News and information about verinice.

A new update 1.19.1 has been released for verinice. The new version fixes an error in the VNA export. verinice and verinice.PRO version 1.19.1 are now available for download in the verinice.SHOP or in the customer repository.

Background: Some data models could not or not completely be exported. The update to verinice 1.19.1 is recommended to all customers who encounter problems when exporting information networks of the modernized IT Baseline Protection.

Please also refer to the detailed release notes for version 1.19 for further information.

The agenda for verinice.XP 2020 is online: SerNet will be hosting the conference for verinice users on 26 and 27 February 2020 in Berlin (Radisson Blu Hotel, Karl-Liebknecht-Strasse 3, 10178 Berlin). Reduced Early Bird tickets are available until 14 December 2019. On 25 February there will also be a workshop day (bookable separately): Altogether four Workshops are dedicated to special topics like the conversion of the modernized IT Baseline Protection, the integration of industry standards and data security in verinice.

Using the early bird phase

Karen Kämpf (Federal Office for Information Security) starts of verinice.XP on February 26 with "Minimum Standards according to §8 Abs. 1 BSIG". Andrea Sudbrock (Chamber of Crafts East Westphalia) sheds light on the interaction of external and internal data security representatives. The "Risk analysis between BSI 200-3 and DIN/ISO 27005" is addressed by Kai Wittenburg (neam IT-Services), followed by Martin Peters (Sec2do) with a lecture on "Migration from BSI 100 to BSI 200". Alexander Koderman (SerNet) takes a look at "IT Baseline Protection around the globe: Cybersecurity Framework and NIST SP 800-53" before the day ends with a social event in the conference hotel.

On 27 February, Susanne Aust ("Modernized IT Baseline Protection using the example of the University Hospital Halle (Saale)") and Thomas Skerhutt (Charité Berlin, "Leap through the worlds - the ISMS as a central node in Europe's largest university hospital") will report from two university hospitals where verinice is in use. Also on the agenda are  "Compliant Data Protection Impact Assessment with verinice.PRO" (Robert Raczynski), the "Partial Automation of Risk Analysis according to ISO 27005 through Integration with SecuriCAD" (Ulrich Heun, CARMAO) and the further development of verinice (verinice product owner Michael Flürenbrock).

Reduced Early Bird tickets for the conference are still available until December 14. These cost 399 euros. Starting from 15.12. the regular price lies with 499 euro. Tickets are available over https://www.verinicexp.org

Workshops for using verinice

Following the success of the last few years, workshops are once again being held ahead of the event, this time with a significantly broader range of topics. To be chosen from:

• Integration of further standards in verinice using the example of B3S for Healthcare (Dirk Brand, SILA Consulting)
• Implementation of the modernized IT Baseline Protection in verinice (Ulf Riechen, Riechen Consulting)
• IT Baseline Protection und Datenschutz: Hand in hand with verinice (Inna Thies, Christopher Büttner & Tessa Witzigmann, Cassini Consulting)
• ISO 27001 and Data Protection Module 3 (Tatjana Anisow & Sirin Torun, SerNet)

The number of participants is limited - fast booking pays off. Participation is also possible independently of attending the conference and costs 450 Euro.

The verinice.TEAM releases verinice 1.19, a version optimized for stability and performance in many respects. More than 50 detail improvements and bug fixes especially improve the areas performance, AD import, task workflow as well as report queries and reporting.

All details about verinice 1.19 can be found in the Release Notes, the new features and functions can be discussed directly with other users and the verinice.TEAM in the verinice.FORUM.

Data protection module 3 with data protection impact assessment and risk analysis

Version 3 of the data protection module supports users in implementing the DS-GVO as of verinice 1.19 in the data protection impact assessment and data protection risk analysis. For the risk analysis, the data protection module was extended by data protection-relevant risk scenarios. For better orientation, the legal texts of the DS-GVO, the recitals and the legal texts of the BDSG (new) are included and linked according to the dependencies. 

In addition to the variant for use in the ISM perspective, data protection module 3 will also be available in a few days in a variant for use in the perspective of modernised IT basic protection. Users can thus directly use the module requirements of the IT-Grundschutz Compendium as TOM.

This module is currently only available in German. By early 2020 an English content version will be published at verinice.SHOP.

