News and information about verinice.

We add some excitement the contemplative pre-Christmas period: On December 1, the public beta of the product "verinice DPMS" on the long-awaited new verinice.veo platform starts. Until March 1, you have the opportunity to test the fully web-based data protection manager free of charge and without obligation. Access is available here: https://account.verinice.com/. The team is looking forward to feedback!

0 € until March 2023 

verinice.veo is the next generation of verinice. As the first product on the new platform, interested parties can get to know "verinice DPMS" in a public test phase starting December 1, 2022. The verinice.veo data protection manager maps a complete data protection management system (DPMS). You can use it to manage the requirements of the GDPR in your institution and effectively ensure compliance. A comprehensively designed demo unit offers a detailed briefing on the concept and usage options of the data protection manager. During the public beta, you have free access to the full DPMS tool in the standalone version until March 1, 2023, and can get a first impression.

Important functional components of the DMS include:

• Directory of processing activities
• Appointment of data protection officers
• Commissioned data processing and data protection contracts
• Risk management and data protection impact assessment
• Data protection incident management
• Technical and Organisational Measures (TOM)
• Contract and document management

Feedback wanted!

Truly in the tradition of verinice, verinice.veo will continue to evolve along the needs of users. For this purpose, we would like to enter into an intensive dialog with you. We look forward to your feedback to make verinice.veo even better. Discuss with us and other beta testers in the verinice.FORUM: https://forum.verinice.com/veo.

What's next

Over the next few months, the team will first deploy the multi-user per-client version. This will be followed by the version for multiple clients ("units") per client. An on-prem version for one's own data center or for operation at one's trusted hoster is expected to be available in the second quarter of 2023. In the fourth quarter of 2023, we will also release the product "verinice ISMS" into the wild, first for BSI IT Baseline Protection and immediately thereafter for ISO 27001. The necessary points of interaction of data protection in the DPMS tool with information security in the ISMS tool are consistently included in verinice.veo from the very beginning.

New dates for verinice webinars introducing how to "Establish an ISMS according to ISO 27001 in verinice.PRO" are available. Thus, the verinice.TEAM offers the opportunity to get to know the tool for information security management and to ask questions directly to the verinice makers in the first half of 2023.

The presentation will take place via GoTo Webinar, please register directly there. You can also find further information on our webinar info page.

The verinice.TEAM has also recorded webinars: Interested parties can also watch these to get a first insight into the ISMS tool and the concrete implementation. All videos are compiled at verinice.com/media (mainly in German). Questions can be sent to verinice@remove-this.sernet.de. 

Emergency management has found its way into the ISMS tool verinice and verinice.PRO. As of version 1.25, the Business Continuity Management (BCM) in verinice can be documented based on the BSI standard 200-4 or the international standard ISO 22301. The new version is available for download in the verinice.SHOP or in the customer repository. In total, the verinice.TEAM is delivering around 70 new features, detail changes and bug fixes with verinice 1.25. All changes in detail are listed in the Release Notes.

Identify core processes, capture criticality data, define failure scenarios and determine relevant systems for restart - all this can now be done directly in the IT baseline protection or ISO-ISM perspective. Implementing emergency management directly in the familiar perspectives offers numerous advantages. Tatjana Anisow, product owner verinice: "Users who already maintain their ISMS with verinice can continue to work with data that has already been collected and supplement it with the necessary information for BCM." This synergy between ISMS and BCMS is also interesting for newcomers or first-time users, simplifies the recording and leads to a more efficient, concise procedure. "verinice brings information security, emergency planning and data protection together," says Anisow. This also enables IT security officers, BCM officers and data protection officers to work hand in hand.

"Especially in the area of BCM, we will deliver a lot more in the coming verinice versions," Anisow indicates. She is responsible for the further development of verinice and announces, among other things, the fine-tuning with finalisation of the BSI standard 200-4 as well as an extensive sample organisation including standard reports as an additional module. The sample organisation will be available independently of verinice releases via the verinice.SHOP and aims to considerably simplify work for emergency management.

Do you need support with the update to verinice 1.25? Please contact the verinice team if you have an existing support contract or purchase a support budget via the verinice.SHOP.

The verinice team is also working intensively on verinice.veo, which will enter public beta by the end of the year with verinice.veo DSMS as the first product. More information is available at: verinice.com/veo

.

