Every other year, operators of critical infrastructures have to prove to the German Federal Office for Information Security that they have implemented security measures to current technological standards. Regardless of which audit basis you choose, you are required to implement an ISMS according to ISO 27001, a BCMS and a risk management system in order to control the actual technical and organisational measures. And this is where TTS trax’ strengths come into play.
Once you have decided on a sector-specific safety standard as the basis for testing, TTS trax can provide you with comprehensive assistance in preparing for the BSIG §8a audit.
- Model the KRITIS scope by capturing business processes, information and enterprise assets
- Define the KRITIS protection goals by assessing damage potentials and deriving the protection requirements.
- Take into account the sector-specific threat situation by means of individual risk catalogues
- Configure individual risk management parameters to take into account B3S-specific and company-specific requirements.
- Consider sector-specific measures using individual measure catalogues
- Implement an information security management system using the extensive functions for supporting ISMS processes
- Build a business continuity management system with the BCM module (from Release 3.0)
The increasing importance of information security in general as well as new legal, regulatory and customer-specific requirements motivate companies in almost all sectors to set up and operate an information security management system (ISMS) in accordance with the requirements of ISO 27001. Due to the scope and / or complexity of the required topics, such as the implementation of risk management, IT-based support for ISMS activities is almost indispensable.
TTS trax can support you throughout all phases of the process, starting with the setup, operation and audit of your ISMS.
- Capture and manage the master data of all assets such as business processes, information assets to be protected and supporting assets, e.g. hardware, software, networks, personnel and locations.
- Perform protection needs assessments based on assets and protection goals and automatically determine the criticality of business processes and the protection needs of supporting assets. Forms for cyclical assessment requests greatly simplify these queries for you.
- Identify, analyse, and assess relevant risks to your supporting assets as part of risk assessments, and address the risks by planning risk reduction measures.
- Bundle, control, and monitor measures and tasks including the definition of priorities, time estimates, and efforts. Track the implementation of measures and tasks using email-based forms and workflows.
- Create the Statement of Applicability (SoA) for Annex A of ISO 27001 and export it, including document control, as evidence for audits.
- Get the current status of your actual risk situation and the implementation of measures at any time via the dashboard and other views.
- Record and manage requirements from the continuous improvement process (CIP), such as findings from audits, security incidents, and management review results.
- Define, capture, and report metrics to improve the quality of the ISMS.
- Configure TTS trax to your needs and specifications by customising security objectives, damage categories and damage impact categories, and / or using your own risk matrix.
It is no longer a matter of choice: every company has to protect itself against cyber attacks and data loss/manipulation. Information processing gained tremendous importance and methods and procedures for processing business-relevant information have become correspondingly more complex. The threat level is growing as are legal and contractual requirements, including liability issues.
Where the effects of measures are uncertain, any management should include opportunity and risk management. In this context, it is important to weigh up returns and risks before making a decision. The goal in establishing an effective risk management should be to implement an enterprise-wide process that ensures that all risks to business processes can be fully identified, assessed, tracked and treated. Without the support of an efficient tool, this task is hard to accomplish.
With TTS trax, you are able to analyse your risks based on a model of ‘information processing versus threats to information processing’ and plan and track measures for an appropriate risk level. TTS trax is based on practical experience and has proven its effectiveness in a wide range of companies across sectors. This success is first and foremost due to the fact that a lot of emphasis has been placed on achieving a high level of transparency of the actual risks relevant to liability and on supporting control of the implementation of measures in operations. A sophisticated forms system, drill-down overviews, task-specific views and reports, as well as an intelligent filter system are just a few reasons why TTS trax not only meets the common standards when establishing a risk management, but actually realises an operational development and helps securing the fate of a company in a risk-based manner.
That way TTS trax turns the compulsory exercise of risk management into real added value for the company.
Mit der zunehmenden Digitalisierung aller Geschäftsprozesse steigt natürlich auch das Risiko für Sicherheitsvorfälle. Deswegen ist es entscheidend, dass Risiken bereits frühzeitig in einem Projekt erkannt und geeignete Maßnahmen eingeplant werden. Ganz egal, ob Sie nach dem Wasserfall-Prinzip oder agil vorgehen, mit TTS trax können Sie Risiken und Maßnahmen projektbegleitend über die verschiedenen Projektphasen oder Sprints bearbeiten.
- Legen Sie eine neue Risikobewertung für Ihr Projekt an und definieren Sie den Scope der Betrachtung
- Bewerten Sie Risiken auf Basis vorgegebener Kataloge Ihres Unternehmens oder auch individuell
- Behandeln Sie Risiken durch geeignete Maßnahmen und planen diese zur Umsetzung ein
- Ermitteln Sie den Stand der Umsetzung durch automatisierte Workflows
- Bei Changes im Projekt überprüfen Sie bestehende Risiken oder Maßnahmen
- Nutzen Sie jederzeit die vielfältigen Reportingmöglichkeiten für die Risikokommunikation mit Projektleitung oder Steuerungsgremien
- Wenn Sie TTS trax projektbegleitend verwenden, können Sie zum Go-Live auf Knopfdruck den aktuellen Stand der Risiken zur Bewertung heranziehen
Mit TTS trax werden die Risiken Ihrer Digitalisierungsstrategie transparent, nachvollziehbar und eine Entscheidung über einen Go-Live bestmöglich unterstützt.
With the compliance module, TTS trax offers many possibilities to audit internal and external stakeholders. You can conduct internal audits, contractor and service provider audits, information security assessments and project audits, etc. by configuring questionnaire templates and creating questionnaires which you can then distribute to the target group via trax’s integrated forms system. Monitor results in real time and have trax generate a detailed report for Management.
When commonalities count instead of differences
Within any company, there are several disciplines that need to be properly managed on the basis of a systematic approach. Whichever corporate discipline is considered, a model of all relevant processes and procedures is required first in order to be able to manage. With regard to information security and data protection, a model of information processing and data processing respectively is needed. Ideally that model should be one and the same!
In TTS trax, much emphasis has been placed on integrating data protection with information security activities. This supports a large part of the GDPR requirements, e.g. it is possible to
- keep a register of processing activities
- determine whether data protection impact assessments are necessary
- plan and perform risk assessment and risk management through remedial measures, and
- update and report on the implementation status of measures.
Overall, this opens up significant potential for savings and, above all, leads to consistent assessments and results.
Trax supports you with the BCM module in analyzing the impact of emergency scenarios on business processes in order to develop a planned and organized approach to emergencies and thereby ensure the continuity of business operations.
In the Business Impact Analysis, you systematically identify your organization’s requirements for BCMS response and recovery processes. You define possible BCM scenarios, such as a power outage or ransomware attack, that could lead to the disruption of your critical business activities. In the threat analysis you examine the impact of the scenarios on your business activities and develop appropriate strategies to prevent damage. In the end you develop contingency and emergency plans while defining and tracking the associated measures.