Information is a mission-critical asset for a growing number of businesses, and their dependency on information systems is increasing rapidly. The complexity of those systems, and the global dispersion of the information they create, entail greater risks to the business.
The solution is not to impose a patchwork of security products, a firewall here and an antivirus program there. The solution is to take a holistic approach: identify the risks and balance them against the right level of protection through methodical information security management. Realising that security is much more than technology is an important step on the way. Proper security is a profitable investment that lets the business focus on operations and its core activities.
On the basis of academic, analytical and efficient working practices combined with business understanding, Kirei works primarily in four main areas of information security:
- Information Security Management Systems (ISMS)
- Security auditing, requirements definitions and system architectures
- Security in communications infrastructure
- Standardisation and Development
Information Security Management
Within the area of Information Security Management, we work to give our clients a precision tool for assessing risks consistently, accurately and repeatably, for taking mitigating measures, and for evaluating those measures afterwards to confirm that they are effective, so that the right balance between protection and business risk is achieved.
A business should have the information security protection that is appropriate to the nature, extent and other circumstances of its operations. A risk analysis is the foundation of a well-suited protection regime: it is both an activity that identifies the assets requiring protection and the documentation of the rationale for what is worth protecting. The risk analysis shall also relate the identified assets to the threats the business may be exposed to and the vulnerabilities it may be afflicted with. Finally, the risk analysis produces a decision basis for safeguard measures and establishes who is accountable for those decisions.
Within the area of information security management and governance, Kirei has supported clients through certification against the international information security management system standard ISO/IEC 27001:2013 as well as the SysTrust (Service Organization Controls, SOC) IT security framework.
Security Auditing, Requirements Definitions and System Architecture
When changing or introducing systems, it is of crucial importance that security and quality aspects are taken into consideration from the beginning, and that system security can be maintained after the project has been completed. We therefore support every phase of a project: definition of security requirements, design of the system architecture, procurement support, and validation, quality assurance and security audits.
We can also assume the role of a control function, auditing against the relevant security standards, regulatory or business requirements, specific identified risks, or a combination of these. In other contexts we evaluate the security of specific components at a more technical level, often based on the Common Criteria and its evaluation methodology (CC/CEM) and a protection profile, down to the implementation level.
Security in Communications Infrastructure
Today almost all information systems rely upon open, robust and high-performing communication services. We use our experience from large operator networks, metropolitan area networks and corporate networks to define requirements, dimension capacity and provide quality assurance for critical network infrastructure.
We design and implement robust communication solutions tailored to the individual business, sometimes designed to meet the most stringent requirements for capacity, latency, resiliency and resistance to denial-of-service attacks. We also work with infrastructural services where, in a few areas, we have unique expertise, for example the security and robustness of the domain name system and ensuring that emergency calls can be placed and received over IP according to the IETF ECRIT principles.
Standardisation and Development
Kirei has been driving standardisation in a number of areas with an emphasis on security. For over 20 years we have worked on standardisation of, for example, DNSSEC, the cryptographic signing of data in the global Domain Name System (DNS). With DNSSEC it is possible not only to verify that information conveyed via the domain name system is authentic; the signed infrastructure can also be used to publish keys and certificate bindings, so that two or more parties on the Internet can establish confidential communication. Kirei has also assisted in introducing these security features in the DNS root operated by ICANN and in a number of national and generic top-level domains.
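As an illustration of the second DNSSEC use mentioned above (using the signed DNS to bind keys or certificates to a name, as DANE does with TLSA records under RFC 6698), here is an added example in Python. It is not Kirei's code or part of the original page. The certificate bytes are a constructed stand-in, not a real certificate, and the example assumes the TLSA record has already been fetched by a DNSSEC-validating resolver; the `dnssec_validated` flag stands in for the resolver's AD bit or a local validation result.

```python
"""Match a server certificate against a DANE TLSA record (RFC 6698).

Added example, not Kirei's code. The TLSA RDATA presentation format is
"usage selector matching-type hex-data". Only the DNSSEC-validated state
of the record is modelled, via a boolean, not the validation itself.
"""
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for a DER-encoded end-entity certificate (not real).
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes-for-example-only"


def digest_for(matching_type: int, data: bytes) -> bytes:
    """Apply the TLSA matching type: 0 = full data, 1 = SHA-256, 2 = SHA-512."""
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported TLSA matching type {matching_type}")


def make_tlsa(cert_der: bytes, usage: int = 3, selector: int = 0,
              matching_type: int = 1, spki_der: Optional[bytes] = None) -> str:
    """Build the presentation-format RDATA a zone owner would publish."""
    subject = cert_der if selector == 0 else spki_der
    if subject is None:
        raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
    return f"{usage} {selector} {matching_type} {digest_for(matching_type, subject).hex()}"


def parse_tlsa(rdata: str):
    """Parse '3 0 1 <hex...>' into (usage, selector, matching_type, data)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: Optional[bytes] = None) -> bool:
    """True if the certificate (or its SPKI) matches the record's association data."""
    usage, selector, mtype, cad = parse_tlsa(rdata)
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown TLSA usage {usage}")
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        subject = spki_der
    else:
        raise ValueError(f"unknown TLSA selector {selector}")
    # Constant-time compare: the hash itself is public, but this keeps the
    # comparison free of length/early-exit leaks as a matter of habit.
    return hmac.compare_digest(digest_for(mtype, subject), cad)


def check_dane(rdata: str, cert_der: bytes, dnssec_validated: bool,
               pkix_valid: bool = False, spki_der: Optional[bytes] = None) -> bool:
    """Decide whether to trust the presented certificate under DANE rules.

    A TLSA record that was not DNSSEC-validated must be treated as absent
    (RFC 6698, section 4.1): an attacker who can spoof DNS could otherwise
    publish a TLSA record for their own certificate. Usages 0 and 1 (PKIX-TA,
    PKIX-EE) additionally require ordinary PKIX chain validation, which is
    signalled here by the caller-supplied pkix_valid flag.
    """
    if not dnssec_validated:
        return False
    usage = parse_tlsa(rdata)[0]
    if usage in (0, 1) and not pkix_valid:
        return False
    return tlsa_matches(rdata, cert_der, spki_der)


if __name__ == "__main__":
    record = make_tlsa(FAKE_CERT_DER)          # what the zone owner publishes
    print("_443._tcp.example.test. IN TLSA", record)
    print("validated, matches:", check_dane(record, FAKE_CERT_DER, dnssec_validated=True))
    print("unvalidated record :", check_dane(record, FAKE_CERT_DER, dnssec_validated=False))
```

The point a practitioner should take from this is the last check: a TLSA record, or any key published in DNS, is only as trustworthy as the signature chain that protects it. Without DNSSEC validation the record is just another unauthenticated DNS answer, and the code refuses to act on it.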
Another area where Kirei has a long-standing commitment is electronic identification. Kirei participated in authoring the Swedish Government Official Report The eID Board and the Swedish eID (SOU 2010:104), which laid the foundation for the Swedish e-identification model and the establishment of the Swedish E-identification Board, whose responsibilities were subsequently transferred to the Swedish Agency for Digital Government. Since then, Kirei has developed and anchored the assurance framework that constitutes the normative security requirements applicable to all issuers of Swedish eID. Through the work on the national eID structure we were able, together with mainly British and Danish contributions, to author significant parts of Commission Implementing Regulation (EU) 2015/1502, which establishes the assurance levels for European cross-border identification.
A third area where Kirei has made significant development efforts is standardisation in the Swedish public transport sector. Kirei has developed the national technical specifications that enable secure, interoperable electronic ticketing and information exchange between publicly funded and commercial public transport operators in the sector.
Building on the experience gained from electronic ticketing in the Swedish public transport sector, we also authored the technical specification for the EU Digital COVID Certificate, which allowed free movement within the Union to be maintained. This work resulted in Commission Implementing Decision (EU) 2021/1073, whose Annex I is the technical specification we developed; it has been used to issue and validate several hundred million COVID certificates in 2021 alone.