
Cyber security for an Open Banking technology provider

24/06/2021

Safety first – a strategic approach to cyber security for an Open Banking technology provider: As a software development company for Open Banking, cyber security is critical for us and our customers. A strategic approach is therefore mandatory to achieve the right maturity level. The first step is to organize a security strategy that prioritizes cybersecurity as a company imperative. The required steps are:

  1. Get your documentation and policies straight.
  2. Review your IT and IT Security processes and complement them if required.
  3. Get management support and commitment!
  4. Implement an overall IT Security strategy that complies with the company’s IT strategy.
  5. Operational risk management is mandatory.
  6. Establish a regular management report based on agreed KPIs/RKIs.
  7. Implement and practice your Security Incident Response Plan.

Creating a risk management and vulnerability framework is just as essential as getting the C-level leadership and employees on board. Therefore, ndgit (now Qwist) uses ISO 27001/22301 as its security foundation framework:

Sections covered by ISO 27001:

  • Risk Management
  • Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications & Operations Management
  • Access Management
  • Information Systems Acquisition, Development and Maintenance
  • Business Continuity Management
  • Compliance
  • Information Security Incident Management

An ISMS (Information Security Management System) is used to display and document the information security strategy and to manage security challenges.

An incident mitigation and incident response plan, matched with a Business Continuity Plan, is the next important step to ensure security resilience and availability. Identifying the assets the company uses, e.g., data (at rest or in motion), network (firewalls, routers, switches and Wi-Fi), devices (laptop, PC, mobile) and facilities, is another important step towards a higher maturity level. Knowing your infrastructure and data helps you to identify the top cyber threats related to your company. Analyzing attack vectors such as malware (ransomware), social engineering (phishing), insider threats and DDoS attacks helps to identify the risks and evolving challenges. Such challenges vary from company to company. For a software development and technology-driven company, a transition to cloud, hybrid or on-premises can be challenging.

These are not only customer-driven requirements, but also a strategic security decision. What does this mean? It is essential to have an endpoint protection strategy combined with an appropriate SIEM solution. Do not underestimate the recent attacks by APT groups against software deployments, combined with machine intelligence or artificial intelligence, e.g. supply chain attacks (SolarWinds, Kaseya).

Having good risk management, reasonable security controls and Business Continuity Management (BCM) in place helps a company to reach a good maturity level. Of course, the support of senior management is vital, as is the cooperation of all involved departments and teams.


About Qwist

We are a leading technology and solution provider for Open Finance