
QSEC - ISMS and GRC according to international standards ... · Self Assessment-Wizard Risk...

Date post: 02-Jun-2020
QSEC - ISMS and GRC according to international standards and methods © 2016 WMC GmbH / short presentation QSEC – Suiten / Werner Wüpper
Page 1

QSEC - ISMS and GRC according to international standards and methods

Page 2

„Best in Class is not a coincidence!“

Consulting ISMS & GRC software Sectors

Page 3

WMC GmbH – GRC & ISMS Software + Consulting

Our core issues / Our references

Information security management

Consulting · Software + Support

Compliance management

IT-security

Risk management

Business impact analysis (BIA)

Business continuity management

Data privacy

Measure management

Reporting

More: PCI DSS; ISO 9001; ISO 20000

QSEC multi-standard compliance management according to international standards

Page 4

Best practice with QSEC-Suite

[Figure: QSEC best-practice model]
Governance: standards, laws, guidelines, policies; transparency and minimization
QSEC: guided IT-GRC measures, sustainable, complete and organisation-wide, across strategy, technology, processes and people
Outcomes: ethical conduct, increased economic efficiency, improved effectiveness, sustainable information security
Pillars: Risk Management, Compliance

Page 5

QSEC – Advantages and Benefits

Achievement:

can be used by any authorized employee

high transparency about all activities and status within compliance and IT risk management

permanent information about all changes and improvements

optimization of IT investments through transparency of the business-critical processes (peak risks)

possible savings of about 30-50 % of the internal and external costs during ISMS implementation / operation

reduction of effort for certification / recertification

company-wide and unified traceability of compliance

improved image and competitive advantage

Benefits:

usability and ease of use (web / wizard technology)

flexibility and comprehensive configuration

content fully integrated according to the standard (norm / law)

fully integrated IT risk management based on the business processes and information

integrated central database

workflow and business process support according to tasks and roles (experts and users)

test cases, test assets, measure proposals and sample documents for each sector fully integrated

product support – permanent updates

Page 6

QSEC – "all in one compliance“

QSEC – more results, faster

QSEC – our products: Easy, Express, Enterprise Edition, GRC Edition, BSI Edition

Technology: standard browser application; administration tool / user authorization

Content: international standards (ISO 27001/2/5; ISO 20000 etc.); use patterns, measure proposals, risk catalog; samples for business processes and assets for some sectors

Interfaces: mail system, Active Directory, ticket system etc.; individual data transfer (CSV, XML etc.)

Process support: ISMS process (compliance, risk assessment, BIA/BCM); measure, document and incident management

Reporting: more than 65 reports including a maturity degree report; dashboard

Usability: high user acceptance because of user friendliness; well-defined process steps with wizard technology; permanent software support and continuous improvement

Page 7

QSEC – Integrated Management System

Capture and maintenance of organisational data: business units; employees with roles, function & IS share

Assessment of the standards and laws: compliance assessment of maturity degree; Statement of Applicability (SoA)

Capture, rating & maintenance of information assets: business processes & information; asset groups (buildings, infrastructure, IT systems etc.); assessment of the confidentiality, integrity and availability of data; determination of the security level for IT assets

Risk management: security needs; threats & vulnerabilities; gross / net risks; probability of occurrence and risk value in €

Business impact analysis / emergency management

Security incidents

Document management / report / dashboard

An expert system for every employee
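The slide above lists the risk-management flow only as keywords (C/I/A rating of information, security level per IT asset, threats and vulnerabilities, gross and net risk, probability of occurrence and a risk value in euros). The block below runs that flow once on constructed data so the relationships between the keywords are visible. It is an added example written for this page, not QSEC code or WMC's method; the 1..3 rating scale, the maximum-principle inheritance from information to asset, the probability-times-impact risk value, the way measures reduce probability or impact, the acceptance threshold and all sample assets, threats and figures are assumptions.

```python
"""Worked ISMS risk-rating example (added illustration, not QSEC code).

Flow: rate the confidentiality, integrity and availability (C/I/A) of the
information a business process handles, derive a security level for each
IT asset from the information it carries, then compute gross and net risk
in euros per threat scenario. Assumed: a 1..3 scale, inheritance of the
highest rating (maximum principle), annual probability x impact as the
risk value, and all sample data below, which is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

RATING = {1: "normal", 2: "high", 3: "very high"}  # assumed scale


@dataclass(frozen=True)
class Information:
    name: str
    c: int  # confidentiality need, 1..3
    i: int  # integrity need, 1..3
    a: int  # availability need, 1..3


@dataclass(frozen=True)
class Asset:
    name: str
    handles: tuple[str, ...]  # names of Information objects processed here


@dataclass(frozen=True)
class Threat:
    asset: str
    scenario: str
    probability: float  # annual probability of occurrence, 0..1
    impact_eur: float   # loss if the scenario occurs, before measures


@dataclass(frozen=True)
class Measure:
    asset: str
    scenario: str
    prob_reduction: float = 0.0    # fraction of probability removed, 0..1
    impact_reduction: float = 0.0  # fraction of impact removed, 0..1


def security_level(asset: Asset, infos: dict[str, Information]) -> dict[str, int]:
    """Maximum principle (assumed): an asset needs the highest C/I/A protection
    of any information it handles; the overall level is the highest of the three."""
    handled = [infos[n] for n in asset.handles]
    c = max(x.c for x in handled)
    i = max(x.i for x in handled)
    a = max(x.a for x in handled)
    return {"c": c, "i": i, "a": a, "level": max(c, i, a)}


def gross_risk(t: Threat) -> float:
    """Risk value in EUR before measures: probability x impact, rounded to cents."""
    return round(t.probability * t.impact_eur, 2)


def net_risk(t: Threat, measures: list[Measure]) -> float:
    """Risk value in EUR after every measure mapped to this asset/scenario."""
    p, impact = t.probability, t.impact_eur
    for m in measures:
        if (m.asset, m.scenario) == (t.asset, t.scenario):
            p *= 1.0 - m.prob_reduction
            impact *= 1.0 - m.impact_reduction
    return round(p * impact, 2)


def risk_register(assets, infos, threats, measures, acceptance_eur):
    """One row per threat, highest net risk first; rows above the acceptance
    threshold still need treatment (the 'peak risks' a report would flag)."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        level = security_level(by_name[t.asset], infos)
        g, n = gross_risk(t), net_risk(t, measures)
        rows.append({
            "asset": t.asset, "scenario": t.scenario,
            "security_level": RATING[level["level"]],
            "gross_eur": g, "net_eur": n,
            "needs_treatment": n > acceptance_eur,
        })
    return sorted(rows, key=lambda r: r["net_eur"], reverse=True)


# Constructed sample data for one business process ("order processing").
INFOS = {x.name: x for x in [
    Information("customer data", c=3, i=2, a=2),
    Information("price list", c=1, i=2, a=2),
]}
ASSETS = [
    Asset("CRM database", handles=("customer data", "price list")),
    Asset("web shop", handles=("price list",)),
]
THREATS = [
    Threat("CRM database", "ransomware", probability=0.2, impact_eur=500_000),
    Threat("CRM database", "insider data theft", probability=0.05, impact_eur=1_000_000),
    Threat("web shop", "DDoS outage", probability=0.5, impact_eur=40_000),
]
MEASURES = [
    Measure("CRM database", "ransomware", impact_reduction=0.8),          # tested offline backups
    Measure("CRM database", "insider data theft", impact_reduction=0.3),  # DLP and access reviews
    Measure("web shop", "DDoS outage", prob_reduction=0.6),               # upstream traffic scrubbing
]
ACCEPTANCE_EUR = 15_000


def example_register():
    """Register for the sample data: insider theft (35000) and ransomware (20000)
    still exceed the threshold, the DDoS scenario (8000) is accepted."""
    return risk_register(ASSETS, INFOS, THREATS, MEASURES, ACCEPTANCE_EUR)


if __name__ == "__main__":
    for row in example_register():
        print(row)
```

Two points the run makes that the keyword list does not: the gross/net split only becomes meaningful once each measure is tied to a specific asset and scenario (which is what a Statement of Applicability does), and the residual rows above the threshold are the list a "peak risks" report or a measure-rating wizard would hand back to the business owner for treatment or formal acceptance.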

Page 8

QSEC-Enterprise and GRC Edition – module overview

QSEC versions: QSEC Enterprise Edition, QSEC GRC Edition, QSEC extensions

Modules: Dashboard, Compliance, Security Incidents, Reporting, Risk, Measures, Document, Business Continuity Management (BCM), Business Impact Analysis (BIA), Master Data, Administration

Core Server, common platform, permissions

QSEC interfaces: mail system, asset management (e.g. SAP, Spider), AD, ticket system (e.g. SAP, helpLine), catalog tool (KEP)

Administration tool

Wizards (process workflow), Information Assets, Task Manager

Page 9

QSEC - Wizard Technology

Simple, self-explanatory operator guidance

Low training costs

Description and explanation of process steps

Guided working

Usable without expert know-how

No unintentional quitting of the working process

Start via link possible

Wizards: Interview Wizard, Interview Transfer Wizard, Compliance Wizard, Measure Rating Wizard, Self Assessment Wizard, Risk Rating Wizard, Security Level Wizard

Example: process steps for the Interview Wizard (ISO interview with a process owner in a business area)

1. Start / introduction
2. Choose interview
3. Prepare interview
4. Interview partner
5. Name interview
6. Business process
7. Information
8. Asset group

Page 10

QSEC - Wizards

Process-oriented, efficient working

[Figure: Compliance Wizard, steps 1-7, worked through by the expert and the business owner; outputs IS status, risk status and security level]

Page 11

QSEC Suite combines:

Laws, standards and specifications with systems, applications and business processes.

Modeling: requirements & specifications

Laws / specifications: KonTraG, SOX / EuroSOX, BSI, KritisV, BDSG, Basel III, EU 8th Directive, Solvency II, VDA PTS

Standards / norms: ISO 27001, ISO 27019, ISO 9001ff, ISO 14001, and much more

Information Security Management System: company strategy, information security strategy, company policies, policies

Compliance management, risk management, measures management, incident management, business continuity management, assessment of maturity degree

Plan – Do – Check – Act

Business processes: Development, Production, Logistics, Administration, Finance, Purchase, HR

Information: supplier information, patents, production information, transport information, contract information, employee information

IT processes: threats to confidentiality, availability, authenticity, integrity

Data, applications, systems, weak points

ISO 27005, GDPR

Page 12

Compliance / Sectors – some important standards

All sectors (and authorities): ISO 27001, ISO 27005, ISO 22301, GDPR

logistics: SOX, ISO 9001, ISO 14001, ISO 20000, TAPA, ISO 28000

healthcare: SOX, ISO 9001, ISO 13485, ISO 14001, ISO 20000, IEC 80001

energy: ISO 27019; SOX, ISO 9001, ISO 14001, ISO 20000, OHSAS 18001, DIN ISO 50001, Smart Grid

trading: SOX, ISO 9001, ISO 20000, PCI DSS, OHSAS 18001

industry: SOX, ISO 9001, ISO 14001, ISO 20000, DIN ISO 27009, OHSAS 18001, VDA PTS

finance: SOX, BaFin, MaRisk, Solvency II, Basel II, ISO 20000

Information security methods and processes: compliance processes, ISMS processes, BCM process, BIA process, risk process

Security is a process: P-D-C-A (plan, do, check, act)

Page 13

QSEC creates transparency – valid data via reporting and dashboard

Integrated reports

Standard reports: management report, work report, measure reports, risk status report, compliance / maturity degrees (SoA)

Special reports: budget report, security incident report, information governance report

Individual reports on demand

Dashboard

Page 14

QSEC-Suite – Technical Specs

QSEC-Suite, a web-browser-based application:

QSEC-Suite – the safe, tool-based way to a comprehensive IT GRC / Information Security Management System (ISMS) according to ISO/IEC 2700x

Architecture: client (web browser) – SSL/TLS – web server – database

Client: web browser; no installation, no maintenance

Web server: Microsoft Windows Server 2008R2/2012R2, Microsoft IIS, ASP.NET 4.6

Database: Microsoft SQL Server 2008R2 / 2012R2

Interfaces to further systems

Programming with Microsoft Visual Studio 2010

Current version: 5.2

Page 15

QSEC integrates into the existing IT landscape via interfaces

QSEC-Suite (Integrated Management System) is connected to:

Active Directory (AD): user authorization

Mail system: mail notifications

Incident management (SAP / helpLine): security incidents

Asset management (SAP / Spider): asset groups

Vulnerability management (e.g. Qualys): asset group vulnerabilities

Process management (Aris / Adonis): business processes

Risk management / SIEM: operational risk events

Data exchanged, as labelled in the diagram: asset group, criticality, business processes; confidentiality, availability, integrity; asset group vulnerability; measures; mail advice; user authorization; security incidents

Page 16

Questions? Don't hesitate to contact us!

Visit our website and ask for a QSEC live presentation or just give us a call!

Your contact partner for questions:

Mr. Dierick Schröder, Account Management / Sales, Phone: 040/650 336-17, E-Mail: [email protected]

Wüpper Management Consulting GmbH on the Internet: http://wmc-direkt.de/en/grc-isms-software/online-demo/
