Lead in IT security and regulatory compliance
Due to our company's origins and core business focus in finance, tax and FinTech, adorsys' organization and culture is specialized in regulatory IT compliance according to COBIT, including a comprehensive IT security perspective. Committed to agile principles, we refrain from over-engineering and over-production, and therefore never create "shelf-ware" (documentation that is not used and known by anyone).
Information and IT security is part of our DNA and who we are
In accordance with COBIT principles, adorsys operates and continuously improves an Information Security Management System (ISMS) that is aligned with ISO 27001 (certification project scheduled for completion in 2023) and includes the following focus points:
- Awareness and knowledge
Every employee is constantly motivated and trained in basic security requirements and processes (e.g. GDPR / DSGVO implications for administrative staff and software engineers, mobile and remote working, identity and access management, password management, client/endpoint management, security event and incident process, etc.).
- adorsys secure software development lifecycle (aSSDLC)
As part of our ISMS, adorsys has established a tailor-made SSDLC for our typical customer project work, derived from and aligned to OWASP-SAMM (Open Web Application Security Project, Security Assurance Maturity Model). Each customer and project can choose to what extent secure software development principles, methods and tools are included (tailoring). Following the OWASP-SAMM principles, we have defined the role and curriculum for so-called “security champions”, who can be part of project teams or at least advisors on all IT security issues at regular check points in the project life cycle (e.g. solution architecture) or ad hoc during the project.
- Software Engineering, Business Analysis, API Management, Open Finance, Cloud and DevOps, Information Management, BC and DLT
For all of these topics, we have analyzed the current state of security knowledge and its implications and translated it into documented and reproducible business knowledge and artifacts.
High and reproducible quality is the key to adorsys
As a software engineering and consulting professional services company, we run a never-ending series of customer projects. Customers and projects are varied, diverse and colorful – this is the essence and motivation for us to work in a supply-side company.
But good principles and practices, do's and don'ts, generic and reusable processes, knowledge assets, etc. are quite stable and should be continuously matured and improved with each project iteration.
This describes the common concept of a Quality Management System (QMS) that we apply to our end-to-end core process “Customer Engagement Lifecycle” and all its supporting and enabling processes (ISO 9001:2015 certified since 2022).
For our customers, this means:
- We continuously monitor and improve our teams, processes and artifacts (e.g. customer feedback, lessons-learned workshops and compiled measures).
- We carefully analyze, clarify and document your expectations and requirements and reflect them in our proposal, project and team setup.
- Our delivery teams and processes are trained, supported, coached and monitored by our project delivery experts and Project Management Office (PMO).
- We are accustomed to executing and documenting our project plans, solution architectures, development processes, epics, stories, sprints, requirements, test cases, etc. according to best practices or standards (e.g. arc42, IREB, ISTQB, OWASP, Scrum, SAFe).
- If we discover or suspect quality or delivery problems, we will always address the issues immediately and transparently.
- We are able and trained to manage and ensure delivery quality and efficiency for multi-party projects with subcontractors onshore, nearshore or offshore in the same way as pure customer-adorsys projects.
- All of our processes, tools and resources are designed to work “remotely”, embracing and enabling distributed teams, but taking into account the need for interpersonal trust, proximity, reliability, communication and team building.
COBIT as the governance, risk and compliance model for our organization
In order to ensure compliance with regulatory requirements such as KWG25b (German Banking Act), BAIT (Banking Supervisory Requirements for IT) or VAIT (Insurance Supervisory Requirements for IT) in our common project areas, we have established a governance, risk and compliance framework and organizational model that is specifically tailored to the needs of our company and business model.
This means that we actively operate, monitor, and improve the following governance and management elements, consisting of guidelines (“principles”), policies, processes, role and organizational definitions – while keeping everything as light and practical as possible:
- Process and Quality Management System
- Risk Management and Internal Control System
- Information Security Management System
- Data Protection Management System (GDPR / DSGVO)
- Business Continuity Management System
- Additional policies for e.g. ESG, Projects & Delivery, Architecture, Research & Innovation
- Corporate strategy, mission and values, employee code of conduct
Financial grade API (FAPI) – the new high-security specification for data schemas, security and privacy protocols
Through Open Banking, banks and other financial companies are giving third parties open access to their APIs – and enabling access to their customers’ personal and financial data.
The goal is to make financial services faster and more convenient for customers. It goes without saying that these APIs must be secured and protected from attack. The financial sector has always been a prime target for cybercriminals, and public interfaces offer even more opportunities for attack.
FAPI (short for: Financial grade API) – the new highly secure specification of data schemas, security and privacy protocols – has been introduced to prevent cybercriminals from gaining access. The new standard is a high-security OAuth profile designed to provide precise guidelines for security. It is primarily used for use cases that require a high level…