Security Concept - kyberio GmbH

Security Concept
of kyberio GmbH

Security on all levels:
physical, digital, and organizational

Our lived ISMS:

ISO 27001

Our ISO 27001 certification based on IT Grundschutz from the German Federal Office for Information Security is built on a wide range of precise, practiced guidelines and processes.

The perfect Add-On:

PCI-Certification

The PCI standard corresponds to a set of rules that reflects the security requirements for payment transactions with credit cards.

Well-positioned:

5-Zone Security Concept

As part of our ISMS, we address multiple topics to ensure the long-term secure operation of our data centers and customer systems.

Emergency Plans:

Business and Service Continuity

We have developed comprehensive emergency plan strategies and escalation paths as part of our ISMS.


Certified Security:
Our lived ISMS


The scope of the BSI ISO 27001 certification covers the data center network in Hanover and its management. It includes all systems and processes required to operate the data center infrastructure, customer management, and providing services for the co-location.

The application of ISO 27001 based on IT Grundschutz from the German Federal Office for Information Security (BSI) includes the objectives and measures from Annex A of ISO 27001 and the associated implementation guidance for commonly accepted procedures from ISO/IEC 27002.

As a prerequisite for certification, Kyberio has undergone a multi-stage audit procedure for the data center and the associated organizational processes. This audit takes place periodically. The audit primarily covers the following areas:

  • Company business requirements
  • Technical infrastructure management
  • Responsibility
  • Organizational processes
  • Risk management
  • Data protection

By choosing kyberio, our customers also improve their security posture in light of IT security legislation. The requirements regarding data protection and the associated liability risks have become much stricter since May 2018 due to the EU's General Data Protection Regulation. This legal change means even more severe penalties for breaches of data protection law than under the previous Federal Data Protection Act.

Certification provides legal protection and offers many business advantages in conjunction with improved security. To summarize the benefits:

  • Improved IT infrastructure security
  • Increased security awareness from management to employees
  • Legal protection and reduction of liability risk
  • Improved competitiveness
  • Cost savings through outsourcing of expensive security-related in-house services
  • Creation of trust among customers and the public
  • Possibility of certifying customer applications based on Kyberio's existing certificate


PCI-DSS v3.2 –
The perfect Add-On

PCI-DSS stands for "Payment Card Industry Data Security Standard." The PCI standard corresponds to a set of rules that reflects the security requirements for payment transactions with credit cards. This standard is binding for all companies, institutions, and organizations that process credit cardholder data.

Companies and organizations that process cardholder data (CHD) electronically in a cardholder data environment (CDE) must secure this environment against data abuse and unauthorized access following the PCI guidelines, and must keep it secure throughout ongoing operation. Furthermore, the standard provides a clear assignment of responsibilities for the different areas and tasks within the CDE. It must be possible to track all access and work steps. Physical security and the associated processes to ensure it in data center operations are essential to operating such an environment. These requirements concern 12 areas:

  • A firewall concept
  • Password security
  • Protection of cardholder data
  • Data encryption
  • Anti-virus software
  • Systems and application maintenance
  • Access restriction
  • User-specific access
  • Physical access restriction
  • Tracking and monitoring data access
  • Regular testing (systems and processes)
  • Maintaining an information security policy

Professional access controls and processes, seamless video surveillance around the clock, logging and exact verification of persons in the data center, data comparison, and plausibility checks ensure that admission and access to the environment are tracked.

As a co-location customer in our data center, you benefit from a service already PCI-certified by a Qualified Security Assessor ("QSA"), which extends to your rack cabinet. This certification allows you to concentrate on the compliance of the infrastructure operated in your rack and to refer to our certification for the physical security of your rack; it covers essential components of requirements 9 and 12 of the PCI requirements catalog and requirement 11.1 regarding wireless access points. These points are no longer included in your audit, as you build your certification on the certified PCI compliance of the data center operator.

E-commerce providers, content providers, institutions, and other organizations that offer services or products or accept donations online by credit card therefore have the opportunity to operate in a PCI-certified data center environment in their own, individually lockable 19" rack (with 22 or 42 height units). We are happy to provide you with our Attestation of Compliance ("AOC") for this purpose.


