QSEC - ISMS and GRC according to international standards and methods
© 2016 WMC GmbH / short presentation QSEC – Suiten / Werner Wüpper
„Best in Class is not a coincidence!“
Consulting / ISMS & GRC software / Sectors
WMC GmbH – GRC & ISMS Software + Consulting
Our core issues / Our references
Information security management
Consulting, software + support
Compliance management
IT-security
Risk management
Business impact analysis (BIA)
Business continuity management
Data privacy
Measure management
Reporting
More: PCI DSS; ISO 9001; ISO 20 000
QSEC multi-standard compliance management according to international standards
Best practice with QSEC-Suite
Governance
Standards, laws
Transparency and minimization
Guidelines, policies
QSEC: ethical conduct, increased economic efficiency, improved effectiveness, sustainable information security
Guided IT-GRC measures: sustainable, complete, organisation-wide
Strategy, technology, processes, people
Risk Management
Compliance
QSEC – Advantages and Benefits
can be used by any authorized employee
high transparency about all activities and status within compliance and IT risk management
permanent information about all changes and improvements
optimization of the IT investments with transparency of the business-critical processes (peak risks)
possible savings of about 30-50 % of the internal and external costs during the ISMS implementation / operation
reduction of efforts for certification / recertification
company-wide and unified traceability of compliance
Improved image and competitive advantage
Usability and easy to use (web / wizard technology)
Flexibility and comprehensive configuration
Content fully integrated according to the standard (norm / law)
Fully integrated IT risk management based on the business processes and information
Integrated central database
Workflow and business process support according to tasks and roles (experts and users)
Test cases, test assets, measure proposals, sample documents for each sector fully integrated
Product support – permanent updates
Achievement
Benefits
QSEC – "all in one compliance"
QSEC more results, faster
QSEC – our products: Easy, Express, Enterprise Edition, GRC Edition, BSI Edition
Technology: standard browser application; administration tool / user authorization
Content: international standards (ISO 27001/2/5; ISO 20000 etc.); use patterns, measure proposals, risk catalog; samples for business processes and assets for some sectors
Interfaces: mail system, Active Directory, ticket system etc.; individual data transfer (CSV, XML etc.)
Process support: ISMS process (compliance, risk assessment, BIA/BCM); measure, document and incident management
Reporting: more than 65 reports including a maturity degree report; dashboard
Usability: high user acceptance because of user-friendliness; permanent software support and continuous improvement process; well-defined steps with wizard technology
QSEC – Integrated Management System
Capture and maintenance of organisational data: business units; employees with roles, function & IS share
Assessment of the standards and laws: compliance assessment of maturity degree; Statement of Applicability (SoA)
Capture, rating & maintenance of information assets: business processes & information; asset groups (buildings, infrastructure, IT systems etc.); assessment of the confidentiality, integrity and availability of data; determination of the security level for IT assets
Risk management: security needs; threats & vulnerabilities; gross / net risks; probability of occurrence and risk value in €
Business impact analysis / emergency management
Security incidents
Document management / report / dashboard
An expert system for every employee
QSEC-Enterprise and GRC Edition – module overview
QSEC versions: QSEC Enterprise Edition, QSEC GRC Edition, QSEC extensions
Modules: Dashboard, Compliance, Security Incidents, Reporting, Risk, Measures, Document, Business Continuity (BCM), Business Impact Analysis (BIA), Master Data, Administration
Core: server, common platform, permissions
QSEC interfaces: mail system, asset management (e.g. SAP, Spider), AD, ticket system (e.g. SAP, helpLine), catalog tool (KEP)
Administration tool
Wizards (process workflow), information assets, task manager
QSEC - Wizard Technology
Requirements:
Simple, self-explanatory operator guidance
Low training costs
Description and explanation of process steps
