Page count: 240
Year of publication: 2018
Vineyard Management Consulting GmbH
Vineyard Management Consulting GmbH is an experienced management consulting company with a focus on:
Change Advisory
Management of Complexity
Optimization of Projects
Networking with People
We have constantly enhanced our expertise and competence in numerous global projects in the banking, insurance, telecommunications, automotive and information technology sectors.
Our Management Consultants have more than 10 years of project and professional career experience, leveraged by continuous investment in their personal development. During the successful delivery of our customer projects we emphasize social aspects and intercultural specifics as well as positive and target-oriented communication.
Our core competencies are
Transition Management
comprises the strategy definition and the implementation planning to viably establish the change in the company context.
People Management
is often an implicitly required aspect in our projects, i.e. the steering and personal development of project members/staff and groups in terms of a value oriented coaching.
Complexity Management
means the capability of our Management Consultants to analyze, assess, and change complex structures, processes and IT systems, including vendor and software solution selection and the management of RFI, RFP and RFQ processes.
Project Management
is in our view a core competence to ensure the sustainable implementation of large-scale projects. The key elements for a successful delivery are long-term experience as interim, project and program manager, classic project management instruments according to e.g. PMI, Prince2, Six Sigma or CMMI and the ability to connect sector specific knowledge, people and deliverables.
A couple of strong trends like digitalization and cyber security issues are facing the daily life of all of us, in business and in private life alike. Securing your business is more important than ever as cybercrime becomes more and more organized, no longer an individual hack as it was around the turn of the century.
As a starting point, the first article deals with information management and how to overcome the typical obstacles when introducing a company-wide solution. Based on the product “m-files”, a strategic and tactical approach is presented to improve information governance beyond the regulatory requirements. The following article on effective policy writing in information security outlines a good-practice approach showing how mapping a control system to ISO27001 helps with governance and control set optimization.
Network segmentation is a complex program for the majority of organizations. Starting from a look at the threat landscape, the relevant technologies and approaches for mitigating the related risks through network segmentation are presented, with a focus on the most important part: a conceptual solution that keeps business and security interests in balance.
How can security standards deliver value? Based on a short summary of the SANS20 and ISO27001 standards, project good practices for tackling the data leakage risk are demonstrated. The following contributions to this book are about network device security, the mitigation of email spoofing risks with DMARC, and how small and medium enterprises should establish a reasonable IT security risk management.
The next article deals with managing cybersecurity holistically, based on the market drivers and company-specific constraints, while the final article reports on a data center transition approach and how the related risks can be managed effectively.
The field of cybersecurity is huge and the trends are very dynamic. In this context we believe that the selected articles provide relevant insights, in particular for the regulated industries.
We wish our readers inspiring insights and new impulses from reading this book. Many thanks again to all colleagues and cooperators contributing to this Vineyard book.
Hofheim/Taunus, November 2018
Carsten Fabig Alexander Haasper
Managing Director and Management Consultants of Vineyard Management Consulting GmbH
Improving information governance with intelligent Information Management
1 A new era of legislation leads to increased governance and compliance requirements
2 The importance of a strategic approach to content management
3 The evolved, intelligent approach to information management
4 Putting intelligent information management into practice
5 Case studies
6 Conclusion
Vita: Martijn Iseger
Effective policy writing in information security of German financial institutes
1 Innovation and changes in information security requirements
2 Effects on SFO, compliance costs and solution approach
3 Procedure for mapping SFO documents to ISO 27001
4 Recommendations for well-formulated requirements in the SFO
5 Summary and recommendations
Vita: Tarik Eren
Vita: Rainer Sponholz
How network segmentation can be leveraged to help mitigate today’s cyber security threats
1 Why is Network Segmentation relevant: threat landscape and security models
2 Designing and implementing Network Segmentation: technologies and best practices
3 Why Micro-segmentation is being emerging and how companies can leverage it
Vita: Hervé Le Goff
Added value and risk reduction by security frameworks and standards
1 Relevant trends, typical customer challenges and problem statements
2 SANS20 and ISO27001 as leading standards in Information and cyber security
3 Selected good practice approaches
4 Summary and outlook
Vita: Alexander Haasper
Network device security - Can you trust your vendor?
1 Introduction
2 Protecting your data
3 Can you trust your vendor?
4 Securing your network
5 Conclusion, outlook & trends
Vita: Christoph Eckstein
Mitigating risk of cyber-attacks and email spoofing with DMARC
1 Management Summary
2 Email Spoofing – The Scale of the Problem
3 Customer Challenges
4 Email Spoofing Protection with DMARC
5 Summary and Outlook
Vita: My-Ly Nguyen
Cyber security in small and medium enterprises – Manage the owner
1 Digitization and cyber risk
2 The situation in small companies
3 Good practices and summary
4 Recommendations for owners and management bodies of small companies
5 Conclusions
Vita: Michael Kauferstein
Pleading for an integrated management of GRC and information security
1 Need for security improvements increases significantly
2 Why Governance, Risk and Compliance?
3 Top challenges
4 Exciting time to handle GRC and information security
Vita: Carsten Fabig
Customer experience report about the insourcing transition and elaborating a government office for highly-secure network infrastructure
1 Starting point – Secure network infrastructure
2 Insourcing Transition
3 Mixed Operations (Mischbetrieb)
Vita: Volker Kruse
Literature
Organizations are coping with exponentially increasing amounts of content and data, and are reliant on these vast amounts of information like never before. The information explosion is exacerbated by the increasing number of information silos.
Apart from start-ups, most companies are built on a shaky foundation of siloed information hidden in shared network folders, email, business applications such as enterprise resource planning (ERP) and customer relationship management (CRM) systems, file-sharing applications, and even, most riskily, on individuals’ desktops.
When growing amounts of information are stored on increasing numbers of systems that are disconnected, the outcome is challenges in governance and control, and, therefore, compliance.
Compliance is a crucial issue for companies in Europe and around the world as governments impose ever-expanding data management and protection regulations on organizations. The importance of protecting information from data breaches can’t be overstated. Yet, in many organizations, the first challenge is to understand exactly what information is stored on what topics, where that data is stored, who can access it, and what protection measures are in place to secure that information.
While it may be ideal to have a single content repository to store every piece of information in an organization, the reality is that this isn’t possible. Organizations have tried to achieve this across the years but, invariably, these solutions prove unequal to the task. Whether trying to consolidate multiple content repositories or implement a new repository and migrate all information into it, organizations face massive risk and disruption with this approach. The result is rarely, if ever, a long-term answer as people continue to follow old habits and the amount of information organizations deal with continues to grow.
Currently, it’s estimated that around 2.7 zettabytes of data exist, and the data processed by organizations doubles every 1.2 years. More than half of that data is dark data, which means it exists inside organizations but it isn't used, in many cases because staff simply isn't aware of it. Only 0.5 per cent of data is used in operational decision-making.
Dark data presents a significant compliance challenge because it often includes sensitive information that isn’t being stored, accessed, or protected according to data protection regulations. The nature of dark data is that it’s virtually invisible; companies can’t manage what they can’t see.
It’s clear that organizations need a new approach to information management. Simply layering another ECM system into the mix won’t solve the problem, and neither will trying to consolidate systems, because dependencies on existing systems are difficult to overcome. Instead, organizations need to adopt an evolved approach to ECM.
In the rest of this chapter, we will cover three key points:
What is driving organizations to adopt information management solutions to better comply with increasing legislation and regulatory demands.
Why traditional ECM solutions fail to provide an adequate answer to these challenges.
What the evolved solution to ECM looks like, and how intelligent information management addresses the problem more effectively.
Across the board, more legislation is being applied to personal and sensitive data. Specifically, the way organizations collect, store, access, use, and protect personal and sensitive data has become a key focus of risk management for organizations of all sizes and in any industry.
Individuals’ information can be compromised by accident or through malicious intent. Regardless of how the information is exposed, the main priority for the affected individual is to protect themselves against identity theft and fraud. Therefore, recent privacy and data security laws around the world aim to empower individuals to manage their own information as well as compel organizations to be transparent about how they treat that information.
Organizations are required to better control their operations, to safeguard sensitive information, and to comply with the wishes of the owners of sensitive data. In Europe, the General Data Protection Regulation (GDPR) includes far-reaching requirements for organizations to secure individuals’ information and to provide full access to that data by the individuals in question. Through so-called data subject requests (DSR), people are allowed to see the information companies have, and can legally request that the information be corrected or removed. This creates new challenges around how organizations manage their data.
These types of regulations are in response to the increased threat of information theft by savvy criminals that use electronic systems to steal information ranging from credit card details to enough personal information to impersonate an individual.
This has resulted in an environment in which a well-informed public is increasingly concerned about the safety of their personal information. While many citizens and consumers are willing to use online services in the knowledge that companies and governments are collecting and storing their personally-identifiable information, they also expect that these organizations will take all reasonable steps to protect that information.
Governments and organizations around the world are responding to these expectations by creating legislation and compliance requirements around keeping data secure. As well as GDPR compliance, businesses have been driven by the need to comply with other quality, safety and environmental standards such as ISO9001, ISO14001, REACH, FDA 21 CFR Part 11, and more.
For example, organizations must use version management for important documents like Standard Operating Procedures (SOPs), product manuals, and labels. This lets an organization track the evolution of this information over time, which can be important if, for example, a claim is made that a product caused an accident or didn’t work as intended. By reviewing what the operating manual and labels contained at the time of the incident, the organization can determine its liability or otherwise.
These increased legal requirements translate to a significantly higher degree of information security and control required from organizations. Achieving this efficiently requires technology that helps organizations manage, process, and control information more intelligently.
When businesses have data scattered across the organization in many silos and repositories, it creates inefficiencies and potential for error. Prior to the introduction of expanded compliance legislation, the main victim of this inefficient approach was merely the company itself. When employees couldn’t find the information they needed in a timely fashion, they wasted their time and even failed to respond quickly enough to customer enquiries and opportunities. This led to customer dissatisfaction, lost business, and potentially reputational damage.
Companies have always faced the risk of losing customers if they’re found not to comply with the quality standards their customers require. Furthermore, this can lead to additional work in terms of addressing non-conformance and delivering proof to auditors.
In the new compliance era, the ramifications of inefficient information management go even further. Now, companies can also face fines and penalties for not being able to provide full, comprehensive, and timely access to individuals who request to see their data. With the likelihood of an increasing number of data subject requests, organizations may find themselves overwhelmed. Some may even have to increase their headcount just to cope with the demand. While these new requirements are creating compliance challenges for organizations, information management has long been a critical component of corporate governance and this hasn’t changed.
For companies in highly-regulated industries, compliance relies on extensive documentation. There are also requirements around how long this documentation must be retained, which can create an additional burden for organizations around storage and archiving, as well as accessing this documentation later down the track.
Consequently, content management must be considered within the framework of effective quality and compliance management. Businesses require a centralized system and approach for classifying and storing information, and for managing version control. They can benefit from automated workflows and reduced data silos, and should be able to implement security and permissions rules that grant access only to authorized individuals. Furthermore, businesses need to be able to provide a full audit trail of document access and versions, as well as approvals that are required to prove compliance.
There are four key governance and compliance processes where information management is key:
1. Audit management
Audits are a fact of life for businesses in regulated industries, whether for regulators or for customers. And, organizations like these should be conducting their own audits to ensure quality policies are being followed.
Businesses, therefore, need to be able to quickly and accurately produce documentation that proves compliance. Furthermore, businesses need to be able to link audit findings to corrective actions and change requests in the business, with associated deadlines and reminders to provide better transparency and insight into the processes.
2. Risk management
Identifying, assessing, managing, and reducing risks is an essential part of business operations; however, without clear visibility into documentation across the business, this presents a challenge. When documents are stored semi-randomly and keyword searches return thousands of documents, it becomes all but impossible to assemble and maintain the documents required for risk assessments, such as audit reports, standard operating procedures, training and maintenance records, government regulations, and various reports from all business units.
Businesses need a solution to organize supporting documents across departments and business units to provide the operational oversight needed to determine risk. Reducing information silos is just the first step. It’s also important to manage content based on relationships, workflows, and version control rather than on file locations and ad hoc collaboration.
With the right content management system, managing status, approvals, next steps, version control, permissions, and related content becomes streamlined. All related work becomes accessible to authorized people at any time without confusing and time-consuming searches. And, change requests can be initiated via automated workflows so that accuracy, context, and relationships are maintained.
3. Compliance and policy management
Organizations need to work efficiently and cost-effectively; most can’t justify allocating excessive resources just to manage compliance. A technology solution can bridge the gap between compliance requirements and the resources available to manage them.
Standard operating procedures (SOPs) are an important compliance tool but managing and documenting SOPs can be onerous. It’s essential for all employees to be aware of SOPs and for the organization to be able to prove that employees are aware of them and followed them properly if an incident occurs.
With the right ECM system, organizations can simplify this process. Employees can access SOPs and confirm they’ve understood the material, as well as receive alerts when SOPs are updated. SOPs can even be integrated into workflows which can be automated, including generating reminders and audit trails as required.
Powerful ECM systems can link or relate SOPs to other documents such as operating manuals without concern about file locations and naming conventions, putting more information into the hands of employees and improving their ability to comply with all governance requirements.
4. Change management
Effective change management depends on efficient, transparent, and auditable processes. Streamlining these processes helps organizations improve compliance and performance. For example, if an incident occurs or an audit reveals an area for improvement, it’s important to keep all relevant documentation together for transparency, traceability, and future reference. This process occurs within ECM systems, avoiding silos and eliminating the risk inherent in relying on individuals to keep track of the change management process.
Organizations need to take a strategic approach to content management using new tools that improve the management, processing, and control of information. Traditional ECM systems have been unsuccessful in this endeavor despite offering, on the surface, a workable approach.
If it were possible to replace all existing systems with a single ECM solution then the information management problem would, for the most part, be solved. This is true despite the fact that most ECM systems aren’t adequate when it comes to managing employee training and SOPs, non-compliance reporting and CAPAs, managing audits, and triggering tasks. Even without these capabilities, a single ECM system could work in theory.
However, in practice it has been demonstrated many times that this approach is flawed. Simply replacing existing disparate systems carries too much risk because there are too many dependencies on them. Users and processes that depend on these systems would be massively disrupted and links would be broken; it would be impossible for the business to continue operating smoothly in the near term.
The biggest challenge with a traditional ECM system, regardless of its core and additional capabilities, is that the business must first migrate all information into these systems before they can work at all. It’s not the technology implementation or even the cost of the system itself that staggers companies; it’s the sheer disruption and chaos caused when vast amounts of information need to be located and moved to the new system.
Consequently, organizations default to the status quo in which information remains stored in multiple systems with varying amounts of integration and visibility.
M-Files surveyed hundreds of professionals and found that many employees use personal file sharing and sync solutions for storing and sharing confidential company information. Almost half (46 per cent) admitted they had shared sensitive or confidential information this way, while 70 per cent said either their company didn’t have policies or they didn’t know of any policies to prohibit the use of personal file sharing and sync solutions for storing and sharing company documents.
A global study of more than 300 business users conducted by M-Files in conjunction with Dimensional Research showed how information silos are affecting businesses. One quarter of respondents said they look for a document on a weekly basis and are unable to find it. Two thirds said they found different versions of documents in different systems or locations and, more than 40 per cent of the time, it wasn’t readily apparent which one was the most recent version.
When asked how long it takes to find a document, 45 per cent of respondents said they spent three minutes or more, while 15 per cent took up to 15 minutes. This is unproductive time that can’t be gained back.
Two thirds of respondents were aware of the negative impact these data and information challenges have on their productivity, and 35 per cent acknowledged that using an outdated or inaccurate document had resulted in a negative outcome, such as a lost deal, contract breach, or customer satisfaction issue.
These figures clearly show that the importance of a strategic approach to information management can’t be overstated. Many organizations (61 per cent of those surveyed by M-Files) have already tried to make sense of the rapidly expanding universe of information by implementing ECM and document management systems. These efforts are usually characterized by huge, monolithic software implementations that require significant upfront investment and a highly disruptive information migration component. Often, the net result is that staff members can’t find or manage the information they need any more easily than they could previously. Companies are often unable to meet all their information management requirements with a single system, and the proliferation of information management systems introduces new challenges.
Depending on the age and maturity of the organization, this process is often repeated every five or 10 years with a new ECM system overlaid on top of the old one. M-Files research revealed that 53 per cent of organizations are forced to use more than three separate content management systems to manage their non-structured information. These implementations are expensive, risky, and disruptive without necessarily delivering measurable benefits. Worse, each new implementation can create another silo of information that is not integrated with other systems, making the tangle of information even harder to unravel.
And, while staff efficiency is usually the first and most noticeable casualty, information governance, control, and compliance also suffer. When an organization can’t definitively confirm what information it possesses, it becomes impossible to adequately categorize, secure, and protect that information. This is especially true in an advanced compliance era such as the one facing businesses now.
Meanwhile, as information continues to increase in volume and legislation continues to expand, organizations need to regain control over the situation without being forced to replace or consolidate existing systems.
As a result of traditional ECM systems’ inability to solve information management challenges in the long term, in 2017, Gartner declared that ECM was ‘dead’ [1]. Replacing old-fashioned ECM is a new approach to information management known as intelligent information management.
AIIM asserts that ECM is no longer a sufficient term to describe the strategic way that organizations need to approach information management. Instead, intelligent information management is a more accurate description of what organizations are trying to do with content and information.
For true governance and compliance, businesses need to do more than just capture documents and information. The term ‘management’ is, therefore, insufficient to describe how organizations want to leverage information, derive insights from it, and work with it dynamically to add business value, as well as protect it and govern it for full compliance.
To improve compliance, organizations need to get more control over information. This means knowing where it is, what it is, and how it relates to other pieces of information. Organizations also need to understand its history and ensure that the information is reliable and accurate. Once all of this is done, organizations must be able to secure the information against malicious or unintentional theft, loss, or exposure.
To use information to its best potential, organizations need to ingest and understand it sooner. They need to prepare this data for use by emerging technologies such as the Internet of Things (IoT) and artificial intelligence (AI). They need to be able to understand what information to keep and protect, and which documents should be destroyed (and how), according to compliance requirements.
It’s important to remove the human element from information governance and compliance to minimize the risk of errors. This means digitalizing every piece of information, then applying semantic and auto-classification technologies.
While ECM was capable of automating document-intensive processes, it’s the next set of challenges that needs to be addressed by intelligent information management.
The new intelligent approach to information management is system-neutral and unifies information across the enterprise based on context and need, not based on the system, site, library, or folder in which the information is stored. This means content and data can practically be created and stored anywhere so team members can use the systems they’re most comfortable with without having to follow specific conventions to save information.
This approach frees information up from the constraints of a specific system, such as an ERP or CRM solution, and makes it available across the organization so it can be put to use in new ways. For example, by pulling up a customer contract, users could also be shown related information such as previous sales, pending contracts, and other interactions, all of which can be used to inform the way this customer is dealt with from now on.
Intelligent information management also frees up staff members from having to remember or decide where to save their files, or what to name them. Folder hierarchies can be subjective and confusing, and they’re open to employees deciding their way is better. This subjective approach is superseded by the objectivity of intelligent information management in which people don’t have to decide where something is stored; they merely have to know what that information is.
There are five key characteristics that define intelligent information management:
1. System-neutral
A system-neutral backend to any intelligent information management solution lets it connect with other repositories and systems to give users visibility into every repository and silo in the organization without requiring that content to be migrated into a single repository. Open architecture makes information available via a single user interface and leaves the information in place so it can continue to be used by systems and employees without disturbance.
This approach abstracts ECM functionality such as version management, check-in and check-out, sharing, commenting, and access rights management, from the storage functionality of the ECM solution. ECM functionality thus becomes more like a service that can be applied to content stored in any repository.
2. Metadata-based architecture
Metadata is information about the data; it defines precisely, objectively, and intuitively what a document is and which other documents it is related to. Hence, documents no longer get lost. Using metadata, it no longer matters where a document is saved, so users are no longer forced to decide between folders or the most appropriate location to store a document. Furthermore, there’s no need to store the same document in multiple locations, which would lead to information duplication and significantly reduce document control. Instead, users simply search for what they need and the right documents are surfaced according to that metadata.
This remains true whether the information resides in a business system like CRM solutions or if it’s saved in shared drives. A federated search functionality crawls and indexes content and data across all systems and repositories. This means information that was previously trapped in silos is no longer trapped at all, without having to migrate it from the silo to some other repository or system.
This approach lets organizations continue to leverage their investment in systems such as SharePoint, Dropbox, OneDrive, or even ECM systems. It also adds version control to these systems that don’t offer version control built in. With a single user interface, employees can find, access, edit, share, and process documents no matter where they are.
Intelligent information management systems include the ability to apply traditional ECM features such as version control, permissions, workflow, and content sharing for content stored in ungoverned, less-governed, or less-controlled repositories such as network file shares, Dropbox, OneDrive, Google Drive, etc.
Furthermore, intelligent information management includes workflows to provide visibility and transparency into where documents or tasks are, like review/approval tasks, processing of incident reports and non-conformances, as well as corrective action/preventive actions (CAPA). This is achieved via metadata that describes who is assigned the task, what the task is, and in what state the document currently exists.
Understanding who reviewed and approved or rejected what information and when is crucial to managing compliance. Intelligent information management lets organizations execute workflows on content that is scattered across systems and repositories, not just data in the system that executes the workflow.
3. Intelligent
Using AI, new systems automate, simplify, and help the user interact with information. This includes managing how metadata is generated and applied so that information is correctly and intuitively classified and organized.
AI technologies use text analytics to find words, names, numbers, or phrases as well as natural language processing and understanding to infer what the information is about. This works well even if specific terms aren’t present. This can also be applied to crawl systems to identify sensitive information such as social security numbers, bank accounts, email, medical history information, and more.
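The metadata-based architecture described in section 2 (documents stay where they are, the index holds what they are, plus version history and workflow state with an audit trail) and the auto-classification of sensitive content described here can be shown together in one small model. The code below is an added illustration written for this text; it is not M-Files code and uses no real product API. The class and function names, the repository locations, the sample documents and the detection patterns are all constructed for the example, and the patterns are deliberately simple heuristics (a production classifier would add validation such as IBAN check digits and natural language processing, as the text notes).

```python
"""Metadata-based document index with auto-classification and an audit trail.

Added example (not M-Files code, no real product API): every name here is
hypothetical, and the sample documents and detection patterns are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Simplified detection heuristics for sensitive content (constructed).
# Production classifiers add validation (e.g. IBAN check digits) and NLP.
SENSITIVE_PATTERNS = {
    "email-address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "us-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}


def auto_classify(text):
    """Return the set of sensitive-data tags whose pattern occurs in text."""
    return {tag for tag, rx in SENSITIVE_PATTERNS.items() if rx.search(text)}


@dataclass
class Document:
    doc_id: str
    location: str                  # where the file lives: share, CRM, mailbox
    metadata: dict                 # what the document is, not where it is
    versions: list = field(default_factory=list)     # (number, content)
    state: str = "draft"           # workflow state
    audit_trail: list = field(default_factory=list)  # (time, actor, action)

    def content(self):
        return self.versions[-1][1]


class MetadataIndex:
    """System-neutral index: documents stay in place, the index holds metadata."""

    def __init__(self):
        self.docs = {}

    def _log(self, doc, actor, action):
        stamp = datetime.now(timezone.utc).isoformat()
        doc.audit_trail.append((stamp, actor, action))

    def register(self, doc_id, location, content, metadata, actor):
        """Add a new document or a new version of a known one; classify it."""
        doc = self.docs.get(doc_id)
        if doc is None:
            doc = Document(doc_id, location, dict(metadata))
            self.docs[doc_id] = doc
        doc.versions.append((len(doc.versions) + 1, content))
        doc.metadata.update(metadata)
        doc.metadata["sensitive"] = sorted(auto_classify(content))
        self._log(doc, actor, f"registered version {len(doc.versions)}")
        return doc

    def search(self, **criteria):
        """Find documents by metadata only, regardless of repository."""
        return sorted(d.doc_id for d in self.docs.values()
                      if all(d.metadata.get(k) == v for k, v in criteria.items()))

    def sensitive_documents(self):
        """Documents flagged by auto-classification, across all silos."""
        return sorted(d.doc_id for d in self.docs.values() if d.metadata["sensitive"])

    def transition(self, doc_id, new_state, actor):
        """Move a document through its workflow, recording who did it and when."""
        doc = self.docs[doc_id]
        self._log(doc, actor, f"{doc.state} -> {new_state}")
        doc.state = new_state
        return doc.state


def build_sample_index():
    """Constructed sample: three documents in three different repositories."""
    idx = MetadataIndex()
    idx.register("SOP-017", r"\\fileserver\quality\SOP-017.docx",
                 "SOP for incident handling. Owner contact: quality@example.com",
                 {"type": "SOP", "department": "Quality"}, actor="quality.lead")
    idx.register("CTR-2041", "crm://accounts/ACME/contracts/2041",
                 "Service contract. Payee IBAN DE89370400440532013000",
                 {"type": "contract", "customer": "ACME GmbH"}, actor="sales.rep")
    idx.register("MEMO-9", "imap://mail/inbox/9",
                 "Reminder: quarterly audit prep meeting on Monday.",
                 {"type": "memo", "department": "Quality"}, actor="auditor")
    # A revised SOP is a new version of the same object, not a second copy.
    idx.register("SOP-017", r"\\fileserver\quality\SOP-017.docx",
                 "SOP for incident handling, rev. 2. Contact: quality@example.com",
                 {"type": "SOP", "department": "Quality"}, actor="quality.lead")
    idx.transition("CTR-2041", "approved", actor="legal.reviewer")
    return idx


if __name__ == "__main__":
    index = build_sample_index()
    print("SOPs:", index.search(type="SOP"))
    print("Quality dept:", index.search(department="Quality"))
    print("Sensitive:", index.sensitive_documents())
    for entry in index.docs["CTR-2041"].audit_trail:
        print(entry)
```

The point of the model is that `search` and `sensitive_documents` never look at `location`: a contract in the CRM, an SOP on a file share and a memo in a mailbox are found by the same metadata query, the second registration of SOP-017 becomes version 2 of one object rather than a duplicate, and the audit trail records who moved the contract to "approved" and when, which is the evidence an auditor asks for.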