WWW.LOGISTICSINNOVATION.ORG

The news platform for Switzerland, the EU and the rest of the world



Protect yourself from surprises

December 22, 2024

Fig.: K. Zlöbl, SSI Schäfer

Experience is the best teacher. At SSI Schäfer, an Information Security Management System (ISMS) has been providing assurance of information security for some time now. This system not only encompasses all technical measures but is also continuously evaluated as an organizational framework with corresponding security goals and strategies.

Klaus Zlöbl, responsible for software security at SSI Schäfer, emphasizes the need for close coordination with customers to ensure the security objectives of availability, confidentiality, integrity, and authenticity. These security objectives are also key requirements of the NIS2 Directive 2022/2555 of the European Parliament and of the Council of 2022, which aims to strengthen cybersecurity standards across Europe. Implementing these standards protects against cyber threats and strengthens the resilience of IT systems. Specifically, this means that information and systems must be available at all times, while simultaneously being treated confidentially and protected from unauthorized access. Changes to data must be traceable, tamper-proof, and clearly identifiable as originating from the stated source.

Targeted training ensures that employees can recognize threats and confidently apply existing security measures and processes in their daily work. This includes general training for all employees, covering topics such as secure password management, malware detection and reporting, and similar fundamentals.

Fig.: SSI Schäfer

In the field of software development, specialized knowledge such as secure coding is taught to prevent security vulnerabilities from being introduced during the programming phase. This is complemented by a comprehensive catalog of measures at the component, data, system, and process levels. Particular attention is paid to the technical systems on which information is stored, processed, or transmitted. Zlöbl explains: "These systems must function flawlessly and be effectively protected against the diverse threats."

Key elements

  • Threat modeling, secure coding, and code reviews are applied during the development phase.
  • Controls are implemented in all systems and applications to restrict access exclusively to authorized users. This is also taken into account in software development, where access rights are granted according to the need-to-use/need-to-know principle, depending on the security requirements of the information. This means, for example, that employees only receive access to a customer system when it is necessary to perform service tasks or operations.
  • The security architectures ensure traceability and non-repudiation with regard to the protection goals in the applications and systems.
  • Static Application Security Testing (SAST) is implemented using static code analysis tools, so that potential vulnerabilities are identified and fixed early.
  • Third-party components in use are regularly checked for known vulnerabilities and updated.
  • Comprehensive penetration tests by independent external partners simulate attacks and help to find and fix security vulnerabilities.

The necessary security practices are implemented and documented in a structured manner. A balance is sought between high security and user-friendliness so that the software's functionality is not compromised. Zlöbl, who has been responsible for the security of the software products as Security Officer in product development since October 2022, states: "Protecting sensitive data and systems is a shared responsibility."

Klaus Zlöbl studied telematics with a focus on computer science before joining SSI Schäfer in 2011, where he held several positions in software development. Since 2017, he has dedicated himself to IT security.

www.ssi-schaefer.com