Guided working
Usable without expert know-how
No unintentional exit from the work process
Start via link possible
Wizards: Interview Wizard, Interview Transfer Wizard, Compliance Wizard, Measure Rating Wizard, Self Assessment Wizard, Risk Rating Wizard, Security Level Wizard
Example: process steps for the interview wizard (ISO interview with a process owner in a business area). The steps (1–8) include: interview start / introduction, choose interview, prepare interview, interview partner name, interview business process, information, asset group
QSEC - Wizards
Process-oriented, efficient working
Diagram: Compliance Wizard, steps 1–7, producing IS status, risk status and security level; roles: expert and business owner
QSEC Suite combines:
Laws, standards and specifications with systems, applications and business processes
Modeling: requirements & specifications, laws, Information Security Management System
Specifications: KonTraG, SOX / EuroSOX, BSI, KritisV, BDSG, Basel III, EU 8th Directive, Solvency II, VDA PTS
Standards / norms: ISO 27001, ISO 27019, ISO 9001ff, ISO 14001 and much more
Company strategy, information security strategy, company policies, policies
Compliance management, risk management, measures management, incident management, business continuity management, assessment of maturity degree (Plan-Do-Check-Act)
Business processes: development, production, logistics, administration, finance, purchase, HR
Information: supplier info, patents, production info, transport info, contract info, employee info
IT processes
Threats to confidentiality, availability, authenticity, integrity
Data, applications, systems, weak points
ISO 27005, GDPR
Compliance / Sectors – some important standards
Logistics: ISO 27001, ISO 27005, ISO 22301, GDPR; SOX, ISO 9001, ISO 14001, ISO 20000, TAPA, ISO 28000
Healthcare: ISO 27001, ISO 27005, ISO 22301, GDPR; SOX, ISO 9001, ISO 13485, ISO 14001, ISO 20000, IEC 80001
Energy: ISO 27001, ISO 27005, ISO 27019, ISO 22301, GDPR; SOX, ISO 9001, ISO 14001, ISO 20000, OHSAS 18001, DIN ISO 50001, Smart Grid
Trading: ISO 27001, ISO 27005, ISO 22301, GDPR; SOX, ISO 9001, ISO 20000, PCI DSS, OHSAS 18001
Industry: ISO 27001, ISO 27005, ISO 22301, GDPR; SOX, ISO 9001, ISO 14001, ISO 20000, DIN ISO 27009, OHSAS 18001, VDA PTS
Finance: ISO 27001, ISO 27005, ISO 22301, GDPR; SOX, BaFin, MaRisk, Solvency II, Basel II, ISO 20000
Authorities: ISO 27001, ISO 27005, ISO 22301, GDPR
Information security methods and processes: compliance processes, ISMS processes, BCM process, BIA process, risk process
Security is a process: Plan-Do-Check-Act (P-D-C-A) process
QSEC creates transparency – valid data via reporting and dashboard
Integrated reports
Standard reports: management report, work report, measure reports, risk status report, compliance / maturity degrees (SoA)
Special reports: budget report, security incident report, information governance report
Individual reports on demand
Dashboard
QSEC-Suite – Technical Specs
QSEC-Suite, a web browser based application:
QSEC-Suite - the safe and tool-based way to a comprehensive IT GRC / Information Security Management System (ISMS) according to ISO/IEC 2700x
Client: web browser; no installation; no maintenance
Connection: SSL
Web server: Microsoft Windows Server 2008R2/2012R2; Microsoft IIS; ASP.NET 4.6
Database: Microsoft SQL Server 2008R2 / 2012R2
Interfaces to further systems
Programming by Microsoft Visual Studio 2010
Current version: 5.2
QSEC integrates into the existing IT landscape via interfaces
Data exchanged: asset group, criticality, business processes; confidentiality, availability, integrity; asset group, vulnerability; measures; mail advice; user authorization; business processes; security incidents
QSEC-Suite Integrated Management System connected to:
Active Directory (AD)
Mail system
Incident management (SAP / helpLine)
Asset management (SAP / Spider)
Vulnerability management (e.g. Qualys)
Process management (Aris / Adonis)
Risk management / SIEM (operational risk events)
Questions? Don´t hesitate to contact us!
Visit our website and ask for a QSEC live presentation or just give us a call!
Your contact partner for questions:
Mr. Dierick Schröder, Account Management / Sales, Phone: 040/650 336-17, E-Mail: [email protected]
Wüpper Management Consulting GmbH on the Internet: http://wmc-direkt.de/en/grc-isms-software/online-demo/