IT services: consulting, software development, Internet and support | Tenderlake

IT services: consulting, software development, Internet and support

Contract Value:
-
Notice Type:
Contract Notice
Published Date:
27 March 2019
Closing Date:
06 May 2019
Location(s):
DE712 Frankfurt am Main, Kreisfreie Stadt (DE Germany/DEUTSCHLAND)
Description:

To support the staff units, an appropriate professional advisory service is tendered for each unit (internal audit (lot 1), data protection (lot 2), information security (lot 3)). To preserve the necessary objectivity and independence, a separate lot (lots 1 to 3) is tendered for each staff unit. A contractor may be awarded only one lot; simultaneous bidding on several lots of this tender is not permitted and leads to automatic exclusion from the procedure.


Internal audit

Internal audit at ITSCare follows the standards and principles of the DIIR (Deutsches Institut für Interne Revision e.V., the German Institute for Internal Auditing). Based on these principles, internal rules of procedure and an audit manual have been adopted.

The basic prerequisites of an internal audit include, among other things, the annual risk-oriented audit planning (based on the currently valid audit universe) and the detailed planning of each individual audit (work programme). In addition, there are "unplanned" special audits and audits of ITSCare's strategic service providers. The audit focus regularly covers both business processes (commercial audit) and technical processes (IT audit).

Once audit preparation is complete, the audit is carried out independently by a fixed audit team under the coordination of an audit lead.

The consulting service to be performed by the contractor follows the principle of "Revision as a Service" (audit as a service). Based on an audit plan coordinated with the contractor, the staffing of the audit team is to be agreed with the client. The contractor proposes to the client a suitable selection of auditors for each audit.

Once the audit team has been approved, the audit is carried out. Under the client's direction and in compliance with the audit manual and the rules of procedure, the audit team performs the audit procedures, documents them and, where necessary, records findings and agrees on remediation measures.

Follow-up tracking of the agreed measures is subsequently carried out by the client.

The contractor also supports the client in the further optimisation of the audit processes and the audit system.

Activities of the contractor as an external auditor are explicitly not part of this tender.

The contractor deploys staff with the skill level "Senior Auditor" both in the audits themselves and in the process consulting on audit processes.


Data protection

ITSCare has designed and implemented a data protection management system (DMS) based on the currently applicable EU GDPR (EU-DSGVO) and the new BDSG (German Federal Data Protection Act). As a processor for ITSCare's shareholders and customers (statutory health insurance funds), ITSCare is also subject to social data protection within the meaning of SGB I and SGB X (German Social Code).

The objectives and principles of the DMS have been published internally in a data protection policy. In addition to advising ITSCare's departments and customers, the data protection unit carries out regular training and audits.

The data protection team is led professionally by ITSCare's Data Protection Officer (DSB). For operational data protection coordination, the DSB has both internal staff and external consulting services at its disposal.

The consulting service procured by the client follows the principle of "Privacy as a Service".

Deputy Data Protection Officer

In agreement with the client, the contractor nominates a consultant with the skill level "Deputy Data Protection Officer" (Stellv. Datenschutzbeauftragter). This person is formally appointed by the client as ITSCare's Deputy Data Protection Officer. The Deputy Data Protection Officer has the same professional rights and obligations as the Data Protection Officer and takes over that responsibility accordingly when the Data Protection Officer is absent.

In coordination with ITSCare's DSB, the Deputy Data Protection Officer also performs the following tasks (non-exhaustive list):

- Monitoring the data protection mailbox for incoming requests,

- Coordination of enquiries and appointments,

- Carrying out checks and data protection audits,

- Creation and delivery of data protection training,

- Updating and preparation of process descriptions,

- Support and monitoring of data protection impact assessments.

The appointment of the Deputy Data Protection Officer is to be maintained for the entire term of the contract. Regular, scheduled presence at the company's registered office in Frankfurt is required.

To carry out the activities described, the contractor is permitted, after consultation with the client, to assign appropriately trained support staff to the Deputy Data Protection Officer. The allocation of the resulting tasks to the contractor's internal resources is at the contractor's discretion, provided that the necessary qualifications are met.


Information security

ITSCare concentrates the strategic components of information security in its IT Security unit. The ISMS that was introduced was successfully certified against ISO/IEC 27001:2013 at the end of 2017. Permanently maintaining this certification is a strategic goal of ITSCare and its shareholders.

The objectives and principles of the ISMS have been published internally in an ISMS manual. In addition to advising ITSCare's departments and customers, the unit carries out regular training and audits.

The team is led professionally by ITSCare's IT Security Officer (ISB). External consulting services are available to the ISB for operational work. ITSCare's risk manager is also located in the "IT Security" staff unit.

The consulting service procured by the client follows the principle of "IT Security as a Service" and comprises the two professional roles "IT Security Analyst" and "Penetration Tester".

IT Security Analyst:

The contractor provides the client with operational consulting services at the skill level "IT Security Analyst" as a service. The services covered by this consulting include (but are not limited to):

- Experience in evaluating and, where necessary, handling security incidents, including coordination with service providers,

- Experience in evaluating security concepts, process descriptions and procedures,

- Experience in coordinating and executing security audits and reviewing the implementation of the resulting requirements,

- Experience in defining measures according to criticality and risk, involving the ISB,

- Experience in advising the ISB on regulatory requirements and drafting concepts in the ISMS context,

- Experience in monitoring risk development (including policy tracking) and maintaining the IT risk inventory as an essential control instrument of the IT department,

- Experience in developing and monitoring ISMS specifications,

- Collaboration in and for committees inside and outside ITSCare,

- Consulting and active exchange with IT management on IT risk, IT emergency and IT security topics, and in developing risk-reducing measures,

- Experience in developing cyber strategies, accompanying transformations and conducting security assessments,

- Experience in delivering cyber training and awareness measures,

- Experience in reviewing, improving and implementing Information Security Management Systems (ISMS) according to ISO 27001.

Penetration Tester:

The contractor provides the client with operational consulting services at the skill level "Penetration Tester" as a service. The services covered by this consulting include (but are not limited to):

- Experience in planning and executing penetration tests and vulnerability analyses of systems, networks and (web) applications according to OSSTMM, OWASP or specifications agreed in the project scope,

- Experience in advising on the security of systems and networks,

- Experience in preparing, documenting and presenting the results in a written report.

The allocation of the resulting tasks to the contractor's internal resources is at the contractor's discretion, provided that the required skill requirements are met. Regular, scheduled presence at the company's registered office in Frankfurt is required. Where necessary, deployment at any of ITSCare's locations may also be required.

The Buyer:
IT|S|Care – IT-Services für den Gesundheitsmarkt
CPV Code(s):
72000000 - IT services: consulting, software development, Internet and support
79000000 - Business services: law, marketing, consulting, recruitment, printing and security
79212200 - Internal audit services