Information is the most valuable resource and capital of organizations in our
knowledge-based economy. It has to be protected and insured in the same way as
our physical and financial assets.
As with insuring traditional assets, IT security expenses may seem to be
redundant costs as long as nothing goes wrong. Only afterwards do we regret how
much less expensive prevention and security measures would have been.
Since the price of perfect protection is infinite, the objective is not perfection
but an optimal level of security, calculated by weighing the potential damage value
of the various risk factors against the cost of the measures required to prevent
them. Properly considered information security expenses can therefore be regarded
as a sound financial investment.
The objective is to minimize the cost spent on security together with the damages
suffered.
Events threatening information may arrive from outside the organization; however,
according to survey results, the vast majority of damage to information (intentional
or accidental) occurs within the organization. Lack of information protection may
cause severe losses, and information technology risks have now unequivocally become
business risks.
Potential hazards
- inappropriate decisions
- loss of business
- legal consequences (fines, compensation)
- loss of time
- loss of confidence, image impairment
- high restoration costs
- inoperability encumbering business activity
What does Synergon offer?
Synergon Information Systems Plc. offers a complex service package with the following
elements, so that an optimal and cost-effective level of security can be created
and maintained:
IT security assessment
The initial step of the complex security solution is the identification of the
requirements resulting from the business and operational environment.
This can be followed by a business/information system risk analysis, which aims at
identifying the inadequacies that may cause potentially serious damage to the
organization (that is, the high risks) and at determining the tolerable value of
the residual risk.
These are required for implementing the risk-proportionate protection principle:
optimal security costs together with an adequate level of protection.
The organization's information security strategy and concept comprise the security
objectives to be achieved and the conceptual implementation plan, which is
elaborated with knowledge of the requirements and risks.
Risk analysis
The risk analysis may follow, based on the result of the audit, with the objective
of identifying the security holes and inadequacies that may cause potentially
serious damage to the organization and therefore represent high risks. These are
required for implementing the risk-proportionate protection principle: optimal
security costs together with an adequate level of protection.
The output of the risk analysis is a report comprising all the risk factors present
in the given situation.
Risk management
The next step is the elaboration of the protection measures and the implementation
of the required controls, so that the identified risks can be reduced to an
acceptable level.
These are classified into three groups:
The physical protection measures protect the equipment, the offices and the employees
performing the information processing. These include, for example, guarding, fire
alarms, access control systems and video surveillance systems, as well as
uninterruptible power supplies, protected cable ducts and air conditioning devices.
The logical protection measures and solutions ensure the confidential handling,
integrity and continuous availability of data. Some examples, without limitation:
virus protection, firewalls, intrusion detection systems, authentication systems,
public key infrastructure for the implementation of digital signatures and
encryption, content filtering, virtual private networks for confidential
communication, backup/archiving systems, etc.
The administrative security measures document the security expectations (Information
Technology Security Policy), regulate the security environment, and define the
authorizations, responsibilities and the activities to be performed and not to be
performed (Information Technology Security Regulation). The significance of business
continuity plans, which aim at managing unexpected events, should be especially
emphasised, since by elaborating these plans the organization can maintain
operability after even the most diverse external or internal incidents.
IT Security Regulation
The intended security level is reached through the implementation of the information
technology security developments; however, this level is not constant but decreases
with time.
That is why a security management cycle is required, aiming at maintaining the
expected security level and at identifying and initiating the required changes in
the protection system when the level decreases.
The Information Technology Security Regulation (ITSR) determines the framework of
the security management system. The ITSR specifies the information system security
organization required for operating the security system, as well as the tasks and
responsibilities related to its operation.
The procedural instructions define the concrete rules required for implementing the
general security rules laid down in the ITSR at the level of the individual
information systems. They ensure that the tasks to be performed for the protection
of information are defined for each employee concerned, broken down to their
individual position.
Training
The importance of training needs no emphasis, since the majority of security events
are caused by people, and within these, unintentional human errors represent a
serious proportion. Increasing security awareness can efficiently reduce this type
of risk. Security training for users should be organised in parallel with the
introduction of protective measures, and follow-up training should be organised
annually.
IT audit
The information system audit is performed either in cooperation with the financial
audit or independently, based on the recommendations of COBIT (Control Objectives
for Information and related Technology).
After surveying the situation, the customer's internal control environment is
scrutinized. This is followed by testing the general information system controls,
from compliance with the regulations, through the proper segregation of duties, to
the environmental controls.
The audit of the application systems includes, but is not limited to, the examination
of the hardware and software platforms, the network and telecommunication
infrastructure, operating practice, physical and logical access, and input,
processing and output controls. The efficiency, effectiveness, integrity,
reliability, availability and legal conformity of the information system are mapped.
Our observations and recommendations are presented in the form of an audit report.
Business continuity and information system disaster prevention plans
Nowadays, companies have to prepare for and react to various events (such as a
prolonged power failure, a hacker attack, a railway strike, etc.) which pose a
certain level of risk to their business continuity.
In accordance with our methodology, a risk analysis follows, surveying the business
processes, ranking the critical ones among them and determining their tolerable
outage period.
This is followed by the elaboration of the supplementary and loss-reducing
procedures, and of the correction and restoration plans.
Upon request, the employees can be instructed according to the business continuity
plan elaborated in this manner, with special emphasis on training the key
executives.
Assistance is provided in preparing the test plan(s), in elaborating the regular
review and in keeping the plans up to date.
ITIL based regulation of operational processes
Nowadays, the efficient operation of information technology infrastructure and the
management of information technology assets are increasingly coming into the focus
of organizations that use such assets.
Successful management is becoming more and more important in the field of
information technology services, too. However, this requires guidelines and the
adoption of standardized processes.
Organizations require an economically operating and objectively assessable
information technology service which can react swiftly to needs, has adequate
availability, and is safe and reliable.
This is facilitated by the Information Technology Infrastructure Library (ITIL),
developed by the English Office of Government Commerce (OGC) for the management of
information technology processes.
ITIL comprises six series of documents, the volumes of which describe the processes
required for the proper provision of IT services, based on best practices:
descriptions of procedures that have proven successful in practice.
Nowadays the recommendations of ITIL are used worldwide.
Methodology
Our consultants perform their work on the basis of internationally accepted and
extensively applied methodologies.
ISO 17799, ISO 13335, COBIT, Common Criteria and ITIL are among the methodologies
applied.
Our colleagues
Our experts hold the following certifications:
- CISA (Certified Information System Auditor)
- CMC (Certified Management Consultant)
- Checkpoint Certified Security Administrator
- Checkpoint Certified Security Expert
- Symantec Certified System Engineer
- SUN Certified Solaris Administrator
- Trend Micro Validated Technician
- Trend Micro Sales Specialist
- F-Secure Engineer
- Nokia Security Administrator
- RSA Security Administrator
WHY SYNERGON?
Optimal protection: By creating optimal protection, the sum of the money spent on
security and the losses due to security incidents can be kept at the lowest
possible level. The money spent on risk management thus becomes an investment that
pays back.
Risk reduction: The money spent on information protection reduces the likelihood of
future losses and the damage value of the events that do occur (by reducing the
time and cost of recovery), so it can be considered an insurance-like investment.
Time and money can be saved by creating order: Regulated and controlled operation
saves unnecessary administration, time and money.
Compliance with external requirements: Compliance with statutory and legislative
requirements, stock exchange stipulations and the expectations of supervisory
authorities.
Image improvement: Regulated IT security (e.g. backed by an ISO certification)
creates confidence among customers and thus a competitive advantage as well.
FREQUENTLY ASKED QUESTIONS
When is it necessary to consider IT security issues?
The problem should be considered whenever the organisation uses IT as a means to
achieve its objectives, since a lack of IT security may lead to serious economic
losses or violations of the law (protection of personal data, state secrets…).
Why is it worth employing IT security consultancy?
Employing external experts in IT security projects provides the following benefits:
- our experts know and actively apply the internationally accepted standards and
methodologies in the field of IT security in the course of their work
- external experts can assess the situation independently and impartially
- our experts have comprehensive project experience and references in the field of
IT security
- we can rely on comprehensive IT expertise in the course of the project.
What hazards can be prevented by means of IT security consultancy?
The objective is the prevention of all the hazards threatening the data stored and
handled in the IT systems.
The security hazards can be grouped in several ways: they may be intentional or
inadvertent, and they may arise from human failures, hardware or software errors or
environmental effects.
What is uniform strength protection?
The weakest link principle: each system is only as secure as its weakest link.
Consequently, the same level of protection is required at each point of the system.
(E.g.: a company's firewall protecting the Internet connection is of no effect if,
at the same time, signing on to the system is possible over the telephone line
without a password.)
What does the optimal protection level mean?
The money spent on the protection measures is in balance with the extent of the
potential damage.
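The optimal protection level described here, and the risk analysis section above (weighing the cost of measures against the potential damage of each risk factor and checking the residual risk against its tolerable value), can be worked through numerically. The following is an added example written for this page; it is not Synergon's code or methodology. Every risk factor, control, cost and reduction figure is constructed for the illustration, and the model in which several controls on one risk combine multiplicatively is an assumption.

```python
# Added example (not Synergon's code): a small quantitative model of the
# risk-proportionate protection principle. All figures below are constructed;
# the control names and their effect fractions are assumptions.
from dataclasses import dataclass
from itertools import combinations


@dataclass
class RiskFactor:
    name: str
    annual_likelihood: float  # expected number of occurrences per year
    damage_value: float       # loss caused by one occurrence

    def expected_loss(self) -> float:
        """Annual expected loss before any control is applied."""
        return self.annual_likelihood * self.damage_value


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction of a risk factor's annual expected loss removed by this control
    reduction: dict


def residual_losses(risks, controls):
    """Annual expected loss per risk factor after applying the given controls.

    Reductions from several controls on the same risk are treated as
    independent (assumption), so the remaining fractions multiply."""
    result = {}
    for risk in risks:
        remaining = 1.0
        for control in controls:
            remaining *= 1.0 - control.reduction.get(risk.name, 0.0)
        result[risk.name] = risk.expected_loss() * remaining
    return result


def optimal_controls(risks, controls):
    """Exhaustively choose the control set minimising cost + residual loss.

    This is the page's objective of keeping the sum of security spending and
    damages as low as possible; exhaustive search is fine for a handful of
    candidate controls."""
    best = None
    for k in range(len(controls) + 1):
        for subset in combinations(controls, k):
            cost = sum(c.annual_cost for c in subset)
            residual = residual_losses(risks, subset)
            total = cost + sum(residual.values())
            if best is None or total < best["total"]:
                best = {
                    "controls": [c.name for c in subset],
                    "cost": cost,
                    "residual": residual,
                    "total": total,
                }
    return best


def above_tolerance(residual, tolerable):
    """Risk factors whose residual loss still exceeds the tolerable value,
    i.e. where the analysis should call for further or stronger controls."""
    return [name for name, loss in residual.items() if loss > tolerable[name]]


# Constructed sample input: three risk factors and four candidate controls.
RISKS = [
    RiskFactor("ransomware", 0.5, 200_000.0),
    RiskFactor("laptop theft", 2.0, 5_000.0),
    RiskFactor("power failure", 1.0, 20_000.0),
]
CONTROLS = [
    Control("backup/archiving", 15_000.0, {"ransomware": 0.8}),
    Control("disk encryption", 3_000.0, {"laptop theft": 0.9}),
    Control("UPS", 10_000.0, {"power failure": 0.7}),
    Control("awareness training", 4_000.0, {"ransomware": 0.3, "laptop theft": 0.2}),
]
# Constructed tolerable residual loss per risk factor (per year).
TOLERABLE = {"ransomware": 30_000.0, "laptop theft": 2_000.0, "power failure": 5_000.0}


def run_analysis():
    """Return the cheapest overall control set and the risks still above tolerance."""
    best = optimal_controls(RISKS, CONTROLS)
    return best, above_tolerance(best["residual"], TOLERABLE)


if __name__ == "__main__":
    best, flagged = run_analysis()
    print("unprotected expected loss:", sum(r.expected_loss() for r in RISKS))
    print("chosen controls:", best["controls"])
    print("annual cost + residual loss:", round(best["total"]))
    print("risks still above tolerance:", flagged)
```

With the constructed figures, all four controls together give the lowest sum of spending and residual loss, yet the residual loss from power failure still sits above its tolerable value; that is exactly the case where the risk analysis report should either name a stronger measure or record the excess as accepted residual risk.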
What happens if a loss incident occurs after the deployment of the recommended IT
security solution? That is, is there any guarantee (perhaps a sharing of the loss)?
There is no guarantee, but the protection measures not only help to prevent loss
incidents but also reduce the cost of recovery when losses do occur (e.g. this is
what the disaster prevention plans are for).
How long does it take to elaborate and deploy an IT security system?
The work may range from days to months depending on the nature of the task.