Quality and security
Holistic quality and information security management
Quality and security are of the utmost importance to us. Because your trust is important to us and we strive for a high security standard, we have been certified according to DIN EN ISO/IEC 27001.
Certified Management System
Projektron has an integrated management system that covers comprehensive quality and information security measures. Since 2008, we have been operating a quality management system based on ISO 9001 that covers the entire value chain and product life cycle – from the product idea to development, testing, documentation, and commissioning at the customer's site, as well as customer support. In 2017, we also implemented an information security management system (ISMS) according to ISO 27001.
At the beginning of 2018, we received ISO 27001 certification from TÜV SÜD, and in 2021 we were recertified according to DIN EN ISO/IEC 27001:2017. In 2024, we were awarded ISO/IEC 27001:2013 certification by TÜV Rheinland, with a scope covering development, support, IT services and internal IT administration. We strive to be an excellent company in the sense of the EFQM model and plan to achieve ISO 9001 certification.
The general goals of information security apply to all areas of our company:
Our management systems include all relevant provisions and guidelines for data protection, health protection, environmental protection, occupational safety and fire protection, as well as information security. The ISMS has anchored information security in the company's organizational structure and established important processes such as risk management.
Organizational measures for information security
Staff training and professional development: All employees receive regular information security awareness training. These training sessions serve to refresh and update knowledge on current topics. New employees receive appropriate training during their induction period. In addition, employees receive needs-based training to raise awareness of information security objectives and risks.
Emergency management and system audits: In order to respond quickly to security incidents and limit the potential damage, emergency response concepts have been developed and documented in emergency response manuals. In addition, annual system audits are carried out to ensure a structured security review of all IT services. The focus here is on risk assessment, access rights and encryption.
Data protection and information security management: Projektron uses a data protection management system (DSMS) in accordance with the EU General Data Protection Regulation (EU GDPR). A special team, consisting of ISMS officers, works actively on information security and the associated processes. This team continuously ensures compliance with the security objectives. In addition, a team of experts has been put together in the company to deal with current topics in IT security and security in development.
Highest security standards – TISAX® certification process
With TISAX (Trusted Information Security Assessment Exchange), the ENX Association supports, on behalf of the VDA, the common acceptance of information security assessments in the automotive industry. TISAX assessments are conducted by accredited audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public.
For Projektron GmbH, the confidentiality, availability and integrity of information are of great value. We have taken extensive measures to protect sensitive and confidential information. We therefore follow the information security question catalogue of the German Association of the Automotive Industry (VDA ISA). The assessment was conducted by an audit provider, in this case the TISAX audit provider TÜV SÜD Management Service GmbH. The result can be retrieved exclusively via the ENX Portal.
Quality management
We systematically survey and evaluate customer wishes and requirements regarding Projektron BCS and our services to ensure that the quality demands of our customers of all sizes and in all industries are fully met to their satisfaction. Regular recording and analysis serves as a starting point for the continuous improvement of our products, services and our company as a whole. This is how we continue to develop as a learning organization.
IT administration
Our internal IT administration also takes information security very seriously. We use state-of-the-art technology to secure our systems and continuously update our security measures.
The measures we take to secure our systems in IT administration
Central software distribution and endpoint security
Central software distribution: The software required on the operating computers is distributed centrally and kept up to date.
Antivirus and antimalware software: The antivirus and antimalware programs that are always in use on all end devices are regularly updated.
Patch management: Security updates and patches for operating systems and applications are regularly installed.
Network and perimeter security
Redundant network technology: Internet lines, firewalls and central switches are redundant.
Firewalls: Firewalls are used to control data traffic.
Network segmentation: Networks are divided into separate segments to restrict access to critical systems and prevent attacks from spreading.
VPN: VPN access is available to employees for mobile working. VPNs are used for secure remote access to internal systems.
Monitoring / security monitoring
Internal services are monitored permanently to ensure availability and to be able to react quickly to problems.