IT Basic Protection Profiles

verinice 1.19 optimally supports users of the modernized IT-Grundschutz in the creation and use of IT-Grundschutz profiles. All IT-Grundschutz-Profiles published and licensed by the BSI can be downloaded from the verinice website for import into verinice 1.19 in the coming days.

VDA ISA 4.1.1

verinice 1.19 supports the VDA ISA catalog in version 4.1.1 for TISAX in German and English. In the VDA perspective, users can carry out information security assessments including the additional modules prototypes, third party integration and data protection.

After the 32 bit versions for the Linux operating system were discontinued a few months ago, the end for old Windows operating systems that still run on 32 bit will come soon. The verinice 1.19 released after it-sa 2019 will be the last version to include updates for 32bit Windows. The following version verinice 1.20 will be released in spring 2020 and will then only be released as a 64 bit version, just like under Linux and macOS.

SerNet has already stopped selling the 32 bit version for Windows with immediate effect! Only those who still have 32 bit variants running can get updates until spring 2020. 32 bit users are strongly advised to switch to 64 bit as soon as possible.

The SerNet sales team will be happy to answer any questions you may have about this changeover: By e-mail to sales@remove-this.sernet.com and by telephone at +49.551.370000-0.

The next verinice.XP will take place from February 25th to 27th 2020 in Berlin. In the Radisson Blu Hotel (Karl-Liebknecht-Strasse 3, 10178 Berlin) IT decision-makers, security officers and data protection officers from companies, institutions and authorities will gather. Reduced Early Bird tickets will be available in October at https://verinicexp.org, the Call for Papers is open.

verinice is one of the most widely used tools to support information security management (ISMS tool). With verinice.XP, SerNet GmbH as organizer and publisher of verinice brings together users from all industries on the subject of data protection and IT security. 

This year our partners Cassini, neam and SILA-Consulting are also active as sponsors of the conference and are available for technical discussions. 

Call for Papers started

The Orga-Team of verinice.XP is looking forward to your suggestions and presentations. Especially the topics IT security and data protection as well as their implementation with verinice in general are in demand. Specifically, this can take the form of disputes with the Modernized IT Basic Protection, ISO 2700x, PCI DSS, ISIS 12, special industry standards, etc. A program committee decides on the submitted contributions. This are the members of the committee:

• Michael Flürenbrock (SerNet)
• Volker Jacumeit (DIN e.V.),
• Boban Kršić (CISO DENIC eG),
• Isabel Münch (BSI) and
• Jens Syckor (TU Dresden).

Proposals for lectures should be sent by e-mail to cfp@remove-this.verinicexp.org or can be submitted directly to https://verinicexp.org.

Tickets and Program

Tickets are avaible at https://verinicexp.org . In addition to the daily program, participants of verinice.XP can also participate in the social event. This will take place on the evening of 26 February and is intended to promote the exchange between all participants. The venue will be announced soon.
The agenda for verinice.XP will be published at the end of 2019. In addition to the lectures, there will also be opportunities to talk to the verinice.TEAM and inform yourself about the further development of verinice.

Workshops

On February 25, SerNet will hold several workshops on the topics "ISO 27001", "Modernized IT Basic Protection" and "DS-GVO". Participation in these workshops is possible independently of verinice.XP. The costs are 450 Euro. The detailed agenda for both courses will be published soon.

One quarter after version 1.18, SerNet delivers important enhancements in version 1.18.1, for which we don't want to keep our customers waiting any longer. All details with explanatory screenshots can be found in the Release Notes for verinice. The date for the autumn release is already fixed. verinice 1.19 will be released in week 46 (11th - 15th November 2019).

Risk Analysis - BSI-Standard 200-3

The verinice.TEAM further simplifies the risk analysis in verinice 1.18.1 according to BSI standard 200-3. Risk assessment and risk treatment are no longer documented in the individual requirements or safeguards but directly in the respective threats. 

Users can now evaluate and document the risk directly in the threat with and without additional safeguards before and after any risk treatment for a package of safeguards.

The elimination of the previous documentation per safeguards/requirement and its calculation in the threats reduces the effort considerably. In addition to further bug fixes and detail improvements, the new procedure significantly increases performance.

