Information security:
computing everywhere needs security everywhere

The world becomes increasingly digitized and globally interconnected, with mobility and cybercrime on the rise, information security and IT security are becoming an absolute necessity. Not only have major international corporations become the target of hackers, but mid-sized companies as well are falling prey to industrial espionage by perpetrators both internal and external. Even though laws and regulations like the Control and Transparency in Business Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich, KonTraG) and data protection laws are also increasingly demanding the implementation and documentation of IT security measures, risks are often identified too late or addressed inadequately. Security incidents can cause customers to lose trust, triggering millions of euros in losses and lasting damage to a company’s reputation. IT has also permeated more and more areas of life – for instance the “Internet of things” and “connected vehicles”. There too, IT security is a must.

What is more, companies often underestimate the complexity of implementing the rather interdisciplinary area of information security. This is why we offer you independent consulting on all aspects of information security. Real security calls for a holistic view of the essential components. That’s why we first analyze your individual need for protection and then use it as a basis to develop solutions tailored to your companies individual security requirements.

Our experts have gathered comprehensive experience through numerous projects in a variety of areas. They have been certified as Lead Auditors or Certified Information Systems Security Professionals (CISSP) and/or ISO 27001; their knowledge is always at the cutting edge. Our customers include well-known companies and DAX-listed corporate groups. Their trust best affirms our expertise.

Get in touch

Mark Schmidt

Mark Schmidt
Head of msg Information Security

Our consulting portfolio

Customized consulting on governance, risk & compliance (GRC)

Governance, risk & compliance (GRC) means managing companies on the basis of risk and complying with statutory as well as contractual obligations. We assist you in establishing a custom-tailored risk management system for your company in order to detect and assess security and IT risks, and handle them appropriately. Depending on the risk level, it is important to put various technical or organizational measures in place to mitigate risk. However, risks can also be prevented completely by means of alternative processes or systems or be accepted up to a certain level of criticality.

Support from management is the basis for information security in every organization; it provides the necessary resources, defines the strategy and requires all employees to comply with security policies. We help you to find the right strategy, to prepare policies and to set up an information security management system (ISMS) to continuously improve your information security. We use proven rules and procedures to ensure your company’s information security is appropriately managed, monitored and optimized on an ongoing basis.

IT compliance is closely related to this. We conduct a comprehensive compliance check to investigate which statutory and contractual obligations are relevant for your organisation and to what extent your company already meets them. We offer you an extensive overview of your IT compliance based on a gap analysis. We follow recognized best practices from standards such as ISO 27001 ff., the IT-Grundschutz Catalogues of the German Federal Office for Information Security in IT (BSI) or the Control Objectives for Information and related Technologies (COBIT).

In order to find the correct, economically most viable measure, it is important to determine precisely the individual need for protection of your data – after all, too little security is negligent, while too much is not financially viable. Our information security experts help you to identify your “crown jewels” and provide you with competent consulting and individualized support in these matters.

Application Security throughout the entire Software Lifecycle

More and more business processes are being supported by IT systems or moved directly to the cloud. This makes it crucial for the company’s underlying applications to be secure. Application security should therefore be a fixed component of every application development process.

Our Information Security unit offers you expert, comprehensive security consulting that goes beyond mere penetration tests and security source code reviews, covering the entire software lifecycle. During the process of determining your needs for protection, we first identify the specific protection needs of your data. On this basis, we define measures that track the entire software development process – from abuse case modeling through security by design and privacy by design all the way to security audits. In this, we also focus on the security of the full “user + data + application + infrastructure” package.

Csm 2012 12 13 Grafik AppSec Web EN 758f6e70ac

Comprehensive security consulting throughout the entire software development process

We conduct protection needs analyses and develop security concepts, consider infrastructure security and secure coding, and use the Secure Software Development Lifecycle (S-SDLC) to optimize your application security system comprehensively and efficiently. Our experts not only have extensive expertise in web application security, but we are also very well-versed in mobile applications and complex IT systems in corporate settings.

