CHARISMA with a 360-degree approach

An optimum level of information security can only be achieved through seamless integration of its various subdisciplines. In the past, however, the opposite trend has emerged: heavily increased requirements have often led to stovepipe structures with separate areas of organization and responsibility. The consequence is only a limited perception of the mutual interdependencies, including the areas that overlap with related disciplines. This creates unintended security gaps at the interfaces, along with rising overheads and avoidable costs.

The answer to this is the 360-degree concept from CARMAO. This approach to information risk management is thus far unprecedented and views information security from a holistic perspective, so that its effectiveness rests on a much more solid foundation. Thanks to the integrative outlook, areas are uncovered where the linkage of the various subdisciplines may cause problems. At the same time, the integrative approach averts the overheads that typically arise when the subdisciplines are designed discretely: since they partly exhibit significant overlaps, certain processes tend to be modelled repeatedly, and organizational measures and documentation are duplicated.

Thus, an integrated approach to the subdisciplines, instead of stovepipes, leads to a premium level of information security, and at the same time the 360-degree perspective helps the bottom line by means of significant cost savings. A key instrument of the 360-degree CHARISMA framework is the requirement database, a centralized database of requirements, together with a central information risk repository. These elements continuously guarantee a very differentiated overview of the overall processes, roles, requirements, overlaps and project priorities.

ISMS according to ISO/IEC 27001. Information Security is more than IT Security

Achieving an information security level geared to corporate objectives requires more than the procurement of technical security infrastructures and products such as firewalls and antivirus software. A security architecture integrated into the company structures is an integral part of corporate risk management. It is intended to safeguard the availability, integrity and confidentiality of the routines, applications and IT systems involved in information processing. Organizational and technical measures are dovetailed and integrated into your operational routines, administration, production, and IT.

CARMAO's scope of consulting in information security is shaped by a holistic approach and reflected in the CHARISMA Information Security Management method framework. The framework is based on ISO/IEC 27001:2013 and additional internationally recognized Best Practice approaches. You thus receive an ISMS which precisely corresponds to your individual requirements and can be dynamically enhanced. At the same time, it is designed so that the processes in everyday operations remain very lean.

For sophisticated project objectives, our consultants have a set of intelligent procedural methods, combined with comprehensive know-how in all relevant subdisciplines of application security. They can rely on their vast experience, as a result of the large array of projects they have managed for medium-to-large enterprises in various industries.

Basic IT Protection. Promoting systematic security

Building up a security organization and security processes is a necessary task. Given the complexity, it is helpful to rely on recognized and proven methodologies. The BSI's IT baseline protection (IT-Grundschutz) is one such standard for the IT operations of companies and public institutions, and applying it achieves a clearly defined level of security.

CARMAO has developed methods for the lean implementation of BSI-compliant infrastructures, applying security concepts that conform to baseline protection and implementing them in a practical, certification-capable manner. Based on the best-practice competencies arising from many years of experience with BSI baseline protection, the entire set of requirements can be addressed through design, formation and implementation, right down to documentation. Licensed IT baseline protection auditors ensure this is achieved in ways that reduce overheads and budgets.

Because an ISMS, just like any other management system, must be maintained, we implement it in ways that enable its processes to be structured extremely efficiently, including in practical deployment.

Information Risk Management. Quality through risk diversification

Today, reliable and confidential information processing is indispensable in the management of business routines, in production processes and much more. That is why, from the standpoint of business interest, IT risk management is not only useful but mandatory. Not only do customers, especially companies within the financial industry, require relevant prevention against existential risks; their managers are also required by lawmakers to identify, monitor and avert existing or potential risks.

CARMAO's scope of consulting in information risk management is shaped by a holistic approach and reflected in the CHARISMA Information Risk Management method framework. The framework is based on ISO 31000:2009 and ISO/IEC 27005:2011, along with additional internationally recognized Best Practice approaches. You thus receive a risk management system which precisely corresponds to your individual requirements and can be dynamically enhanced. At the same time, it is designed so that the processes in everyday operations remain very lean.

For sophisticated project objectives, our consultants have a set of intelligent procedural methods, combined with comprehensive know-how in all relevant subdisciplines of application security. And they can rely on a vast range of experience, resulting from a large array of projects in medium-to-large enterprises in various industries.

Application Security Management. The holistic way to more security

Experts assume that the vast majority of business-critical applications are subject to security risks. This applies to centralized business applications as well as to web, mobile, and client software alike, regardless of whether standard or open source systems are involved. Yet until now, the security of applications has only been a secondary consideration; other security requirements have dominated the discussion.

CARMAO's scope of consulting in application security is shaped by a holistic approach and reflected in the CHARISMA Application Security Management method framework. The framework reflects the overall application lifecycle, from the requirements analysis, through architectural requirements, threat and vulnerability analyses (threat modelling), risk analyses, development methods, source code analyses, and application penetration tests, right down to the structuring of organizational rules for software development and the running of applications.

For sophisticated project objectives, our consultants have a set of intelligent procedural methods, combined with comprehensive know-how in all relevant subdisciplines of application security. They can rely on a broad wealth of experience, resulting from a large array of projects in medium-to-large enterprises in various industries.

Penetration tests. Targeted identification of vulnerabilities

High standards are required of information security implementations. Yet even for existing applications and IT infrastructure, new security gaps are constantly being identified. Through a myriad of integration interrelationships with other infrastructure components, hidden security gaps emerge that carry potentially significant risk.

Our penetration tests and vulnerability scans, using controlled simulations of attacks on both applications and IT infrastructure, identify existing or potential vulnerabilities. For proprietary applications, it is important to take advantage of this prior to production operation, and a penetration test should also be standard procedure prior to each software modification.

