IT security is a central but still unpopular topic. Most people associate it with restrictions and high costs. Its benefits are difficult to measure and can only be estimated from potential scenarios. In addition, even with extensive precautions, a residual risk cannot be ruled out entirely. Compliance measures face similar doubts, but their requirements are often easier to tie to a direct benefit for the business, based on policies and regulations but also on improved quality.

The distinction between security, compliance and legal (the legal department) is often somewhat opaque. Using fire protection in buildings as an analogy, one could describe it as follows:

  • Security is responsible for the measures that prevent an outbreak or limit the fire; this includes fire extinguishers, fire protection systems, extinguishing systems and the fire department.
  • Compliance creates regulations and control mechanisms that minimize the likelihood of a fire and satisfy official guidelines. This includes smoking bans, materials usage and retention policies, evacuation plans, etc. Compliance can be viewed as an advisory function; it plays a more passive role.
  • The legal department, on the other hand, provides the insurance that mitigates damage in the event that security and compliance fail. In addition, it defines the insurance conditions whose observance is mandatory.

Sofision gmbh sees itself as the link between specialist departments, infrastructure, security and legal. It brings the professional and technical know-how to develop practical concepts for implementing IT security and compliance and to integrate them into the system landscape.

Sofision gmbh is a business-oriented consultancy and advises careful consideration of investments, particularly of purchases that bring no proven benefit to previously and clearly defined use cases. The EU's GDPR (General Data Protection Law) in particular has recently led many companies to make purchases that subsequently turned out to be of little use. Authorities increasingly issue unambiguous formulations of rights and obligations without prescribing any framework for their practical implementation. Even if the authorities' reasoning is comprehensible and their open attitude leaves companies the freedom to design fitting solutions while minimizing bureaucracy, the people in charge often find themselves confronted with nearly insoluble tasks. The CISO suddenly finds himself in the role of interpreting laws, while the legal expert knows exactly what needs to be achieved but finds it difficult to estimate the scope and the company-specific implementation.

Sofision llc sees the challenges of future IT security in modern heterogeneous environments moving increasingly away from technical restrictions and towards developing guidelines, demanding that they be followed and controlling for compliance. This creates a need for user awareness, corresponding training and the placement of appropriate control mechanisms. IT security is an issue that affects everyone, just as road safety is the task of every single road user. Of course, basic technical protection such as malware defense and firewalls is indispensable, but these are standard equipment and can hardly be considered the central challenges of IT security. In addition, modern analysis and monitoring tools and the teams that operate them, e.g. a SOC, can act precisely where conventional mechanisms would not work or would simply come too late. It is essential to align the scope of security mechanisms with the threat situation and the potential risk. Organizational measures, reasonably placed tools and appropriately trained operators already reduce the security risk considerably. However, the active detection of company-specific security vulnerabilities is a serious task that many companies hardly notice. Although this task can be delegated to the individual application managers and system engineers, they need to be made aware of it.

The sofision llc sees the implementation of IT compliance mostly as a matter of process design. Essential requirements must be defined and integrated into the IT environment. Sluggish paper processes should be replaced, where possible, by digital automation. Central dashboards provide clearly structured overviews and user-specific control mechanisms. Achieving compliance does not begin with the purchase of software, which is, incidentally, not recommended as the first step in any project. The first step is to determine the requirements based on existing guidelines, regulations and laws, and then to prioritize them by frequency, potential effort and relevance. After that, the affected target systems and data stock need to be determined. Finally, one should identify the various user groups and their corresponding requirements. On the basis of the knowledge gained and the corresponding specifications, it makes sense to check whether already established software can be extended with the required functionality. An existing identity management system, a BI platform or an ERP could be a good choice. Even a web shop or an intranet platform could be worth a closer look, especially if they are already connected to existing data sources via an Enterprise Service Bus. When using an existing system, it is important to make sure it meets the security requirements appropriate to the sensitivity of the data. If no suitable existing solution is available, or as an alternative, clear functional requirements can be derived from the existing specifications and delivered to potential vendors with the aim of receiving comparable quotations.