Certified Security Management Benefits FIDUCIA Customers

Volks- and Raiffeisenbanken (i.e. credit unions and cooperative banks), companies in the cooperative banking group and private banks, all rely on FIDUCIA IT AG. These have outsourced a wide range of IT services with FIDUCIA. It’s no question that FIDUCIA, one of the ten leading IT providers for providers of financial services in Germany, gives its all to offer its customers the highest security standards. One of the ways in which the company upholds these standards is through the installation of the Qualys risk-management system. Qualys is used in combination with the system integrator Controlware. The entire computing center at FIDUCIA IT AG is scanned regularly with Qualys. Qualys provides its customers with a convenient management console and practice-oriented reports.

The IT security solutions provider Controlware is convinced that future IT-security measures will increasingly concentrate on prevention rather than on defending against threats. According to Mario Emig, Product Manager of security solutions at Controlware, many companies have opted in recent years to install a so-called "information security management system." This trend is also evident in the increase in the number of ISO 27001 certificates. The situation at FIDUCIA IT AG is similar. This provider of IT services has been fully certified according to ISO norm 27001. This corporation thus became one of the first IT service providers in the German banking sector to have received certification. This certification guarantees FIDUCIA's customers the best in preventive security measures and highest technical standards. "Security is an integral part of our business procedure, so we wanted an independent source to confirm our adherence to high standards in this area," explains Lutz Bleyer, head of central security at FIDUCIA.

Analysis of Weak Spot Helps to Satisfy Security Requirements

Another way the IT service provider satisfies the ISO norm requirements is through the installation of a risk-management system. The company is comprehensively advised here by Controlware. Among its other services, the Dietzenbach-based system integrator assists companies with analysis, consultation and implementation of information security management. "Hence, all three levels of planning and transacting, i.e. the strategic, the tactical, and the operative level, may be required to integrate information security into a company as precisely and as economically as possible," explains Mario Emig of Controlware.

The Decision for Qualys

Bleyer began its search for an appropriate analytical tool in 2007. According to him, when the commercial tools Qualys and ISS Internet Scanner were considered, the open source scanners were quickly eliminated. "Our company has been running the freeware tool Nessus for several years," the IT expert says. "We needed a tool that would not only have a comfortable management console, but would also save its results to a database for subsequent analysis." Bleyer also mentions several other criteria that contributed to the decision: "We also wanted our tool to make available the results in a documented XML interface for processing by additional systems (e.g. Intrusion Detection, SIEM, Configuration Management, Asset Management). The optimal tool wouldn't interfere with productivity while performing a scan and would be easy to maintain." Above all, the option of accessing various databases via a single programming interface tipped the scales in favor of Qualys.

Early Experiences in Running Operations

Everything happened very quickly after the decision was made in favor of Qualys. Bleyer and his colleagues gathered their initial experience with the tool through a test installation. This was carried out by performing scans from various perspectives. "A hacker might have very different methods of attack and motivations in the examples tested," Bleyer notes. After a few adjustments within the framework of the test installation, Qualys has been running in active operations since August 2007. "We were delighted to see how smoothly the solution's implementation went," Lutz Bleyer reports happily. Furthermore, only one training session of one-and-a-half to two hours were needed for employees who have accounts with Qualys to acquire confidence in using the tool. At present, valuable practical experience is being gained with different scan intervals. Bleyer isn't concerned that Qualys might not store the data securely enough. "It's clear that Qualys assumes responsibility for looking after the database on our behalf, but the data are encrypted and the code needed to decipher them is kept FIDUCIA throughout the entire process," assures Bleyer. Qualys does not know the code and thus cannot access the enciphered data.

Regular evaluations of the data

Scans alone, however, are not enough. Though two employees are tasked with starting and monitoring the scans, the evaluation of the results occurs within the framework of a two-week-long meeting attended by various employees from a wide range of departments. "A representative from the internal IT department might find himself seated at a table responsible for the mainframe computer, and elbow to elbow with the people in charge of Unix and Windows," Bleyer explains. "Meetings of this kind are very important to assure mutual understanding in a project like this one, which involves so many departments," the chief security officer at FICUCIA IT AG added.

The expectations have been fulfilled

Lutz Bleyer is completely satisfied with Qualys. So far, no problems have arisen, "and if any should arise at any time, we know that we'll receive timely support from Qualys on the basis of our service agreement," the head of central security explains. At present, they are still fine tuning the system and gathering experience about the efficiency of various scanning intervals and different views of the network. At conferences for users, Bleyers shares his experiences with other Qualys customers.

About the FIDUCIA Group

The FIDUCIA group, headquartered in Karlsruhe, Germany, is one of the ten leading IT service providers in Germany. It is an IT competence center and is the largest IT service provider in the cooperative banking group as well. The company offers an extensive spectrum of services in the area of information technology. The FIDUCIA group's core business is to provide IT services for approximately 800 Volks- and Raiffeisenbanken, for the central institutions and businesses of the cooperative banking group, and for private banks. FIDUCIA’s core competencies are the operation of computer centers with supercomputer technology with the highest security standards, and the development and implementation of integrated IT solutions. The FIDUCIA group employs approximately 3,000 people, generated a business volume totaling 732 million € in the 2006 fiscal year.