
Andreas Mühlbauer

Security architecture from a single source

Companies and authorities are confronted with increasing security requirements. The market for security solutions and products is becoming increasingly confusing and users are spoiled for choice.

CGI offers security from a single source, © CGI

There is therefore much to be said for the use of vendor-neutral services from a single source, which organizations can use to overcome the complex challenges specific to their requirements.

The security of information technology systems in public authorities and companies involves a high degree of complexity. The threat level is not decreasing, but is actually increasing continuously. The German Federal Office for Information Security (BSI) recently emphasized that "the coronavirus-induced surge in digitalization has increased the potential attack surface and thus the risk of successful cyber attacks".

Increasing security requirements ideally demand centralized management of clients, email transport services, mobile devices and data management based on uniform standards, especially in view of the stricter requirements in the areas of regulation and compliance. All organizations are faced with the same questions: How do you comply with the multitude of regulations and how do you manage the high technical effort involved in operating IT systems? Almost all IT managers, from IT department heads and administrators to CIOs and CISOs, face a similar challenge.

Isolated solutions or integrated security architecture

Although there are a number of solutions on the market that cover individual security areas, there are hardly any services that offer the necessary expertise and solution portfolio from a single source. Before an organization implements several individual solutions, it should consider using an end-to-end, holistic offering that covers the entire spectrum of IT security requirements. This avoids the introduction of isolated solutions, which increase administration costs and may also be problematic from a security and performance perspective.


The services offered by an external service provider in the field of IT security should range from consulting to solution selection and implementation through to operation. It is essential for the client that the service provider and its employees have the appropriate qualifications, certifications and references.

As a service-oriented architecture, CGI's German Secure Network (GSN) offers all possibilities to cover customer-specific requirements in all security areas - modular and scalable. © CGI

According to the IT baseline protection (IT-Grundschutz) principle, every ISMS first requires the definition of protection objectives. At this stage, it makes sense to work with an external service provider that has itself operated a stable ISMS for many years, so that the user is supported from the very first definition steps.

Based on the protection goals, the service provider can make recommendations on architecture and tools and design a concrete implementation scenario, including the selection of products and solutions. Ideally, the service provider pursues a vendor-independent best-of-breed approach, using the most suitable and technologically leading solution for each respective application.

Cornerstone of a comprehensive service offering

Service offerings have proven themselves in practice. This also applies to IT security. A service offering should have a high degree of flexibility, modularity and scalability and thus cover the varied and increasing requirements of authorities and companies of all sizes. Flexibility and modularity mean that the client can engage the provider for individual services only, for example consulting, the creation of documentation, or the provision of individual service applications such as software packaging, backup or SharePoint. A common scenario for many companies is that the end devices meet the security requirements, but the backend does not. The provider must be able to react flexibly to this initial situation with an integrated security concept. The same applies if a company does not want to use a solution designed for maximum security for all employees, but only for a dedicated group of people.

Practical experience shows that important cornerstones of the service offering are the areas of backend, collaboration, communication, data management, mobile access and end devices. Specifically, the IT solutions must include managed network services such as DMZ network management, core services such as system management and directory services, application services such as Windows application management, anti-virus and collaboration as well as end-user services such as client patch management and client software packaging. In terms of security services, SIEM, SOC and CERT services in particular should be part of the service provider's offering.

When deciding on a service provider, authorities or companies are faced with the challenge that the use of state-of-the-art technologies alone cannot guarantee IT security. It is equally important that the service offering provides a high level of security that is proven by compliance with strict regulations. These include the BSI standards 200-1, 200-2 and 200-3 as well as 100-4 and the BSI-Isi series. The provider must also be able to use products and solutions for authorities, public bodies and non-public bodies such as the classified industry that are certified by the BSI and explicitly approved for use up to the classification level VS-NfD (classified information - for official use only). ITIL-compliant documentation of the services ensures that methodical and substantive good practices are reused. This forms the basis for the sustainability of the solutions created.

Six important cornerstones of a service offering. © CGI

An essential criterion for a comprehensive range of IT security services is the requirement-specific support of different operating models, from on-premises use with self-service management to managed services and full outsourcing including field service. In view of the basic requirements of public authorities and many companies, it is important that the provider of managed services or full outsourcing models guarantees that data storage and administration take place exclusively in Germany and that the service provider demonstrably has no access to the public authorities' or companies' IT security data at any time.

There is no doubt that the challenges in terms of IT security will continue to increase. Instead of patching existing potential threats with silo solutions that in turn introduce foreseeable new vulnerabilities, public authorities and companies should examine whether an integrated service offering that covers customer-specific requirements in all security areas in a modular and scalable manner is not the better approach. Experience shows that this approach reduces costs while guaranteeing the required level of IT security, increases future-proofing and thus protects existing investments and maximizes the cost-effectiveness of new procurements.

Jürgen Nolte, Director Consulting Services at CGI Germany
