Reduction of the complexity of the protection needs analysis (SBA) through optimal tool support
Compliance with BAIT in relation to implementation of protection needs analysis
Customer uses MS Excel solution, which allows only limited evaluation capacity
Establishment of an automated workflow incl. dashboard that will significantly reduce working hours
According to BAIT 3.3, BaFin requires that "the institution [...] must regularly and on an ad hoc basis determine the protection requirements for the components of its defined information network, in particular with regard to the protection objectives of integrity, availability, confidentiality and authenticity". The customer currently uses MS Excel for the documentation of the protection needs analysis. A simple and fast evaluation is currently only possible to a limited extent.
Since the information network is usually complex in terms of interrelationships and number of assets, a technical implementation can help to digitize the SBA process and create clear dashboards. The technical implementation is the main subject of the project.
SRC IT Security Consulting in Action
SRC IT Security Consulting:Challenge
In order to be able to offer an adequate solution, it is necessary to identify the actual process of the protection requirements analysis and the associated "pain points". This is what makes simplification of SBA processes and thus optimal tool support possible in the first place. The following figure illustrates our understanding of the SBA process.
SRC IT Security Consulting: Solution
Digital solutions and custom-made automatisms were implemented and set up as part of this project. Among other things, the programmed automatisms check data entries for consistency, perform protection needs assessments and inheritance in automated form. By digitizing and automating the SBA process, it was possible to
the operational effort is largely replaced by a "self-service" for the departments. The information security officer is now responsible for controlling and tracking the progress of the process. Documentation - technical and functional - initiates self-empowerment of the departments.
SRC IT Security Consulting: Result
In short, the technical solution creates a high degree of automation within the application and technology stack available to the customer. Departments are able to independently evaluate the components of the information network that are relevant to them via self-service. The evaluation of protection requirements is carried out completely automatically.
Dashboards allow critical assets to be identified in real-time. Technical and functional manuals were provided to the customer for self-empowerment. Overall, this resulted in a relative reduction in working time of more than 50% for the customer.