Consulting and Support with the Creation of Security Concepts
When developing new IT environments or individual components (e.g. web applications, mobile apps or IoT devices), the integration of security measures is an essential part. Depending on the area of application and the associated security requirements, appropriate security concepts must be defined. If there are no or incomplete security concepts, successful attacks on the later productive systems are usually only a matter of time.
In order to avoid this as much as possible, we can accompany you through the entire development process of new IT environments or individual components. Our experienced security architects support you in the development of appropriate security concepts taking into account individual requirements and framework conditions as well as generally recognized standards (BSI basic protection, ISO 27001).
Before suitable security controls and measures can be defined as part of the security concept, it is first important to determine the scope as well as the assets involved and the relevant threat scenarios. This usually takes place within several workshops or interviews combined with the review of existing documentation. The following points are particularly taken into account:
- Definition of the scope / the information system
- Organization, office, institution, department etc.
- Representation of the interfaces to other IT systems
- If necessary, interfaces to external parties
- Structural analysis, among others
- Application level
- IT systems and networking
- Infrastructure level
- Definition of the protection goals
- Confidentiality, Integrity, Availability
- Possibly other protection goals such as audit compliance, authenticity, etc.
- Determination of the protection requirements
- Definition of the required protection categories (e.g. normal, high, very high) for the protection goals
- Identification of threat and attack scenarios
- Analysis of general and specific threats
- Elaboration of attack scenarios
- Definition of measures
- Definition of suitable measures to achieve the protection requirement
- Consideration of internal guidelines or legal requirements and standards
- Risk analysis (residual risk)
- Risk assessment to determine existing residual risks
The defined security controls and measures are heavily dependent on the respective system context. Examples for this are:
- Role and rights concepts
- Authentication methods and processes
- Encryption methods and key management
- Hardening measures
- Patch management and update processes
- Backup and emergency planning
Content of the Security Concept
The specific content of the security concept is based on your wishes and requirements. In general, the following topics can be included:
- Management summary
- Co-applicable documents
- General description of the application / system / infrastructure
- Structural analysis / technical description
- Determination of protection requirements
- Modeling of the measures
- Risk analysis
If necessary, we will use a template provided by you to create a security concept.
As a result, you receive an extensive security concept that documents the results of the components described above and that is used as a control instrument for the later implementation.
We recommend that existing security concepts always be reviewed by an independent third party. Especially when defining new security concepts that are to reliably and sustainably guarantee the security of a system, the four-eye principle is an indispensable method for evaluating the appropriateness and completeness of the specified security controls. For security concepts that were not created by us, we offer our service.