Risk management without transparency?
IT security became a prominent topic in Germany many years ago and has gained significant traction since mid-2015 as a result of the IT-Sicherheitsgesetz [IT security law]. Identifying and evaluating the risks for critical networks and complex IT structures nonetheless remains a difficult undertaking. Hazard analyses must be carried out, in addition to a full inventory of IT assets and a criticality evaluation of individual applications and systems. In short, all sorts of data about the IT landscape are required, and ideally this data should always be up to date and complete.
In today's ISMS practice, extensive manual activities can still frequently be observed. Generally speaking, IT landscapes and IT networking evolve faster than IT assets and communication relationships can be documented and regularly updated by manual means.
Under the constraints of industrial control systems (ICS for short), providing the ISMS with high-quality information is more difficult than in traditional IT environments. Older technologies, longer system life cycles, and availability and real-time requirements make it harder to use data collection tools.
Although the general conditions in IT do allow the use of tools for automated data collection and evaluation, these tools often remain unused. There is a lack of time and expertise to make use of the opportunities available and to integrate them into existing structures.
Using conventional means, ISMS processes can therefore only be performed to a limited extent and at considerable expense of resources. And yet, 'only' the data processed and stored daily in the networks, systems and facilities has to be used.
The secunet transparency campaign and the use of modern sensor technology are meant to create transparency about the IT landscape and support optimised ISMS processes. Operations in the ISMS can be supported using automatically collected data on assets, data connections and other important parameters.