Information security / Cyber security

The Group's strategy is based on comprehensive risk management. Information technology (IT) is an essential component of supporting HOCHTIEF's business activities. For this reason, the security of IT systems and data is given a very high priority.

Achieving an appropriate level of security in the use of information technology through technical and organizational security measures is not only required by legal provisions, but is also part of HOCHTIEF's obligations towards its customers and business partners and serves the protection of its own interests. Security in the use of information technology is therefore in the interest of all parties and is thus an important objective for HOCHTIEF.

The goals to be achieved are in particular:

  • Compliance with legal and contractual obligations
  • Compliance with internal and external requirements
  • Protection against access by unauthorized persons
  • Protection against manipulation of data
  • Adequate availability of data and systems

All security objectives relate directly to HOCHTIEF Aktiengesellschaft and its subsidiaries. In the case of minority shareholdings, HOCHTIEF ensures that these companies have equivalent goals and measures.


Information Security Management Program

The "HOCHTIEF Information Security Management Program" describes the positioning of information security at HOCHTIEF. At HOCHTIEF, it is the framework for developing, implementing and managing security policies and practices.

The content of the Information Security Management Program is continuously adapted to the changing threat landscape and technological requirements. The program has the goal of continuing to avoid security breaches. It refers to the company's own activities, but also makes clear the standards that HOCHTIEF sets for its business partners.

With the following components, the Information Security Management Program aims to protect the integrity, availability and confidentiality of information at HOCHTIEF over the entire life cycle and thus protect against unwanted access, changes, disclosure, disruption or deletion.

Security organization

The planning, implementation and maintenance of information security is ensured by the Information Security Organization, which supports the Executive Board; the Executive Board in turn is overseen by the Supervisory Board.

In the Executive Board, the CEO is responsible for information security. An external CISO as a Service completes the organization at the management level.

In the Supervisory Board, the topic of Information Security / Cybersecurity is part of the Sustainability / Corporate Responsibility topic and is thus anchored in the Audit/Sustainability Committee. The Audit/Sustainability Committee, including Prof. Dr. Mirja Steinkamp, has the appropriate technical expertise.

The members of the Supervisory Board and Executive Board have extensive experience in managing risks, including the assessment of information security / cybersecurity risks, gained through many years of work in various companies and positions.

The Information Security Organization consists of

  • the Chief Information Security Officer (CISO) of HOCHTIEF Aktiengesellschaft, and
  • CISOs of the Divisions (CISO Divisions) with their sub-organizations.

The Chief Information Security Officer (CISO) of HOCHTIEF Aktiengesellschaft reports directly to the member of the Executive Board responsible for Information Security. secunet Security Networks AG, as the leading cybersecurity company in Germany, provides the CISO as external CISO as a Service as part of a contractually agreed service for HOCHTIEF.

HOCHTIEF works closely with leading IT security service providers on the basis of framework agreements in conceptual and operational matters. This long-standing cooperation guarantees access to additional professional advice and support from trained and experienced specialists across the broad and deep field of information security. This service is used not only for conceptual consulting, but also for the assessment of security risks, support in the event of security incidents and decision-making in the various committees.

The Information Security Organization is provided with sufficient financial and time resources to carry out its information security tasks properly. Sound knowledge and experience are a prerequisite for internal managers but also for external consultants.

To ensure that all departments within the organization drive forward the topic of information security in the interests of the Executive Board, the Executive Board delegates implementation responsibility to the divisions (Information Security Policy as part of the IT Directive).

This information security organization enables the Executive Board to be regularly informed about cyber risks, the current security strategy and trends. Thanks to this integration, alignment of the information security strategy with the business strategy is ensured.

Monitoring, Risk Assessment and Reporting (Vulnerability Analysis / Reporting)

Through active and continuous observation of the threat situation and the identification, evaluation, classification and prioritization of threats and vulnerabilities, effective risk management is established, the IT infrastructure and the associated processes are continuously adapted to changing requirements, and potential damage is minimized.

To achieve this goal, the following measures have been implemented, among others:

  • Continuous search for threats and vulnerabilities based on newsletters, the evaluation of CVE reporting and the use of professional threat reporting teams.
  • As part of supply chain management, the structured evaluation of resources provided by third parties (consultants, software, hardware, providers, cloud services, etc.) with relevance to IT-supported business processes.
  • Monitoring and detection systems at various points within the IT infrastructure that analyze network traffic for suspicious activity, preventing unauthorized access and targeted attacks.
  • Security event management systems that correlate events to detect anomalies 24x7x365, enabling a rapid response to any security incident.
  • Regular automated and manual penetration testing
  • Periodic internal audits, which detect deviations in security settings and improve the effectiveness of the preventive measures.
  • Processes for evaluating internal exemption requests.
  • Structured evaluation of new requirements before test, pilot or productive operation.

Regular reporting on the security status of the organization, as well as situational communication on threats and incidents, serves to provide structured information to the responsible stakeholders. In addition to the threat situation, the impact and the measures taken to minimize risk, the reporting also includes measures to avoid future risks.

Reporting and escalation processes (Report of incidents, vulnerabilities and suspicious activities)

Defined and communicated reporting and escalation processes regarding suspicious activities, vulnerabilities or incidents guarantee adequate response times and the structured involvement of the responsible authorities. The HelpDesk is trained to take adequate immediate measures.

