Today, business processes depend on the reliable and proper functioning of information and communication technologies. Therefore, many rating agencies already evaluate IT security as part of a company’s operational risks. However, the actual threats as well as the impact resulting from successful cyber attacks are not always immediately obvious: For example, know-how theft through unauthorized access to and copying of data does not lead to immediate business interruption and might only be recognized at a much later point in time.
According to surveys, more than 70 percent of larger companies in Germany have already been affected by cyber attacks. In this context, the number, complexity and professionalism of the attacks are increasing. The business activities of modern companies with a high degree of dependency on IT can be brought to a complete halt (see, for example, the cyber attacks with WannaCry in May 2017 and with NotPetya in June 2017), with all the consequences this entails. Recent studies show that advanced persistent threats (APTs) increasingly target ever smaller companies. The opinion that is nevertheless still widespread in many companies, “Well, nothing has happened so far”, might thus result in serious problems if the existing security concepts are not regularly and adequately adjusted to the changed threat situation.
“Cyber security should be given top priority.”
For this reason, the Federal Office for Information Security and ISACA Germany Chapter e.V. decided to jointly develop a practical approach for the assessment of cyber security in companies and government agencies. The “Cyber Security Check” helps to determine the cyber security status based on the cyber security risk assessment (see chapter 4.2, step 2) and thus to respond to current threats from cyberspace effectively.
Given the relevance and importance of this topic, all levels, i.e. from the executive/senior management of an organisation, information security managers / IT security officers, corporate security managers, IT administrators and IT auditors through to the end users, should be concerned with cyber security. This guide describes the structured implementation of a cyber security check at companies and government agencies and can be used by different roles:
- Accountable Managers who have no security expertise can use this document as an orientation aid and as directions for action if they want to initiate or implement a cyber security check.
- IT security officers and other parties responsible for information security should use this guide in particular to gain an overview of the issue, to look at the security aspects to be assessed and to make themselves familiar with the procedure to be followed when implementing a cyber security check.
- Auditors and consultants are provided with a practical guide containing specific guidelines and instructions for the implementation of a cyber security check and for the preparation of the report. The standardization of the approach ensures consistent high quality. In addition, it should increase the transparency for companies and government agencies when comparing different offers in the tendering and contracting process of the “Cyber Security Check” service.