Security, Privacy and Risk

Our aim is to provide your organization with services built on best practices to prevent unauthorized or incorrect access, use, disclosure, disruption, modification, recording or destruction of the information resources you manage or access. Trust in your information is crucial, and you must be able to guarantee its confidentiality, possession (control), integrity, authenticity, availability and utility (the six attributes of the Parkerian hexad).

By identifying vulnerabilities and threats to information and technological assets, it is possible to implement countermeasures that reduce risks to acceptable levels. This is a cyclic process, not only because new threats and vulnerabilities are discovered every day, but also because organizations and their aims change. Controls must be chosen by weighing their cost, their effectiveness and their impact on productivity against the value of what is being protected.

A related concept is business continuity, which aims to minimize the effects of interruptions to critical business functions caused by incidents. This requires identifying requirements, specifying objectives (the acceptable outage period, or recovery time objective, and the acceptable data loss, or recovery point objective), designing resilience, incident, emergency, recovery and contingency management, and implementing and testing the measures (backups, data transfers, duplication, hardening, exercises, training, monitoring, analysis, reporting).


Risk Management

Risk management of information assets starts from the identification of weaknesses (vulnerabilities) with the potential to cause harm to those assets and of dangers (threats) that might exploit those vulnerabilities. Risk combines the likelihood that a threat exploits a vulnerability with the impact (the loss) if it does. Our team can perform a risk assessment, identifying the probable risks and proposing adequate controls. Each risk can then be accepted, mitigated, transferred (through insurance or outsourcing), or avoided by not performing the activity that creates it.

Controls can be administrative (policies and procedures), logical (technical), or physical (locks, guards, environmental protections).

In general, the main vulnerabilities are human (users, operators, designers, etc.), hence the need for adequate procedures, policies, standards, guidelines, laws and regulations that tell people how operations are to be performed securely.

One important aspect is access control, the restriction of information to the people who are authorized to access it. Adequate mechanisms must be provided for three distinct processes: identification (who or what is requesting access, typically through a username or a card), authentication (verification of the claimed identity, for example through a PIN or a password, but also through biometric markers, smart cards or hardware tokens), and authorization (the specification of which resources and actions each identity may access or perform, checked on every request and denying by default).
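As an added example (not part of the original page), the three steps above kept as separate functions in Python: identification looks up the claimed identity, authentication verifies a password against a salted PBKDF2 hash with a constant-time comparison and hashes even for unknown usernames so that response time does not reveal which accounts exist, and authorization consults a role-to-permission table that denies anything not explicitly listed. The accounts, passwords, roles, resources and the PBKDF2 work factor are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the page's own code. Accounts, roles, resources and the
# work factor below are constructed for illustration.

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumption, tune per hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from a password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str, roles: set) -> dict:
    """Create a user record holding only salt, derived hash and roles (never the password)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": roles}


# Constructed user store (hypothetical accounts and passwords).
USERS = {
    "alice": make_user("correct horse battery staple", {"analyst"}),
    "bob": make_user("hunter2", {"admin"}),
}

# Authorization matrix: role -> set of (action, resource). Anything absent is denied.
PERMISSIONS = {
    "analyst": {("read", "incident-log")},
    "admin": {("read", "incident-log"), ("write", "incident-log"), ("read", "hr-records")},
}

# Dummy record so an unknown username costs the same time as a wrong password;
# otherwise the faster rejection reveals which usernames exist (user enumeration).
_DUMMY = make_user("not-a-real-password", set())


def identify(username: str) -> Optional[dict]:
    """Identification: which account does the requester claim to be?"""
    return USERS.get(username)


def authenticate(username: str, password: str) -> bool:
    """Authentication: does the requester hold the secret bound to that identity?"""
    record = identify(username) or _DUMMY
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    ok = hmac.compare_digest(candidate, record["hash"])
    return ok and record is not _DUMMY


def authorize(username: str, action: str, resource: str) -> bool:
    """Authorization: may this identity perform the action on the resource? Fails closed."""
    record = identify(username)
    if record is None:
        return False
    return any((action, resource) in PERMISSIONS.get(role, set()) for role in record["roles"])


def access(username: str, password: str, action: str, resource: str):
    """Run identification, authentication and authorization in order; stop at the first failure."""
    # identify() is called inside authenticate(); an unknown name fails there, at full cost.
    if not authenticate(username, password):
        return (False, "authentication failed")
    if not authorize(username, action, resource):
        return (False, "not authorized")
    return (True, "granted")


if __name__ == "__main__":
    for args in [
        ("alice", "correct horse battery staple", "read", "incident-log"),
        ("alice", "correct horse battery staple", "write", "incident-log"),
        ("bob", "wrong", "read", "hr-records"),
        ("mallory", "anything", "read", "incident-log"),
    ]:
        print(args[0], args[2], args[3], "->", access(*args))
```

Note that a failed authentication and an unknown username produce the same response and take the same time; only after authentication succeeds does the authorization step reveal anything about the permission table, and that table is consulted on every request rather than once at login.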


Data Protection

On 27 April 2016 the European Parliament and the Council of the European Union (EU) adopted the General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679], which applies from 25 May 2018. Its aim is to strengthen and unify data privacy across the EU, and it also regulates the transfer of personal data outside the EU.

The Regulation introduces major changes, and organizations must comply by 25 May 2018. Non-compliance may be fined up to 4% of annual worldwide turnover or €20 million, whichever is higher.

Among the new requirements are accountability, the conduct of Data Protection Impact Assessments (DPIAs) for high-risk processing, mandatory notification of personal data breaches to the supervisory authority (within 72 hours where feasible), the appointment of Data Protection Officers (DPOs), and the strengthening of data security.

The concept of personal data is clarified, and data subjects gain new rights, such as the right to data portability, the right to erasure (the right to be forgotten), and the right to object to processing, including profiling. New concepts and principles are introduced, such as stricter conditions for valid consent, privacy by design and by default, and the pseudonymisation of data.

Our technical team works together with a legal team to implement all aspects of this Regulation and bring organizations into compliance.


Our Services and Solutions:

  • Access protection
  • Anti-eavesdropping solutions
  • Anti-spam solutions
  • Anti-virus and malware protection
  • Application security
  • APT protection
  • Archiving/Long-term storage
  • Asset management/IT documentation
  • Auditing
  • Authentication
  • Awareness
  • Backup
  • Bandwidth management solutions
  • Banking (IT security solutions)
  • Big data
  • Biometrics
  • BSI IT baseline protection (products and services)
  • Business continuity
  • Cloud (computing) security
  • Compliance/GRC (products and services)
  • Computer emergency response team (CERT)
  • Content security
  • Copy protection/license management
  • Counter-intelligence
  • Cryptography
  • Cyber-physical systems security
  • Data erasure
  • Data leakage/loss prevention
  • Data protection (products and services)
  • Data recovery
  • Denial of service protection
  • Device management
  • Digital/Enterprise Rights Management (DRM/ERM)
  • Document management
  • Document/media protection
  • Early warning for IT
  • E-government
  • Electronic signatures
  • Email security solutions
  • Endpoint security
  • End of life
  • Event management
  • Firewalls
  • Forensics
  • Green IT
  • Hardware security
  • Health services (IT security solutions)
  • High availability
  • Identity and access management
  • Industrial IT security
  • Internet providers
  • Intrusion detection/prevention
  • Inventory management
  • ISMS (ISO-IEC 2700x/BS 7799)
  • IT service management (ITIL)
  • Laboratory/certification
  • Localization
  • Log management
  • Mainframe security
  • Managed security services
  • Media disposal
  • Mobile device management
  • Mobile security
  • Network access control (NAC)
  • Network monitoring
  • Open source (software and services)
  • PCI DSS (products and services)
  • Penetration tests
  • Public key infrastructure
  • RFID
  • Risk analysis and management
  • Secure printing solutions
  • Secure software development
  • Security management
  • Server-based computing
  • Single sign-on
  • Smart cards (systems and applications)
  • Social Media and Web 2.0
  • Storage solutions/security
  • Systems/Client management
  • Test suites for security products
  • Threat analysis
  • Token systems
  • Trust center (products and services)
  • Trusted computing
  • Unified threat management (UTM)/security appliances
  • USB dongle
  • USB storage media
  • User (rights) management
  • Virtualization
  • VoIP security
  • VPN/remote access
  • Vulnerability and patch management
  • Web application security