Customized IT security audits

We use customized IT security audits to close possible IT security gaps in your company. In doing so, we screen – as needed – your applications, processes, systems or entire organization.

Compliance Audits
In our compliance audits, we look at your whole organization, focusing on compliance with laws and standards such as ISO/IEC 27001, the Federal Data Protection Act, IDW PS 330, the Payment Card Industry Data Security Standard (PCI-DSS), MaRisk and the Sarbanes-Oxley Act (SOX), as well as on your individual requirements, such as those arising from contracts.

Risk-based audits
Production or service downtimes, loss of customer data or industrial espionage are risks that can give rise not only to significant monetary burdens but also to lasting damage to your reputation. Our risk and vulnerability analyses uncover threat scenarios for your company and help you eliminate or mitigate ensuing risks.

We follow three steps in our customized security audits:

  1. First we analyze documents for IT security strategy and IT security guidelines and policies, procedural instructions, system documentation and security-related contractual obligations.
  2. On this basis, we conduct targeted interviews with your security officers and selected employees on security-related questions in your company.
  3. When assessing your systems on-site, we spot-check the practical implementation of the information security guidelines and specifications. We can also inspect the physical security of your data center. In short, we will compile a report based on your management requirements and gladly present it on request.

The information security expertise of our consultants guarantees efficient audits and independent results. We work with you to identify appropriate testing standards, deliver test results and point out areas where improvements make sense.

Information Security: Training to Meet Your Needs

msg offers information security trainings on crucial information security subjects geared precisely to your needs. Our portfolio of training courses for both end users and security officers (CISO) comprises courses on application security, security in software development, information and data protection in projects, privacy by design and security awareness training. We also provide lecturers for courses leading to information security officer certification for the Bavarian IT security cluster.

Our lecturers and training managers are well-versed in the relevant aspects of IT security and the latest developments. They have gathered broad experience from various projects, and many of them are certified as ISO 27001 Lead Auditors or Certified Information Systems Security Professionals (CISSP).

We also offer coaching and support for security officers, information security officers (ISO) and data protection officers. Several of our employees have worked or are currently working as internal or external security officers in global companies and draw on extensive experience, which they will gladly pass on to you.

Our focus

Professional Penetration Tests make for greater security

Do you know how secure your applications and systems are? Professional penetration tests of web apps, systems or your IT infrastructure as a whole enable us to form a precise picture, identify vulnerabilities and point out technical measures to purposefully eliminate security gaps. Our work benefits you in two ways: it increases the level of your security and raises the awareness of your software developers.

The experts in our information security unit have broad experience with penetration tests and security source code reviews you can count on.

We monitor the test object in accordance with your individual requirements. Moreover, will not make a customized offer before having first determined key criteria such as protection needs, exposure, technology, known interfaces and the corresponding BSI criteria for penetration tests.

Csm PenTest EN 2c4b0d1a45

Evaluation of framework parameters according to the criteria of the German Federal Office of Information Federal Office for Information Security in IT (BSI)

1. Preparation

Together we will coordinate targets, agree on time periods, the type of test and the procedure used. We also identify contacts, inspect existing documents in a whitebox test and, if necessary, interview product managers.

2. Fact-finding and evaluation
3. Evaluation
4. Qualified attacks
5. Final analysis

Mobile Security: Security for smartphones, tablets and apps

Mobile work processes call for a comprehensive mobile security plan. By connecting to insecure networks, smartphones, tablets and apps undermine the conventional security architecture of many companies that relies on firewalls to safeguard the corporate network. The risk of loss and theft, the use of private devices (“Bring your own device”) and the possibility of detection all make the use of mobile devices one of the biggest threats to sensitive corporate and customer data and for users’ privacy.

Mobile security covers not only devices, platforms and apps but also organizational aspects, administrative processes and compliance. This makes it important to tie the security of mobile end devices to a company-wide security concept, and to do it right from the start. Especially during app development, it is important to take security measures similar to those used in conventional software development into account, such as security by design, data economy and encryption. To this end, msg has developed a guide and a procedure for testing the security of mobile apps.

