Part 3: Catalog of reference measures and should-be comparison
Recall that step 1 is all about developing a solid understanding of security-relevant assets, while step 2 deals with determining the criticality of assets in terms of protection goals. But knowing your protection assets does not mean that they already meet the corresponding security requirements. This is where step 3 of reconciling rapid digital transformation with security and compliance comes in.
Target-performance comparison of security measures
Knowing your protection assets does not mean that they already meet the corresponding security requirements. After all, your security requirements must keep pace with current technological developments and risks.
A security catalog serves as a collection of security-relevant measures.
Without a doubt, applications that require a relatively high level of protection in terms of confidentiality, e.g. because they process or collect highly sensitive data according to GDPR, need different security measures than systems that require less protection. The aforementioned security catalog must therefore be set up with a particular focus on protection goals, protection requirements and technology.
A constantly updated security requirements catalog is crucial to putting your security implementation to the test.
From our experience, a team of technical and audit experts is needed to establish a compliant and technically sound collection of security measures. Digital tools are important instruments here that can simplify and speed up creating and updating the security catalog.
Without these tools, the paradigm shift from "Move fast OR Stay secure" to "Move fast AND Stay secure", i.e. the process towards the governance of the digital era, would not occur.
In addition, digital solutions immediately detect deficiencies in the implementation of security measures for assets worth protecting. The detection of security deficiencies needs to be fully automatic and has to adapt to your security requirements catalog.
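A minimal sketch of such an automated should-be comparison, added here as an illustration and not taken from the original article or any particular product. The measure IDs, level scale, technology names and sample assets are constructed assumptions; a goal without a stated requirement is assumed to default to "normal".

```python
from dataclasses import dataclass

# Assumed three-step scale for protection requirements.
LEVELS = {"normal": 1, "high": 2, "very_high": 3}

@dataclass(frozen=True)
class Measure:
    id: str          # hypothetical catalog identifier
    goal: str        # protection goal the measure serves
    min_level: str   # measure is mandatory from this requirement level upward
    technology: str  # technology it applies to, "*" means any

@dataclass
class Asset:
    name: str
    technology: str
    requirements: dict  # protection goal -> required level
    implemented: set    # IDs of measures already in place (actual state)

def required_measures(asset, catalog):
    """Should-be state: every catalog measure that applies to this asset."""
    return {
        m.id for m in catalog
        if m.technology in ("*", asset.technology)
        and LEVELS[asset.requirements.get(m.goal, "normal")] >= LEVELS[m.min_level]
    }

def find_gaps(assets, catalog):
    """Compare should-be with actual; return only assets with missing measures."""
    report = {}
    for asset in assets:
        missing = required_measures(asset, catalog) - asset.implemented
        if missing:
            report[asset.name] = sorted(missing)
    return report

# Constructed sample catalog and asset inventory.
CATALOG = [
    Measure("M-01", "confidentiality", "normal", "*"),
    Measure("M-02", "confidentiality", "high", "database"),
    Measure("M-03", "availability", "high", "*"),
    Measure("M-04", "integrity", "normal", "web_app"),
]
ASSETS = [
    Asset("crm-db", "database", {"confidentiality": "high"}, {"M-01"}),
    Asset("intranet-wiki", "web_app", {"confidentiality": "normal"}, {"M-01", "M-04"}),
]

if __name__ == "__main__":
    print(find_gaps(ASSETS, CATALOG))
    # Updating the catalog changes the result without touching the check itself.
    updated = CATALOG + [Measure("M-05", "confidentiality", "normal", "web_app")]
    print(find_gaps(ASSETS, updated))
```

Because the check is driven entirely by the catalog data, adding or tightening a measure surfaces new deficiencies on the next run.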