Data Protection & Information Security

24 - 02 - 2021

Introduction

Any information relating to an identified or identifiable natural person is personal data. It could be a name, an address, a card number, even an IP address or a cookie ID. The EU’s General Data Protection Regulation (GDPR) tries to strike a balance between being strong enough to give individuals clear and tangible protection and flexible enough to allow for the legitimate interests of businesses and the public. Compliance with the requirements of the GDPR is mandatory whenever personal data is processed.

Data protection is defined as “legal control over access to and use of personal data”. More specifically, the GDPR refers to “the protection of natural persons with regard to the processing of personal data”. It is essentially a set of laws, regulations and best practices governing the collection and use of personal data about individuals. Information security is defined as the practice of defending information (both physical and digital data) from unauthorized access, use, modification or disruption.

At xitee we provide services to keep your data safe and secure.

Cyber-attacks on critical infrastructures, such as hospitals, are becoming more aggressive and frequent. To identify and reduce the risks to your solution, we offer a penetration testing service. The goal is to apply the methods typically used by attackers in order to identify vulnerabilities that would allow the system to be compromised, confidential information to leak, or the availability of services to be impaired.

Additionally, we recommend and provide a GAP analysis to evaluate your processes, activities and procedures against the requirements of ISO/IEC 27001 and to identify all measures necessary to achieve conformity with the legal requirements as well as optional certification.

Code review

Our source code review service aims to discover hidden vulnerabilities and design flaws, and verifies whether you have implemented the key security controls. We use a combination of automatic scanning tools and manual review to check coding practices, performance problems, security vulnerabilities (such as injection flaws and cross-site scripting), security-configuration rules, integrated libraries, etc.

The first step of the code review process is an analysis of the application and the creation of a threat profile.

This is followed by an inspection of the code layout in order to develop a specific code review plan for each application individually.

Subsequently, we usually use a hybrid approach, performing automated scans as well as a manual code review.

Once the code has been reviewed, we provide you with a final report containing the flaws found and the suggested resolutions / steps for improvement.

Gap analysis audit

A gap analysis reveals strategic and operational gaps in your company that should be addressed. The audit determines the maturity of your information security based on the best-practice requirements of ISO/IEC 27001.

We provide GAP analysis audits to evaluate your processes, activities and procedures against the requirements of ISO/IEC 27001:2013 and to identify all measures necessary to achieve conformity with the legal requirements as well as optional certification. With our structured best-practice model, we protect confidential data, ensure the integrity of your operational data and increase the availability of your IT. The final report then includes concrete recommendations.

Selected key audit areas according to ISO/IEC 27001:2013:

  • Context and leadership of the organization (management responsibilities, governance, guidelines)
  • Planning (including risk management)
  • Support (including resources, competence, communication and documentation)
  • Operation (operational planning and control)
  • Performance Evaluation (monitoring, internal audits, management evaluations)
  • Access control, cryptography and physical and environmental security
  • Development and maintenance of information systems
  • Security incident management
  • Business continuity management
  • Compliance
  • Continuous improvement

Penetration testing

A penetration test is a simulated cyber attack against the client’s computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF). The result of the test is a report on the outcome, with recommended steps for improvement.

Complex IT systems collect and process data that could potentially be misused. Since at least some part of the system is usually exposed to the public (e.g. a web server), it is necessary to ensure that only authorized users can operate the system and that the security precautions do not allow any unauthorized person to access any of the system elements.

System security is evaluated by performing a simulated attack on the computer system. This test can identify vulnerabilities and the impact of a potential security breach. Typical threats include, for example, system malfunction or overload caused by excessive use of components reachable from the public network (APIs, web forms, ...), leakage of sensitive and personal data, or unauthorized access to restricted application functionality. The main types of penetration testing are external, internal and physical penetration tests.

Our approach to testing methodology:

  • PLANNING - Defining the subject and scope of the security audit
  • SCANNING - Conducting a kick-off workshop with the persons responsible for IT, information security and the operation of the affected IT systems
  • GAINING ACCESS - Execution of the penetration test according to proven and established standards, such as the OWASP Testing Guide. Use of proven, up-to-date tools, supplemented by manual analysis and rechecks to rule out false positives.
  • ANALYSING AND REPORTING - Results report and presentation with prioritized recommended measures
  • OPTIONAL - Carrying out a follow-up inspection

Benefits of penetration testing:

  • Testing and consulting by industry-experienced experts
  • Better assessment of the current protection level of the IT systems in use
  • Assessment of established protection measures
  • Reduction of the liability risks which arise from inadequate security of your systems
  • Proof of compliance with regulatory requirements of established standards such as ISO/IEC 27001, industry-specific security standards and GDPR