Also this year verinice will be present at the it-sa in Nuremberg. This time, the largest trade fair in Europe on the subject of IT security will take place from October 25 to 27, 2022. You will find the verinice.TEAM of SerNet GmbH together with the partners Cassini and sila consulting in hall 7 booth 107.

At it-sa you will receive information about the verinice products as well as about the different services of the verinice. PARTNERS like the setup of an ISMS, consulting on standards like BSI IT-Grundschutz, ISO 27001 and much more.

We would be happy to give you an insight into our latest tool verinice.veo DSMS. You can talk to Michael Flürenbrock (verinice.veo Product Owner) and Daniel Murygin (technical development manager) about the next steps and the future of verinice.veo.

Would you like to make an appointment with us or one of our partners in advance? Then please send us an email to itsa@remove-this.sernet.de.

Get your free day ticket now!
Explore it-sa and visit us at our booth with a free ticket - we will gladly send you an individual registration link. Just send us an e-mail to itsa@remove-this.sernet.de. We are looking forward to seeing you!

From now on verinice and verinice.PRO version 1.24.1 are available for download in the verinice.SHOP or in the customer repository. The verinice.TEAM provides more than 40 new features, detail changes and bug fixes with verinice 1.24.1. Detailed information can be found in the Release Notes.

Central innovation in verinice 1.24.1 is the referencing of building blocks in the modernized BSI IT-Grundschutz, which is now simplified and visually highlighted. With building block referencing, it is possible to use building blocks already modeled in the information network for several target objects at the same time. This reduces both the effort required for editing and maintaining the modules and the number of modules contained in the information network. In the process, the target objects for which a building block referencing exists are clearly marked.

From this version on, the Windows client is delivered signed. The use of verinice is also supported on a current MacBook with an M1 processor.

Due to security vulnerabilities in older log4j versions, a switch to reload4j is made with verinice 1.24.1.

NOTE: verinice 1.24.1 is the most current version. After an update to verinice 1.24, multiple IDs were displayed in the client behind the names of the objects. This feature, intended for debugging, caused unwanted noise, but no errors in the application and verinice could be used as usual. The problem also did not occur with a new installation - nevertheless, the team provided a new version 1.24.1.

If you need help updating to verinice 1.24.1, do not hesitate to contact us at verinice@remove-this.sernet.de – you can also use the verinice forum for exchanges with the verinice team as well as other users. 

Last week, a vulnerability - now known as Spring4Shell - was discovered in the Spring framework. It is registered as CVE-2022-22965, technical details can be found in this article, among others: https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/

verinice.PRO is only affected under certain conditions: Only if the verinice-REST-Service is installed on the server. In a standard installation of verinice.PRO, the verinice REST service is generally not included. The verinice single-user version is not affected by this vulnerability at all.

Since the verinice REST service can be affected by the vulnerability under certain circumstances, the verinice team has created a new version of this application. This closes the vulnerability and is available via the verinice GitHub repository: https://github.com/SerNet/verinice-rest-service/releases/tag/0.5. We recommend updating to this new version 0.5 if you have the verinice REST service installed.

Please contact our support if you have further questions or need help.

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) are working to update the ISO/IEC 2700x family. ISO/IEC 27001:2022 is expected to be published between May and October 2022 – the revised ISO/IEC 27002:2022 has been available since February 15, 2022. There will also be changes for verinice users who operate an ISMS according to ISO 27001 using the open source ISMS tool from SerNet GmbH.

Foreseeable for ISO/IEC 27001:2022 is already: while the management requirements for the ISMS in chapters 4 to 10 offer little that is new, Annex A has been extensively revised with now four chapters and 93 instead of 114 normative controls.

The "ISO 27002:2022 Information security, cybersecurity and privacy protection – Information security controls", published in mid-February 2022, now contains guidelines for the implementation of the controls on organizational, physical, personnel and technical aspects in 4 instead of 14 chapters. The decisive factor here is that no control remains unchanged compared to the previous version. Specifically, one control has been dropped, 56 controls have been combined into 24 controls, 11 controls are new and all others have been reformulated. Also new in Annex A is the consideration of attributes for Control Type, Information Security Properties, Cybersecurity Concepts, Operational Capabilities and Security Domains, Annex B finally contains a mapping of the old to the new controls.

