Information Security in the Financial Sector: How Frankfurter Sparkasse is Tackling the Mammoth Task

4. July 2024

The digital transformation in the financial sector has created new areas of attack for cyber criminals and therefore significant risks for companies. The result: ever-increasing internal and external demands on the information security of financial institutions and their service providers. This wave of cyber regulation can be a considerable burden for organizations. Read here how Frankfurter Sparkasse is mastering this challenge with the help of usd AG.

Information security at Sparkasse

Most institutions within the Sparkasse association use the SIZ product "Sicherer IT-Betrieb" (SITB) for the planning, implementation and documentation of their information security management in accordance with the ISO 27000 series standards in order to meet the internal and external requirements for information security management. The SITB contains a total of over 1,000 requirements, which are bundled into various requirement profiles. Each IT asset at a Sparkasse institution must be assigned such a profile and compliance with the requirements must be ensured.

New versions of the SITB are usually published around once a year and also in the event of major changes to the threat landscape or the introduction of new relevant regulation. With version 20 of the SITB, the Sparkasse institutions were faced with an extensive update, which was accompanied by a large number of new requirements. Reviewing the implementation within an institution takes up a lot of resources. For this reason, a team of experts from usd AG, led by Simon Weickart and Philipp Konow, provided strategic and operational support to Frankfurter Sparkasse during the implementation process.

Frankfurter Sparkasse is one of the largest institutions within the Sparkasse association with around 1,500 employees and a large number of assets worth protecting. Information security projects or large-scale changes in requirements management therefore quickly become very complex and extremely time-consuming for everyone involved. That's why it was important for us to bring in external expertise. In usd AG, we have found a trustworthy partner with extensive experience in information security and in-depth knowledge of the financial sector.


Jens Heinisch, Head of Operations and Process Organization, Frankfurter Sparkasse

Hands-on help

The usd AG team started the project with an in-depth target-performance analysis to identify and document deviations from the new SITB 20 requirements within Frankfurter Sparkasse. In the next step, the resulting risks were recorded, analyzed and evaluated as part of the risk management process. Existing processes were also refined during this phase of the project. Complete documentation of all project steps was of central importance for the success of the project and future audits.

In addition to the necessary expertise, all of these activities require one thing above all else for a company the size of Frankfurter Sparkasse: time. Time that the employees of Frankfurter Sparkasse would lack to fulfill their core tasks. It was therefore natural for our experts to support them not only in an advisory capacity, but also provide them with hands-on assistance in fulfilling their tasks.

Like the majority of companies in the financial sector, Frankfurter Sparkasse outsources many processes to external service providers. As any outsourcing can entail considerable information security risks, supply chain security is a key requirement in almost all regulatory frameworks. The project scope was therefore quickly extended from internal processes and assets to external service providers.

Regardless of how our original project framework is defined, if we identify potential for improvement in our customers' information security as part of our consulting activities, we draw their attention to this and of course support them in exploiting this potential through targeted adjustments. We were very happy that Frankfurter Sparkasse was extremely open to our advice. With some practical implementation support, we were able to improve information security in the company even beyond the requirements of the SITB.


Philipp Konow, Senior Security Consultant, usd AG

An unexpected turn

While the implementation project for SITB 20 was still in full swing, SITB 21 appeared - and with it a new set of requirements.

We've all been there: As soon as you're on the home straight in a project, a new regulation or new version of a standard appears and the course is suddenly set anew. In a situation like this, you have to react quickly and flexibly. We were able to fully rely on our contact partners at usd AG: At short notice, they made it possible to repeat affected project steps again and were always available for us if we had any follow-up questions.


Stefan Sohn, Group Head of Project and Process Management, Frankfurter Sparkasse

Nothing in the financial world is static, be it cyber risks, regulatory requirements or the financial institutions themselves. It is therefore in the nature of things that we often have to deal with changing conditions in information security projects. This is much easier if you create a stable foundation, for example in the form of good guidelines, a clean inventory and clearly defined processes. It is precisely this foundation that will help Frankfurter Sparkasse with its next major information security project: DORA.


Simon Weickart, Managing Security Consultant, usd AG

DORA on the horizon

With the Digital Operational Resilience Act (DORA), which will apply from 17.01.2025, the financial sector must once again face a new flood of requirements. Frankfurter Sparkasse is getting ready to implement the EU regulation with the support of usd AG.

It is a remarkable commitment by Frankfurter Sparkasse to move almost seamlessly from one major security project to the next. We are delighted that we are also able to accompany them as a partner in their DORA project and that we are already in the middle of implementing the requirements after extensive preparatory work. This puts Frankfurter Sparkasse well ahead of many other institutions.


Felix Schmidt, responsible for the financial sector at usd AG

After the project is before the project, that's often the case in our industry. Especially if you want to do justice to the vital issue of information security. There is certainly still a lot for us to do before DORA is fully implemented, but we are optimistic that we will successfully master this project as well, together with usd AG.


Denan Solaković, Group Head of IT Governance, Project Manager DORA, Frankfurter Sparkasse


About Frankfurter Sparkasse

Frankfurter Sparkasse was founded in 1822 and is today the market leader in retail banking in the Rhine-Main region. As part of the Helaba Landesbank Hessen-Thüringen Group and with its partners from the Sparkassen-Finanzgruppe, it offers all financial services for private, commercial and corporate customers. It advises customers with empathy and competence and is there for them personally and digitally: with its dense network of branches and service centers, on the phone and online. Together with its foundations, Frankfurter Sparkasse has always assumed sustainable responsibility for people, companies and the environment in the region.

https://www.frankfurter-sparkasse.de/de/home.html

Also interesting:

DORA Countdown: One Month Left Until the Deadline

DORA Countdown: One Month Left Until the Deadline

DORA, the Digital Operational Resilience Act, will fully apply as of 17 January 2025. We have summarized everything you need to know about the EU regulation, preparation and best practices from our news blog.

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

PCI DSS v4.0: In March 2024, version 4.0 of the Payment Card Industry Data Security Standard became mandatory after a two-year transition phase. Just a few months later, version 4.0.1 was released as a minor update of the standard, which will become mandatory on...

Top 3 Vulnerabilities in SSO Pentests

Top 3 Vulnerabilities in SSO Pentests

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...

Categories

Categories