Expert in IT security and compliance
Due to our roots in finance, tax, and FinTech, adorsys specializes in regulatory IT compliance, including COBIT, with a strong focus on IT security aligned with ISO 27001, NIS2, DORA, PCI-DSS, and ITIL. Committed to agile principles, we avoid over-engineering and unnecessary documentation ("shelf-ware").
Security
Information and IT security is part of our DNA and who we are
In accordance with COBIT principles, adorsys operates and continuously improves an Information Security Management System (ISMS) that is aligned with ISO 27001 (certification project scheduled for completion in 2024) and includes the following focus points:
- Awareness and Knowledge
Employees are continuously motivated and trained in basic security requirements and processes (e.g., ISMS and GDPR implications for administrative staff and software engineers, mobile and remote working, identity and access management, password management, client/endpoint protection, the security event and incident process, partner and software supply chain security, etc.).
- adorsys Secure Software Development Lifecycle (aSSDLC)
As part of our ISMS, adorsys has developed a custom SSDLC based on OWASP SAMM, allowing customers to tailor secure software development practices to their needs. We have introduced "security champions" with specialized training, who can join project teams or provide IT security guidance at key stages such as architecture reviews and penetration testing.
- Secure Software Engineering, Business Analysis, API Management, Open Finance, Cloud and DevOps, Information Management, BC and DLT
For each of these areas, we have analyzed the current state of security knowledge and its implications and translated it into documented and reproducible business knowledge and artifacts.
Benefits
High and reproducible quality is the key to adorsys
As a software engineering and consulting professional services company, we run a never-ending series of customer projects. Customers and projects are varied, diverse and colorful; this is the essence of, and our motivation for, working in a supply-side company.
But good principles and practices, do's and don'ts, generic and reusable processes, knowledge assets, etc. are quite stable and should be continuously matured and improved with each project iteration.
This describes the common concept of a Quality Management System (QMS) that we apply to our end-to-end core process “Customer Engagement Lifecycle” and all its supporting and enabling processes (ISO 9001:2015 certified since 2022).
For our customers, this means:
- We continuously monitor and improve our teams, processes and artifacts (e.g. customer feedback, lessons-learned workshops and compiled measures).
- We carefully analyze, clarify and document your expectations and requirements and reflect them in our proposal, project and team setup.
- Our delivery teams and processes are trained, supported, coached and monitored by our project delivery experts and our central and shared Project Management Office (PMO).
- We are accustomed to executing and documenting our project plans, solution architectures, development processes, epics, stories, sprints, requirements, test cases, etc. according to best practices or standards (e.g. arc42, IREB, ISTQB, Scrum, SAFe).
- If we discover or suspect quality or delivery problems, we will address the issues immediately and transparently.
- We are able and trained to manage and ensure delivery quality and efficiency for multi-party projects with subcontractors onshore, nearshore or offshore.
- All of our processes, tools and resources are designed to work “remotely”, embracing and enabling distributed teams, but taking into account the need for interpersonal trust, proximity, reliability, communication and team building.
Compliance
COBIT as the governance, risk and compliance model for our organization
In order to ensure compliance with regulatory requirements such as Section 25b KWG (German Banking Act, outsourcing of activities and processes), BAIT (Banking Supervisory Requirements for IT) or VAIT (Insurance Supervisory Requirements for IT) in our common project areas, we have established a governance, risk and compliance framework and organizational model that is specifically tailored to the needs of our company and business model.
This means that we actively operate, monitor, and improve the following governance and management elements, consisting of guidelines (“principles”), policies, processes, roles, concepts, checklists and other organizational definitions – while keeping everything as light and practical as possible:
- Process and Quality Management System
- Risk Management and Internal Control System
- Information Security Management System
- Business Continuity Management System
- Data Protection Management System (GDPR / DSGVO)
- Additional policies for e.g. ESG, Projects & Delivery, Architecture, Research & Innovation
- Corporate strategy
- Mission and values
- Employee code of conduct
White Paper
Financial-grade API (FAPI): the new high-security specification for data schemas, security and privacy protocols
Through Open Banking, banks and other financial companies are giving third parties open access to their APIs, and with it access to their customers' personal and financial data.
The goal is to make financial services faster and more convenient for customers. It goes without saying that these APIs must be secured and protected from attack. The financial sector has always been a prime target for cybercriminals, and publicly exposed interfaces offer even more opportunities for attack.