© 2016 WMC GmbH / Short-Presentation QSEC – Suites / Werner Wüpper
QSEC – ISMS / eGRC according to international standards and methods
Start
Company
WMC Consulting
GRC
Software Solution
QSEC Presentation
"Best in Class is never a coincidence!"
Security – Made in Germany
WMC – IT GRC / ISMS Software + Consulting
QSEC multi-standard compliance management according to international standards!
QSEC – references – implementation and operation in "time and budget"
QSEC – partner
B + W
WMC synergies and benefits
• project management
• business process analysis
• service process analysis
• governance analysis / responsibilities
• risk management method
• assessment
• awareness
project: realization in time and budget
method: best-practice GRC method
concept development, realization & implementation
cost savings / sustainability
WMC consulting is based on long-standing experience as well as proven methods and approaches. Our experienced consultants support your projects from initiation through to completed implementation.
Potentialities / services and solutions
WMC know-how results: compliance management, security management, guideline competence
GRC – status in your company (answer each question with yes / no / partial)
I. Do you have a person responsible for IS?
II. Do you have methods and processes for IS?
III. Are the roles and processes well implemented in the organization?
IV. Is there a defined scope, and is it approved regularly?
V. Is an IT risk management established?
VI. Is an adequate budget available?
VII. Do you provide an IS report for the management board?
Definition of target for information security
Stage model of information security (levels: ignored, observed, extended, excellent)
Policies
• ignored: information security policy does not exist
• observed: information security policy partially available
• extended: information security policy area-wide established
• excellent: information security policy area-wide established, constantly monitored and audited
Organization
• ignored: IS roles and responsibilities are not defined
• observed: some IS roles defined and established
• extended: CISO appointed; headquarter IS organization (incl. CERT) established; IS organization established in headquarter and also in other areas
• excellent: CISO and CIO report directly to different top management areas; explicit role definition and review of controls on all organization levels
Process
• ignored: IS processes are not defined; no business impact analysis executed
• observed: main IS processes defined; business-critical processes partially defined
• extended: IS processes implemented; business-critical processes analyzed and risks identified and evaluated
• excellent: ISMS according to ISO/IEC 27001 complete; company-wide IS processes at all levels; complete business continuity management for all business-critical processes
Technology
• ignored: IS basics; basic IS systems established (e.g. AV, firewall)
• observed: prevention systems for some critical assets established
• extended: "state of the art" prevention and detection systems for all critical assets established
• excellent: holistic "state of the art" prevention, real-time detection and monitoring system established
Culture
• ignored: no security culture
• observed: low security culture; some employees trained
• extended: security culture established; all employees trained
• excellent: "alive" security culture; permanent employee trainings
QSEC – "all in one compliance"
QSEC - more results, faster!
Editions: Easy Express / Enterprise Edition / GRC Edition
QSEC – our products
Technology: standard browser application; administration tool / user authorization
Content: international standards (ISO 27001/2/5; ISO 20000 etc.); use patterns, measure proposals, risk catalog
Interfaces: mail system, Active Directory, ticket system; data migration (CSV, XML)
Process support: ISMS process (compliance, risk assessment, BIA/BCM); measure, document and incident management
Reporting: more than 45 reports incl. maturity degree report; dashboard
Usability: high user acceptance because of user-friendliness; permanent software support and continuous improvement process
QSEC – Suite 5.x - what's new?
Selectable user mode: e.g. user or expert mode
Preparation for Wizard technology (Workflow-Engine)
Several extensions (risk management, security level etc.)
