
Page 1

QSEC - ISMS and GRC according to international standards and methods

© 2017 WMC GmbH / short presentation QSEC Suites / Werner Wüpper

Page 2

"Best in Class is not a coincidence!"

Consulting / ISMS & GRC software / Sectors

Page 3

WMC GmbH – GRC & ISMS Software + Consulting

Our core issues (consulting, software + support) and our references:

- QSEC multi-standard compliance management according to international standards
- Project management
- Management consulting
- Information security management
- Compliance management
- IT security
- Risk management
- Business impact analysis (BIA)
- Business continuity management
- Data protection
- Measure management
- Reporting
- More: PCI DSS; ISO 9001; ISO 20000

Page 4

Best practice with QSEC-Suite

[Diagram: Governance at the centre, framed by Standards and Laws, Guidelines and Policies, Risk Management and Compliance. The QSEC maturity assessment for standards and laws leads to guided IT-GRC measures that are sustainable, complete and organisation-wide and cover Strategy, Technology, Processes and People; the stated goal is transparency and minimization.]

Page 5

QSEC – the USPs at a glance

Multi-norm compliance
Support of worldwide recognized standards including ISO 9001 (Quality Management), ISO 14001 (Environmental Management), ISO 20000 (IT Service Management), ISO 22301 (BIA & BCM), ISO 27001/2 (Information Security Management), ISO 27005 (IT Risk Management), PCI DSS, SOX, Basel II and OHSAS 18001 (Occupational Health and Safety). Subject to individual requirements, own content or sector-specific standards can be integrated.

Competitive edge
No other IT-GRC solution is as comprehensive in terms of best practices in the field of measure management.

Comprehensive content, "all in one"
No modules missing: QSEC comes complete.

Interfaces
Via interfaces QSEC integrates into the existing IT landscape.

Usability
Customers confirm high operational guidance (wizard technology) and a clear user interface.

Quick implementation
QSEC is flexible "out of the box" software that can be implemented on a tight schedule with accurate cost planning.

Page 6

QSEC – Advantages and Benefits

Benefits:
- can be used by any authorized employee
- high transparency about all activities and status within compliance and IT risk management
- permanent information about all changes and improvements
- optimization of IT investments through transparency of the business-critical processes (peak risks)
- possible savings of about 30-50 % of the internal and external costs during ISMS implementation/operation
- reduction of effort for certification/recertification
- company-wide and unified traceability of compliance
- improved image and competitive advantage

Achievement:
- usability and ease of use (web/wizard technology)
- flexibility and comprehensive configuration
- content fully integrated according to the standard (norm/law)
- fully integrated IT risk management based on the business processes and information
- integrated central database
- workflow and business process support according to tasks and roles (experts and users)
- test cases, test assets, measure proposals and sample documents for each sector fully integrated
- product support: permanent updates

Page 7

QSEC – "all in one compliance"

QSEC: more results, faster

Our products: Easy, Express, Enterprise Edition, GRC Edition, BSI Edition

Technology: standard browser application; administration tool / user authorization
Content: international standards (ISO 27001/2/5; ISO 20000 etc.); use patterns, measure proposals, risk catalog; samples for business processes and assets for some sectors
Interfaces: mail system, Active Directory, ticket system etc.; individual data transfer (CSV, XML etc.)
Process support: ISMS process (compliance, risk assessment, BIA/BCM); measure, document and incident management
Reporting: more than 65 reports including a maturity degree report; dashboard
Usability: high user acceptance because of user friendliness; permanent software support and continuous improvement process; well-defined steps with wizard technology

Page 8

QSEC – Integrated Management System

An expert system for every employee

Technical specs / Risk / Compliance / Usability
- Cost savings - Transparency - Efficiency

1. Usability – simple usage through wizard technology
2. Low training expenditure
3. Configuration possibilities – flexible and extensive
4. Automated resubmission, system tasks
5. International standards (ISO, GDPR, ITIL)
6. Consistent procedure and leadership based on the PDCA method and an extensive measures proposal
7. Risk management based on ISO 27005 (ISO 31000)
8. History of all relevant changed data
9. Distribution of responsibility and task sharing
10. Web usage – browser based
11. Integration into the existing IT infrastructure (AD, SAP, asset system)
12. Central database, incl. data repository

Page 9

QSEC Enterprise and GRC Edition – module overview

QSEC versions: new since V6.1: additional module for data protection that joins all relevant data protection information for a compact overview and editing.

