
Very committed, highly professional, always team-oriented, above average successful and extremely fast!

Josef Schriek, Wonder Automotive Europe

My TISAX audit went largely smoothly and was immediately successful; we can now prove information security and win new automotive customers. Gaps in the preparation or examination were delivered promptly and in high quality or appropriately modified by templates and documents from the Smartkit as well as from an extensive pool of suitable templates. I can only recommend the team around Klaus Höllerer, Klaus Kilvinger and Thomas Salvador.

Dr. Samir Kadunic, MAASU GmbH

I had the pleasure to work with Opexa Advisory; Thomas Salvador is a very sharp-minded and pleasant work-mate/consultant. He understands how to break down complex problems in a structured and comprehensible way. He also was a great help in political and personal questions. 5 stars for outstanding professionalism and integrity.

Roman Dietrich, Bavarian Motor Works AG

What our clients have to say

Common Questions around InfoSec Consulting

We want to reduce our risk, but how?

Just contact us. After an initial talk about your status, we can give you a first recommendation for the next steps or valuable tips for the upcoming decision-making processes.

Does our company really have any risks?

Every business today has cyber security risks; crime looks for easy targets no matter the size. We analyze your risk exposure and specific situation and support you with a step-by-step, customized approach to the solution, according to our mantra: Democratizing Information Security!

Do you offer any other services?

We are not restricted in our measures, but showing too many options can quickly confuse the interested party. Each action requires careful evaluation of efficiency and effectiveness against the problem, your risk and your budget. Contact us!

Which companies do you support?

Our customers are mainly small and medium-sized companies. We know the needs and limitations of their business model and adapt to them. We are just as industry-independent as information security!

Creating up-to-date documentation "from scratch" or updating outdated documentation can become laborious.

We provide templates, samples, forms, and guidelines based on our standard-compliant document library (over 130 different documents) and adapt them to your situation if necessary, in accordance with the relevant norms.

This way, you save yourself significant time and prolonged discussions.

Document library

Industry 4.0 solutions are based on the Internet of Things (IoT), where dynamically connected objects enhance the efficiency, flexibility, and autonomy of systems and can increase the productivity of production lines.

However, the widespread and comprehensive connectivity also leads to an increase in the risk of cyberattacks.

By systematically implementing the relevant series of standards, you enhance information security and additionally demonstrate measures for cybersecurity within your systems.

We assist you in the systematic implementation of IEC 62443, taking into account your existing ISMS according to ISO 27001.

Industrial Security 

We think and act from the perspective of a potential attacker, conducting a comprehensive assessment of externally accessible infrastructure (web servers, VPN gateways, mail servers, web applications, etc.) for security vulnerabilities and potential entry points. Additionally, we examine whether potentially stolen company data sets are circulating in the darknet. Through our scanning process, you can identify security vulnerabilities and points of attack, and with the right measures, easily enhance the security of your IT infrastructure. The analysis is performed externally in a controlled process, and you'll receive a clear, understandable, and targeted recommendation from us for addressing weaknesses.

It couldn't be easier!

Penetration testing

We compare the current status and requirements based on ISO 27001 or TISAX® standards, providing you with a valuable overview of your company's standing.

The analysis precisely highlights the areas of your information security management system that are already in compliance with the standards and identifies critical aspects that require immediate attention. Furthermore, we offer our assessment of the anticipated efforts and the duration of implementation.

What more could you ask for?

Information Security GAP Analysis

Insurance questions often arise throughout the lifecycle of a contract. Careful consideration should be given to what is necessary before entering into cyber insurance. Furthermore, it is important to clarify matters during renewals or extensions. In the event of a claim, communication with the insurer should be planned with great care. We do not sell insurance and therefore maintain a neutral stance.

Before entering into an insurance agreement, we conduct an analysis of the risk expectations and situation of the assets to be insured. We clarify the required performance components and their relevance, and conduct appropriate market research. Based on this foundation, we pre-select insurance offers and define a decision matrix for management. This significantly supports risk management and reduces uncertainties during assessment.

In the event of a claim, we assist the client in managing the situation, including providing legal support through specialized attorneys in our network.

The analyses and consultations that form part of the above-mentioned activities are carried out based on the ISO/IEC 27001, DIN SPEC 27076, and TISAX standards. This helps management take measures, demonstrate them, and answer questions about them on the basis of recognized norms. It also aids in responding to inquiries related to D&O insurance or mitigating personal liability risks for the executive board.

We would be pleased to conduct a complimentary and non-binding initial conversation with you!

Cyber insurance diagnostics

Are you planning to implement cloud solutions?

We assess your security situation regarding cloud offerings and provide advice on the selection or implementation strategy with a focus on information security. We rely on best practices as well as recognized standards for this purpose.

In addition to organizational questions (Who manages the service or how do I organize it internally? What about backup strategies?), contract reviews play an important role, and data protection must not be compromised.

Furthermore, we comprehensively address relevant questions about the "return" from the cloud, because your strategy may change, and legal issues or crises can quickly prompt a rethink.

Cloud Readiness Diagnosis

Our professional speaker participates in your internal or customer-oriented events, sending a clear message both internally and externally about the significance of information security.

Our experts bring intriguing and educational topics with them, presenting practical examples and extensive experience from numerous projects, national and international congresses, specialized events, and seminars.

This lively presentation offers an engaging option for your company to transparently and personally convey what is often considered dry subject matter to employees, further solidifying risk awareness for information security.

Speakers for your event

The "Human Firewall" is crucial to achieve an adequate level of information security. Informing the employees and thus raising their awareness is therefore highly recommended.

Your advantage: All awareness-raising measures in this area have a good price-performance ratio compared to organizational or technical measures!

