IT Foundations

As with ancient Greek temples, choosing and assembling the right, lasting supporting pillars is of paramount importance for a reliable and durable design. Nowadays, analogous foundations have to be built to satisfy the business's demands for fail-safe and persistent IT solutions. In this competency, we have identified four major pillars in which we specialize to help you strengthen your IT foundations and thereby support your business:

Each of these areas contributes significantly to safe, successful, and efficient IT operations.

Due to their importance for your organization, we are often asked to review them, e.g. your IT architectural elements and building blocks or your information security approach, in an audit-like fashion. Such a short engagement gives you valuable feedback on where you stand and how you could improve your setup.


IT Architecture and EAM

For us, IT architecture refers to both the management- or application-specific planning, design, and implementation of IT systems and Enterprise Architecture Management (EAM).

Depending on the size and current structure of your IT landscape, we analyze the various elements of these systems, including

  • Software,
  • Hardware,
  • IT management processes,
  • Operational (human) skills, as well as
  • Information flow and interfaces,

which all contribute to their performance. This activity forms the foundation for a definition of your as-is landscape. Besides serving as input for subsequent steps like EAM, it can be used on its own to identify risks and bottlenecks.

From a higher vantage point, and using the outcome of the systems' analyses where required, we support your enterprise architecture management journey towards your to-be landscape. This focuses on the following major activities:

  • Derive and create architecture guidelines aligned with, and taking into account, both business and IT strategy, which allow us to
  • provide migration paths from the as-is to the to-be landscape, thereby leveraging
  • further standardization and operational process efficiency.

Information Security

Achieving 100% information systems security is not possible.

If you accept this statement as a starting point, we gladly work with you to get your organization as close to this unreachable target as the impact your business is willing to accept allows.

Over the last two decades we have been auditing, analyzing, designing, and supporting the provisioning of information systems security solutions for our customers.

Depending on their needs or the security incident in focus, our contribution to the customer's IT security team(s) has been delivered at various organizational levels:

  • Together with the Chief Information Security Officer (CISO) or a comparable team lead we worked on and delivered, for example,
    • IT security strategy;
    • Local, regional, and global policies for users, systems, and processes;
    • Security awareness programs and ethical training;
    • Information Security & Risk Management System (ISRMS);
    • Risk registers, etc.
  • To improve operational security, we e.g.
    • executed or supported IT security assessments,
    • analyzed sensitive internal processes,
    • reviewed cloud security solutions and standards,
    • implemented corporate public key infrastructures,
    • established electronic signature processes, and
    • designed information and data classification models.
  • At a technical level, our security projects virtually stretched over all layers of the ISO Open Systems Interconnection model (OSI model), from OSI layer 1 to layer 7.


All our work in the information systems security domain strictly follows globally accepted best-practice standards, among them COSO, COBIT, the ISO/IEC 27000 series, and ITIL, just to name a few.


Legal & Regulatory Compliance

From the perspective of IT foundations, adopting as early as possible, and respecting throughout the organization, the rules that legal and regulatory compliance implies for day-to-day operation represents one of the major driving forces on the way to operational IT maturity.

This rests on the two inherent preconditions of compliant operations: planning ahead before execution, and following processes.

Independent of the particular regulated area,

  • the need to reflect on what one is doing,
  • considering input and possible outcome,
  • possibly testing it before going ahead,
  • creating a fallback strategy,
  • documenting the activity, typically as a change request,
  • requiring formal review and approval by another entity, and
  • sometimes being challenged to justify the approach,

as well as other possible tasks, form one of the major supporting pillars for the growing maturity of IT operations.

Our customers are driven by industry-specific compliance requirements, such as those of the pharmaceutical or medical device industries, or by more generic ones like data protection and privacy regulations. Both extend deeply into the design and execution framework of information technology processes.

Whereas the former is a long-standing practice in most organizations affected by it, a review and possible restructuring carries potential for efficiency gains due to the new risk-based approach of the Good Automated Manufacturing Practice Guide for Validation of Automated Systems in Pharmaceutical Manufacture, version 5 (GAMP 5). Being the best known of the International Society for Pharmaceutical Engineering's (ISPE) guides, it touches virtually all areas of production and how to process the data within and resulting from it.

Looking at the latter, data protection and privacy regulations, the General Data Protection Regulation (GDPR) of the European Union (EU), finalized in 2016 and in force for all individuals within the European Union since the end of May 2018, is the "new kid on the block".

Being directly binding within the European Union and the European Economic Area without national legislation, it presents a cornucopia of partly new data handling concepts and assigns rights to individuals to control the processing and storage of their personal data. The resulting demands must be fulfilled by IT organizations as well, and they apply to every company globally that does business with EU consumers.

In both of these regulatory domains, the solutions we developed together with our customers included

  • full and efficient, risk-based qualification of complete IT infrastructure,
  • GxP/FDA compliant design of laboratory data processing and management,
  • security auditing in GxP production environments,
  • GDPR-driven process design and implementation of IT related tasks.

Identity & Access Management (IAM)

Ideally, for each individual who needs to interact with electronic systems, there is one and only one corresponding electronic or digital identity.
This electronic identity allows

  • to authenticate the user,
  • to protect the user's data,
  • to have the user sign on everywhere (Single Sign-On) within the organization's IT systems,
  • to authorize the user by assigning roles and access privileges,
  • to enforce policies upon users,
  • to remove rights if the user leaves the company,

and much more.

But, in reality, you observe:

  • Each organization runs on- and offboarding processes for its staff, usually assigned to and executed by the Human Resources department. Lists of new or departed employees are typically forwarded to other departments for processing.
  • Individual departments directly acquire cloud resources, e.g. to share data with external partners, and manage their user accounts directly.
  • Access to the corporate network from outside relies on a set of credentials which is separate from the internal user logon data.
  • The warehouse management system presents a separate logon challenge to its users, based on separate accounts in its own database, "to protect it better".

Sounds familiar? From our experience, you are not alone. Historically grown and continuously maintained data silos are common practice, to be found in virtually every organization. Especially in the management of digital identities, which is at the core of Identity and Access Management (IAM), most attempts to break up such silos are indeed initiated, but stay at the same technical level and within the respective silo.

Contrary to that approach, understanding IAM from the beginning as an objective which demands alignment at the corporate level is the only way to successfully master this topic in both domains, user acceptance and information security.

Working with our customers in this area, we have always started our engagements by separating the abstract discussion from the technical implementation work required. The former is needed to remove potential barriers which would otherwise block the solution-finding process before it has even started.
This methodology allowed us to achieve, together with our clients:

  • Establishment of a central repository for digital identities at corporate level,
  • Integration of activities from various departments with the intertwined tasks run by the IT department's identity systems,
  • Creation of standardized and secure processes for identity management, optimized from the security perspective (e.g. two-factor authentication, where required),
  • Connectivity to cloud providers to manage the corporate digital identities in the multi-tenant environment,
  • Awareness of, and in the mid-term acceptance of, data-ownership concepts, which in turn feed and support rights and access management concepts.