Our Concept

More than Secure:

5-Zone-Security
People, Technology, Processes


Thanks to our continuously staffed Operation Center on-site, we can respond quickly to any incident and ensure the smooth operation of the data centers.

The business park on which the data center is located is protected by barred gates, while the data center itself has additional perimeter protection. The gate to the customer parking lot and the building are controlled and monitored by the Operation Center and remain locked to unauthorized persons around the clock.

The outside area, all building entrances, and the data center area are monitored around the clock by cameras with motion detection. The live video sequences are transmitted to the Operation Center, where they are reviewed and stored for later review.

Access is only granted after prior registration, in the company of authorized employees, and following the security concept of two-factor authentication (2FA). Authentication requires the employee's personalized RFID transponder ("possession") in combination with the correct entry of the personal PIN ("knowledge").

The building management system fully integrates into our central monitoring solution and alerting processes. Compliance with defined operating parameters and fault messages are immediately transmitted to the staff on site and our security service providers connected via redundant communication channels. Depending on the message type, the security service provider directly informs the police, fire department, and building services if necessary or first consults with the staff on site.

Highly sensitive smoke detectors for very early smoke detection (VESDA) are used for early identification and prevention of fires. If further fire detectors (two-line dependency) confirm a potential fire, an automatic nitrogen extinguishing system (N2 extinguishing) is triggered after a warning phase to protect any people in the technical area. At the same time, the fire department, the Operation Center, and the building services are informed, and an emergency plan is activated.

A battery-backed uninterruptible power supply (UPS) combined with a diesel emergency power system (EPS) ensures operation if the public power grid fails. These are scaled so that all components, including air conditioning, can continue operation without restrictions.

Protecting networks and IT systems against cyber attacks is essential, and we constantly adapt this protection to current threats. We have developed a multi-layered security concept based on DDoS protection, threat detection (IDS/IPS), next-generation firewalls, malware protection, and tamper-proof backups for our customers and our proprietary systems.

OPERATIONAL SAFETY OR: "WHAT HAPPENS IF..."

Business and
Service Continuity

As part of the ISMS, comprehensive emergency plan strategies and escalation paths have been defined to secure the uninterrupted operation of essential systems even in crisis scenarios (e.g., fire, power outage, or cyberattacks), or at least their restoration as quickly as possible.

In addition to the routine review of the required documentation, processes, and systems, we conduct periodic emergency drills and training sessions with all employees and external service providers (e.g., maintenance companies). Critical systems required for operation (such as our monitoring) are designed redundantly and distributed across our two independent data centers.

All systems are continuously maintained and subjected to regular performance tests (including load transfer from the EPS). Through contractually agreed on-call services with our maintenance companies, we also ensure a rapid response in case of a fault.

Monitoring and Systems Protection

Security Operations Center

The Security Operations Center (SOC) is at the heart of your company's cyber security strategy. It monitors your information systems to detect and respond to security incidents early. Our SOC ensures comprehensive protection against cyber threats with tailored security concepts and state-of-the-art technologies. Utilize our extended services, such as proactive threat analysis and rapid mitigation of security vulnerabilities, to strengthen your company's resilience.

Your Security Advantages:

  • Expert security personnel on duty around the clock
  • Immediate responsiveness to security incidents
  • Partnerships with leading security technology providers
  • Direct support in defending against and analyzing cyberattacks
  • Rapid containment and resolution of security incidents
  • In-depth threat analysis and continuous monitoring
  • Managed security services and custom-tailored service level agreements (SLAs)
  • Integration of cyber security into all aspects of IT operations
  • Competent support and implementation of security projects from a single source

Our SOC serves as your frontline defense against cyber threats, ensuring the security of your data and systems. By combining advanced technology, proven methods, and experienced personnel, we offer a security service specifically tailored to the needs and challenges of your business.

Florian Dierks
Managing Director

Together We Will Find
the Right Solution

We take the time to understand your requirements and develop optimal solutions. We also know how to explain complex technical matters clearly and precisely.

Feel free to contact me directly, and we will find a solution.