Information Security: It depends on the right measure

Customers, partners, legislators and lawmakers are increasingly forcing companies to ensure IT-Security protection. While the international IT-Security standard ISO 27001 has been consistently implemented in several large companies, the complex catalogue of measures poses significant challenges for SMEs (small/medium-sized companies). So what options do SMEs have in the organisation of IT-Security? The most important principles are summarised in the CFPA “Protection of Business Intelligence” guide, which raises important aspects of Cyber-Security. VdS Guidelines 3473 go even further – developed specifically for small and medium-sized enterprises, they implement the fundamental requirements of the ISO standard at only 20% of the costs.

Nearly 60% of organisations in Germany have been victims of a cyber attack over the past two years. This was announced by “The Alliance for Cyber Security”. According to the auditing firm KPMG, the number of victims of e-crime has doubled since 2013. In companies, this risk is well known: 89% of those responsible see a high or very high risk for German companies to suffer from a cyber attack. However, few people fear being hit themselves. They therefore use only inadequate security measures and react only when it is too late. A separate position exclusively concerned with IT security tasks is very rare: 85% of companies with fewer than 1,000 employees have not created one. The consequences of an attack are devastating and range from business or production losses to financial losses or image damage.

Challenge IT-Security
Whether from entrepreneurial self-interest or due to the demands of customers, contractors, legislators and lawmakers, SMEs are increasingly forced to ensure IT-Security. Against this background, a number of well-known institutions and bodies now involve themselves with the subject of Cyber-Security. One example is CFPA Europe, which has developed a comprehensive guide, “Protection of Business Intelligence”, in which the essential parameters for the implementation of information security in companies are presented. CFPA Europe is also working on the development of further common guidelines and on harmonized training courses on this topic. In addition, a large number of CFPA members are now discussing the topic, as a glance at various publications shows.

International standard is complex and expensive
The most widely known and probably the most extensive directive for Cyber-Security in larger enterprises is the internationally recognised standard ISO 27001. However, the expense, effort and resources required with ISO 27001 are significant – from risk analysis to the elaboration of the abstract requirements contained in the standard, up to the implementation of the concrete measures. For SMEs the certification is therefore usually associated with too high a cost and is hardly achievable. Against the background of this complexity, the statistics presented at the outset are not surprising: companies know the risk of an attack but do not adequately protect themselves. The lack of security measures is not an expression of carelessness, but rather a consequence of the overwhelming demands of IT security.

Free risk analysis as a first step
To encourage and help SMEs in particular to deal with this complex topic, questionnaires are available in several countries to raise awareness of the most important risks. A tool for carrying out a first risk analysis has been developed, for example, by CEPREVEN, the Spanish CFPA Europe member, and is offered online for free. More information is available at http://www.cepreven.com/cuestionario-ciberseguridad.
The German CFPA Europe member VdS has also worked on the topic and developed a system to support SMEs with regard to cyber-security.

VdS 3473: The solution for the SMEs
One way to easily implement IT-Security is VdS 3473. This standard, developed by IT experts, is oriented to ISO 27001 and implements 80% of the ISO standard at only 20% of the cost. The special strength of the VdS 3473 guidelines is in the consideration of the organisational level. Topics such as personnel, responsibilities, accesses, etc. are adequately covered, and small and medium-sized enterprises are overburdened neither organisationally nor financially. It is not without reason that VdS 3473 is one of the top three standards for the implementation of an information security management system, according to a BSI Cyber-Security survey.

VdS Quick-Check
How do companies actually implement the VdS guidelines? The first step towards IT-Security is an individual risk analysis. On the basis of the guidelines 3473, VdS offers a free Quick-Check, which can be carried out online by the company without any additional preparation. The check includes 39 questions, which can be answered within 20 minutes. The aim of the test is to determine the individual degree of protection. In the end, companies receive two evaluations: a compact and a more detailed report. The special features of the Quick-Check are the concrete recommendation measures for immediate action and their implementation.

Quick-Check for production environments
The previous VdS-Quick-Check focuses on the field of office communication. With a second test, VdS offers an analysis tool for companies that use industrial control and automation systems in their production, so-called Industrial Control Systems (ICS). These are often not taken into account when dealing with Cyber-Security. They are at a high risk as a result of the rapid growth in communications connections within the scope of Industry 4.0 projects. The Quick-Check for ICS therefore focuses on criteria such as very high availability requirements, aspects of remote maintenance and cooperation with manufacturers.

VdS-Quick-Audit systematically covers existing security gaps
The test is followed by the Quick-Audit. The security measures implemented on the basis of the Quick-Check results are analysed in detail. The subsequent report shows in detail what measures are to be taken, covers existing gaps and provides comprehensive suggestions for optimisation. These instructions can be implemented by companies with their own professional personnel, such as IT staff or information security officers, or with the support of VdS-approved consultants.

