Peace of mind in business guaranteed

Information Security Audits

Have I turned off the iron? Have I locked the car? Probably everyone has experienced a surge of such doubts in their private life. And at work? Do you have the same thoughts about your business? Are you sure that what matters most to your business is well protected? And if you don’t have such doubts, are you sure you have nothing to worry about? An information security audit will help identify and eliminate gaps in security systems and procedures.

The statistics are merciless. The frequency and effectiveness of attacks on organizations are increasing. Attackers’ tools are improving and their competencies are growing. The Center for Strategic and International Studies (CSIS) list of successful cyber-attacks on government agencies, the defense sector and high-tech companies, and of economic crimes where losses due to attacks exceeded one million dollars, already contains nearly 600 examples. In 2019 alone, nearly 100 items were added to it.

In view of the data cited above, concerns about whether we have any unknown “irons not turned off” in our business are fully justified. We must also remember that even in specialized security teams, vigilance can weaken over time. They gradually become desensitized to obvious gaps, or start accepting known risks that have not ended in an incident for many years.

Information security audit

An information security audit, especially one performed by external experts with a fresh perspective on numerous issues, can be very helpful in eliminating security gaps. Obviously, auditors do not have full information about the organization and must obtain it from the employees of the audited entity. At the same time, however, the auditors start their work armed with knowledge of how information security is ensured in business, practical experience, and familiarity with the most common mistakes and security gaps.

Additional support is provided by the criteria and good practices contained in standards (e.g. ISO 27001, 20000, 22301, 62443) and assessment frameworks (VDA ISA/TISAX, TPN and others). The effect of a fresh look at existing solutions is also important: it is often easier for an outsider to see obvious mistakes to which the internal team has become insensitive.

Audit objectives

The performance of an information security audit allows various goals to be achieved, depending on the current needs of a given organization. An audit conducted by an external partner will also help extend the scope and improve the quality of internal audits.

If a company is preparing to implement a management system based on a specific standard or framework, a security audit performed against the specified criteria helps determine how far the organization deviates from the selected standard. On that basis we can define a detailed implementation plan and cost estimate (the same applies to specific legal acts, e.g. PDPA or NIF).

When an organization has already implemented a management system and wants to obtain a certificate, the audit helps determine its level of readiness for certification. It is recommended to conduct such an audit as a dress rehearsal: if gaps are identified early, we can avoid a costly interruption of the certification audit caused by the discovery of major non-conformities.

An audit in an organization that is already certified can be used as an example of an audit carried out by an independent external entity. Some standards require such actions. It can also be used as an element of a management system review.

Leaving certification aside, a zero (baseline) audit creates a snapshot of the organization’s management and security level at a given point in time. It exposes gaps in information security and business continuity relative to generally accepted good practices. It lets us determine the real level of risk associated with various assets and strategic objectives. Finally, it lets us adjust risk management plans to actual needs.

Experienced auditors coming into the organization from outside are able to catch hidden or obvious gaps (the “child in the fog” effect) that escape the attention of specialists from within the organization.

During the audit, the auditors act as a neutral, external party. This makes it easier to talk to employees: by guaranteeing them anonymity, the auditors collect information about security gaps. Often this is the only way for such knowledge to reach the top management of the organization.

By performing an audit, the organization obtains verification whether information security processes and incidents are properly addressed and reported to the highest level.

While preparing for the audit, employees involuntarily, “by the way”, raise their competencies, increasing the compliance of the processes with the policies and procedures adopted in the company. Moreover, by talking to employees during the audit, the auditors raise their level of knowledge about possible risks and indicate methods of avoiding them.

A documented information security audit, especially in combination with penetration and social engineering tests, can be used to show our counterparties how much importance we attach to secure organization and data management. This matters because practically every business interaction involves the exchange of sensitive data.

Growing responsibility

Organizations are increasingly held responsible for keeping their information security level compliant with the good practices and standards accepted in the market. Successive laws, including the recent National Cyber Security System Act and the earlier General Data Protection Regulation, increase the financial and even criminal liability of companies and their managers. For GDPR violations in Europe alone, 130 penalties have already been imposed, the highest of which exceeded EUR 10 million.

Typical risk areas

Threats to information security are usually associated with hacking attacks, viruses and sophisticated malicious software. However, a large and often ignored risk is associated with trivial security gaps that have nothing to do with IT and result from lack of awareness, negligence or recklessness. Below we present selected examples of security threats encountered by SNP auditors.

  • Open back doors. Very strong security measures “at the front” of the organization and, at the same time, no protection of other access routes (unprotected doors, gates and barriers, protection on only one side of a facility, armored walls at the front and rusty wire fencing at the back).
  • Obvious security gaps. CCTV monitors showing images from sensitive areas visible to visitors; protection provided 24 hours a day, but only 5 days a week; employees disabling or dismantling security equipment or directly opposing its installation.
  • Communication disruptions. Lack of on-/offboarding processes (former employees retaining access to the organization’s assets for many years and using the company’s resources for their own purposes, e.g. living on the company premises or running a Bitcoin mine on company servers); parts of the company operating “on their own”; no development of the organizational structure despite growth from a few to several thousand employees; foreign-language employees not provided with materials in their own language.
  • Lack of business continuity. CEOs carrying backups in their pockets on pendrives; employees encrypting all of a company’s resources with a single piece of malware brought in on one pendrive; relying on “financial cushions” to ensure further operation; bottlenecks due to lack of designated substitutes in case of absence; poor delegation of tasks or lack of clear channels of information flow, especially in a crisis; loss of access to assets when a single employee leaves the company; backups never verified by recovery tests and found to be damaged; single points of failure (six devices, one charger).
  • Useless documentation. Outdated policies; non-compliance with policies (e.g. permissions and accounts not deleted, employees still using company accounts 2 years after leaving); certifications carried out by unknown companies; demonstrating compliance, and risking loss of a contract, without actually implemented solutions; assigning random employees to responsible roles and tasks.
  • Virtual security zones. A catering provider with access everywhere; conference rooms adjacent to public kitchens with only a thin wall between them; staff cloakrooms in the server room; a production area unprotected against theft by employees; logistics areas opened by a button; passwords to IT resources in logistics/production/loading areas stuck to monitors; open mail/fax rooms.
  • Inadequate environmental controls. Opening windows in the server room instead of proper air conditioning; generators not tested since installation; communication and server nodes open to guests; the server room used as a warehouse for used IT parts; lack of notification systems; water extinguishing systems in facilities with electrical installations; water heating systems in server rooms; sensitive objects placed in particularly vulnerable locations (control rooms next to customer service desks, staff showers located above the server rooms, servers in boiler rooms, kitchens or elevator shafts); oil fires detected with gas sensors; installed systems and equipment that nobody supervises or whose purpose is unknown.
  • Lack of resources. Payrolls printed on scrap paper; older but still sensitive materials displayed in unprotected areas; sensitive resources secured only minimally (a single key).
  • Dishonest employees. Private clouds; working on private resources (Windows 95 serviced by a grandson); using company resources for private or competitive activities (problematic materials left in the company environment, such as third-party data or naked photos).
  • Gaps in employee competencies. Lending passwords; saving passwords in unsecured assets; performing risky activities; lack of training; throwing sensitive information into the trash can.
