The core task of the IT security consulting team is to eliminate technical weaknesses and security gaps by developing suitable solutions together with our customers.
Organizational aspects such as guidelines, requirements and processes are then addressed as a complementary measure.
Our motto: first reduce the likelihood of an incident through concrete technical measures, and only then proactively work on further security ideas and options.
The two terms information security and IT security consulting are often used interchangeably or even understood to mean the same thing. But what is the difference? Information security, for which various standards exist on the market, is not limited to IT security; it covers information of any kind that is worth protecting (so-called information assets).
Information security therefore also includes, for example, paper documents and their disposal in accordance with dedicated DIN standards (e.g. DIN 66399 for the destruction of data carriers), right through to personnel security to prevent incidents such as those involving Unister top management in 2018.
IT security consulting, on the other hand, is explicitly concerned with the security of IT systems and components; other assets are deliberately left out of scope. The aim here is to consider only business risks with a high probability of occurrence (hacker attacks, fire in data centers, loss of smartphones through theft, etc.).
ProSec supports you with consulting on both paths, whether in information security on the way to an information security management system (ISO 27001 & BSI IT-Grundschutz) or at the more technical level with IT security consulting.
According to theory, a top-down approach is prescribed for IT security. Based on our practical experience, we believe the bottom-up approach is more appropriate. Why?
Vulnerabilities that pose a security risk usually do not originate in concepts, but in their implementation and in keeping the IT environment up to date (patch levels, configuration, decommissioning of legacy systems).
This is exactly where we start: in the first step, we sustainably raise the company's security level by eliminating specific weak points. This buys the time to work out concepts, processes and specifications together, grounded in practical experience, and to implement them in a targeted manner.
In this way, we want to avoid toothless paper tigers and ensure that compliance requirements work as intended. Pragmatism instead of bureaucracy.
A cyber attack affects not only your IT systems, but also your finances and your corporate image.
Currently (as of January 2022), there are over 50 information security management systems on the market. Each has advantages and disadvantages, and in the end they all try to do the same thing: make all risks transparent for the respective target group of the system, and enable the company to sustainably raise its own information security level and keep it alive.
We primarily support three ISMS frameworks:
ISO/IEC 27001 is a recognized international standard for information security management systems. It defines the requirements for establishing, implementing, operating, monitoring, maintaining and improving a documented information security management system (ISMS).
The ProSec ISMS distinguishes itself from existing standards in a very simple way: we do not try to reinvent the wheel, but deliberately reuse the controls from systems that have proven themselves and "mix" working components from all current as well as upcoming systems, 100% transparently. The advantage is that the effort for certification against the various systems is lower, and the ISMS remains generic and, above all, does not lose sight of the essentials: minimize technical risks, validate them quickly and briefly in a cyclical manner (following the Lean Startup management method) and transfer them sustainably into internal company processes.
Many of our business partners, whether the federal government or medium-sized businesses, repeatedly make the mistake of approaching information security top-down in the form of a management system (ISO/BSI, etc.). The result, as our quality assurance process regularly shows, is that these theoretically built systems can indeed be certified in the end, but offer no real protection against, for example, hacker attacks (which we verify by means of penetration tests), and are not able to detect such attacks in a qualified manner and respond accordingly (cf. incident response).
After a penetration test, many of our business partners are sensitized and fall into actionism and an emotional compulsion to act. Unfortunately, this regularly leads to considerable failures and problems in IT. In addition, a penetration test, which at ProSec usually leads to a complete takeover of the IT within 8 test days, gives the impression that the solutions to the problems are just as quick and easy as our "hacks". This is a fallacy; the reverse is often true. The more hacks succeed, the more fundamental the problems in IT are, and the longer and more complex their solution becomes.
Please trust us here: emotional actionism and underestimating the topic both lead to the wrong attitude in top management. IT security is a matter for the boss.