Information is a mission-critical asset for a growing number of businesses, and their dependency on information systems is increasing rapidly. The complexity and global dispersal of information that these systems create entail greater risks to the business.
The solution is not to impose a patchwork of security products, such as a firewall here and an antivirus program there. The solution is to take a holistic approach, identifying risks and balancing the right level of protection through methodical information security management. Realizing that security is much more than technology is an important step on the way. Proper security is a profitable investment that provides the opportunity to focus on operations and the core business.
On the basis of academic, analytical and efficient working practices combined with business understanding, Kirei works primarily with three main areas of information security:
- Information Security Management Systems (ISMS)
- Security auditing, requirements definitions and system architectures
- Security in communications infrastructure
- Standardization and Development
Information Security Management
Within the area of Information Security Management, we work to ensure that our customers get a sharp tool for assessing risks, taking protective measures and evaluating the measures taken in a consistent, accurate and repeatable way, so that the right balance between protection and business risk is achieved.
Businesses should have the information security protection necessary with respect to the operation's nature, extent and other circumstances. A risk analysis is the basis for a well-suited information security protection regime; it is both an activity that aims to identify assets requiring protection and a documentation of the rationale for what is worth protecting. The risk analysis shall also relate the identified assets to the threats that the business may be exposed to and the vulnerabilities that the business may be afflicted with. Finally, the risk analysis aims to develop a decision basis for safeguard measures and to establish the traceability of this material.
Within the area of information security management and governance, Kirei has supported our customers through the certification process for both the international information security management system standard ISO/IEC 27001:2013 and the IT security framework SysTrust.
Security Auditing, Requirements Definitions and System Architecture
When changing or introducing new systems, it is of crucial importance that security and quality aspects are taken into consideration from the beginning, and that system security can be maintained even after the project has been completed. We therefore support all of a project's phases through the definition of security requirements, design of the system architecture, procurement support, as well as validation, quality assurance and security audits.
We can also assume the role of a control function, where we audit against the relevant security standards, regulatory or business requirements, specific identified risks, or a combination of these. In other contexts, we evaluate the security of specific components on a more technical level, often based on the Common Criteria (CC), its evaluation methodology (CEM) and a protection profile, down to the implementation level.
Security in Communications Infrastructure
Today almost all information systems rely upon open, robust and high-performance communication services. We use our experience from large operator networks, metropolitan area networks and corporate networks to define requirements for, dimension and provide quality assurance of critical network infrastructure.
We design and implement robust communication solutions tailored to the individual business, sometimes designed to meet even the most stringent requirements for capacity, latency, resiliency and resistance to denial-of-service attacks. We also work with infrastructural services, where in a few areas we have unique expertise, for example in the security and robustness of the domain name system and in ensuring that emergency calls can be placed and received over IP according to ECRIT principles.
Standardization and Development
Kirei has been driving standardization in a number of areas with an emphasis on security. For over 15 years we have been working on the standardization of DNSSEC, i.e. cryptographic functions in the global domain name system (DNS). With DNSSEC it is possible not only to determine that the information conveyed via the domain name system is authentic; it is also possible to use the infrastructure for secure key exchange, so that two or more parties on the Internet can communicate securely and with confidentiality. Kirei has also assisted in introducing these security features in the DNS root operated by ICANN and in a number of both national and generic top-level domains.
Another area where Kirei has long-standing commitments is electronic identification. Kirei participated in authoring the Swedish Government Official Report The eID Board and the Swedish eID (SOU 2010:104), which founded the model of the Swedish e-identification system and established the Swedish E-identification Board. Since then, Kirei has developed and anchored the assurance framework that forms the normative security requirements definition applicable to all issuers of Swedish eID. Through the work on the national eID structure we were able, together with mainly British and Danish contributions, to author significant parts of the European Implementing Regulation (EU) 2015/1502 establishing the assurance levels for European cross-border identification.
A third area where Kirei provides significant development efforts is the coordination and standardization work in the public transport sector in Sweden. Kirei is developing the national technical specifications that will enable secure, interoperable electronic ticketing and information exchange between both publicly funded and commercial operators in the industry.