Further performance improvements
QSEC-Enterprise and GRC Edition – module overview
QSEC versions: QSEC Enterprise Edition, QSEC GRC Edition, QSEC extensions
Modules: Dashboard, Compliance, Security Incidents, Reporting, Risk, Measures, Document, Business Continuity (BCM), Business Continuity (BIA), Master Data, Administration
Core: server, common platform, permissions
QSEC interfaces: mail system, asset management (e.g. SAP, Spider), AD, ticket system (e.g. SAP, helpLine), catalog tool (KEP), administration tool
Wizards (process workflow), Information Assets
QSEC – surface modes
Administrator: customizing / administration tool; QSEC administration (Web); administration of all modules and wizards
Modes: Expert, User, Wizard (process mode)
User roles: Action User, Power User, Super User
Wizards QSEC version 5.1 – process-oriented and efficient working
Preview Wizard QSEC Version 5.1 – Requirements
• Simple, self-explanatory operator guidance
• Low training costs
• Description and explanation of process steps
• Guided working
• Usable without expert know-how
• No unintentional quitting of the working process
• Start via link possible
Example: process steps for the interview wizard – ISO interview with a process owner in a business area
Start/introduction > choose interview > prepare interview > choose interview partner > name interview > business process > information assets
Wizards
• IS assessment wizard
• Interview wizards
• Security level wizard
• IS risk wizard
• Security incident wizard
Wizards – IS processes / workflow engine
Interview: introduction > selection > preparation > interview partner > name interview > business process > information asset group
Interview Acceptance: introduction > selection > business process > information asset group
IS Maturity Degree: introduction > evaluation method > IS catalog > question > control > result
IS Risk Assessment: introduction > asset group > protection requirement > threat > vulnerability > risk > result
IS Risk Evaluation: introduction > business unit > scope > time specification + responsibility > result
Security Level: introduction > asset group > selection > recommendation > confirmation > result
Dashboard – Group Status as of Version 5.1 (for international organizations)
[Dashboard screenshot: group status for the groups "Global" and "Technik"]
QSEC creates transparency – valid data via reporting
available reports:
• standard reports: management report, work report, SOA, actions, risk, maturity degree
• individual reports on demand
[Chart: assessment of controls for ISO 27001 (A5 to A15), IT security level Q4/2010, Q1/2011 and Q1/2012 – status 2010 Q4, 2011 Q1, 2012 Q1]
[Chart: compliance measure status – total number of measures per status (green / yellow / red)]
[Chart: distribution of IT security level (<7, 7, 8, 9, 10, 11, 12)]
[Chart: responsible employees – measures (Top 10), sorted by red]
IS Key Performance Indicators (IS-KPIs) / business ratios by QSEC (excerpt)
IS Organization: maturity degree, employee role
Compliance Management: maturity degree per scope / scope comparison / measures per control incl. degree of realization
BIA/BCM: number of critical business processes, critical asset groups; asset group actual-theoretical comparison (GAP analysis); number of disaster recovery plans and IT disaster recovery plans
Security Incident Management: number of security incidents per asset group and business process
Measure Management: number of security measures, due date per employee, costs, maturity degree
Document Management: number of documents, editing status, follow-up
Risk Management: critical asset groups incl. risk, measure or risk acceptance
[Charts: number of roles and number of employees per role; maturity degree of scope (Scope 1 to Scope 4)]
QSEC integrates into the existing IT landscape via interfaces!
QSEC-Suite ISMS / BDSG – integrated management system
Connected systems and exchanged data:
• Active Directory (AD): user authorization
• Mail system: mail advice
• Incident Management (SAP / helpLine): security incidents
• Asset Management (SAP / Spider): asset group, criticality, business processes, confidentiality, availability, integrity
• Vulnerability Management (e.g. Qualys): asset group, vulnerability, measures
• Process Management (Aris / Adonis): business processes
• Risk Management / SIEM: operational risks, events
QSEC-Suite - Technical Specs
QSEC is a web browser based application:
QSEC-Suite - comprehensive IT GRC / Information Security Management System (ISMS) according to ISO/IEC 2700x
Client:
• Web browser
• SSL
• No installation
• No maintenance
Web server:
• Microsoft Windows Server 2008R2/2012R2
• Microsoft IIS
• ASP.NET 4.0
Database:
• Microsoft SQL Server 2008/2008R2
• Interfaces to further systems
Developed with Microsoft Visual Studio 2010
Current version: 5.x
Roles: Risk Manager, Compliance Manager, Security Manager, Auditor, Administrator, Key User, Employee, Process Owner, Management Board / Managing Director, Supervisory Board, CIO, Internal Audit, Data Protection Officer, Plant Security
Artifacts: measures, evaluations, specifications, approvals, risks, opportunities, maturity degree, analyses, requirements, compliance, information security, risk management
Methods, standards & laws: ISO 27001, ISO 27005, Business Impact Analysis, risk management, compliance management
Results: improvement of effectiveness, security improvement, liability reduction
Processes