IT examination

The term IT examination was deliberately chosen in reference to the military examination - a procedure that describes a structured, in-depth and comprehensive examination of a person's suitability. Just as a military examination is not just based on superficial impressions, but on a holistic and standardized assessment, the IT examination does not focus on a single aspect of the IT or legal landscape, but on the overall picture of corporate IT-security.

As part of the IT examination by RIEDEL Networks:

• a systematic vulnerability scan of the entire IT infrastructure - not just selectively, but comprehensively and in depth,

• as well as a legal screening of the legal attack surfaces, particularly with regard to NIS-2, by the legal tech partner Clarius.Legal.

Differentiation from conventional audits or NIS-2 checks

Unlike many existing "NIS-2 checks" or selective audits, the IT examination is not limited to individual technical components or a superficial legal assessment. It is:

• standardized and comprehensive,

• transparently documented,

• integrated both technically and legally.

The name "Examination" underlines the holistic nature of the process and is deliberately intended to convey:

"This is not just a superficial check - this is a screening, assessment and clarification of what your digital and regulatory defense capabilities really are."

A conventional scan usually only checks technical components, while an audit often focuses on individual legal aspects.
The IT examination combines both - in a standardized, documented and practical procedure:

• Complete vulnerability scan of the IT infrastructure

• Legal NIS-2 check by our legal tech partner Clarius.Legal

• Clear, comprehensible recommendations for action

The IT examination is a joint offer from:

• RIEDEL Networks (technical analysis & IT security assessment)

• Clarius.Legal (legal review of NIS-2 compliance, incl. documentation)

The IT examination is aimed at:

• Companies affected by the NIS-2 Directive

• Companies that want to gain a clear overview of their IT security status and their legal attack surface

• Organizations that want more than a superficial audit - namely real screening

The IT examination can be carried out as a one-off status assessment - but it is also suitable as a regular measure to review and improve your IT and compliance structure. However, it is advisable not to view IT security as a "sprint", but rather as a "marathon" and to equip yourself for the endurance run with solutions such as the RIEDEL Enterprise Defense [R.E.D.] Cybersecurity Suite.

Nothing special - just:

• Access to the relevant IT infrastructure (for the vulnerability scan)

• Willingness to cooperate with internal contacts (e.g. IT management, data protection, legal)

Clarius.legal analyzes your existing security structure using a structured audit. This involves checking how well your technical and organizational measures already meet the NIS 2 requirements - based on the specifications of the BSI IT baseline protection.

• Creation of an individual audit plan
• Implementation of a compliance audit
• Development of a risk management system
• Adaptation of contracts with partners and service providers
• Training for management and employees
• Development of a legally compliant reporting chain

The implementation of the individual points is spread over several appointments, each lasting between 1 - 3 hours. Depending on the flexibility of the contact person's schedule, the legal review and preparation can be completed in a good month.

• Audit planning & preparation
• Implementation of the compliance check
• Assessment and prioritization of risks
• Implementation of organizational & technical measures
• Continuous support from experts

The management bears overall responsibility and can be held liable in the event of breaches. In practice, IT, compliance, data protection and external consultants (such as CLARIUS.LEGAL) work together on implementation.

Not necessarily all, but all security-relevant systems must undergo a risk assessment and, if necessary, be secured by technical or organizational measures. These include firewalls, backup systems, VPNs, access controls, etc.

At least annually or in the event of major changes to the IT infrastructure. We help you set up a standardized risk management process. In addition, technical monitoring of the IT infrastructure, e.g. by the RIEDEL Enterprise Defense [R.E.D.] managed security service, is helpful in maintaining an overview.

• Security guidelines and concepts
• Contracts with service providers (e.g. order processing, security requirements)
• Emergency plans and reporting processes
• Training certificates
• Risk assessments & technical reports

Clarius.legal is happy to provide templates!

The RED SKULL Vulnerability Test is an automated vulnerability scan of your IT infrastructure. Using a preconfigured hardware appliance, we analyze your networks for potential security vulnerabilities - quickly, securely and without interrupting your operations.