The verinice.TEAM is working on the implementation in verinice. Yet, this cannot be done comprehensively until the certifiable ISO/IEC 27001 is published. After the final release of the new versions, a transition period will apply to bring the ISMS up to date. However, the verinice team recommends that all those who operate an ISMS in accordance with ISO 27001 deal with the updates at an early stage and, if necessary, involve the verinice partners in the migration in a supportive manner.

The Orga Committee has published the agenda for the verinice.XP. The conference for users of the open source ISMS tool will take place on February 23, 2022 - digitally and free of charge. In addition, the verinice team will introduce verinice.veo - the next generation verinice. Tickets for verinice.XP 2022 are available at https://verinicexp.org. The detailed agenda is also presented here

The program at a glance

With "Innovations in the B3S health care in the hospital as well as the starter package § 75c SGB V" Marion Beck (German Hospital Association) opens the conference day.  A practical look at the "Security Management in the hospital" and for this the integration of the open source tools verinice and KIX casts Rico Barth (c.a.p.e IT).

Maximilian Stadler and Marc Drechsler (both Cassini Consulting) deliver the impulse lecture "With holistic planning to organizational resilience".  Frederik von Zedlitz (Cassini Consulting) talks about the "Interplay of confidentiality and information security" and the benefits of verinice for this.

Viktor Rechel (secuvera) will talk about penetration testing as part of an ISMS - basics, relevance and possible approaches. Christian Breitenstrom (UNeedSecurity) addresses "Cloud Compliance in verinice - M365 Compliance Manager" with a focus on the Cloud Computing Compliance Controls Catalogue (C5), which is available as an add-on module for verinice. Horst Pittner (Secianus) takes on the mapping of the iKfz3 procedure in verinice as a solution for representing the enormous security requirements for the registration offices for the operation of the iKfz procedures. The possibilities of an analysis of the IT baseline protection standard with graph databases are shown by Alexander Koderman (verinice team, SerNet). He suggests countering the increasing workload of compliance officers with automation and using new evaluation options and insights for this purpose.

Presenting verinice.veo – the next generation verinice

The verinice.XP is an opportunity to get a first look at verinice.veo. SerNet is working on the second generation of the ISMS tool verinice, combining the technical strengths of the proven ISMS tool with the latest web technology as a software-as-a-service (SaaS) solution. Sirin Torun (SerNet / verinice.TEAM) will present the verinice.veo data protection manager. The DSMS tool for web-based data protection management according to DSGVO will soon be offered as the first product on the new platform for single use in companies and public authorities.

verinice.veo will replace the previous ISMS tool verinice within the next five years. The migration of existing modelling e.g. according to ISO 27001, BSI IT baseline protection or VDA-ISA/TISAX will then enable users to switch directly to the new generation of the ISMS tool. The roadmap for both the existing verinice and verinice.veo will be presented by Michael Flürenbrock.

Workshops on 22.02.

Workshops on data protection and IT baseline protection with verinice are also scheduled for the day before the conference (Tuesday, February 22, 2022). In small groups of participants, they are intended to enable an intensive exchange with expert colleagues and speakers.

The cost of attending one of the full-day workshops is 450 euros. Booking is available through the conference site at verinicexp.org. An up-to-date verinice single-user version will be available for download for active participation in the workshops. Participation is possible independently of verinice.XP.

About the verinice.XP

For years, verinice.XP has been bringing together IT decision-makers, security managers and data protection officers from companies, institutions and public authorities. They are all united by the use of verinice for the management of information security or data protection.

ATTENTION: The release date of verinice 1.24 had to be moved to mid-May.

The verinice team plans the release of version 1.24 for the end of April 2022. The feature freeze will occur in early April to ensure an extensive testing period. Users can discuss verinice 1.24 as well as other upcoming versions with the team in the community area. In addition, they can suggest new features there themselves or debate details about features already suggested.

We are happy to assist you with an update to verinice 1.24 as part of a support contract or a support budget. To do so, please contact us early to arrange an appointment.

Independent of the release, the new IT baseline protection compendium of the BSI will also be made available for verinice directly after its publication. The expected timeframe for this is the beginning of February 2022.

At this year's verinice.XP (February 23 & 24, 2022), which will also take place digitally, the verinice team will present the first version of verinice.veo.