These analyses may also be necessary after unauthorized third-party access to the company's infrastructure, in order to determine whether additional vulnerabilities remain open.

They are carried out as and when needed and on the basis of internationally valid standards, enabling you to implement very targeted optimization measures. After the test, we can develop very concrete recommendations for you, specifically as a supplement to the systematic documentation of findings.

Compliance Management. No gaps in the future

The wide array of legal regulations and liability risks for companies is continuously increasing, and corporate requirements are being placed on them to an increasing degree as well. This makes compliance a very significant task. In particular, safeguarding the integrity, confidentiality and authenticity of information, along with its availability in the execution of mission-critical business processes, is the foundation of effective compliance management. This also includes risk analyses to determine threats in the value-added activities arising from variances from external and internal rules and guidelines, along with preventive measures designed to systematically avoid such variances. Strategies for dealing with abnormalities complete the overall picture and thus secure the stability of the company.

Yet what sounds like a formal compulsory exercise can develop into a task with multifaceted beneficial effects, because we design compliance as an effective controlling instrument with which possible weaknesses can be uncovered and eliminated. Above all, an intelligently conceived compliance method that is actively practiced by employees ultimately represents an invaluable early detection system. This is ensured by the experienced compliance consultants from CARMAO. They identify possible vulnerabilities and areas where there is a need for action in your company. Guided by a structured procedural model, and working in cooperation with you, we subsequently implement concrete measures for improvement towards a sustainable increase in compliance.

Fit for the EU GDPR through our new 360-degree view

Through the new EU General Data Protection Regulation (EU GDPR), companies and public authorities are facing totally new requirements in terms of transparency, data protection, documentation, and reporting duties. Yet what at first glance appears extremely comprehensive does not necessarily have to lead to complex projects. We employ a methodology specially developed for the EU GDPR, which guarantees accelerated and budget-friendly planning, saving time and money.

This also includes a readiness analysis at the outset to determine the possible need for action. Based on its findings, the necessary measures can then be derived and prioritized. This readiness analysis typically takes two to three days to complete, followed by a differentiated evaluation. By taking these steps, you clear the path to a high level of EU GDPR-compliant legal certainty, through which business risks can also be avoided.

To the extent that you are also active in other European countries, an international network of partners is available for European advisory services. Our experts are also prepared to optionally assume the function of the external data protection officer, whose appointment is mandatory under the new data protection regulation.

Business Continuity Management. Well organized

If time-critical business processes or the resources supporting them, such as personnel, facilities, suppliers or the IT infrastructure, fail, maintaining business operations, and thus achieving business objectives, is severely jeopardized, even during short-term interruptions. A holistic, process-oriented system of emergency management, referred to in professional jargon as business continuity management, provides individual emergency concepts for handling such situations and avoiding their consequences.

If critical systems of the technical infrastructure fail for a longer period of time, production and business operations are directly affected. In order to minimize the economic and other ramifications of such problems, effective business continuity management (BCM) is required to keep business process downtime to a minimum.

As part of business continuity management, CARMAO develops a prevention plan tailored precisely to your company and your business objectives. This includes recommendations for action on emergency precautions, emergency handling and aftercare, based on the findings of comprehensive investigations. Continuity and recovery plans with selective tests ensure that your individual emergency management remains functional at all times. In this, CARMAO is guided by the international standard ISO 22301:2012 as well as BSI Standard 100-4, along with best practices.

The broad consulting portfolio, however, includes not only the design and implementation of business continuity management systems (BCMS) but also the determination of the maturity level of existing emergency concepts, each with strong industry understanding and with project implementation methods mindful of overheads.

IT-Service Continuity Management. Exceptionally prepared

IT emergencies in companies can have significant ramifications, as evidenced by the recurring examples reported in the news. To the extent that the continuity of business operations is impaired as a result, this may cause devastating direct and indirect economic damage. You can mitigate these problems with our IT emergency management, which provides a highly organized methodology for prevention as well as for the management of potentially critical IT situations. IT service continuity management (IT-SCM) encompasses conceptual prevention and provides the interface for follow-up, reactive emergency handling, in order to mount a quick and commensurate response through well-rehearsed steps. This includes clearly defined processes, measures for emergency prevention, the design of emergency procedures right down to recovery plans, the setup of emergency teams, and more. IT-SCM thus fits seamlessly into the issues handled by higher-level Business Continuity Management.

Our methodology follows a proven standard, in which we align the customer-specific IT emergency management with established standards. The scope of consulting may also involve assistance in selecting tools to handle the requirements. Thanks to IT emergency management conceived according to proven methods, you will have the certainty in critical IT situations of being able to limit the repercussions on business operations to a minimum. By deploying our cost-conscious CHARISMA framework, the costs incurred are significantly lower than usual.

Forensics. Success in digital investigation

Increasing digitalization creates substantial benefits for companies and private users alike. The flip side, however, is that the digital world has raised the specter of new criminal potential. Forensic data analysis in IT systems and networks is dedicated to systematically detecting, reconstructing, and investigating criminal actions.

The DEKRA-certified experts from our forensics laboratory are specialized in this field. Using intelligent methods and tools, they investigate data clues in IT systems and reconstruct cases in order to gain precise knowledge of the source, identity and modus operandi of the perpetrators. They examine suspicious incidents concerning all aspects of IT, recover data, and provide proof of sabotage, espionage or manipulation. The results are prepared for use as evidence admissible in court, as well as in the form of a forensic expert opinion where needed.

Our additional services include a forensic emergency service with rapid, on-site availability of IT forensic specialists at short notice, in order to guarantee court-admissible data preservation and data recovery. Our forensics laboratory is also dedicated to security management through forensic data erasure and data recovery or reconstruction.