We analyze your situation and develop the right concept for you, relying on pragmatic solutions with justifiable effort. You have the choice between various measures, including direct online contact with experts in order to use motivational opportunities.

Raising Employee Awareness

Due to the increasing cyber threats, it is crucial for organizations today to have a functional and well-equipped security organization to combat cyber incidents, such as a CSIRT (Computer Security Incident Response Team). However, this team should be appropriately sized, equipped, and skilled in proportion to the company's size and the security situation of the organization, in order to maintain a balance between performance and costs.

Of particular importance for the CSIRT is the understanding of its own maturity level, in order to steer the improvement of its performance within the framework of continuous improvement, which significantly impacts costs.

We assist you in determining the maturity level and guide you in implementing tailored, goal-oriented, and cost-effective measures.

Cyber Security Incident Response Team Improvement

The networking of vehicles for the utilization of various active or new services (navigation, over-the-air updates, remote diagnostics, online "on-demand" add-on vehicle functions, etc.) is progressing. In the future, automotive manufacturers and their suppliers must certify their vehicles based on the demanding ISO/SAE 21434 standard (Road Vehicle – Cybersecurity Engineering).

Both OEMs and suppliers face a common challenge as the requirements are extensive, encompassing both internal processes and alignment with national and international certification regulations.

Hence, it is imperative to adopt this standard as effectively and swiftly as possible.

We are here to assist you in this endeavor!

ISO/SAE 21434 – Standard for Automotive Cyber Security

The Digital Operational Resilience Act (DORA) is a regulation currently in the process of EU legislation aimed at enhancing the cybersecurity and operational resilience of the EU financial services sector. Once the law comes into effect, the regulations will apply to traditional financial sector companies, FinTechs, and ICT third-party providers of financial institutions.

It's crucial to prepare ahead of time – we'll guide you to success!

DORA - Consulting: Operational Resilience for the Financial Sector

Emergencies can occur at any time; absolute security does not exist. But are you prepared? Do you have a "Plan B"?

In many other aspects of life, preparation and practicing emergencies are a normal part of proactive work. Mountain climbers practice falling in a safe environment and check their knots before ascending. The fire department rehearses procedures and tests the functionality of pumps, checks for hose integrity, and ensures water supply from hydrants. Companies conduct fire drills. In general, the continuity of business operations despite adverse circumstances should be a top leadership concern!

Examples are diverse, and in a serious event, it matters little whether hackers targeted the Funke Mediengruppe, whether companies like Eberspächer and Marc O'Polo were incapacitated by a ransomware attack, or whether a major corporation like Continental AG was hit by an attack. The question is always asked: What could have been done proactively to prevent the incident or minimize the impact, and what needs to be different in the future?

For such situations, everyone should possess the necessary knowledge to remain functional. Creating emergency plans and conducting realistic emergency drills is imperative so that issues can be addressed, and damage can be minimized.

Emergency management

For small and micro businesses with fewer than 50 employees, implementing necessary information security measures can be challenging, especially when demanding standards like ISO/IEC 27001 or TISAX® are to be adopted. Unfortunately, for such relatively small enterprises, security improvement measures are often neglected for various reasons (e.g., costs, time, capacity constraints).

Opexa offers a combination of various services tailored to the SMB target group, aiming to provide rapid, cost-effective, and pragmatic assistance. By utilizing the simplified DIN SPEC 27076:2023-05 for situational assessment, a swift, budget-friendly, and straightforward diagnosis can be achieved, particularly suited for these businesses.

Furthermore, a vulnerability scan is conducted. Recommendations are derived based on the scan results and the diagnosis according to DIN SPEC. Additionally, an awareness initiative is integrated. As a result, an enhanced security setup can be prioritized and progressively realized.

We provide the aforementioned measures at a fixed price!

Promoting Security for Small Businesses!

The healthcare industry, not only due to the impact of Corona and shortages of medication and nursing staff, has several tasks to accomplish. In the field of "Medical Care," the objective is to shape the transformation brought about by digitalization. This aims to achieve better utilization of data for research, optimization of administration, or simply for effective cost management.

The diverse and historically evolved system landscape, along with the organizational environment within hospitals, presents a challenge in implementing a security standard, given the cost pressures in the healthcare sector. Such a standard is meant to ensure data privacy, confidentiality, integrity, and availability.

The industry-specific security standard for medical care (B3S), developed by experts in the field based on various standards such as ISO/IEC 27001, addresses these concerns. We assist you in efficiently and swiftly implementing the multitude of requirements.

B3S in the health sector 

The Whistleblower Protection Act is here! It serves to protect individuals who expose wrongdoing and, if necessary, publish confidential information to prevent harm to companies or society. For instance, violations of criminal provisions or offenses subject to fines, as well as situations where the protection of life, body, health, or the rights of employees or their representative bodies are affected, can be reported.

It applies to all companies with 50 or more employees, but with varying thresholds. Organizations with typically at least 250 employees must implement the requirements according to the Whistleblower Protection Act by no later than July 2, 2023. Companies with 50 to 249 employees have a bit more time until December 17, 2023.

Caution: Fines, for instance in cases involving the disclosure of personal data, can be imposed on larger companies as early as July 2!

But what does the law require? What must companies implement? What should be considered when establishing and operating internal reporting channels? What do employees need to know? How can a reporting channel be used for information security? How can the service be provided externally? What costs are involved?

Many questions that need to be clarified. We're here to assist you!

Whistleblowing Services

Every company should enjoy a minimum level of security! Therefore, we support our customers of different sizes and all industries and check their needs and topics against proven best practices and norms.

Based on analyses, we recommend suitable standard security measures or develop tailor-made solutions for successful risk reduction, true to our mantra: Democratizing Information Security.

InfoSec Consulting

On Demand
