Assessment

Security Concept Analysis

When developing new IT environments or individual components (e.g. web applications, mobile apps or IoT devices), the integration of security measures is an essential part. Depending on the area of application and the associated security requirements, appropriate security concepts must be defined. If there are already gaps or vulnerabilities in the security concept, successful attacks on the later productive systems are usually only a matter of time. We therefore support you in the analysis and evaluation of existing security concepts in accordance with defined requirements and established standards.

We offer a special variant of this concept analysis and evaluation in the form of our Maturity Level Analysis Information Security service, which was specifically developed for the secure operation of IT environments in companies in accordance with ISO / IEC 27001.

Process

As part of a Security Concept Analysis, the client provides a documentation of the IT environment or IT system together with the specified organizational and technical security measures. If there is no complete documentation, the necessary information must be collected as part of interviews or workshops with the relevant contact persons.

All defined security measures and concepts are analyzed and evaluated accordingly with regard to the protection requirements of the information or systems concerned. Depending on the nature of the IT environment or the IT system, this includes:

• Roles and rights concepts
• Authentication processes
• Encryption methods and key management
• Hardening measures
• Patch management and update processes
• Backup and emergency planning

The specified measures are analyzed and evaluated using established standards and security best practices. If available, the security requirements and guidelines of the client can also be taken into account during the test.

Result

As a result of the assessment we will provide a detailed report. Depending on the type and scope of the project, the final report will include the following parts:

• Management summary with a description of the results and the security level
• Description of the project approach, scope, schedule and methodology
• Assessment of defined measures according to the security concept
• Detailed description of identified vulnerabilities and security issues
• Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
• Description of measures to remedy the vulnerabilities
• If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions.

Optionally, the results can be incorporated into planning and implementation of subsequent technical assessments (e.g. a Vulnerability Analysis or a Penetration Test ). This procedure supports the identification of vulnerabilities during a technical assessment and allows a comparison between the target and actual state of the corresponding IT environment or the corresponding IT system on the basis of the defined security concepts. Depending on the level of detail of the security concepts provided, this procedure is then referred to as a gray box or white box test. For the most efficient and complete detection of security risks, we recommend carrying out white box tests and thus providing as many relevant security concepts as possible.