Case Study – Huf Hülsbeck & Fürst GmbH

Huf Gruppe - Informationssicherheitsmanagement

Well prepared to achieve international Certifications after the successful Implementation of an integrated Information Security Management System (ISMS).

One highlight of the security management project of the Huf Hülsbeck & Fürst GmbH & Co. KG company located in Velbert, headquarter of the Huf corporate group, is the successful ISO 27001 certification executed by the TÜV Nord in December 2010. The Huf group was able to impressively prove the establishment of a standardized information security management system, even if the company operates in several international locations and the client requirements with regard to the information and product protection are very high. Assisted by the security experts of the WMC company the QSEC-Suite, an integrated ISMS solution, was successfully implemented and integrated in the daily operations.
In October 2010 even when several subprojects were implemented in parallel the Huf company with its headquarter in Velbert faced to the strict certification guidelines of the TÜV Nord organization. At this point in time all ongoing projects were running at such a high maturity level that the responsible persons were looking forward to the audit optimistically.

Initial Situation
When the project started at the beginning of 2008 the Huf group was celebrating its 100th anniversary. The company founded in 1908 to produce, purchase and sell locks, fittings, ironmongery and brazen goods now globally develops and produces mechanical and electronic locksets and authorization systems, for nearly all well-known vehicle brands. Within the locking systems it holds an international market share of 20 percent which makes the Huf group to be the global market leader in this segment.
When cooperating with the renowned customers the key issue is to protect and secure the product and the information. To cope with both the Huf group requirements and the ones of its customers a full scope security management (SMS) is indispensable. One must meet the legal requirements and exclude any possible liability risk to the greatest possible extent.
An integrated security management means to involve all departments of a company. Each individual staff member must be made aware of any possible risk.
The challenge here: from the very beginning the concept of the SMS shall include the globally, centralized control of a heterogeneous IT landscape, i.e. the commercial and development systems. This now allows to cooperate during the global development of security concepts.

Project Launch and Self-Assessment
At first, the interdisciplinary teams to control and implement the project were defined under the project management of the Huf group as a customer and in cooperation with the WMC GmbH company. The main focus included the security standards on the IT infrastructure, the program development and site security defined by the Huf headquarter which shall be globally applied in the future.
Based on its long-term expertise on all aspects of an integrated information security and IT risk management the WMC GmbH company was selected and entrusted to implement the project. One good reason for the assignment was that the WMC company is the software producer of the QSEC Suite which allows to fully implement an SMS together with a compliance, IT risk, measures, incident and document management.

The project started with an intensive self-assessment. The initial position of the security level is determined and the related discrepancies with regard to the scope and the requirements set by the customers are defined.
In addition, the self-assessment is the base to decide on the following subprojects:
The top priority is to establish a security management in the headquarter located in Velbert. Only those items which were successfully introduced and implemented will have an effect to further locations and organizational units of the Huf group.
All concerned are confronted with comprehensive tasks. First of all, one must define the ‘Organization of the Security‘. All necessary guidelines which are applicable and valid for the entire corporate group must be drafted together will all necessary locally valid policies. All security-relevant procedures must be checked on the technical aspects in detail to establish a unified approach to analyze the risks which are based on the operative business in accordance with the ISO 27005 standard in the company on a long-term.

A further subproject includes the introduction and implementation of service and support structures following the ITIL practises.
To do so it includes:

  • To integrate the currently used software solution to administer the inventory data and tickets
  • To define service agreements based on the results of the risk analysis
  • To define an incident management process
  • To define a change management
  • To define and develop the necessary roles, responsibilities and escalation hierarchies with regard to the company structures
All measures to minimize, convert and avoid risks cannot be substantiated before all policies, agreements and processes have been described in detail.
The project team then spends some time on Business Continuity Management-compliant contingency plans with regard to the process-supporting IT. Plans that already exist will be consolidated and, based on the executed risk analysis, checked on their effectiveness.

Once the project progressed that far it was possible to launch the rollout concept for the international locations. At first, all policies defined for the parent company shall be rolled out without neglecting the link to the defined service and support structures.

What has been achieved since the launch of the project?
It was possible to systematically, sustainably and continuously monitor, control and improve the targets on the company security in accordance with the acknowledged Plan-Do-Check-Act (PDCA) approach and the underlaying process maturity model following the (Automotive-)SPICE methodology. And not only that: all security principles and guidelines are the fundamentals of the daily business for all concerned. The staff members have been made aware on the necessary security precautions.

The centralized control instance of the security management in the Velbert headquarter had a vital influence on the global cooperation when drafting the security concepts. Each international Huf location shall be able to be confronted with the strict certification audits in accordance with the ISO/IEC 27001/2 and ISO IEC 27005 standards.

All legal requirements with regard to the liability risk are met and the IT infrastructure is globally secure because of the knowledge about company-wide threats and adequate planning how to encounter the risks.
Together with the current certification of the Velbert headquarter the first international certification of a Spanish subsidiary could be finalized in November 2010. An important step, to be continued.

What is the further planning and what are the next targets?
Mr. Bernd Herrmann, Manager of Corporate Risk & Security Management: “We mainly focus on the full integration of all international locations of the Huf group concerning the corporate security including the SMS. During the course of the next year we fully concentrate on the development of the strategic IT risk and business continuity management.”

The Project at a Glance

Despite the internationality the principles and guidelines of the information security can be centrally checked and controlled in accordance with the legal requirements assisted by an integrated information security management systems. All security incidents are handled centrally, precautions and solutions to maintain the security are globally valid. There is a common understanding with regard to the operative risks in place.

Project Duration
24 months for the implementation of the information security management system and its move into production at the Velbert site including the definition of the framework for the international locations.

The Company
Huf Hülsbeck & Fürst GmbH
The Huf Hülsbeck & Fürst GmbH company globally develops and produces mechanical and electronic lock systems, authorizations systems, passive-entry systems, vehicle access systems, door handle systems, systems for tailgates and boot lids.
Within the locking systems it holds an international market share of 20 percent which makes the Huf group to be the global market leader in this segment.
Currently, the Huf group employs 5.000 employees located in 16 countries worldwide. More than 300 designers are engaged in offices located in Germany, in the USA, in China, in Brazil and in Korea.

You can download here the Casy Study  “Information Security Management” by Huf Group