IT-Compliance Cross Country (International)

Our experts take into account the applicable international laws and regulatory requirements, including: the European Union's General Data Protection Regulation (GDPR), the Capital Requirements Regulation (Basel III framework for the banking sector) and the Markets in Financial Instruments Directive; international pharmaceutical and healthcare requirements such as HIPAA and GxP; International Financial Reporting Standards (IFRS); the Payment Card Industry Data Security Standard (PCI-DSS); and the Sarbanes-Oxley Act (SOX).

Country-specific (Austria): Austrian Telecommunications Act

Authorization Management

Analysis

  • We analyze your entitlements against current legal and regulatory requirements, prepare a gap analysis, and provide proposals for auditable entitlement management

Authorization Design / Redesign

  • We develop new authorization roles or revise your existing ones according to best-practice standards
  • We identify your critical or sensitive authorizations and transactions for further processing in risk matrices, approval procedures and processes

Processes 

  • Implementation or redesign of the authorization management

Authorization concepts

  • Creation of authorization concepts that take into account the separation of duties, risk management and the controls that mitigate conflicts in the separation of responsibilities

Classification of Criticality

  • We work with you to determine the criticality of your systems and applications according to the legal and regulatory requirements that apply to you

SOPs (Standard Operating Procedures)

  • We will work with your departments to develop the necessary instructions according to legal and regulatory requirements

Test documentation

  • We prepare the legally and regulatorily prescribed test documents for auditable changes to authorization roles, system upgrades or system relocations, and re-implementations of standard or enterprise-specific solutions


Identity Access Management

IdM / IAM

  • Implementation audit: appropriate implementation or redesign of your Identity Management (IdM) and Access Management
  • We implement or revise your user management, taking into account your regulatory and legal requirements
  • Goal-oriented, following the need-to-know and least-privilege principles

Processes

We implement the relevant processes for the conscious handling of identities, anonymity and pseudonymity:

  • Authorization Concepts
  • Instructions
  • User types such as Technical, System Support and Department users
  • Implementation of leading IdM tools on the market

Joiner-Mover-Leaver

  • We implement the IdM-relevant Joiner-Mover-Leaver processes and present solutions for automating, and thus auditably administering, user accounts

Risks

  • We introduce the standard risks of user management and work with you to develop your organization's own risks or adopt them from your internal control system (ICS)

Controls

  • We present standard controls, automated and manual, to mitigate risks and integrate them with the departments' own organizational controls

Periodic recertification of permissions

  • We support you once or twice a year (depending on the criticality of your systems) in the periodic recertification of authorizations. This is often a lengthy process, and we have developed templates that make it easier for the owners of permissions and data to review a large number of permissions.

Periodic recertification of risks

  • We support you once or twice a year (depending on the criticality of your systems) in the periodic recertification of risks. Risks must be checked and evaluated periodically. Businesses are constantly changing, and risks that were considered uncritical yesterday can be critical today: for example, in logistics when transport routes pass through war zones, or when mergers and acquisitions bring additional regulatory requirements. Risks can also be downgraded, reducing the controls applied to them or making those controls obsolete. Assessment is often a lengthy process, and we have developed checklists that make it easier for risk owners to assess risks.

Periodic recertification of controls

  • We support you once or twice a year (depending on the criticality of your systems) in the periodic recertification of the controls in use to demonstrate their effectiveness. Controls, like risks, must be periodically checked for effectiveness and documented. ERP systems are subject to constant change through customizing, upgrades and updates, and implemented controls can lose their effectiveness. Recertification is often a lengthy process, and we have developed templates that make it easier for control owners to audit controls.

Periodic recertification of users

  • We support you once or twice a year (depending on the criticality of your systems) in the periodic recertification of users. Often this is not only a lengthy process but also a process prone to error. We'll gladly assist you.


You can also outsource the process - please click here to go to outsourcing.

Function Separation

  • We implement function separation (SOD).
  • We review and complete your SoD matrix.
  • We implement various tools to manage your separation of duties as well as the associated risks and controls. Suitable, internationally recommended products include SAP GRC®, SAST® and Security Weaver®.

Critical permissions

  • We review and supplement your risk matrix.
  • We implement various tools to manage your separation of duties as well as the associated risks and controls. Suitable, internationally recommended products include SAP GRC®, SAST® and Security Weaver®.

Risk and Control

  • We identify your risks from your internal control system (ICS) and implement appropriate controls and create an overarching risk and control matrix.
  • We implement various tools to manage your separation of duties as well as the associated risks and controls. Suitable, internationally recommended products include SAP GRC®, SAST® and Security Weaver®.
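As an added illustration of the SoD matrix, critical-permission and risk-and-control reviews described in the three sections above (example code written for this page, not a tool or template of the consultancy or of any product named here), the following check derives each user's effective transactions from their roles, flags separation-of-duties conflicts and critical transactions, and separates conflicts that already carry an approved mitigating control from those still open. All roles, transactions, rule ids, users and mitigations are constructed placeholders, not a real SoD matrix.

```python
# Added example, not from the original page. All data below is constructed.

# Constructed role catalogue: which transactions each role grants.
ROLE_TRANSACTIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_PAYMENT"},
    "BASIS_ADMIN": {"USER_MAINT", "ROLE_MAINT"},
}

# Constructed SoD matrix: two function groups that one person must not combine.
SOD_RULES = {
    "SOD-01": ({"CREATE_VENDOR"}, {"APPROVE_PAYMENT"}),
    "SOD-02": ({"ENTER_INVOICE"}, {"APPROVE_PAYMENT"}),
}

# Constructed critical-permission list: single transactions that always need review.
CRITICAL = {"ROLE_MAINT", "USER_MAINT"}

def effective_transactions(roles, role_transactions=ROLE_TRANSACTIONS):
    """Union of all transactions a user obtains through the assigned roles."""
    tx = set()
    for role in roles:
        tx |= role_transactions.get(role, set())
    return tx

def find_conflicts(user_roles, mitigations=None, sod_rules=SOD_RULES, critical=CRITICAL):
    """Per user: hit SoD rules, those without an approved mitigating control, and critical hits.
    Users with no findings are omitted, so the result is the recertification worklist."""
    mitigations = mitigations or {}
    findings = {}
    for user, roles in sorted(user_roles.items()):
        tx = effective_transactions(roles)
        # A rule fires only if the user holds something from BOTH function groups.
        sod_hits = [rid for rid, (a, b) in sod_rules.items() if tx & a and tx & b]
        open_hits = [rid for rid in sod_hits if rid not in mitigations.get(user, set())]
        crit_hits = sorted(tx & critical)
        if sod_hits or crit_hits:
            findings[user] = {"sod": sod_hits, "unmitigated": open_hits, "critical": crit_hits}
    return findings

# Constructed user-role assignments and approved mitigating controls (e.g. a four-eyes review).
USER_ROLES = {"alice": ["AP_CLERK", "AP_MANAGER"], "bob": ["AP_CLERK"], "carol": ["BASIS_ADMIN"]}
MITIGATIONS = {"alice": {"SOD-02"}}

if __name__ == "__main__":
    for user, finding in find_conflicts(USER_ROLES, MITIGATIONS).items():
        print(user, finding)
```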
