Information Security

Holistic information security and quality management

Security and quality are of paramount importance to Projektron GmbH. After all, secure software development and high-performance business processes represent the core of our web-based project management solution and our company. That is why we attach great importance to holistic information security and quality management. Here you can find out what measures we have implemented to create a secure environment and what we are planning for the future.

Organizational measures

We strive for a high level of information security in the company. The general goals of information security apply to us across all areas of the company:

 Confidentiality            Integrity          Availability

We implement these organizational measures

Security check

Projektron BCS is regularly checked for security vulnerabilities according to recognized procedure models such as the OWASP Testing Guide.
  		 

Projektron BCS

In order to implement the ISMS, the in-house software Projektron BCS was further developed in a project.

ISMS

With the introduction of an information security management system (ISMS), information security was anchored organizationally in the company and important information security processes such as risk management were established.
  		 

Employee training

All employees are sensitized and trained on the subject of information security. These training sessions are held regularly as a refresher or for current topics, and new employees are also trained directly during their induction.

Team of experts

A team of experts for security in development has been set up in the company to deal with current IT security issues.
  		 

Emergency manuals

In order to respond quickly to security incidents and limit potential damage, emergency response concepts have been developed and recorded in emergency manuals.

Further training

Employees receive need-based training to raise their awareness of information security objectives and risks.
  		 

DSMS

We use a data protection management system (DSMS) in accordance with the EU Data Protection Regulation (EU GDPR).

ISMS officer and team

Projektron actively works on information security and the associated processes. A team takes care of compliance with security goals on an ongoing basis.
  		 

ISO 27001

The most important core processes such as product development, support, IT services and IT administration have been certified according to the ISO 27001 standard by TÜV Süd.

System audits

Structured security assessment of all IT services using annual system audits with a focus on risk assessment, access rights and encryption. 		   

  

Product development

Taking information security into account in the Projektron BCS development process is fundamental to achieving Projektron GmbH's information security goals.

We implement these information security measures in product development

Roles and rights concept

A customer-specific, adaptable roles and rights concept provides the prerequisite for limiting data or information access to the authorized person.
  		 

Password vault

Passwords required for third-party systems can be stored cryptographically securely in a password vault.

Encrypted connections

Encrypted communication is possible for secure data transfer between Projektron BCS and users or external systems (https, imaps, smtps).
  		 

SQL injection, cross site scripting & cross site request forgery

Projektron BCS is protected against these attack techniques.

Secure passwords

Passwords are secured in Projektron BCS via PBKDF2 algorithm with Salt and Pepper.
  		 

Guidelines for passwords

Projektron BCS supports guidelines for passwords regarding password complexity and change frequency.

Single sign-on

Support for authentication via Active Directory (LDAP/KERBEROS) or OAuth 2.0 with OpenID Connect.
  		 

Brute force attacks

Protection of user accounts by waiting for several failed login attempts. Access to individual accounts can be allowed only for specific IP addresses and IP ranges, if necessary.

2-factor authentication

Additional protection of the login via a second factor generated according to the TOTP procedure.
  		 

Internal policy "Secure software development

The aim is to minimize security deficits and vulnerabilities in the development of Projektron BCS and to react appropriately to such deficits and vulnerabilities, among other things by using the OWASP Top 10 and SANS 25.

Pentests

In cooperation with our customers, pentests are performed on a regular basis. The results of these tests are continuously incorporated into the development and protection of Projektron BCS.
  		 

SANS 25

The SANS 25 lists the 25 most dangerous (and relevant) vulnerabilities in software. The considerations are thus more holistic than the specific view of the OWASP Top 10 on web applications.

Automated testing

Projektron BCS is tested for both functionality and usability. Common attack patterns can be tested automatically. 		 

OWASP Top 10

The OWASP (Open Web Application Security Project) Top 10 lists the ten most widespread and important flaws or vulnerabilities for web applications.

   

Hosting / SAAS

We know that a secure system is important to you, especially if you host Projektron BCS with us or our service provider. Therefore, we have taken various measures to make our hosting even more secure.

These are the measures we take for secure hosting

Pentest

Our hosting undergoes an annual pentest.
  		 

SSL

When hosting, you access Projektron BCS via encrypted access with an SSL certificate.

Maintenance windows

There are regularly scheduled maintenance windows to apply updates and patches. In the event of an acute security breach, unscheduled updates are carried out and announced two hours in advance.
  		 

