QSEC - ISMS and GRC according to international standards and methods WMC GmbH / short presentation QSEC Suiten / Werner Wüpper

Transcription

1 QSEC - ISMS and GRC according to international standards and methods

2 Best in Class is not a coincidence! Consulting ISMS & GRC software Sectors 2

3 C O N S U L T I N G S O F T W A R E + S U P P O R T WMC GmbH GRC & ISMS Software + Consulting Our core issures Our references Information security management Compliance management IT-security Risk management Business impact analysis (BIA) Business continuity management Data privacy Measure management Reporting More: PCI DSS; ISO 9001; ISO QSEC multi-standard compliance management according to international standards 3

4 Best practice with QSEC-Suite Risk Management Transparency and Minimization Strategy Governance Guidelines Policies Processes sustainable complete organisation-wide People Standards Laws Compliance Technology Guided IT-GRC Measures QSEC Ethical conduct Increased economic efficiency Improved effectiveness Sustainable Information Security 4

5 QSEC Advatages and Benefit Achievement Usability and easy to use (WEB- / wizard technology) Flexibility and comprehensive configuration Content fully integrates subject to the standard (norm/low) Fully integrated IT Risk Management based on the business prozesses and information Integrated central database Workflow and business prozess support according to tasks and roles (experts and users) Test cases, test assets,measure proposal, sample documents for each sectors fully integrated Product support permanent Updates Benefits can be used for any authorized employee high transparency about all activities and status within the Compliance and IT Risk Management permanent information about all changes and improvements optimization of the IT investments with transparency of the business-critical processes (peak risks) possible savings of about % of the internal and external costs during the ISMS implementation /operation reduction of efforts for certification / recertification company-wide and unified traceability of compliance Improved image and competitive advantage 5

6 QSEC "all in one compliance QSEC our products Standard browser application Easy Express Enterprise Edition GRC Edition BSI Edition Technology Content Administration-Tool / User authorization International standards (ISO 27001/2/5; ISO etc.) Use patterns, measure proposal, risk catalog Samples for business processes, assets for some sectors QSEC more results, faster Interfaces Process support Reporting Usability Mailsystem, Active Directory, Ticket System etc. Individual data transfer (CSV, XML etc.) ISMS process (Compliance-, Risk assessment, BIA/BCM) Measure-, document and incident management More than 65 reports with maturity degree report Dashboard High user acceptance because of user friendlyness Permanent software support and continiuous improvement process Well-defined steps with wizard-technology 6

7 QSEC Integrated Management System An expert system for every employee Capture and maitenance of organisational data Business units Employees with roles, function & IS-share Assessment of the standards and lows Compliance assessment of maturity degree Statement of Applicability (SoA) Capture, rating & maitenance of Information Assets Business prozesses & information Asset groups (buildings, infrastructure, ITsystems etc.) Assessment of the confidentiality, integrity and availability of data Determination of Security Level für IT-Assets Risk Management Security needs Treats & Vulnerabilities Brutto- / Nettorisks Probability of occurrence and Risk value in Business Impact Analyse / Emergency management Security Incidents Document management/report/dashboard 7

8 QSEC-Enterprise and GRC Edition module overview Task-Manager Compliance Risk Security- Measures Document Incidents Reporting Dashboard Wizards (Prozess-Workflow) Information Assets Master Data Administration Business Continuity BIA Business Continuity BCM Catalog Tool (KEP) Administrations Tool QSEC interfaces: Mail system, Asset Management (z. B. SAP, Spider), AD, Ticket system (z. B. SAP, helpline) Core Server, Common platform, Permissions QSEC Versions: QSEC Enterprise Edition QSEC GRC Edition QSEC extensions 8

9 QSEC - Wizard Technology Requirements Simple, self-explanatory operator guidiance Low training costs Description and explanation of process steps Guided working Useable without expert know how No unintentional quit of working process Start via Link possible Wizards Interview-Wizard Interview transfer-wizard Compliance-Wizard Measure-Rating-Wizard Self Assessment-Wizard Risk Rating-Wizard Security Level-Wizard Example: process steps for the interview wizard ISO interview with a process owner in a business area Interview Interview Start/introcudtion choose interview prepare interview interview partner name interview business prozess information asset group 9

10 QSEC - Wizards Process-oriented, efficient working Businessowner 2. Compliance Wizard Risk-Status Expert IS-Status Security Level Compliance Wizard

11 Modeling Requirements & specifications QSEC Suite combines: Laws, standards and specifications with systems, applications and business prozesses Laws KonTraG Standards / Norms ISO ISO ISO ISO 9001ff ISO and much more Purchase SOX / EuroSOX Specifications BSI KritisV BDSG GDPR Basel III Act Check Company strategy Information Security strategy Compliance Management Risk Management Measures Management Incident Management Business Continuity Management Assessment of maturity degree Business processes Plan EU 8th Directive Solvency II Development Production Logistics Administration Finance Do VDA PTS Company Policies Policies Policies Policies Supplier info. Patents Production info. Transport info. Information Contract info. Employee info. IT- Processes Applikationen Systeme confidentiality, availability, authenticity, integrity Data Data Data Data Data Data Weak points Treats HR Information Security Management System 11

12 Compliance / Sectors some important standards methods act check P-D-C-A-process Security is a process plan do logistics healthcare energy trading industry finance ISO ISO ISO GDPR ISO ISO ISO GDPR ISO ISO ISO ISO GDPR Information security ISO ISO ISO GDPR ISO ISO ISO GDPR ISO ISO ISO GDPR authorities ISO ISO ISO GDPR processes Compliance compliance - processes ISMS - processes BCM - process BIA - process risk - process SOX ISO 9001 ISO ISO Tapa ISO SOX ISO 9001 ISO ISO ISO IEC SOX ISO 9001 ISO ISO OHAS DIN ISO Smart Grid SOX ISO 9001 ISO PCI DSS OHAS SOX ISO 9001 ISO ISO DIN ISO OHAS VDA PTS SOX Bafin MA Risk Solvency II Basel II ISO

13 QSEC creates transparency valid data via reporting and dashboard Integraded reports Standard reports management report work report measure reports risk status report compliance / maturity degrees (SOA) special reports budget report security incident report information governance report Individual reports on demand Dashboard 13

14 QSEC-Suite Technical Specs QSEC-Suite a web browser based application: Client Web-Server Database Web-Browser SSL No installation No maintenance Microsoft Windows Server 2008R2/2012R2 Microsoft IIS ASP.NET 4.6 Microsoft SQL Server 2008R2 / 2012R2 Interfaces to further systems Programming by Microsoft Visual Studio 2010 Current Version: 5.2 QSEC-Suite - the save and toolbased way to a comprehensive IT GRRC / Information Security Management System (ISMS) according to ISO/IEC 2700x 14

15 QSEC integrates into the existing IT landscape via interfaces Asset Management SAP / Spider asset group criticality business prosesses confidentliality availibility integrity User authorization Active Directory (AD) Vulnerability Management e.g. Qualys asset group vulnerability measures QSEC-Suite business prosesses Prozess Management Aris / Adonis Mail System Mail advice Integrated Management System security incidents Incident Management SAP / helpline Risk Management Operational risks event SIEM 15

16 Questions? Don t hesitate to contact us! Visit our webside and ask for a QSEC live presentation or just give us a call! Your contact partner for questions: Mr. Dierick Schröder Account Management / Sales Phone.: 040/ dierick.schroeder@wmc-direkt.de Wüpper Management Consulting GmbH on the Internet: