NIST 2

The iAP Basic Check contains important questions based on the standards of the German Federal Office for Information Security (BSI). The aim of the iAP Basic Check is to provide an initial assessment of your information security level and to evaluate whether basic cyber security requirements are met.

The iAP Basic Check focuses on:

  • Data Protection
  • Authorization & Passwords
  • Backup Concept
  • Incident Detection & Reaction
  • Email Security
  • Employee Awareness
  • Requirements of Availability
  • Emergency Concept
  • Online Shop Security

The iAP Basic Check is usually used to assess if basic cyber security requirements are met and to determine security-related criticalities in a cost-effective manner.

Further information can be found in our brochure iAP CYBER SECURITY TESTS (PDF).

The iAP Vulnerability Scan is the most common form of security assessment. It is used when an examination of the IT infrastructure components is desired in order to determine vulnerabilities.

The iAP Vulnerability Scan considers:

  • Hardware and Software
  • Networks
  • Operating Systems
  • Applications
  • Configurations

The iAP Vulnerability Scan should be carried out regularly by every organization, and always as soon as IT systems have been reinstalled or substantially changed.

Further information can be found in our brochure iAP CYBER SECURITY TESTS (PDF).

Building an Information Security Management System (ISMS) is a complex process. The aim of an ISMS is to ensure the confidentiality, integrity, availability and authenticity of relevant analogue and digital company data. In principle, an ISMS is established in a process-oriented and risk-based manner according to the needs of an organization, in several phases along the PDCA cycle (Plan, Do, Check, Act), which can be represented abstractly as follows:

  • Planning: defining the company goals and requirements and determining the scope and desired certification, e.g. according to ISO 27001
  • Initialization by management: creating the conditions and releasing resources
  • Creation of the ISMS guidelines and the organizational structure with responsibilities, competencies and communication channels, employee involvement, information documentation and control measures
  • Structural analysis of relevant information, processes and the IT system landscape
  • Risk management: determination of protection requirements, risk analysis and modeling of appropriate protective measures within a security concept
  • Establishment of protective measures: implementation planning, consolidation, monitoring metrics and reporting
  • Monitoring and control to determine the effectiveness of the protective measures against the necessary KPIs, using internal and external audits and penetration tests
  • Optimization and continuous closure of security gaps through corrective actions

The duration of the introduction of an ISMS depends on the size of the company, the desired level of security, the current status of the information base and existing protective measures, as well as the client’s financial and human resources and the management tools in use.

Experience shows that establishing a resilient ISMS takes from a few months up to 2 years. iAP provides every client with full support in setting up, optimizing and auditing the ISMS.

Use our contact sheet for an initial consultation.

The iAP OSINT Analysis identifies information about your company that is accessible on the Internet, Deep Web and Darknet, from the perspective of a cyber criminal, in order to find security gaps and possible attack points. Current threats such as DDoS, phishing, exploits and data breaches are taken into account.

The iAP OSINT analysis considers:

  • Attack Surface
  • Infrastructure Stability
  • User Data Forwarding
  • DNS Infrastructure Configuration
  • Mail Server Encryption

The iAP OSINT Analysis should be carried out by every company, as it is a very cost-effective service for listing the vulnerabilities visible to experienced attackers.

Further information can be found in our brochure iAP CYBER SECURITY TESTS (PDF).

The iAP penetration tests are offered in different versions according to the actual needs of the client. They are individual and in-depth analyses of the IT systems, including a vulnerability scan.

Areas for iAP penetration tests:

  • Networks
  • Web Applications
  • Cloud
  • WLAN
  • Employees
  • Physical Security Measures

iAP penetration tests are used when a review of the IT security systems is desired. They can be performed as “white tests” (white-box, with accurate system information), “grey tests” (grey-box, with limited system information), or “black tests” (black-box, without any access information).

Further information can be found in our brochure iAP CYBER SECURITY TESTS (PDF).

A dedicated Business Continuity Management (BCM) is a vital aspect of every company. The aim of BCM is to adequately safeguard critical business processes, i.e. to manage and thus maintain operational continuity in the event of exceptional strain. BCM gives organizations transparency and assurance of availability, not only in an emergency or crisis.

A BCM with its emergency and disaster recovery plan can only be effective if it is fully process-oriented and risk-based. A strategy and action plans are needed to avoid damage and loss to the organization in an emergency. A BCM is designed step by step and individually. Standards such as ISO 22301 can help, as there are many things to consider:

  • Definition and delimitation with respect to existing management systems
  • Consideration of the individual framework conditions, with internal and external requirements as well as influencing factors, interfaces and communication channels
  • Determination of the operational continuity requirements for processes, information and connected IT systems, e.g. recovery times or maximum downtimes
  • Carrying out a dedicated risk and business impact analysis with a target/actual comparison
  • Development of the business continuity strategy with solutions
  • Business continuity planning
  • Creation of a risk treatment plan with measures and methods for incident management or restart and recovery
  • Setting up the required resources and deploying capable personnel
  • Carrying out emergency training

Without a dedicated BCM, an organization is unable to act, or acts under great uncertainty, in the case of serious and time-critical events. Unnecessary costs are incurred, and the result can ultimately be an unwanted collapse of business operations. iAP is a competent partner for all questions regarding BCM.

A risk analysis is used to identify cyber risks and to evaluate the likelihood of their occurrence and the extent of their impact. These risks can be accepted, reduced, avoided or even transferred to a risk carrier. This carrier can be a cyber risk insurer that assumes the monetary risk of damage due to cyber attacks. Such a risk transfer is tied to the insurer’s specifications. Cyber insurance readiness means that the insured (policyholder) meets the requirements of the insurer.

iAP supports every client in implementing the specifications and requirements of their cyber risk insurer.

iAP Cyber Security Audit

Don’t leave your security to chance. Get a realistic overview of your security level and that of your partners.
Don’t rely on trust alone, prove it!

Basic Check, OSINT Analysis,
Vulnerability Assessment, Penetration Test

The iAP cyber security audits are based on the actual needs of an institution and can be used individually or in combination.
Our proactive security measures are based on the recommendations of the German Federal Office for Information Security (BSI) and the Open Web Application Security Project (OWASP).

The clients’ IT systems are examined in various ways, internally, externally or in combination, depending on the respective requirements and purpose, in order to uncover security gaps before they can be exploited by cyber criminals.
The audits focus on the IT systems relevant to performing critical business processes, in order to ensure their availability, confidentiality and integrity.

Every iAP cyber security audit is an evidence-based investment to increase the security level of the corporate IT infrastructure.

7 Reasons for iAP security audits

  1. Identify gaps and weaknesses in your cyber security
  2. Protect critical business processes and maintain business continuity
  3. Ensure availability, confidentiality, integrity and authenticity of your information
  4. Prevent costly impacts of cyber attacks
  5. Avoid production downtime, loss of reputation, payment of damages and ransom, and leakage of your know-how
  6. Ensure compliance requirements
  7. Reduce costs of cyber insurance

Lacking orientation? We will help you find the right direction!