Information Security

Holistic information security and quality management

Security and quality are of paramount importance to Projektron GmbH. After all, secure software development and high-performance business processes represent the core of our web-based project management solution and our company. That is why we attach great importance to holistic information security and quality management. Here you can find out what measures we have implemented to create a secure environment and what we are planning for the future.


Regular security updates and bug fixes

Installing updates regularly is one of the most important security measures that users of Projektron BCS should pay attention to. We are constantly working to identify potential security vulnerabilities and fix them immediately, so every update to our software includes bug fixes and eliminates known security risks. Update your BCS installation regularly to be protected against potential risks in the best possible way.

View the latest security-related changes

Organizational measures

We strive for a high level of information security in the company. The general goals of information security apply to us across all areas of the company:

Confidentiality, integrity and availability.

We implement these organizational measures

Security check

Projektron BCS is regularly checked for security vulnerabilities according to recognized procedure models such as the OWASP Testing Guide.

Projektron BCS

To implement the ISMS, our in-house software Projektron BCS was extended in a dedicated project.

ISMS

With the introduction of an information security management system (ISMS), information security was anchored organizationally in the company and important information security processes such as risk management were established.

Employee training

All employees receive awareness training on information security. These training sessions are held regularly, as refreshers or on current topics, and new employees are trained directly during their induction.

Team of experts

A team of experts for security in development has been set up in the company to deal with current IT security issues.

Emergency manuals

In order to respond quickly to security incidents and limit potential damage, emergency response concepts have been developed and recorded in emergency manuals.

Further training

Employees receive need-based training to raise their awareness of information security objectives and risks.

DSMS

We use a data protection management system (DSMS) in accordance with the EU General Data Protection Regulation (EU GDPR).

ISMS officer and team

Projektron actively works on information security and the associated processes. A team takes care of compliance with security goals on an ongoing basis.

ISO 27001

The most important core processes such as product development, support, IT services and IT administration have been certified according to the ISO 27001 standard by TÜV Süd.

System audits

All IT services undergo a structured security assessment in annual system audits, with a focus on risk assessment, access rights and encryption.

Product development

Taking information security into account in the Projektron BCS development process is fundamental to achieving Projektron GmbH's information security goals.

We implement these information security measures in product development

Roles and rights concept

A customer-specific, adaptable roles and rights concept provides the basis for limiting access to data and information to authorized persons only.

Password vault

Passwords required for third-party systems can be stored cryptographically securely in a password vault.

Encrypted connections

Encrypted communication is possible for secure data transfer between Projektron BCS and users or external systems (HTTPS, IMAPS, SMTPS).

SQL injection, cross-site scripting & cross-site request forgery

Projektron BCS is protected against these attack techniques.

Secure passwords

Passwords are stored in Projektron BCS as PBKDF2 hashes with a per-user salt and a server-side pepper.
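As an added illustration (not Projektron's code; the product's actual iteration count, digest and pepper handling are not published on this page), this is how a salted and peppered PBKDF2 password store works: the pepper is a server-side secret applied as an HMAC key before key stretching, and the PBKDF2 parameters are stored alongside the hash so they can be raised later without breaking old records.

```python
import hashlib
import hmac
import os

# Constructed demo parameters; pick a digest and iteration count from current
# guidance (e.g. BSI TR-02102 / OWASP) for a real deployment.
PBKDF2_DIGEST = "sha256"
PBKDF2_ITERATIONS = 210_000

# The pepper is NOT stored next to the hash. In production it comes from a
# secrets store or HSM; the environment-variable fallback here is a demo value.
PEPPER = os.environ.get("PASSWORD_PEPPER", "constructed-demo-pepper").encode()


def _peppered(password: str) -> bytes:
    # Bind the password to the pepper via HMAC, so a leaked database of hashes
    # cannot be brute-forced offline without also obtaining the pepper.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: "bytes | None" = None) -> str:
    """Return a self-describing record: pbkdf2-<digest>$<iterations>$<salt>$<hash>."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac(PBKDF2_DIGEST, _peppered(password), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-{PBKDF2_DIGEST}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record; constant-time compare."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        digest = algo.split("-", 1)[1]
        dk = hashlib.pbkdf2_hmac(digest, _peppered(password),
                                 bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(hash_hex)
    except (ValueError, IndexError, TypeError):
        return False  # a malformed record is a failed verification, not a crash
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                # False
```

Because the salt is random, hashing the same password twice yields two different records; because the pepper is secret, the records alone are not enough to mount an offline dictionary attack.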

Guidelines for passwords

Projektron BCS supports guidelines for passwords regarding password complexity and change frequency.

Single sign-on

Support for authentication via Active Directory (LDAP/Kerberos) or OAuth 2.0 with OpenID Connect.

Brute force attacks

User accounts are protected by enforcing a waiting period after several failed login attempts. If required, access to individual accounts can be restricted to specific IP addresses and IP ranges.

2-factor authentication

Additional protection of the login via a second factor generated according to the TOTP procedure.

Internal policy "Secure software development"

The aim is to minimize security deficits and vulnerabilities in the development of Projektron BCS and to react appropriately to such deficits and vulnerabilities, among other things by using the OWASP Top 10 and SANS 25.

Pentests

In cooperation with our customers, pentests are performed on a regular basis. The results of these tests are continuously incorporated into the development and protection of Projektron BCS.

SANS 25

The SANS 25 lists the 25 most dangerous and relevant software weaknesses. Its scope is therefore broader than that of the OWASP Top 10, which focuses specifically on web applications.

Automated testing

Projektron BCS is tested for both functionality and usability. Common attack patterns can be tested automatically.

OWASP Top 10

The OWASP (Open Web Application Security Project) Top 10 lists the ten most widespread and important flaws or vulnerabilities for web applications.


Hosting / SaaS

We know that a secure system is important to you, especially if you host Projektron BCS with us or our service provider. Therefore, we have taken various measures to make our hosting even more secure.

These are the measures we take for secure hosting

Pentest

Our hosting undergoes an annual pentest.

SSL

When hosting, you access Projektron BCS via encrypted access with an SSL certificate.

Maintenance windows

There are regularly scheduled maintenance windows to apply updates and patches. In the event of an acute security breach, unscheduled updates are carried out and announced two hours in advance.

Firewall

A central firewall with strict filter rules configured individually per customer protects you from external attacks. A web application firewall can be provided on request.

Separate database servers

Customer data is located on separate database servers. This enables better performance and the setup of individual interfaces.

Automated updates

The virtual machines and Projektron BCS are updated automatically so that you are always up to date and secure.

CVS

Our customers are automatically connected to the configuration versioning service (CVS). This means that their configurations are managed within an SVN repository.

HTTPS/SFTP/SSH & SCP

You access your virtual machine exclusively via secure connections (HTTPS/SFTP/SSH), for example to create backups or data copies (via SCP).

VPN tunnel

The virtual machines are not accessible via the Internet. Projektron only accesses them via VPN tunnels.

Backup and restore

The hosting provides backups and fast recovery if needed.

Availability

We guarantee the agreed availability, which is permanently monitored.

Security guard

The data center is supervised 24/7 by an on-site security guard.

Location in Germany

The data center is located in Germany and is subject to high security levels. It belongs to the Tier IV class and has redundant ISP points of presence (PoPs).

Access control

The data center may only be entered by authorized persons entrusted with the task, and only after prior registration.

Certified

Our data center and Projektron's security-related areas are certified according to ISO 27001. The data center also has other certificates: VdS ISO 9001 NSL and IS, DIN 14675 for BMA and DIN EN 50518.

Carsten Münch

First Business Partner & Team Coordinator Application Management, TÜV Rheinland Service GmbH

"We have implemented single sign-on so that our employees don't have to enter a password and can use a secure and modern login procedure."

Thomas Hackenbuchner

Head of Finance & Administration, MicroNova AG

"When it comes to information security, BCS provides support through the option of assigning additional attributes to projects. For example, we can classify projects in terms of their need for protection or mark whether it is a project with prototype protection. Based on these markings, we can derive and initiate further process steps."

Kevin Botsch

BCS Technical Product Management, Finanz Informatik Solutions Plus GmbH

"As a consulting, development and integration service provider for business applications in the financial sector, software security and transparent processes are important to us. Due to our growth to date and the constantly increasing number of users, user-friendliness and intuitive operation have also become important factors. With Projektron BCS, we have found a system that meets these requirements exactly. In addition, BCS can also be flexibly adapted to our needs and enables us to make numerous process improvements."


Support

For the technical support of our customers, we work with our in-house support portal. In doing so, we always pay attention to quality and, above all, to the secure handling of information.

Our measures for security in handling information in support

Support portal

The support portal for customers is used for the secure exchange of information and transfer of data. Communication takes place via tickets with a folder for data exchange.

CVS

The configuration versioning service (CVS) is a central configuration store for customers and Projektron itself. The configurations are managed within an SVN repository.

Access authorization

The customer's contact persons have personalized access to the support portal.

FAQ

We regularly provide security-related information for customers within the support portal.

Encryption

The support portal can only be accessed via encrypted access.

IT administration

Information security is also an important concern for our internal IT administration. We follow the state of the art in securing our systems and in keeping them secure.

Our measures for securing our systems in IT administration

Central software distribution

Required software is distributed centrally to the workstations and kept up to date.

Monitoring

Internal services are monitored to ensure availability and to be able to react quickly in case of problems.

Redundant network technology

Internet line, firewall and central switches are redundant.

Cryptography

Compliance with the recommendations of the BSI Technical Guideline BSI TR-02102 is checked annually.

Internal certification authority

Internal services are encrypted using certificates issued by a separate, internal certification authority.

SVN

Internal versioning services are thematically separated and access is controlled via groups of people.

E-mail

Incoming mail traffic is monitored and initially quarantined in case of doubt.

VPN

VPN access is available to employees for mobile working.

Backup & Restore

Internal services are backed up daily and can be quickly restored to the status of the last backup. The restore process is tested every six months.

Encrypted data transfer

Employees who need to take released data with them for mobile work can use encrypted USB sticks protected by a numeric code.

Further measures

Of course, we do not stop working on ourselves and our processes and systems at this point. To ensure that we are always prepared for the latest threats and requirements, we maintain an active exchange of experience with our customers. We are also continuing to expand our team of experts and have certain employees trained as specialists on the subject of security. Further measures are currently in progress or planned in the near future:

Data protection certificate

With the DSMS, we want to obtain a certificate for data protection, both for our company and for our Projektron BCS product.

ITIL

We have already implemented some best practices of the IT Infrastructure Library (ITIL) and plan to integrate more of them in our company.