Access control and authentication
Least privilege principle: Access rights are granted based on the principle of minimal authorization, so that users can only access the resources they actually need.
Role-based access control (RBAC): Role-based access controls have been implemented to restrict access to sensitive information.
Data encryption and security
Cryptography: Compliance with the recommendations of the BSI Technical Guidelines (BSI TR-02102) is audited annually.
Internal certification authority: Internal services are encrypted using certificates issued by our own certification authority.
Encryption during transmission: Encryption technologies are used to protect data during transmission.
Email security and backups
Email security: Incoming mail traffic is monitored and, in case of doubt, initially placed in quarantine.
Backup & recovery: Internal services are backed up daily and can be quickly restored to the state of the last backup. The recovery process is tested every six months.
Organizational measures
Regular training: We provide training for IT staff and end users on the latest security threats and best practices.
Security awareness programs: We run continuous programs to raise employee awareness of information security.
Documented security policies: Security policies and procedures are created, documented and regularly updated.
Compliance: We ensure compliance with relevant legal and regulatory requirements as well as internal security policies.
Procedural measures
Incident response and emergency management: We have emergency plans in place that include measures to restore systems in the event of an incident. We regularly conduct exercises to prepare for security incidents and review the effectiveness of our emergency plans.
Risk and vulnerability management: We regularly conduct risk assessments to identify and evaluate potential threats. We have implemented a process to detect, assess and rectify vulnerabilities in the IT infrastructure.
Support
We use our own support portal to provide technical support to our customers. In doing so, we always pay attention to the quality and, above all, the security of the information we handle.
Our measures for security when handling information in support
Support portal and configuration management
Support portal: The support portal for customers is used for the secure exchange of information and the transfer of data. Communication takes place via tickets, with the exchanged data stored in an internal system.
Configuration versioning service (CVS): The configuration versioning service (CVS) is a central configuration store for customers and for Projektron itself. The configurations are managed within an SVN repository.
Authentication and access control
Access authorization: The customer's contact persons have personalized access to the support portal.
Strong authentication: Two-factor authentication (2FA) is used to access the support portal.
Role-based access control (RBAC): Access rights are assigned based on the roles of the users in order to restrict access to sensitive information.
Secure password policies: We have implemented secure password policies, including minimum length, complexity, and regular change.
Encryption and data protection
Encryption: Access to the support portal is only possible via an encrypted connection.
Data minimization: Only the customer data necessary for order processing is collected and stored in the system.
End-to-end encryption: It is ensured that data is encrypted during the entire communication between customers and support staff via the support portal.
Data protection compliant processes: Processes have been implemented in accordance with the General Data Protection Regulation (GDPR) and other relevant data protection laws. These processes are consistently adhered to.
Staff training and security information
Security information for customers: We regularly provide security-related information for customers within the support portal.
Further training for our employees: Our support staff receive regular and needs-based further training on the security of the software used and on interfaces to third-party systems that can be connected to Projektron BCS.
Regular training: Support staff receive regular training on the topics of information security, data protection and the secure handling of customer data, and are made aware of the issues.
Awareness programs: We continuously implement programs to promote security awareness and compliance with security policies.
Procedural measures and emergency management
Logging and monitoring: All activities in the support portal are logged in detail, and the logs are regularly checked for suspicious activity.
Security policies and procedures: Policies and procedures for information security in the support portal are consistently enforced and continuously adapted. In addition, security reviews and audits are regularly carried out to ensure compliance with security standards.
Incident response and emergency plans: We follow a clear process for reporting, analyzing and rectifying security incidents. We have emergency plans in place in the event of a security incident, which are regularly updated.
Customer data management and anonymization: To increase the protection of customer data, we anonymize or pseudonymize data wherever possible.
Information security in BCS development and hosting
In addition to efficient business processes, secure software development is the core of our company and our web-based project management software.
Measures for information security in product development and hosting