© 2016 WMC GmbH / Short-Presentation QSEC – Suites / Werner Wüpper

QSEC – ISMS / eGRC according to international standards and methods


Overview: Start, Company, WMC Consulting, Software Solution, GRC, QSEC Presentation

"Best in class is never a coincidence!"

Security made in Germany

WMC – IT GRC / ISMS Software + Consulting

QSEC – multi-standard compliance management according to international standards

QSEC – references – implementation and operation in "time and budget"

QSEC – partner

B + W

WMC synergies and benefits

Consulting services: project management, business process analysis, service process analysis, governance analysis (responsibilities), risk management method, assessment, awareness

• Project: realization in time and budget
• Method: best-practice GRC method
• Concept development, realization & implementation
• Cost savings, sustainability

WMC consulting is based on long-standing experience and proven methods. Our experienced consultants support your projects from initiation through to completed implementation.

Potentialities: services and solutions

WMC know-how results: compliance management, security management, guideline competence

GRC – status in your company

I. Do you have a person responsible for information security (IS)? (yes / no / partial)
II. Do you have methods and processes for IS? (yes / no / partial)
III. Are the roles and processes well implemented in the organization? (yes / no / partial)
IV. Is there a defined scope, and is it approved regularly? (yes / no / partial)
V. Is IT risk management established? (yes / no / partial)
VI. Is an adequate budget available? (yes / no / partial)
VII. Do you provide an IS report to the management board? (yes / no / partial)

Definition of target for information security

Stage model of information security (levels: ignored, observed, extended, excellent)

Policies
• ignored: information security policy does not exist
• observed: information security policy partially available
• extended: information security policy established area-wide
• excellent: information security policy established area-wide, constantly monitored and audited

Organization
• ignored: IS roles and responsibilities are not defined
• observed: some IS roles defined and established
• extended: CISO appointed; headquarter IS organization (incl. CERT) established
• excellent: IS organization established in headquarter and in other areas; CISO and CIO report directly to different top management areas; explicit role definition and review of controls at all organization levels

Process
• ignored: IS processes are not defined; no business impact analysis executed
• observed: main IS processes defined; business-critical processes partially defined
• extended: IS processes implemented; business-critical processes analyzed, risks identified and evaluated
• excellent: ISMS according to ISO/IEC 27001; complete company-wide IS processes at all levels; complete business continuity management for all business-critical processes

Technology
• ignored: IS basics; basic IS systems established (e.g. AV, firewall)
• observed: prevention systems established for some critical assets
• extended: state-of-the-art prevention and detection systems established for all critical assets
• excellent: holistic state-of-the-art prevention, real-time detection and monitoring system established

Culture
• ignored: no security culture
• observed: low security culture; some employees trained
• extended: security culture established; all employees trained
• excellent: "alive" security culture; permanent employee training

QSEC – "all in one compliance"

QSEC – more results, faster!

QSEC – our products: Easy, Express, Enterprise Edition, GRC Edition

• Technology: standard browser application; administration tool / user authorization
• Content: international standards (ISO 27001/2/5, ISO 20000 etc.); use patterns, measure proposals, risk catalog
• Interfaces: mail system, Active Directory, ticket system; data migration (CSV, XML)
• Process support: ISMS process (compliance, risk assessment, BIA/BCM); measure, document and incident management
• Reporting: more than 45 reports incl. maturity degree report; dashboard
• Usability: high user acceptance because of user-friendliness; permanent software support and continuous improvement process

QSEC – Suite 5.x – what's new?

Selectable user mode: e.g. user or expert mode

Preparation for Wizard technology (Workflow-Engine)

Several extensions (risk management, security level etc.)

Further performance improvements

QSEC Enterprise and GRC Edition – module overview

QSEC versions: QSEC Enterprise Edition, QSEC GRC Edition, QSEC extensions

Modules: Dashboard, Compliance, Security Incidents, Reporting, Risk, Measures, Document, Business Continuity (BCM), Business Continuity (BIA), Master Data, Administration, Information Assets, Wizards (process workflow)

Platform: Core Server, common platform, permissions

QSEC interfaces: mail system, asset management (e.g. SAP, Spider), AD, ticket system (e.g. SAP, helpLine), catalog tool (KEP), administration tool

QSEC – surface modes

• Administrator: customizing / administration tool; QSEC administration (web); administration of all modules and wizards
• Expert mode: Power User, Super User
• User mode: Action User, Power User
• Wizard (process mode): Power User, Super User

Wizards – QSEC version 5.1 – process-oriented and efficient working

Preview wizard – QSEC version 5.1 – requirements

• Simple, self-explanatory operator guidance
• Low training costs
• Description and explanation of process steps
• Guided working
• Usable without expert know-how
• No unintentional exit from the working process
• Start via link possible

Example: process steps for the interview wizard (ISO interview with a process owner in a business area): start/introduction → choose interview → prepare interview → choose interview partner → name interview → business process → information assets

Wizards: IS assessment wizard, interview wizard, security level wizard, IS risk wizard, security incident wizard

Wizards – IS processes / workflow engine

Each wizard leads through a fixed sequence of numbered steps:

• Interview: introduction → selection → preparation → interview partner → name → interview → business process → information asset group
• Interview acceptance: introduction → selection → business process → information asset group
• IS risk assessment: introduction → asset group → protection requirement → threat → vulnerability → risk → result
• IS risk evaluation: introduction → business unit → scope → time specification + responsibility → result
• IS maturity degree: introduction → evaluation method → IS catalog → question → control → result
• Security level: introduction → asset group → selection → recommendation → confirmation → result
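As an added example (not QSEC code and not part of the WMC presentation): the step order of the IS risk wizard, from asset group and protection requirement over threat and vulnerability to risk and result, carried out in a small Python model. The 1..5 scales, the likelihood x exposure x impact score, the traffic-light thresholds and the sample asset data are assumptions chosen for illustration; the page gives no scoring formula.

```python
"""Worked example (added here; not QSEC code): a minimal IS risk assessment in the
step order of the IS risk wizard: asset group -> protection requirement -> threat
-> vulnerability -> risk -> result. The scales, the score likelihood * exposure *
impact and the traffic-light thresholds are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class AssetGroup:
    """Asset group with its protection requirement per dimension (1 normal .. 3 very high)."""
    name: str
    business_process: str
    confidentiality: int
    integrity: int
    availability: int


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure: int  # 1 (hard to exploit) .. 5 (trivially exploitable)
    affects: FrozenSet[str]  # non-empty subset of {"C", "I", "A"}


@dataclass(frozen=True)
class Measure:
    """A planned measure lowers likelihood and/or exposure by the given number of steps."""
    name: str
    likelihood_reduction: int = 0
    exposure_reduction: int = 0


def _check_scale(value: int, lo: int, hi: int, what: str) -> int:
    if not lo <= value <= hi:
        raise ValueError(f"{what} must be in {lo}..{hi}, got {value}")
    return value


def impact(asset: AssetGroup, vuln: Vulnerability) -> int:
    """Impact = highest protection requirement among the dimensions the vulnerability affects."""
    dims = {"C": asset.confidentiality, "I": asset.integrity, "A": asset.availability}
    if not vuln.affects or vuln.affects - frozenset(dims):
        raise ValueError(f"affects must be a non-empty subset of C/I/A, got {sorted(vuln.affects)}")
    return max(_check_scale(dims[d], 1, 3, f"protection requirement {d}") for d in vuln.affects)


def risk_score(asset: AssetGroup, threat: Threat, vuln: Vulnerability,
               measure: Optional[Measure] = None) -> int:
    """Score in 1..75; with a measure, likelihood and exposure are reduced but never below 1."""
    likelihood = _check_scale(threat.likelihood, 1, 5, "likelihood")
    exposure = _check_scale(vuln.exposure, 1, 5, "exposure")
    if measure is not None:
        likelihood = max(1, likelihood - measure.likelihood_reduction)
        exposure = max(1, exposure - measure.exposure_reduction)
    return likelihood * exposure * impact(asset, vuln)


def traffic_light(score: int) -> str:
    """Assumed thresholds for the red / yellow / green status used in the reports."""
    if score >= 30:
        return "red"
    if score >= 12:
        return "yellow"
    return "green"


def assess(asset: AssetGroup, threat: Threat, vuln: Vulnerability,
           measure: Optional[Measure] = None) -> Dict[str, object]:
    """Result step: inherent and residual score, status and the measure / acceptance decision."""
    inherent = risk_score(asset, threat, vuln)
    residual = risk_score(asset, threat, vuln, measure)
    level = traffic_light(residual)
    if level == "green":
        decision = "accept"
    elif measure is not None:
        decision = "measure planned, re-evaluate residual risk"
    else:
        decision = "measure required"
    return {"asset_group": asset.name, "business_process": asset.business_process,
            "threat": threat.name, "vulnerability": vuln.name,
            "inherent": inherent, "residual": residual, "level": level, "decision": decision}


# Constructed sample data (hypothetical asset, threat, vulnerability and measure)
ERP_DB = AssetGroup("ERP database", "order processing", confidentiality=3, integrity=3, availability=2)
CRED_THEFT = Threat("credential theft", likelihood=4)
NO_MFA = Vulnerability("no MFA on admin accounts", exposure=4, affects=frozenset({"C", "I"}))
ENFORCE_MFA = Measure("enforce MFA for admins", likelihood_reduction=2, exposure_reduction=2)

if __name__ == "__main__":
    for m in (None, ENFORCE_MFA):
        r = assess(ERP_DB, CRED_THEFT, NO_MFA, m)
        print(f"{r['asset_group']}: inherent {r['inherent']}, residual {r['residual']} "
              f"-> {r['level']}, {r['decision']}")
```

Running the block assesses the sample asset once without and once with the planned measure: the inherent score 48 is red, the residual score 12 after enforcing MFA is yellow, so the wizard's result step would record a planned measure rather than a risk acceptance.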

Dashboard – group status as of version 5.1 (for international organizations)

(Dashboard screenshot; the sample shows the group "Global Technik".)

QSEC creates transparency – valid data via reporting

Available reports: standard reports, management report, work report, SOA (Statement of Applicability), actions, risk, maturity degree; individual reports on demand

Sample charts shown on the slide:
• Assessment of controls for ISO 27001 (control areas A5 to A15): IT security level Q4/2010, Q1/2011 and Q1/2012, scale 0.0 to 10.0
• Compliance measure status: total number of measures per status (green / yellow / red)
• IT security level distribution (<7, 7, 8, 9, 10, 11, 12)
• Responsible employees – measures (top 10), sorted by red

IS key performance indicators (IS-KPIs) / business ratios in QSEC (excerpt)

• IS organization: maturity degree; employee roles (number of roles, number of employees)
• Compliance management: maturity degree per scope, scope comparison, measures per control incl. degree of realization
• BIA/BCM: number of critical business processes and critical asset groups; asset group actual/target comparison (gap analysis); number of disaster recovery plans and IT disaster recovery plans
• Security incident management: number of security incidents per asset group and business process
• Measure management: number of security measures, due date per employee, costs, maturity degree
• Document management: number of documents, editing status, follow-up
• Risk management: critical asset groups incl. risk, measure or risk acceptance

(Sample charts: number of roles / number of employees; maturity degree per scope for Scope 1 to Scope 4.)

QSEC integrates into the existing IT landscape via interfaces!

The QSEC-Suite (ISMS / BDSG, i.e. the German Federal Data Protection Act; integrated management system) exchanges the following data with surrounding systems:

• Active Directory (AD): user authorization
• Mail system: mail advice
• Incident management (SAP / helpLine): security incidents
• Asset management (SAP / Spider): asset group, criticality, business processes, confidentiality, availability, integrity
• Vulnerability management (e.g. Qualys): asset group, vulnerability, measures
• Process management (Aris / Adonis): business processes
• Risk management / SIEM: operational risk events

QSEC-Suite – technical specs

QSEC is a web-browser-based application: QSEC-Suite – comprehensive IT GRC / information security management system (ISMS) according to ISO/IEC 2700x

• Client: web browser, SSL/TLS, no installation, no maintenance
• Web server: Microsoft Windows Server 2008 R2 / 2012 R2, Microsoft IIS, ASP.NET 4.0
• Database: Microsoft SQL Server 2008 / 2008 R2; interfaces to further systems
• Programmed with Microsoft Visual Studio 2010
• Current version: 5.x

(Windows Server 2008 R2 and SQL Server 2008 / 2008 R2 have since reached the end of Microsoft extended support; a current deployment should run on supported platform versions.)

Roles working with QSEC: Risk Manager, Compliance Manager, Security Manager, Auditor, Administrator, Key User, employees, process owners, executive board / managing directors, supervisory board, CIO, internal audit, data protection officer, plant security

Inputs: measures, assessments, requirements and targets, approvals, risks, opportunities, maturity degree, analyses, compliance requirements, information security, risk management

Methods, standards & laws: ISO 27001, ISO 27005, business impact analysis, risk management, compliance management

Results: effectiveness improvement, security improvement, liability reduction

Processes


Version 5.x

© WMC GmbH 2016