Certificate for customers and insurance companies
If all improvement measures are successfully implemented, companies will obtain a corresponding confirmation in the form of a certificate. With this they generate trust with their customers and partners. In addition, the certificate has yet another advantage: in order to safeguard the residual risk that remains despite comprehensive measures, companies should conclude a Cyber-Policy. Cyber-Insurance is already common practice in the USA and is also gaining in importance in Germany, especially in the face of the increasing risk potential. The certificate is used by the insurance company to assess the risk and provides more favourable policies for those companies which are proven to comply with the directives.

Just like Quick-Check and Quick-Audit, the VdS certificate is also based on the guidelines 3473 and is thus tailored to the requirements of SMEs. In order to grant the certificate, auditors examine the necessary documentation and verify on site that the measures have been implemented correctly. The VdS certificate has a validity of three years – however, annual, less extensive re-audits are provided. The certificate can later be used as a basis for certification in accordance with ISO 27001.

VdS Cyber-Courses are positioned in line with business practice
In order to firmly establish information security within the company, qualified employees become a decisive key factor. The necessary knowledge is provided by various VdS courses, which focus on different target groups. This includes courses for the information security officer, in which the participants learn how to interlink the necessary safety and security measures in such a way that the necessary level of protection within the company is defined and achieved with as little effort as possible. The course includes the teaching of theoretical knowledge as well as practical exercises and concludes with an examination. In addition, VdS offers courses on the VdS 3473 guidelines, for first-aid in the event of IT loss or damage, as well as a course on Cyber Security for insurers.

Conclusion
When implementing an information security management system, the question now is not whether it is necessary, but rather how it can be implemented. The reason for this is the complexity of ISO 27001, which presents small and medium-sized enterprises with insurmountable challenges. The difficulty, therefore, is to find the perfect measure of information security management. The ideal procedure takes into account the organisational business areas without overwhelming SMEs: VdS Guidelines 3473 are therefore the ideal standard for small/medium-sized businesses. The path to comprehensive protection leads through the free Quick-Check, the following audit and finally the certificate. In this way, companies achieve higher IT-Security, minimise the risk of financial losses or image damage, while still meeting the demands of customers, partners, legislators and lawmakers.

For more information on the VdS Cyber-Security standard, please visit www.vds.de/cyber
The free VdS-Quick-Check is available at www.vds-quick-check.de
The VdS courses on Cyber-Security are summarised at www.vds.de/lehrgaenge/cyber0/

Insurance Europe endorse Guideline

In April Insurance Europe endorsed CFPA E’s Guideline No. 1:2012 “Protection against flood”. This is the first Guideline they have endorsed, but they will continue with endorsements and have already decided how this work will be done.

“Endorsement from Insurance Europe is very important for all users of our Guidelines and of course it shows that our work is on a high level and that we are on the right track”, said Tommy Arvidsson, Director of CFPA E. “We have also discussions about endorsement with some other organizations and soon we can inform about their first endorsed Guideline.”

Today CFPA E has ratified more than 50 Guidelines. Most of these are about fire safety but there are ten Security Guidelines and six about Natural Hazards.

To download the Guideline click here

Half a century of prevention!

50 years marked by the consequences of the tragedy of the department store “A l’Innovation” in Brussels,

50 years of commitment for ANPI,

50 years of collaboration between the fire brigades of Brussels (today called SIAMU).

Nowadays, by its actions, ANPI asbl is the reference in Belgium that brings together all the actors of fire prevention (Federal Public Services, representatives of industries, insurance companies, engineering offices, prevention officers).

ANPI has become a source of inspiration in Europe and all over the world.

To celebrate its 50th anniversary, all the ANPI team invites you to join us on Monday 22 May 2017 in Brussels.

Please confirm your attendance before May 15, 2017 through http://kalahari-registration.be/anpi/ and find enclosed the programme of the day and roadmap.

Invitation NL  |  Invitation FR

Market surveillance for the smoke alarm devices: Summary of the results

60 different references of smoke alarm devices have been tested as part of market surveillance processes from several countries. The samples have been tested at ANPI according to EN 14604 for 6 requirements: battery removal indication, marking and data, directional dependence, initial sensitivity, fire sensitivity, and sound output.

The results have been statistically analysed along 2 axes: requirements and claimed certification scheme. The results provide the occurrence of noncompliances with the requirements. It appears that 33% of the sampled products are not compliant for at least 1 requirement, that 19% of the products have a problem with fire detection, and that products which claim at least one voluntary mark certification yield significantly better results, by a factor of 2 to 4, than those claiming CE only.

Complete Article in English

Complete Article in French

Complete Article in Dutch

Big interest for CFPA E

Tommy Arvidsson, CFPA E and Frank Euler, VdS in the booth at FeuerTRUTZ exhibition in Nuremberg

On 22-23 February there was a trade fair, the FeuerTRUTZ Exhibition, in Nuremberg, Germany. CFPA E was able to borrow a corner of the booth of VdS (CFPA E’s member in Germany) to inform visitors about our organisation and business. Between 400 and 500 people stopped to get information about us and approximately 60 persons signed up for a subscription to the Newsletter. “I had two very busy days but it was great to meet all these people who showed interest in our work”, said Director Tommy Arvidsson. “I hope we can expose our business in the same way in all countries where we have members”.

