Synergon System Integrator
IT Security Consultancy

Information is the most valuable resource and capital of organizations in our knowledge-based economy. Information has to be protected and insured in the same way as our physical and financial assets.

As with insuring traditional assets, IT security expenses may seem to be redundant costs as long as nothing goes wrong. Afterwards, we can only regret how much less expensive prevention and security measures would have been.

Since the price of perfect protection is infinite, the objective is not perfection but the optimal level of security, which is calculated by weighing the potential damage value of the various risk factors against the cost of the measures required to prevent them. Accordingly, well-considered information security expenses can be regarded as a sound financial investment.

The objective is to minimize the cost spent on security and the damages.

Events threatening information may originate outside the organization; however, according to survey results, the vast majority of damage to information (intentional or accidental) occurs within the organization. A lack of information protection may cause severe losses; information technology risks have now unequivocally become a business risk.

Potential hazards

  • inappropriate decisions

  • loss of business

  • legal consequences (fines, compensation)

  • loss of time

  • loss of confidence, image impairment

  • high restoration costs

  • inoperability encumbering business activity

What does Synergon offer?

Synergon Information Systems Plc. offers a comprehensive service package with the following elements, so that an optimal and cost-effective level of security can be created and maintained:

IT security assessment

The initial step of the comprehensive security solution is the identification of the requirements arising from the business and operational environment.

This can be followed by a business and information system risk analysis, which aims to identify the inadequacies that could cause serious damage to the organization (that is, the high risks) and to determine the tolerable level of residual risk.

These are required for the implementation of the risk-proportionate protection principle: optimal security cost together with an adequate level of protection.

The organization’s information security strategy and concept consist of the security objectives to be achieved and the conceptual implementation plan, both elaborated with knowledge of the requirements and risks.

Risk analysis

Based on the result of the audit, a risk analysis may follow, with the objective of identifying the security holes and inadequacies that could cause serious damage to the organization and therefore constitute high risks. These are required for the implementation of the risk-proportionate protection principle: optimal security cost together with an adequate level of protection.

The output of the risk analysis is a report listing all the risk factors present in the given situation.
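As an added illustration of the risk-proportionate protection principle described in the introduction and in the assessment section above (this is example code written for this page, not Synergon's own methodology or tooling), the following Python script puts the calculation in quantitative terms: each risk factor from the report carries an assumed annual probability and damage value, each candidate control has an annual cost and the fraction by which it reduces the probability of the risks it addresses, and the script selects the set of controls that minimises control cost plus residual expected loss, optionally subject to a tolerable residual risk. All risk factors, controls, probabilities and costs are constructed sample values, and the multiplicative probability-reduction model is an assumption.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Sequence, Tuple


@dataclass(frozen=True)
class RiskFactor:
    """One risk factor from the risk analysis report (constructed sample model)."""
    name: str
    annual_probability: float  # assumed expected occurrences per year
    damage_value: float        # assumed loss per occurrence, in currency units

    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.damage_value


@dataclass(frozen=True)
class Control:
    """A candidate protection measure with its yearly cost (constructed)."""
    name: str
    annual_cost: float
    # (risk name, fraction by which this control reduces that risk's probability);
    # several controls on the same risk compound multiplicatively (assumption)
    reductions: Tuple[Tuple[str, float], ...]


def residual_loss(risks: Sequence[RiskFactor], controls: Sequence[Control]) -> float:
    """Expected annual loss that remains after applying the given controls."""
    total = 0.0
    for risk in risks:
        probability = risk.annual_probability
        for control in controls:
            for risk_name, fraction in control.reductions:
                if risk_name == risk.name:
                    probability *= 1.0 - fraction
        total += probability * risk.damage_value
    return total


def total_cost(risks: Sequence[RiskFactor], controls: Sequence[Control]) -> float:
    """The sum the page wants minimised: cost spent on security plus the damages."""
    return sum(c.annual_cost for c in controls) + residual_loss(risks, controls)


def optimal_controls(risks, candidates, tolerable_residual=None):
    """Exhaustively search control subsets for the minimum total cost.

    If tolerable_residual is given, subsets whose residual expected loss
    exceeds it are rejected, mirroring the tolerable value of the residual
    risk determined by the risk analysis.
    """
    best_cost, best_subset = None, ()
    for size in range(len(candidates) + 1):
        for subset in combinations(candidates, size):
            residual = residual_loss(risks, subset)
            if tolerable_residual is not None and residual > tolerable_residual:
                continue
            cost = total_cost(risks, subset)
            if best_cost is None or cost < best_cost:
                best_cost, best_subset = cost, subset
    return best_cost, best_subset


# Constructed sample risk factors and candidate controls (not real figures).
RISKS = (
    RiskFactor("malware_outbreak", annual_probability=0.5, damage_value=40_000),
    RiskFactor("server_room_fire", annual_probability=0.02, damage_value=500_000),
    RiskFactor("insider_misuse", annual_probability=0.3, damage_value=30_000),
)
CANDIDATE_CONTROLS = (
    Control("antivirus", 3_000, (("malware_outbreak", 0.8),)),
    Control("fire_suppression", 6_000, (("server_room_fire", 0.9),)),
    Control("access_control", 5_000, (("insider_misuse", 0.5),)),
    # deliberately overpriced relative to the loss it averts
    Control("hardware_token_rollout", 25_000, (("insider_misuse", 0.6),)),
)

if __name__ == "__main__":
    print(f"no controls: total expected cost {total_cost(RISKS, ()):.0f}")
    cost, chosen = optimal_controls(RISKS, CANDIDATE_CONTROLS)
    print(f"unconstrained optimum: {[c.name for c in chosen]} at {cost:.0f}")
    cost, chosen = optimal_controls(RISKS, CANDIDATE_CONTROLS, tolerable_residual=10_000)
    print(f"residual <= 10000: {[c.name for c in chosen]} at {cost:.0f}")
```

With the sample figures, the unconstrained optimum keeps only the two controls whose yearly cost is below the loss they avert; the access control measure is added only once a tolerable residual risk is imposed, and the overpriced token rollout is never chosen. The exhaustive search is exponential in the number of candidate controls, which is fine for the handful of measures in a typical report but would need a greedy or integer-programming approach for large catalogues.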

Risk management

The next step is the elaboration of the protection measures and the implementation of the required controls, so that the identified risks are reduced to an acceptable level.

These are classified into three groups:

Physical protection measures protect the equipment, the offices and the employees who carry out information processing. Examples include guarding, fire alarms, access control systems and video surveillance, as well as uninterruptible power supplies, protected cable ducts and air conditioning.

Logical protection measures and solutions ensure the confidentiality, integrity and continuous availability of data. Examples include, without limitation: virus protection, firewalls, intrusion detection systems, authentication systems, public key infrastructure for digital signatures and encryption, content filtering, virtual private networks for confidential communication, backup/archiving systems, etc.

Administrative security measures document the security expectations (Information Technology Security Policy), regulate the security environment, and define the authorizations, responsibilities and the activities that must and must not be performed (Information Technology Security Regulation). Business continuity plans, which aim to manage unexpected events, deserve particular emphasis: by elaborating these plans the organization can maintain operability after even the most diverse external or internal incidents.

IT Security Regulation

The intended security level is reached through the implementation of the information technology security developments; however, this level is not constant but decreases over time.

That is why a security management cycle is required, aimed at maintaining the expected security level and at identifying and initiating the necessary changes to the protection system whenever the level decreases.

The Information Technology Security Regulation (ITSR) determines the framework of the security management system. The ITSR specifies the information security organization required to operate the security system, as well as the tasks and responsibilities related to its operation.

The procedural instructions define the concrete rules needed to implement, at the level of the individual information systems, the general security rules laid down in the ITSR.

The procedural instructions ensure that the tasks to be performed for the protection of information are defined for each employee concerned, broken down to their individual position.

Training

The importance of training hardly needs emphasis: the majority of security incidents are due to human action, and within that, unintentional human error accounts for a serious proportion. Increasing security awareness can efficiently reduce this type of risk. Security training for users should be organised in parallel with the introduction of protective measures, and follow-up training should be held annually.

IT audit

The information system audit is performed either in cooperation with the financial audit or independently, based on the recommendations of COBIT (Control Objectives for Information and related Technology).

After surveying the situation, the customer’s internal control environment is scrutinized. This is followed by testing the general information system controls, from compliance with the regulations, through the proper segregation of duties, to the environmental controls.

The audit of the application systems includes, but is not limited to, the examination of the hardware and software platforms, the network and telecommunication infrastructure, operational practice, physical and logical access, and input, processing and output controls. The efficiency, effectiveness, integrity, reliability, availability and legal conformity of the information system are mapped.

Our observations and recommendations are presented in the form of an audit report.

Business continuity and information system disaster prevention plans

Nowadays, companies have to prepare for and react to various events (such as a prolonged power failure, a hacker attack, a railway strike, etc.) which pose a certain level of risk to their business continuity.

In accordance with our methodology, a risk analysis follows, surveying the business processes, ranking the critical ones among them, and determining their tolerable outage period.

This is followed by the elaboration of the substitute and loss-reducing procedures, and the recovery and restoration plans.

Upon request, employees can be trained on the business continuity plan elaborated in the above manner, with special emphasis on training the key executives.

Assistance is provided in preparing the test plan(s), in establishing regular review, and in keeping the plan up to date.

ITIL based regulation of operational processes

Nowadays, the efficient operation of the information technology infrastructure and the management of IT assets are increasingly coming into the focus of organizations that use IT assets.

Successful management is becoming more and more important in the field of IT services, too. However, this requires guidelines and the adoption of standardized processes.

Organizations require an economically operated and objectively assessable IT service, which can react swiftly to needs, has adequate availability, and is secure and reliable.

This is facilitated by the Information Technology Infrastructure Library (ITIL), developed by the Office of Government Commerce (OGC) of the British government for the management of IT processes.

ITIL comprises six series of documents, whose volumes describe the processes required for the proper provision of IT services, based on best practices, that is, descriptions of procedures that have proven successful in practice.

Nowadays the recommendations of ITIL are already used worldwide.

Methodology

Our consultants perform their work on the basis of internationally accepted and extensively applied methodologies.

ISO 17799, ISO 13335, COBIT, Common Criteria and ITIL are among the methodologies applied.

Our colleagues

Our experts hold the following certifications:

  • CISA (Certified Information System Auditor)

  • CMC (Certified Management Consultant)

  • Check Point Certified Security Administrator

  • Check Point Certified Security Expert

  • Symantec Certified System Engineer

  • Sun Certified Solaris Administrator

  • Trend Micro Validated Technician

  • Trend Micro Sales Specialist

  • F-Secure Engineer

  • Nokia Security Administrator

  • RSA Security Administrator

WHY SYNERGON?

Optimal protection: By creating optimal protection, the money spent on security and the sum of the losses due to security incidents that do occur can together be kept at the lowest possible level. In this way the money spent on risk management becomes an investment with a return.

Risk reduction: The money spent on information protection reduces the likelihood of future losses and the damage value of the events that do occur (by reducing the time and cost of recovery), so it can be considered an insurance-like investment.

Time and money can be saved by creating order: Regulated and controlled operation avoids unnecessary administration, saving time and money.

Compliance with external requirements: Compliance with statutory and legislative requirements, stock exchange stipulations and the expectations of supervisory authorities.

Image improvement: Regulated IT security (e.g. backed by an ISO certification) creates confidence among customers and thus a competitive advantage as well.

FREQUENTLY ASKED QUESTIONS

When is it necessary to consider IT security issues?

The problem must be considered whenever the organisation uses IT as a means of achieving its objectives, since a lack of IT security may lead to serious economic losses or violations of the law (protection of personal data, state secrets…).

Why is it worth employing IT security consultancy?

The employment of external experts in the course of IT security projects provides the following benefits:

  • our experts know and actively apply the internationally accepted standards and methodologies of IT security in the course of their work

  • external experts can assess the situation independently and impartially

  • our experts have comprehensive project experience and references in the field of IT security

  • we can rely on comprehensive IT expertise in the course of the project.

What hazards can be prevented by means of IT security consultancy?

The objective is the prevention of all the hazards threatening the data stored and handled in the IT systems.

Security hazards can be grouped in several ways: they may be intentional or inadvertent, and they may arise from human failure, hardware or software errors, or environmental effects.

What is uniform strength protection?

The weakest link principle: each system is only as secure as its weakest link. Consequently, the same level of protection is required at every point of the system. (E.g. a company’s firewall protecting its Internet connection is of no effect if, at the same time, it is possible to sign on to the system over a telephone line without a password.)

What does the optimal protection level mean?

The money spent on protection measures is in balance with the extent of the potential damage.

What happens if, after the deployment of the recommended IT security solution, some kind of loss incident occurs? That is, is there any guarantee (perhaps a sharing of the loss)?

There is no guarantee, but the protection measures not only help to prevent loss incidents but also reduce the cost of recovery in the event of losses that do occur (e.g. that is what the disaster prevention plans are for).

How long does it take to elaborate and deploy an IT security system?

The work may range from days to months, depending on the task.

You can acquire more information about our solutions by contacting us.