
IT security at XFAIR

XFAIR IT-Security officer on risks at events and preventive measures

These days, the constant expansion of technical innovations is making ever more complex solutions possible in the most diverse areas of life. However, this also gives the hackers of this world the opportunity to get hold of various data sets using sophisticated strategies. IT security is therefore particularly important in companies whose main business involves the processing of (personal) data. As an IT service provider for events and trade fairs, XFAIR falls precisely into this category. In the following, our IT security officer, Mr Schröder, explains which measures are used both internally and externally to minimise the risk of a data leak.

Mr Schröder, as IT security officer at XFAIR GmbH, you deal on a daily basis with potential risks for various internal and external data records and how these can be restricted. Where do you think these risks are most acute?

Of course, there is always a risk to information security. It is not possible to minimise the risk to zero. However, there is an acute risk in live use at the trade fairs and events themselves. We have a large number of people there, users with very different levels of knowledge about IT security, some of whom are inadequately or not at all trained in the secure use of software. In addition, we sometimes have very confusing situations on site due to the large number of people. There is an increased risk of theft of equipment. There is also a permanent risk of third parties gaining access to the equipment when it is in use. I would therefore see a risk peak during the exhibition period.

In day-to-day business within XFAIR, the risk is relatively constant due to the normal availability of data records from the start to the end of the project. Therefore, I would not see a peak here where you could say it was particularly high at any point in time during the project. Basically, the risk in data processing is by no means zero; there is no such thing as zero in this context. You can only reduce it as much as possible.

What measures does XFAIR take to ensure that these risks are kept as low as possible?

XFAIR recognised very early on that various guidelines, specifications and processes were needed to ensure a certain level of IT security. Here, the three terms that actually come more from the area of data security (GDPR) – availability, integrity and confidentiality – must be ensured. Of course, there is initially a risk of data loss or a leak, meaning personal data ending up somewhere outside the company. Of course, losses in the sense of accidental deletion are also a possibility. This is why there is a wide range of technical and organisational measures (TOMs): from the simplest back-up strategies to security and access concepts to the purchase of services from external partners for security measures.

However, human error remains the greatest risk factor. The most important measure here: Training, training, training. Sensitisation is a top priority. At some point, we realised that a simple ISMS (information security management system) is not enough, as our customers want a higher standard or proof. That’s why we opted for ISO certification in accordance with 27001, which we then implemented in 2022, or rather, had certified in order to be able to demonstrate a certain level of information security. That doesn’t mean that we didn’t already have this requirement, but since the certification, we have official proof.

The ISO certificate is initially valid for three years. This initial certification is followed by two surveillance audits, in which it is checked again whether everything is working and that everything we have claimed is being implemented. From the third year onwards, there is the so-called re-certification, which is more or less like an initial audit, in which you have to prove that you are up to date, have developed further and are at the cutting edge of technology.


So XFAIR is ISO-certified. What does this certification entail and why is it so important for companies in the IT sector?

The ISO standard is an internationally recognised standard that defines certain guidelines, specifications and procedures for products, processes and services. It is therefore a seal of quality, but also makes the whole subject comparable. The ISO 27001 standard is proof that we have implemented a certain level of information security. It defines exactly what guidelines and processes must be in place and what they must contain as a minimum. This means that (potential) customers can easily recognise that XFAIR has a certain level of information security – a minimum level, I should say. This creates a certain level of trust right from the start. Due to the high importance of IT security, it is currently the case that without such certification, you have almost no chance on the market in any tender, because of course there is simply no proof that you can guarantee a certain level of information security. And this ISO certificate fulfils this requirement.

XFAIR is constantly working on the further development of internal and external security measures and regularly trains its staff in everyday measures for the prevention and safe handling of security incidents. If you have any questions about certification and the application of this expertise in everyday trade fair and office life, you can contact us at any time using our contact form. You can find more information on our hardware and software services in the XFAIR blog interviews listed below.


Dirk Schröder
IT-Security Officer
Xfair GmbH

More contributions

The catering app and the value of hospitality at trade fairs


Trade fairs are known to be a gathering place for various experts from a particular industry or people interested in a specific subject area. Regardless of their reasons for attending the event, trade fair visitors are generally open to discussions from a variety of professional backgrounds.