Security awareness and training (Information Security Awareness Training)

Information security is not only a technical but also a human matter. For this reason, continuous training and awareness-raising are carried out at all levels of the organization, ensuring that each employee knows their role in the protection of information and the importance of complying with the established policies.

Information security is a shared responsibility and an ongoing commitment, so current challenges of the digital environment are also included to ensure asset protection and stakeholder trust.

Training in the field of information security / cybersecurity includes mandatory general training, update training as a refresher and special training on current topics or areas (e.g. phishing). A further aim of all these activities is that, through suitable and target-oriented training measures, employees come to accept and actively use the departments responsible for information security as their points of contact.

Technical Controls (Technical Measures)

The use of technical solutions, such as firewalls, encryption and access control, ensures the security of IT systems.

In this sense, amongst others the following has been implemented:

  • Continuous assessment, redesign and renewal of the internal network architecture, avoiding technological obsolescence and minimizing vulnerabilities that could facilitate the spread of malware. This includes equipment upgrades, network segmentation and adoption of advanced security technologies.
  • Isolation of infrastructure from the internet, ensuring that systems have minimal exposure and that access is strictly controlled through network security elements.
  • Hardening of externally exposed equipment, applying secure configurations, rigorous access controls and automated update and patch policies and processes to minimize the risk of vulnerabilities being exploited.
  • Protection of mobile devices, by implementing security policies such as data encryption, multifactor authentication and mobile device management (MDM) tools to prevent unauthorized access.

Internal and External Audits (Internal Audits / Independent External Audits)

In order to achieve the security goals, in addition to the issuance of an information security policy, monitoring the implementation is an essential component. This is done through internal audits and independent external reviews:

  • IT Monitoring
    A plan that is adapted annually to current requirements is used by IT to review the specifications.
  • IT Audit
    An independent, internal review is carried out by the internal audit department. The audit department also structures the measures with the help of an inspection plan tailored to the requirements.
  • Annual Audit by the external Auditor
    The independent audit of the financial statements verifies that the financial information can be considered reliable. In the course of a risk-oriented audit approach, the process flows are examined in addition to the pure business figures. This includes company tours, surveys, contract reviews, balance sheet analyses, but also the examination of IT-supported business processes.
  • Penetration Test
    To check cybersecurity, tests are carried out regularly by professional, external security companies.

Disaster Management and Recovery (Information Security Business Continuity Plans)

Plans and processes for prevention, but also rapid response to security incidents and recovery of affected systems are designed to prevent or limit business disruptions.

The divisions ensure that business-critical IT-supported workflows are implemented in a fail-safe manner and that a restart is ensured through coordinated plans and tests.

The following measures have been implemented, among others:

  • Disaster recovery plans (technological and non-technological)
    Ensuring business continuity through automated backups, restoration testing and data redundancy strategies.
  • Incident response procedures (playbooks)
    Detailing specific steps for containment, eradication and recovery in the event of any kind of incident (technological or non-technological), with the process tested periodically. Playbooks with predefined communication paths minimize reaction times.
  • Forensic analysis
    To investigate the root cause of incidents and the implementation of corrective measures to prevent them from recurring.
  • External Incident Response Teams
    In the event of an incident, contracts with external experts ensure professional support.

Information Security Policy

By developing and implementing clear formal policies and procedures, the standards for protecting data and systems are ensured. The content is based on standards but also best practices, referring not only to internal activities, but also to partners and suppliers. Continuous testing and adaptation of the content to constantly changing requirements and threat situations ensures that the measures described are up-to-date and effective.

In accordance with the following passages of the ACS Information Security Policy (as of 19.12.2024), HOCHTIEF complies with all the requirements listed by ACS in the ACS Information Security Policy:

ACS Information Security Policy – 4. Scope of application

This Policy applies to the entire ACS organization, as well as to suppliers and clients providing services or maintaining relationships with ACS, projecting itself onto ACS Group companies.
In those affiliated companies where this Policy is not directly applicable, ACS will, to the extent possible, promote alignment of their policies with those of ACS through its representatives on their governing bodies.

This Policy will also apply, as appropriate, to temporary business alliances, joint ventures, and other equivalent associations, whether domestic or international, where any of the companies within the ACS Group have control over their management, always within the legally established limits.

ACS information security policy binding for HOCHTIEF

Based on their employment contracts, all employees are obliged to comply with the guidelines at HOCHTIEF. The measures of the Information Security Policy that are relevant to employees are available to all employees. The managers ensure compliance and implementation.

At the same time, the Information Security Policy also applies to the provision and operation of IT, regardless of whether this service is provided by internal resources or by external IT service providers. This also includes IT processes contractually commissioned to external IT service providers (e.g. outsourcing incident management to an external IT service provider).

The Information Security Policy of HOCHTIEF Aktiengesellschaft with all its measures and processes is based on Security Standards. All critical IT-supported business processes are based on business units certified to Security Standards or provided by external IT Service Providers certified to Security Standards. The Security Standards used at HOCHTIEF are ISO 27001, NIST and BSI Grundschutz.

At HOCHTIEF, "Security by Design" is the default. The primary goal is the use of technical measures in which a secure working environment is an integral part of the implementation through the system design or system configuration. Where organizational measures have to be used, they are integrated into structured, documented processes with control steps. Technical analysis systems complement these measures.