QSEC Suite (19 slides)

© 2014 WMC GmbH. QSEC - ISMS / eGRC according to international standards and methods

Uploaded by ari-pribadi, posted 10-Sep-2015

  • 2014 WMC GmbH, slide 1: QSEC - ISMS / eGRC according to international standards and methods

  • Slide 2: WMC IT GRC / ISMS Software + Consulting

    Consulting

    Information Security Management

    Compliance Management

    Information Security

    IT Security

    IT Risk Management

    Data Security

    Business Impact Analysis (BIA)

    Business Continuity Management

    QSEC multi-standard compliance management according to international standards!

    Information Security Management

    Compliance Management

    IT Risk Management

    Security Incident Management

    Measure Management

    Business Impact Analysis (BIA)

    Data Security

    Reporting

    + more: PCI DSS, SOX, ISO 20000

    PKA

    QSEC references: implementation and operation on time and within budget

    Software and Support

    WMC

    QSEC partner

  • Slide 3: GRC ISMS - definition and strategic objectives

    Information Security Management System (ISMS): the management system with all procedures and rules necessary to implement information security permanently and sustainably in an organization; it defines, steers, checks, maintains and constantly improves the status of information security.

    With GRC and ISMS organizations pursue important targets:

    Liability reduction by providing proof of their responsible action

    Coverage of company values by steady improvement of process security and information security

    Risk reduction by creation of transparency and implementation of adequate activities against threats

    Image improvement and competitive advantage by gaining trust (with customers, suppliers, banks, insurances and investors)

    Cost optimization by increasing the cost-value ratio

    Governance, Risk Management and Compliance (GRC): the generic term for all activities of an organization to establish governance and control (= Governance), reduce risks (= Risk Management) and comply with standards, laws and rules (= Compliance).

  • Slide 4: IT-GRC / ISMS - the situation today!

    In 60 seconds: 24,148 apps downloaded from the Apple AppStore; 463 mobile banking transactions in Europe; 70+ new domains registered; 168 million emails sent; 1,500 and more blog posts; 510,000 comments on Facebook (icons: mobility, user behavior, social media, applications)

    Challenge: complex IT infrastructure and shared data management; countless accesses to business data; increasing risks and threats for the core business

    Actual: implementation of IT GRC / ISMS up to now is expensive, complex, risky, costly in terms of time and staff, often incomplete, intransparent and often only technical

    Method: ISO / IEC or DIN/ISO norms are internationally accepted standards for the implementation of information security, risk and compliance management systems

    Dilemma: complexity! Risk control is a factor of the interaction of human beings, organization and technology

    Solution: QSEC, the IT GRC / ISMS all-in-one solution!

  • Slide 5: IT GRC / ISMS - topics of managerial level

    Management:

    + The cost of non-compliance cannot be ignored!
    + Know the legal liability risks and minimize them!
    + Define management processes and control!
    + Protect the values of the company!
    + Improve the company image and protect the future!

    Staff (e.g. IS agent) / responsible person (e.g. CIO, CISO, DPS, IS RM):

    + Reduce the cost of eGRC with ISMS!
    + Provide a high level of process quality!
    + Know and assess the operational risks!
    + Implement best practice methods and processes for eGRC!
    + Identify liability risks!
    + Identify and minimize business process impacts!
    + Classify the values of the company and assure them!
    + Plan new technology!
    + Monitor, evaluate and optimize business processes and business process change!
    + Conduct compliance reviews quickly and effectively!
    + Keep documentation up to date!
    + Create effective measure management!
    + Plan costs on valid data!
    + Optimized, uninterrupted work
    + Improve knowledge management

    Summary: Where, Who, When, Why, How

  • Slide 6: QSEC operates exactly according to standards and guidelines

    PDCA cycle: Plan, Do, Check, Act

  • Slide 7: Processes of information security

    Processes of the management system: information security management processes (ISMS)

    ISMS: Risk, Document, Compliance, Audit/Review

    ISMS improvement process for each control
    Sensitization (awareness) process
    Employee recruitment, management and exit process
    Disciplinary process for security breaches
    Information classification process
    Asset inventory / classification process
    Technical process
    Security incident process
    BIA / BCM process
    IT management process
    Policy creation process
    Monitoring process

    plan, support, operate, measure, improve

    Assessment of IS risks; treatment of IS risks
    Document management
    Legal, contractual and organizational requirements
    Review process for the continuous improvement process (KVP) and compliance

  • Slide 8: QSEC: IT-GRC / ISMS complete solution with added value

    Sustainable software support by the combination of:

    Method / Process: internationally accepted standard ISO 27001/2 plus further standards like ISO 9001, ISO 14001, ISO 20000, OHSAS 18001, SOX, PCI DSS (optional)
    ISO 27001/2 original text completely and exactly represented
    Risk management methodology according to ISO 27005 completely implemented
    BIA according to ISO 22301 completely implemented
    Guidance through the whole process (plan-do-check-act) of the ISO method
    Implementation of all demands and requirements from the ISO standards
    Logical interconnection of all data and information with their dependency relationships

    Best Practice: extensive support, guidance and provided content
    Worldwide approved best practices are offered within the solution
    Usability
    Outstanding measure management
    Approved pattern documents
    Progress supervision, mail reminders
    Integration of compliance and risk management, measure management, security incident management and document management

    Programming / Technology: Microsoft SQL database (SQL Server 2008/2008R2) and .NET web technology (Windows Server 2003 / 2008 R2, Microsoft IIS, ASP.NET 4.0), client (web browser, SSL)
    Integrated programming (MS Visual Studio 2010)
    Flexible adaptability to customer needs
    Extensive reporting functions
    Authorization concept
    Language option
    Data migration from existing systems (interfaces)
    No double collection of data
    Reduction of mistakes

  • Slide 9: QSEC connects business processes and IT assets over all levels

  • Slide 10: QSEC: IT-GRC / ISMS the solution with added value!

    Without QSEC (low security level, high risks and costs):
    only selective security
    no classification of information
    no consistent security organization
    no valid data for IT risk management
    high time and cost effort for incomplete security activities
    no reference to business processes

    With QSEC (high security level, decreasing costs and risks; high value creation):
    all security activities and data in one system
    complete identification and appropriate treatment of critical business processes
    handling of information according to its specific classification
    security organization established and implemented down to the departments
    valid data from IT risk management provide facts for decisions
    faster processes with simultaneous time and cost savings

    Levels covered: Infrastructure, Applications, Information, Business

  • Slide 11: QSEC USPs at a glance

    Multi-norm compliance: support of worldwide recognized standards including ISO 9001 (Quality Management), ISO 14001 (Environmental Management), ISO 20000 (IT Service Management), ISO 22301 (BIA & BCM), ISO 27001/2 (Information Security Management), ISO 27005 (IT Risk Management), PCI DSS, SOX, Basel II, OHSAS 18001 (Occupational Health and Safety). Subject to individual requirements, own contents or sector-specific standards can be integrated.

    Competitive edge: no other IT-GRC solution is as comprehensive in terms of best practices in the field of measure management.

    Variable license model: Easy Express and two suites fit all customer needs.

    Interfaces: via optional interfaces, data from mail systems, Active Directory, asset management systems (e.g. Spider) and ticket systems (e.g. helpLine) can be integrated into QSEC.

    Usability: customers confirm high operational guidance and a clear user interface.

    Quick implementation: QSEC is a flexible out-of-the-box software that can be implemented on a tight schedule with accurate cost planning.

    Content: QSEC provides norms including a measure catalog, risk management with a threat and vulnerability catalog, as well as measure proposals.

    Best Practice: the methods and processes implemented in QSEC for ISMS, risk, BIA and BCM are based on internationally proven best practice standards.

  • Slide 12: QSEC "all in one compliance" (1/2) - QSEC - more results faster!

    Products: Easy Express, Enterprise Edition, GRC Edition

    Technology: standard browser application; administration tool / user authorization

    Content: international standards (ISO 27001/2/5; ISO 20000 etc.); use patterns, measure proposals, risk catalog

    Interfaces: mail system, Active Directory, ticket system; data migration (CSV, XML)

    Process support: ISMS process (compliance, risk assessment, BIA/BCM); measure, document and incident management

    Reporting: more than 45 reports including a maturity degree report; dashboard

    Usability: high user acceptance because of user friendliness; permanent software support and continuous improvement process

  • Slide 13: QSEC "all in one compliance" (2/2) - Sustainable support of all ISMS and IT GRC targets!

    Comprehensively sustainable cost saving; QSEC result:

    Reduction of liability: complete verification of history and changes

    Coverage of company value: permanent, extensive and sustainable information security management

    Risk reduction: identification of really business-critical processes and adequate measures against threats

    Image improvement / competitive advantage: increasing trust from business partners (customers, vendors, banks, insurances, investors)

    Cost optimization: increase of security status and decrease of risks, and at the same time cost optimization (staff, time and IT budget)

    Heatmap: number of asset groups per risk merit (scope: location Hamburg). Rows: threats + vulnerabilities, S+B (or S*B); columns: asset group value (AG-Wert) 0 to 4; each cell is the number of asset groups.

    S+B \ AG value    0    1    2    3    4
    8                 5   43    4    3    5
    7                 8   45    3    4    6
    6                56    6    3    6   45
    5                 7    7    6    8    4
    4                 4    8    9    8    3
    3                 3    7    8    7    2
    2                 6    4    7    6    3
    1                 2    6    5    2    4
    0                 6    4    3    3    6
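The heatmap on this slide is a count of asset groups per cell of (threat + vulnerability score) x (asset group value). The following is an added example, not QSEC code or WMC material, that builds such a heatmap from a constructed list of asset groups. It assumes S = Schwachstelle (vulnerability) and B = Bedrohung (threat), a 0..4 rating scale for each rating and for the asset group value, and a "risk merit" of score x value used only to rank cells; the slide defines none of these, and both combination rules it names (S+B and S*B) are supported.

```python
"""Risk heatmap builder: count asset groups per (S+B or S*B score, asset group value) cell.
Added example, not QSEC code. Assumptions: S = vulnerability rating, B = threat rating,
both 0..4, asset group value 0..4, and risk merit = score * value (used only for ranking)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AssetGroup:
    name: str
    threat: int         # B: threat rating, assumed scale 0..4
    vulnerability: int  # S: vulnerability rating, assumed scale 0..4
    value: int          # AG-Wert: asset group value, assumed scale 0..4


Combine = Callable[[int, int], int]


def additive(s: int, b: int) -> int:
    """S+B rule from the slide: rows 0..8 for a 0..4 scale."""
    return s + b


def multiplicative(s: int, b: int) -> int:
    """S*B rule from the slide: rows 0..16 for a 0..4 scale."""
    return s * b


def build_heatmap(groups: List[AssetGroup], combine: Combine = additive,
                  scale_max: int = 4) -> List[List[int]]:
    """Return grid[score][value] = number of asset groups in that cell.

    Out-of-scale ratings raise instead of being silently clamped, so a bad
    import (e.g. a 1..5 scale from another tool) cannot shift the whole map.
    """
    max_score = combine(scale_max, scale_max)
    grid = [[0] * (scale_max + 1) for _ in range(max_score + 1)]
    for g in groups:
        for label, rating in (("threat", g.threat), ("vulnerability", g.vulnerability),
                              ("value", g.value)):
            if not 0 <= rating <= scale_max:
                raise ValueError(f"{g.name}: {label} rating {rating} outside 0..{scale_max}")
        grid[combine(g.vulnerability, g.threat)][g.value] += 1
    return grid


def hot_cells(grid: List[List[int]], threshold: int) -> List[Tuple[int, int, int, int]]:
    """Non-empty cells whose risk merit (score * value) reaches the threshold,
    as (score, value, count, merit) tuples, highest merit first."""
    cells = []
    for score, row in enumerate(grid):
        for value, count in enumerate(row):
            merit = score * value
            if count and merit >= threshold:
                cells.append((score, value, count, merit))
    cells.sort(key=lambda c: (-c[3], -c[0], -c[1]))
    return cells


def render(grid: List[List[int]], row_label: str = "S+B", col_label: str = "AG value") -> str:
    """Text grid in the slide's orientation: highest score on top, value 0..4 across."""
    corner = row_label + " \\ " + col_label
    width = len(grid[0])
    lines = [f"{corner:<16}" + "".join(f"{v:>4}" for v in range(width))]
    for score in range(len(grid) - 1, -1, -1):
        lines.append(f"{score:<16}" + "".join(f"{c:>4}" for c in grid[score]))
    return "\n".join(lines)


# Constructed sample data; not taken from the slide.
SAMPLE_GROUPS = [
    AssetGroup("ERP cluster", threat=4, vulnerability=3, value=4),
    AssetGroup("HR file share", threat=3, vulnerability=4, value=3),
    AssetGroup("Mail gateway", threat=4, vulnerability=2, value=2),
    AssetGroup("Print servers", threat=1, vulnerability=2, value=1),
    AssetGroup("Guest WLAN", threat=3, vulnerability=3, value=0),
    AssetGroup("Backup vault", threat=2, vulnerability=1, value=4),
    AssetGroup("Intranet wiki", threat=2, vulnerability=2, value=2),
    AssetGroup("Test lab", threat=1, vulnerability=1, value=1),
]

if __name__ == "__main__":
    grid = build_heatmap(SAMPLE_GROUPS)
    print(render(grid))
    for score, value, count, merit in hot_cells(grid, threshold=12):
        print(f"S+B={score} value={value}: {count} asset group(s), merit {merit}")
```

The explicit range check matters more than it looks: a heatmap silently absorbs mis-scaled input (every group lands one row too high, and the picture still looks plausible), so rejecting out-of-scale ratings at import time is the cheapest control on a report that management decisions are based on.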

  • Slide 14: QSEC-Enterprise and GRC Edition module overview

    Modules: Dashboard, Compliance, Security Incidents, Report, Risk, Measure, Document, Business Continuity (BCM), BIA, Audit (planned), Master data

    Administration: Core Server, common platform, permissions

    QSEC interfaces: mail system, asset management (e.g. SAP, Spider), AD, ticket system (e.g. SAP, helpLine)

    Catalog tool (KEP); Administration tool

    QSEC versions: QSEC Enterprise Edition, QSEC GRC Edition, QSEC extensions

  • Slide 15: QSEC integrates into the existing IT landscape via interfaces!

    QSEC-Suite ISMS / BDSG: integrated management system

    Data exchanged over the interfaces: asset group, asset group criticality, business processes, confidentiality / availability / integrity, vulnerability, measures, mail advice, user authorization, security incidents

    Connected systems: Active Directory (AD); mail system; incident management (SAP / helpLine); asset management (SAP / Spider); vulnerability management (e.g. Qualys); process management (Aris / Adonis); risk management / SIEM (operational risks, events)

  • Slide 16: QSEC creates transparency: valid data via reporting

    Available reports: standard reports, management report, work report, SOA, actions, risk, maturity degree, individual reports on demand

    [Chart: assessment of controls for ISO 27001 (A5 to A15), IT security level Q4/2010, Q1/2011 and Q1/2012; status 2010 Q4, 2011 Q1, 2012 Q1; scale 0.0 to 10.0]

    [Chart: total number of compliance measures by status (green, yellow, red), scale 0 to 160]

    [Pie chart: IT security level]

  • Slide 17: IS Key Performance Indicators (IS-KPIs) / business ratios by QSEC (excerpt)

    IS organization: maturity degree, employee roles

    Compliance management: maturity degree per scope / scope comparison / measures per control incl. degree of realization

    BIA/BCM: number of critical business processes, critical asset groups; asset group actual-theoretical comparison (GAP analysis), number of disaster recovery plans and IT disaster recovery plans

    Security incident management: number of security incidents per asset group and business process

    Measure management: number of security measures, due date per employee, costs, maturity degree

    Document management: number of documents, editing status, follow-up

    Risk management: critical asset groups incl. risk, measure or risk acceptance

    [Chart: KPI number of roles / number of employees]

    [Chart: maturity degree of scope (Scope1 to Scope4)]

    [Chart: number of security incidents per asset group and business process]

  • Slide 18: QSEC-Suite technics

    QSEC is a web browser based application: QSEC-Suite - comprehensive IT GRC / Information Security Management System (ISMS) according to ISO/IEC

    Client: web browser, SSL; no installation, no maintenance

    Web server: Microsoft Windows Server 2003/2008R2/2012R2, Microsoft IIS, ASP.NET 4.0

    Database: Microsoft SQL Server 2008/2008R2

    Interfaces to further systems

    Programming by Microsoft Visual Studio 2010; current version: 4.2

    Module diagram (translated from the German original): Dashboard, Compliance, Incident, Reporting, Risk, Measures, Document, BCM, BIA, Audit (planned), Master data; Administration: Core Server, common platform, permissions; QSEC interfaces: mail system, asset management (e.g. SAP, Spider), AD, ticket system (e.g. SAP, helpLine); catalog entry and maintenance tool (KEP); administration tool

    Roles: Risk Manager, Compliance Manager, Security Manager, Auditor, Administrator, Key User, employees, process owner, board / managing director, supervisory board, CIO, internal audit, data protection officer, plant security

    Objects: measures, assessments, specifications, approvals, risks, opportunities, maturity degree, analyses

    Requirements: compliance, information security, risk management

    Methods, standards and laws: ISO 27001, ISO 27005

    Processes: business impact analysis, risk management, compliance management

    Results: effectiveness improvement, security improvement, liability reduction

  • Slide 19: Version 4.2, WMC GmbH 2014