New Guideline on Protection of Business Intelligence

It is human nature to assume that those we meet in business are genuine, have integrity and are well-intentioned. Sadly, in an age of intense business competition this may turn out to be fatally naive. The readiness of unprincipled individuals and businesses to commit industrial espionage, sabotage and vandalism appears to be on the increase globally. This impacts the victim organisation through damage to competitiveness, market advantage, reputation and staff morale. Therefore CFPA Europe has published the Guidelines “Protection of Business Intelligence” (no. 10:2016/S). These valuable guidelines will help organisations to identify their vulnerabilities, detect the warning signals and take proactive action to implement those countermeasures and controls essential to secure the organisation’s operational and intellectual property.

New Guideline on Recommendations for the control of metal theft

At times of high market demand for metal as a result of worldwide economic developments, and the correspondingly high prices available for scrap metal, the theft of metal materials, particularly those attached to or outside buildings, such as cable, roofing, raw materials and finished products, causes significant disruption to business and community assets and can even result in injury and death. The problem can be mitigated partly by rigorous controls on scrap metal trading, but these should be supported by the type of security options discussed in the new guide published by CFPA Europe: “Recommendation for the control of metal theft” (no. 9:2016/S).

New Guideline on “Security in Schools”

The managers of our community schools bear a heavy responsibility for the wellbeing, safety and security of pupils whilst in their care. Young minds are especially vulnerable if their experience of school life is characterised by a perception that their school lacks control over property and personal crime and a generally threatening environment.

Furthermore, it goes without saying that the financial costs of inadequate risk management of criminal behaviour and natural hazards are particularly significant for the educational sector which, in most countries, experiences continuous budgetary pressure. Assaults on pupils and teachers, whilst thankfully uncommon, are on the increase and the assailant is usually legitimately on the premises rather than an outsider. The contents of schools – computers, musical instruments, video equipment etc. – unavoidably invite petty theft, and catastrophic loss through arson is an ever present risk.

Security risks are therefore wide ranging. The new CFPA-Guidelines “Security in Schools” (no. 8:2016/S) describe how they are manifested in schools and the sensible, practical and cost effective protection strategies and measures available to management.

New Guideline on Developing Evacuation and Salvage Plans for Works of Art and Heritage Buildings

Those responsible for the safe preservation of our cultural heritage bear a heavy responsibility, particularly as the buildings and objects in their custody, or under their control, are usually irreplaceable.  Responsible custodians and conservators are generally conscious of the need to keep property safe from accident, mishandling, negligence and natural hazards and can be expected to recognise the importance of fire and security risk management but it is all too easy to overlook the need to have in readiness a current and rehearsed plan for the minimisation of loss or damage in the event of a catastrophic event such as a fire or flood.  Prompt and effective action in such a crisis greatly increases the chance of valuable property being rescued or salvaged.

The CFPA-guideline “Developing Evacuation and Salvage Plans for Works of Art and Heritage Buildings” (no. 7:2016/S) will help establishments entrusted with art and heritage property such as museums, libraries, archives, and churches plan for the safe preservation of exhibits in the event of a catastrophic event such as a fire or flood, when timely action is critical.  Adoption of the guidance will also have the incidental effect of mitigating risks to the building itself.  Others with custody of art property such as warehouses, forwarding companies, galleries and trade exhibition centres will also find the document highly relevant.

Save the date: 4th international VdS conference “Fire Protection Systems” in April 2017 in Poland

On April 27th, 2017, the fourth international VdS-conference on fire protection systems will take place in Warsaw (Poland). International experts from the insurance sector, industry and fire protection organisations will make presentations on the following topics:

  • Legal and quality marks for fire protection products and systems
  • Fire protection installation from the insurers’ point of view
  • Sprinkler system design for storage facilities
  • Water mist system technology, VdS 3188
  • Fire Detection Systems in Power Stations
  • Gas extinguishing systems – Guidelines and practical experiences
  • Reliable fire protection by spark extinguishing systems
  • Experiences from Fire tests with Lithium-ion-batteries

In addition, there will be an exhibition over two days at the conference site. On the evening of June 26th a get-together with possibilities to visit the exhibition will be held.

“This is already the 4th conference in Warsaw, and we will offer also in 2017 an exciting information forum for planners, installers and operators of fire protection systems, as well as for fire protection engineers, fire safety officers from all industries and loss prevention experts from the insurance industry”, Tomasz Afeltowicz-Schultz, Head of VdS offices Poland and Director of the event says. “And the conference exhibition with renowned specialist companies offers also this time the optimal opportunity for the professional exchange of fire protection experts.”

Conference languages are Polish and English with simultaneous translation.

The participants of the VdS-conference also have the possibility to visit the conference of the European Fire Sprinkler Network (EFSN) on April 26th, 2017, at the same place at a reduced price.

You will find more information by visiting the conference-web site at www.vds.de/conference-pl