1. dispatch of the preconfigured test kit

2. execution of the scan by our Security Operations Center (SOC)

3. return of the device

4. evaluation of the results

5. discussion and delivery of a detailed report with recommendations for action

No. Once the test kit has been connected, our SOC takes care of the entire process remotely. All your team has to do is prepare the network infrastructure and connect the device.

No. The scan is non-disruptive. No systems are attacked or changed, so your operations can continue undisturbed.

Depending on the size and complexity of your network, the scan takes between a few hours and up to a week. The report is then generated within about a week.

No system data is changed. All information collected is transmitted in encrypted form, processed in accordance with GDPR and ISO 27001 standards and can be deleted or archived on request.

The scanner is a miniserver that is preconfigured on receipt and you will receive specific instructions on how to carry out the scan and integrate the device in consultation with our SOC.

You simply mount the supplied LTE antennas on the connections provided. The device starts as soon as it is connected to the power supply.

Our SOC manages the scanner remotely and makes the necessary configurations.

You simply ensure that routing, firewall rules, VLAN, VPN access and Internet connectivity are configured. But our colleagues are happy to help!

You will receive a comprehensive report on all weaknesses found, including prioritization and specific recommendations for action. We will discuss the results with you in a personal meeting.

The NIS-2 Directive aims to strengthen cybersecurity in the European Union by introducing higher security standards and reporting obligations for companies. It aims to increase the resilience of critical infrastructures and improve cooperation between member states.

To comply with the NIS 2 directive, companies must take several measures:

1. Implement robust security measures: companies must protect their networks and information systems with appropriate technical and organizational measures to prevent and defend against cyberattacks.

2. Regular risk analyses: Companies must carry out regular risk assessments to identify potential vulnerabilities and implement appropriate protective measures.

3. Security incident reporting: Companies are obliged to report serious security incidents to the relevant authorities immediately to enable a rapid response and cooperation.

4. Training and awareness: Employees must be regularly trained and made aware of cybersecurity risks in order to promote security-conscious behaviour and minimize human error.

5. Contingency plans and crisis management: Companies must establish contingency plans and crisis management processes in order to be able to react quickly and effectively in the event of a cyber attack.

Within 24 hours:
You must provide an initial assessment to the relevant national authority or the CSIRT (Computer Security Incident Response Team) within the first 24 hours of detecting a security incident. If applicable, indicate whether the incident may be the result of illegal or malicious activity and provide initial information on the potential impact on systems and security of supply.

Within 72 hours:
You must prepare and submit a detailed report with the so-called Indicators of Compromise (IoCs) to the competent authority no later than 72 hours after the discovery of the incident. These IoCs, such as IP addresses, malware signatures or unusual network activity, are used to identify the threat. Supplement the report with an initial assessment of the impact on affected services and customers.

After one month:
You must submit a comprehensive final report no later than one month after the incident. This report must describe the security incident in detail, analyze the causes, assess the severity and document the impact. In addition, you must explain the type of threat (e.g. ransomware, DDoS attack), describe the remedial measures taken and evaluate their effectiveness. Finally, you should formulate specific recommendations to prevent similar incidents in the future and improve the cyber security situation.

Companies that violate the NIS 2 Directive face significant sanctions. Depending on the severity of the breach and the national legislation of the EU member states, these may include the following measures:

1. Management liability
   The NIS 2 Directive introduces extended management liability, which means that managers can be held personally responsible for compliance with cybersecurity requirements.
2. Heavy fines:
   Companies can be subject to heavy fines, which in severe cases can be up to €10 million or 2% of annual global turnover, whichever is higher.
3. Public disclosure:
   Violations can be made public, which can cause considerable damage to the company's reputation.

The requirements for companies include various to-do's from different fields. Software-based solutions help you to comply with all obligations and, in particular, simplify the fulfillment of the obligation to provide evidence.

The NIS-2 directive should not be seen as a static requirement, but aims to motivate companies to continuously manage risk.