Reporting

The verinice.TEAM publishes the final versions of the Report Templates for the new IT Baseline Protection, which have already been discussed in the verinice.FORUM in recent weeks, and would like to express its thanks to all testers for their constructive feedback. The new or revised report templates will be released exclusively based on the new LTR technology:

The report templates for the Security Assessments according to VDA ISA / TISAX 4.1.0 can now be generated including the spider web diagrams with SVG support.

With verinice 1.18.1, the report templates Risk Management and Risk Treatment for the ISO/ISM Perspective benefit most from the generation via LTR graph technology - customer tests promise a considerably faster generation of reports.

In addition, all report templates are successively internationalized, each report template file only exists once, and additional language versions are made available by simply adding a translation file.

A small but helpful feature is the option to open reports after creation directly from the confirmation dialog, no searching via the file manager is required.

The report queries themselves have also been optimized through caching and other improvements. In particular, the opening of large LTR datasets in verinice and v.Designer has been significantly accelerated.

Webfrontend

Users of the modernized IT Basic Protection can now access the texts of the IT Baseline Protection Compendium in the web frontend under tasks for requirements, safeguards and threats, which greatly simplifies the implementation of the individual tasks.

Hinweise zum Update

Two important hints for verinice users come with the update:

An automatic update of the clients to versions 1.18 and 1.17 was unfortunately not possible due to a platform change! See our HowTo. The update of the verinice.PRO server to version 1.18 can be done automatically as usua

SerNet has released version 1.18 of the open source ISMS tool verinice. The verinice.TEAM presents an extensive update, which is especially relevant for working with the Modernized IT Baseline Protection of the German BSI: An optimized modeling as well as the possibility for preliminary hybrid modeling are decisive innovations. All details with extensive screenshots can be found in the Release Notes. The new version is available in the verinice.SHOP (for standalone users) or in the verinice.PRO repository.

Two important notes for verinice users come with the update:

Automatic client updates are not possible for verinice 1.17 and 1.18! We have compiled all necessary information about manual updates in a HowTo. To update the verinice.PRO server to version 1.18, please use the package manager "yum" as usual (see details on the verinice.PRO update).

The verinice.TEAM has released the first beta version of the Information Security Assessment Version 4.1.0 of the German Association of the Automotive Industry (VDA ISA 4.1.0) for use in verinice. An english version is now also available. The corresponding CSV file can be found in the verinice.FORUM. (Please note: The initial post and the thread are German only, however the link for the English beta version is embedded.)

The current version can already be integrated into verinice and be used for asssessments. However, users should note that this beta version is explicitly intended for testing and not for productive use!

In addition, the following restrictions apply:

• Module 24 Data Protection cannot yet be documented (supported with verinice 1.18 from week 15 2019).
• The report templates will be supplemented by the modules 23 Third Party Integration and 25 Prototype Protection. They will be made available in the coming weeks (see Extension of the VDA ISA Report Templates for Version 4.1.0 1 – again: thread in German only).

All relevant notes as well as further details are also compiled in the corresponding thread in the verinice.FORUM. The verinice.TEAM is looking forward to feedback and a lively discussion.

The verinice.TEAM changes its release planning as of 2019: Two new versions will be released this year, the dates for a spring and an autumn release have already been set. Features for the respective versions will be presented in the verinice.FORUM (German only atm). 

The following release dates are planned:

• verinice 1.18 in week 15 (8. - 12. April 2019)
• verinice 1.19 in week 46 (11. - 15. November 2019)

In the "Roadmap" category (German only atm) in the verinice.FORUM, users can take a look at the features for future versions. They can also propose new features themselves or discuss specifications for already proposed features with the team and other verinice users.

The aim of the dates set and communicated at an early stage is to provide planning security and to be able to schedule updates of productive verinice systems in advance. As before, a feature freeze takes place one month before the release to ensure a thorough test phase.

The user's demand for a fast integration of the German Modernized Baseline Security framework by BSI made a new sub-release 1.17.2 of verinice. and verinice.PRO necessary. Detailed information about bugs and the applied solutions are available in our release notes. 

A new version of verinice-Client has been provided in our verinice.SHOP for download. Subscribers of verinice.PRO will find the new version 1.17.2 in the respective repositories. 

This update is mandatory for users of the Modernized Baseline Security framework.