Every other year, operators of critical infrastructures have to prove to the German Federal Office for Information Security (BSI) that they have implemented security measures in line with the current state of the art. Regardless of which audit basis you choose, you are required to implement an ISMS according to ISO 27001, a BCMS and a risk management system in order to control the actual technical and organisational measures. And this is where the strengths of TTS trax come into play.
Once you have decided on a sector-specific security standard (B3S) as the basis for the audit, TTS trax can provide you with comprehensive assistance in preparing for the audit under §8a BSIG.
Model the KRITIS scope by capturing business processes, information and enterprise assets.
Define the KRITIS protection goals by assessing damage potentials and deriving the protection requirements.
Take into account the sector-specific threat situation by means of individual risk catalogues.
Configure individual risk management parameters to take into account B3S-specific and company-specific requirements.
Consider sector-specific measures using individual measure catalogues.
Implement an information security management system using the extensive functions for supporting ISMS processes.
Build a business continuity management system with the BCM module (from Release 3.0).
Building an ISMS
The increasing importance of information security in general, as well as new legal, regulatory and customer-specific requirements, motivate companies in almost all sectors to set up and operate an information security management system (ISMS) in accordance with the requirements of ISO 27001. Due to the scope and/or complexity of the required topics, such as the implementation of risk management, IT-based support for ISMS activities is almost indispensable.
TTS trax can support you throughout all phases of the process, from the setup through the operation to the audit of your ISMS.
Capture and manage the master data of all assets such as business processes, information assets to be protected and supporting assets, e.g. hardware, software, networks, personnel and locations.
Perform protection needs assessments based on assets and protection goals and automatically determine the criticality of business processes and the protection needs of supporting assets. Forms for cyclical assessment requests greatly simplify these queries for you.
Identify, analyse, and assess relevant risks to your supporting assets as part of risk assessments, and address the risks by planning risk reduction measures.
Bundle, control, and monitor measures and tasks including the definition of priorities, time estimates, and efforts. Track the implementation of measures and tasks using email-based forms and workflows.
Create the Statement of Applicability (SoA) for Annex A of ISO 27001 and export it, including document control, as evidence for audits.
Get the current status of your actual risk situation and the implementation of measures at any time via the dashboard and other views.
Record and manage requirements from the continuous improvement process (CIP), such as findings from audits, security incidents, and management review results.
Define, capture, and report metrics to improve the quality of the ISMS.
Configure TTS trax to your needs and specifications by customising security objectives, damage categories and damage impact categories, and/or using your own risk matrix.
Establishing Risk Management
It is no longer a matter of choice: every company has to protect itself against cyber attacks and against the loss or manipulation of data. Information processing has gained tremendous importance, and the methods and procedures for processing business-relevant information have become correspondingly more complex. The threat level is growing, as are legal and contractual requirements, including liability issues.
Where the effects of measures are uncertain, management decisions should include the management of opportunities and risks. In this context, it is important to weigh up returns and risks before making a decision. The goal in establishing an effective risk management should be to implement an enterprise-wide process that ensures that all risks to business processes are fully identified, assessed, tracked and treated. Without the support of an efficient tool, this task is hard to accomplish.
With TTS trax, you are able to analyse your risks based on a model of ‘information processing versus threats to information processing’ and to plan and track measures for an appropriate risk level. TTS trax is based on practical experience and has proven its effectiveness in a wide range of companies across sectors. This success is first and foremost due to the fact that a lot of emphasis has been placed on achieving a high level of transparency of the actual risks relevant to liability and on supporting control of the implementation of measures in operations. A sophisticated forms system, drill-down overviews, task-specific views and reports, as well as an intelligent filter system, are just a few reasons why TTS trax not only meets the common standards when establishing a risk management, but also supports operational development and helps secure the future of a company in a risk-based manner.
That way, TTS trax turns the compulsory exercise of risk management into real added value for the company.
Accompanying digitalisation projects
With the increasing digitalisation of all business processes, the risk of security incidents naturally increases as well. That is why it is crucial that risks are identified early on in a project and that suitable measures are planned. Regardless of whether you proceed according to the waterfall model or an agile approach, with TTS trax you can work on risks and measures throughout the different project phases or sprints.
Create a new risk assessment for your project and define the scope of the assessment.
Evaluate risks based on predefined catalogues for your company or individually.
Treat risks with appropriate measures and schedule the implementation of those measures.
Determine the status of implementation through automated workflows.
Check existing risks or measures in the event of changes in the project.
Use the various reporting options for risk communication with project management or steering committees at any time.
If you use TTS trax during the project, you can evaluate the current status of the risks at the push of a button during go-live.
With TTS trax, the risks of your digitalisation strategy become transparent and comprehensible, and a decision about a go-live is supported in the best possible way.
Establishing data protection management
When commonalities count instead of differences
Within any company, there are several disciplines that need to be properly managed on the basis of a systematic approach. Whichever corporate discipline is considered, a model of all relevant processes and procedures is required first in order to manage it at all. With regard to information security and data protection, a model of information processing and of data processing, respectively, is needed. Ideally, that model should be one and the same!
In TTS trax, much emphasis has been placed on integrating data protection with information security activities. This supports a large part of the GDPR requirements; for example, it is possible to
keep a register of processing activities
determine whether data protection impact assessments are necessary
plan and perform risk assessment and risk management through remedial measures, and
update and report on the implementation status of measures.
Overall, this opens up significant potential for savings and, above all, leads to consistent assessments and results.
Management of crises and emergencies
TTS trax supports you with the BCM module in analysing the impact of emergency scenarios on business processes in order to develop a planned and organised approach to emergencies and thereby ensure the continuity of business operations.
In the Business Impact Analysis, you systematically identify your organisation's requirements for BCMS response and recovery processes. You define possible BCM scenarios, such as a power outage or a ransomware attack, that could lead to the disruption of your critical business activities. In the threat analysis, you examine the impact of the scenarios on your business activities and develop appropriate strategies to prevent damage. Finally, you develop contingency and emergency plans while defining and tracking the associated measures.