Hardly a week goes by without headlines about successful cyber attacks on companies. Not only large corporations, but increasingly also small and medium-sized companies are the targets of cyber attacks. Regardless of whether the human factor is used as the attack vector or whether attacks are carried out directly on IT systems, the economic damage is enormous in most cases. In order to prevent such attacks, a large number of IT security measures clearly have to be implemented in the company. The subject of IT and information security is complex and often difficult to manage. For this reason, organizations often ask themselves how to approach such a complex topic in practice in the first place. Find out more about the first and, above all, essential steps to improve your information and IT security in our blog article.
Step 1: Inventory (GAP analysis) of IT and information security
You should take initial steps long before technical security checks such as vulnerability scans or penetration tests of IT systems are carried out. The aim of these initial steps is to obtain a holistic picture of the current security of your IT systems, but also of the critical business processes. Orientation aids for relevant test criteria are provided by the hazard catalog of the Federal Office for Information Security (BSI). Please note, however, that taking stock requires a comprehensive view of the entire company and all of its areas. Organizational aspects play just as important a role in information security as checking technical systems.
In-depth IT expertise is a prerequisite for taking stock of current information and IT security. IT administrators have this expertise, but inventories and GAP analyses should ideally be carried out by neutral parties. This increases the chance of identifying organizational weaknesses that your own employees may not recognize, because the company is viewed from the outside. A criminal attacker would take the same point of view.
Step 2: Analysis of the current situation and assessment from a technical point of view
If deficits were found in an initial GAP analysis, these must be assessed. How critical are individual weak points for your company? Discuss these and other questions about the assessment with your information security officer, who must have sufficient technical and organizational knowledge of IT and information security.
Even if an ISB (Informationssicherheitsbeauftragter, i.e. the information security officer) is not yet legally required for every company, it is advisable to assign this position explicitly. In-house employees from the IT department, or even the IT manager, generally do not have the time resources, and this dual role often leads to conflicts of interest.
Step 3: Deriving the necessary measures
After evaluating the deficits and assessing their risks, the necessary measures must be derived. These measures range from employee training to technical security reviews such as penetration tests for critical IT systems.
Step 4: Implementation and ongoing control of the measures
Only once all the necessary measures to improve your information and IT security have been identified does the work of implementation begin, and above all that of regular review and improvement. IT security must not be viewed as a project, but rather as a process that can be continuously improved. Plan – Do – Check – Act are the essential process steps that must be observed urgently.
A continuous process that can always be improved and also measured can only arise if you pursue the topic of information and IT security continuously and with the necessary time and technical resources.
If this task is taken seriously, a certifiable information security management system is created in the end. This not only provides companies with ongoing protection of technical systems, but also structured processes and the fulfillment of relevant compliance requirements.
If you need support with GAP analyses, setting up an ISMS, or support from an external ISB, please contact us.
Thomas Greiner is an information security manager and auditor according to ISO 27001 (TÜV Austria) and completed his degree in "Secure Information Systems". Thomas Greiner brings several years of IT experience from nationally and internationally operating companies and corporate groups.
He now supports our customers in all topics in the field of IT security, cyber attacks and IT risk management, as well as in all technical and organizational matters of information and IT security. As a TÜV-certified TISAX® consultant, he guides our customers from the automotive industry in the run-up to a successful TISAX® audit.