Firewall

A centralized firewall with strict filter rules individually per customer protects you from external attacks. A firewall for web applications can be provided on request.

Separate database servers

Customer data is located on separate database servers. This enables better performance and the setup of individual interfaces.
  		 

Automated updates

The virtual machines and Projektron BCS are updated automatically so that you are always up to date and secure.

CVS

Our customers are automatically connected to the configuration versioning service (CVS). This means that their configurations are managed within an SVN repository.
  		 

HTTPS/SFTP/SSH & SCP

You generally only access your virtual machine via secure connections (via HTTPS/SFTP/SSH) and thus create backups or data copies (via SCP), for example.

VPN tunnel

The virtual machines are not accessible via the Internet. Projektron only accesses them via VPN tunnels.
  		 

Backup and restore

The hosting provides backups and fast recovery if needed.

Availability

We guarantee the agreed availability, which is permanently monitored.
  		 

Security guard

The data center is supervised 24/7 by an on-site security guard.

Location in Germany

The data center is located in Germany and is subject to high security levels. It belongs to the Tier IV class with redundant ISP POP.
  		 

Access control

The data center may be entered only by the authorized persons entrusted with the task fulfillment with prior registration.

Certified

Our data center and Projektron's security-related areas are certified according to ISO 27001. The data center also has other certificates: VdS ISO 9001 NSL and IS, DIN 14675 for BMA and DIN EN 50518. 		   

  

Thomas Hackenbuchner

Head of Finance & Administration, MicroNova AG

"When it comes to information security, BCS provides support through the option of assigning additional attributes to projects. For example, we can classify projects in terms of their need for protection or mark whether it is a project with prototype protection. Based on these markings, we can derive and initiate further process steps."

Kevin Botsch

BCS Technical Product Management, Finanz Informatik Solutions Plus GmbH

"As a consulting, development and integration service provider for business applications in the financial sector, software security and transparent processes are important to us. Due to our growth to date and the constantly increasing number of users, user-friendliness and intuitive operation have also become important factors. With Projektron BCS, we have found a system that meets these requirements exactly. In addition, BCS can also be flexibly adapted to our needs and enables us to make numerous process improvements."

 

Support

For the technical support of our customers we work with our in-house support portal. In doing so, we always pay attention to the quality and, above all, the security of information handling.

Our measures for security in handling information in support

Support portal

The support portal for customers is used for the secure exchange of information and transfer of data. Communication takes place via tickets with a folder for data exchange.
  		 

CVS

The configuration versioning service (CVS) is a central configuration store for customers and Projektron itself. The configurations are managed within an SVN repository.

Access authorization

The customer's contact persons have personalized access to the support portal.
  		 

FAQ

We regularly provide security-related information for customers within the support portal.

Encryption

The support portal can only be accessed via encrypted access. 		   

  

IT-Administration

Information security is also an important concern for our internal IT administration. We are guided by the state of the art to secure the systems and continue to secure them.

Our measures for securing our systems in IT administration

Central software distribution

Required software is distributed centrally to the operating computers and kept up to date.
  		 

Monitoring

Internal services are monitored to ensure availability and to be able to react quickly in case of problems.

Redundant network technology

Internet line, firewall and central switches are redundant.
  		 

Cryptography

Recommendations of the BSI Technical Guidelines (BSI TR-02102) are tested annually.

Internal certification authority

Internal services are encrypted via a separate certification authority.
  		 

SVN

Internal versioning services are thematically separated and access is controlled via groups of people.

E-mail

Incoming mail traffic is monitored and initially quarantined in case of doubt.
  		 

VPN

VPN access is available to employees for mobile working.

Backup & Restore

Internal services are backed up daily and can be quickly restored to the status of the last backup. The restore process is tested every six months. 		 

Encrypted data transfer

If employees want to take released data with them into mobile work, they can use encrypted USB sticks with a numerical code for this purpose.

  

Further measures

Of course, we do not stop working on ourselves and our processes and systems at this point. To ensure that we are always prepared for the latest threats and requirements, we maintain an active exchange of experience with our customers. We are also continuing to expand our team of experts and have certain employees trained as specialists on the subject of security. Further measures are currently in progress or planned in the near future:

Data protection certificate

With the DSMS, we want to obtain a certificate for data protection, both for our company and for our Projektron BCS product.
 

ITIL

We have already implemented some best practices of the IT Infrastructure Library (ITIL) and plan to integrate more of them in our company.
 

  

All references To top