Information Security at LBBW

For Landesbank Baden-Württemberg (LBBW), the security of IT processing is a central component of its business policy. Ensuring the confidentiality, availability and integrity of information processing is crucial to our business success and that of our customers. For this very reason, LBBW has implemented a Group-wide Information Security Management System (ISMS) consisting of organizational regulations and up-to-date technical precautions.

Organization: A key component of LBBW's ISMS is the information security regulations based on the ISO 27001 standard, which the Chief Information Security Officer (CISO) uses on behalf of the Board of Managing Directors to define an appropriate level of information security that meets both regulatory and statutory requirements and is valid throughout the Group (including foreign branches and subsidiaries).

Reporting: Regular reporting by the CISO to the Management Board and other management bodies (e.g. Supervisory Board, IT-Security Board) is ensured. The reporting includes, among other things, a presentation of the audits carried out, the current risks, security-relevant incidents and measures already implemented and planned. Close involvement of the management level in the ISMS ensures that information security and the associated risks within the Group are considered appropriately and that there is sufficient security awareness.

Information risk management (IRM): The responsible handling of information from customers and business partners requires a regular process of identifying, assessing and managing information security risks. Actively dealing with these risks contributes to functioning business processes and averts potential damage to the bank.

Information security audits: The implementation of the information security policy is regularly reviewed through internal audits. The audits cover internal areas as well as subsidiaries and suppliers. In addition, an independent external audit is carried out at least every two years. Penetration tests and vulnerability scans are also carried out regularly for all relevant systems and applications.

Access and authorization management: Access and authorization management ensures that each employee has only the access rights and authorizations required to complete their tasks, in accordance with the "need to know" and "need to have" principles. The assigned rights are regularly recertified.

Security systems: Firewalls are used at all network transitions to separate the various security zones and environments in the network. The firewall at the Internet gateway is multi-tiered, and connections from the Internet are always terminated in a demilitarized zone (DMZ). The firewalls have modules for analyzing attack patterns and detecting anomalies in network traffic; these are updated promptly when new attack patterns emerge. The Internet connection is protected by a service that defends against distributed denial of service (DDoS) attacks. The service analyzes network traffic on the basis of statistical evaluations and signatures and can initiate countermeasures for the services accessible via the Internet if anomalies are detected or threshold values are exceeded.

Monitoring systems: LBBW has implemented several monitoring systems, such as SIEM and NuKo. Security Information and Event Management (SIEM) is a system for the central collection, transmission, storage and evaluation of log data from network components, operating systems and applications; its aim is to identify suspicious network activity. As part of usage controls (NuKo), data traffic (mail traffic, cloud services, etc.) is regularly evaluated and analyzed, and this monitoring is used to detect leaks of sensitive information. If fraudulent activities are detected, these monitoring systems can be used to initiate appropriate countermeasures.

Threat intelligence & incident response planning: Information security emergency procedures typical of the industry or required by regulation, both preventive and reactive, are also established at LBBW. LBBW uses threat intelligence to obtain early, evidence-based information about cyber attacks and incidents and to analyze it. This creates an early warning system that reduces the risk of security incidents.

Training & awareness: LBBW ensures that individuals who carry out activities with an impact on the organization's information security performance have the necessary skills based on appropriate education, training or experience. In addition, great importance is attached to raising employee awareness (both internally and externally). This is implemented through comprehensive training and communication concepts as well as regular phishing simulations.

Do you have questions about information security at LBBW?

Please contact us.

Martin Hohloch

Chief Information Security Officer (CISO)