In order for you not to experience any unpleasant surprises with mobile end devices in your company, our skilled and experienced experts offer you an individualized security consultation and support you with the following services:

  • Penetration tests for mobile apps and end devices (iOS, Android)
  • App validation (audit of the app for compliance with the required performance, for example no transmission of data to third parties)
  • Secure development of mobile apps
  • Security Source Code Reviews
  • Guidelines and security concepts for mobile end devices in the company
  • Compliance Checks (for example data protection, internal requirements)
  • Mobile Device Management (MDM)

Data protection + privacy by design = competitive advantage

In the era of big data and global networking, data protection and privacy by design are becoming more and more important. The principle that personal data must be protected wherever it is being processed presents companies with heterogeneous system landscapes with a highly complex task. The European General Data Protection Regulation, due to come into effect in 2018, will introduce additional requirements such as privacy by design.

Privacy by design (PbD) makes data protection the “standard operating mode” and places it in the domain of product and software design. Other key aspects of PbD define data protection as the default. This will allow for added transparency comprehensible for lay people and also give users a say in decisions. Supporting technologies and methods include encryption, access controls, anonymization and pseudonymization as well as automatic deletion of data after an agreed period. The implementation of data privacy friendly software design ultimately establishes the new discipline of privacy engineering.

When faced with these challenges, you can rely on our expert information security team: Our experienced auditors check the current status of data protection in your company in an integrated way. Depending on your needs, we audit the implementation of the Federal Data Protection Act or compliance with EU GDPR regulations and other best practices or standards such as ISO 29100. Together with you, we define required measures and guide you through an efficient and effective implementation.

Privacy by design represents one of our core competencies. Our consultants shape this issue in renowned international institutions like the Internet Privacy Engineering Network (IPEN) founded by the European regulatory body or the International Association of Privacy Professionals (IAPP). With the establishment of the OWASP Top 10 Privacy Risks Project our experts took part in the development and establishment of a meanwhile well-known global Standard recommended by regulatory bodies. Our experts coach your product managers, project heads and developers, and assist you in developing software that fosters data protection.

Consistent data protection gives you clear competitive advantages, avoids high penalties for violating GDPR rules of up to 4% of global sales and substantial damage to your brand making it a worthwhile investment into your company's good name. After all, increasing numbers of customers are calling for products that support data protection while turning their backs on data hoarders.

Powerful Identity & Access Management (IAM)

IT security rules, supervisory and compliance requirements and new service scenarios like cloud services and mobile applications are placing ever higher requirements on the protection of key data and information from unauthorized access. In this situation, a powerful identity & access management (IAM) system that manages users and their access authorizations within the company becomes the backbone of the security infrastructure in every company. It calls on the IT organization, specialized areas and security officers to work hand in hand on the basis of a defined set of rules derived from IAM guidelines and processes – this is the only way to guarantee consistency in the IAM and optimization of procedures and processes.

Within the context of IAM, Access Management (AM) ensures that the right users have the necessary access authorizations at the right time. Identity Lifecycle Management (ILM) observes one user and that user’s accesses over his or her entire lifecycle in the company. Access Governance & Compliance (AGC) guarantees that the appropriate authorizations are assigned in compliance with governing law. Validation, Audit and Controlling (VAC) continuously monitors the security status and documentation of the IAM.

Csm IAM EN 7de8dff985

Subject areas in Identity & Access Management

Our skilled information security experts advise and support you on all matters in the area of IAM. As you implement, maintain and optimize your corporate IAM, we support you throughout all project phases with our proven IAM modular toolbox. Your benefits:

  • Reliable, audit-proof statutory compliance
  • Streamlined specialized and IT processes
  • Improvement (usually around 20% to 30%) in user and access data
  • Better security and lower expenditures (for example, for access certifications) make for optimized costs
  • Transparency and sustainable IAM/IAG reporting

Further information

Strengthen your information security und IT security