Security Engineering
Risk assessment, Security concepts, Security for safety, Recovery concepts
For us, security engineering is the way from a security problem to a solution (i.e. a security concept).
The first step is always the same: Together with you, we understand and model your systems and what you do with them. This creates a model representing a common understanding of your most important functions. For many of our clients, this model becomes so important that they keep pulling it out and updating it for years, even long after the project is complete.
For your functions, we consider what can go wrong in a risk analysis. Our risk analysis methodology is flexible and can be adapted to all regulatory requirements - whether they stem from your organization or external bodies. We can prepare the risk analysis or do it together with you, but we prefer to have you, the system experts, with us. A pleasant side effect: workshops on risk identification are wonderful awareness trainings!
What the result looks like depends entirely on your individual problem. Perhaps you need a comprehensive security concept for your network, or you want to integrate security into the specifications of a new system, or have an existing concept reviewed, or set requirements for your suppliers according to a standard - or maybe you want to carry out a risk analysis only for your safety systems - whatever it is, we’ll figure it out.
Read more about our security engineering methodologies in our info center.
Security Management
ISMS, Incident management, Risk management, Business Continuity management, Data protection
A security management system (information security management system, ISMS) is more than a pile of paper. We start small and define goals with you: Does your management system have to pass an audit (see regulations)? In a gap analysis, we go through with you what you already have - because that is often more than you think. A security management system should not be set up as a completely new organizational island, but should be integrated into your current way of working.
Our goal is for your management system to start being operative as early as possible - and then continue to grow from there. This works after just a few weeks with our support - and the more confident you become, the more we retreat to the background.
The same applies to the operational effectiveness of your security management: A security management that is not integrated into your organizational structure and processes does not deserve the name. Together with you, we weave your security management seamlessly into your hierarchies and processes; informally as well as formally. This is the only way to establish a living security management and not a paper tiger.
For us, security management that is not technically effective is not an option. That is why security management is closely linked with security engineering. You will get to know methodologies, processes, and tools that help you to truly become more secure, not just on paper: risk management, incident management, business continuity management, change management, training.
And if you like, we can also integrate data protection into your security management as part of a Privacy Information Management System (PIMS), as it is called in the international standard ISO/IEC 27701:2020.
Read more about our security management methodologies in our info center.
Security Test
Penetration test, Systems, Network, Web applications, OT, ATT&CK®
Are your security measures effective? A security test can bring clarity. During a test, we build model-based security profiles of your target systems that document both the effective measures and the security gaps. We proceed systematically, based on open source standards and methods such as OSSTMM and OWASP.
We look at your network as a whole, individual systems or even individual applications, including web applications. If you like, we can also include your OT in the security tests - but carefully. We know how important your automation systems are to you and how we have to deal with them in order not to risk their availability. If you are not sure what a meaningful scope for your security test is, we will find out together on the basis of network modeling and attack modeling (e.g. on the basis of MITRE ATT&CK®).
In order for you to make the best use of your security test results, we prepare them as you like. At a minimum, each test result includes a classification of what it could mean for you in your context. In addition to immediate measures to close security gaps in the short term, we always make recommendations for improvements in order to avoid similar gaps in the long term. And if it helps, we will transform your test results in a way that you can use them directly in your information security management.
Read more about our security test methodologies in our info center.
Incident Response
Incident, Playbook, First Response, Incident Response Team, PSIRT
What do you do if a security incident happens? To make sure no time goes to waste and no unnecessary mistakes occur in the event of an incident, we help you to “think ahead” as much as possible.
We have a team that has dealt with incidents over and over. Our Incident Response Team (IRT) is at your side, helping you hands-on with incident management, keeping a cool head and everything together. Along the way, we take care of the reports and formalities that must be observed in the event of an incident. Our IRT only sees its work as done when you can work normally again and know what to do so that a similar security incident is not likely to happen again.
Also, we are happy to pass on our knowledge as a first responder to you. In collaboration with you and based on our experience, we do the “thinking ahead” individually for your organization and prepare your employees for incident response. Together we develop concepts for security incidents, emergencies and business continuity, write recovery plans and playbooks and use table-top exercises to practice using all of these concepts in the event of an incident.
If you are a manufacturer of automation solutions, we will work with you to set up a modified form of an IRT, a Product Security Incident Response Team (PSIRT): What do you do if vulnerabilities are found in your products? What do your customers need from you now?
Read more about our incident response methodologies in our info center.
Conformity Assessment
ProZert, Product Certifications, BSZ, 62443, Readiness, Common Criteria
The name of our subsidiary adfidetia represents what is important to us when certifying your product security. “Fides” is Latin for trust - and product certification creates value only if it increases your customers' trust in your product.
In order for a certificate to actually create trust, there must be a reproducible and technically sound test of the certified properties. This is exactly what adfidetia does as an accredited test laboratory of TÜV NORD.
Before each certification, we determine your position on the road to certification readiness: whether you are only concerned with "readiness" for certification or whether you want to go the full way through to the certificate, and if so, which standard and which certification scheme make sense for you. We help you on your way through the jungle of Common Criteria, Accelerated Security Certification (BSZ), ISA / IEC 62443 and legal requirements.
And if all of this is still a pipe dream for you, we will first work with you to improve the security in your product development process - because, as you may have learned by now, admeritia knows a thing or two about security engineering…