Editions: QSEC Enterprise Edition, QSEC GRC Edition, QSEC extensions

Modules:
- Core server, common platform, permissions
- Master data administration
- Administration tool
- Wizards (process workflow)
- Information assets
- Task manager
- Dashboard
- Compliance
- Security incidents
- Reporting
- Risk
- Measures
- Documents
- Business continuity: BCM, BIA
- General Data Protection Regulation (GDPR)
- Catalog tool (KEP)

QSEC interfaces: mail system, asset management (e.g. SAP, Spider), AD, ticket system (e.g. SAP, helpLine)

Page 10

QSEC - Wizard Technology

- Simple, self-explanatory operator guidance
- Low training costs
- Description and explanation of process steps
- Guided working
- Usable without expert know-how
- No unintentional quitting of the working process
- Start via link possible

Requirements

Wizards: Interview Wizard, Interview Transfer Wizard, Compliance Wizard, Measure Rating Wizard, Risk Assessment Wizard, Security Level Wizard

Example: process steps for the Interview Wizard (ISO interview with a process owner in a business area)

1. Start/introduction
2. Choose interview
3. Prepare interview
4. Interview partner name
5. Interview
6. Business process information
7. Asset group
8. Interview

Page 11

QSEC - Wizards

Process-oriented, efficient working

[Diagram: seven numbered wizard steps shared between the Expert and the Business owner, resulting in IS status, risk status and security level.]

Page 12

QSEC – Multi-standard system

All standards can be managed in QSEC; existing standard catalogs (as of 06/2017):

- Quality management: DIN EN ISO 9001:2015-11 (DE/EN)
- Environmental management: DIN EN ISO 14001:2015-11 (DE/EN)
- Payment card industry: PCI DSS 3.2 (EN)
- IT service management: ISO 20000-1:2005, chapters 3-10 (EN)
- IT baseline protection: IT-Grundschutz module catalogs (Bausteinkataloge) (DE)
- ISMS: DIN ISO/IEC 27001:2015-03 (DE/EN)
- IS controls for the energy utility industry: DIN ISO/IEC TR 27019:2015-03 (DE/EN)
- 27001 / 27019 in one catalog: DIN ISO/IEC 27001:2015-03 + TR 27019:2015-03
- IT baseline protection catalog: IT-Sicherheitskatalog 2015 (DE)
- Occupational safety: OHSAS 18001:2007 incl. 18002:2008
- Cloud security: ISO/IEC 27017:2015 (EN)
- Personal data / public cloud: ISO/IEC 27018:2014-08 (DE/EN)
- Federal Data Protection Act: BDSG (DE)
- EU General Data Protection Regulation: EU GDPR 2015
- Business continuity management: DIN EN ISO 22301:2014-12 (EN)
- VDA ISMS: VDA version 2.13 (DE/EN)
- Energy management: DIN EN ISO 50001:2011-12 (DE)
- Medical devices, quality management: DIN EN ISO 13485:2012-11 (DE)
- Medical devices, quality management: DIN EN ISO 13485:2016-08 (DE) (in preparation)
- Anti-bribery management systems: DIN ISO 37001:2016-02 (DE/EN)

Page 13

QSEC creates transparency – valid data via reporting and dashboard

Integrated reports:
- Standard reports: management report, work report, measure reports, risk status report, compliance / maturity degrees (SOA)
- Special reports: budget report, security incident report, information governance report
- Individual reports on demand
- Dashboard

Page 14

QSEC-Suite – Technical Specs

QSEC-Suite, a web browser based application: the secure and tool-based way to a comprehensive IT GRC / Information Security Management System (ISMS) according to ISO/IEC 2700x.

Client: web browser; no installation, no maintenance; connection to the web server over SSL/TLS
Web server: Microsoft Windows Server 2016 and predecessors; Microsoft IIS; ASP.NET 4.6
Database: Microsoft SQL Server 2016 and predecessors
Interfaces to further systems
Programming with Microsoft Visual Studio 2010
Current version: 6.0

Page 15

QSEC integrates into the existing IT landscape via interfaces

[Diagram: the QSEC-Suite integrated management system at the centre, exchanging data with the surrounding systems.]

Data exchanged: asset group, criticality, business processes; confidentiality, availability, integrity; asset group, vulnerability; measures; mail notifications; user authorization; security incidents

Connected systems:
- Active Directory (AD): user authorization
- Mail system: mail notifications
- Incident management (SAP / helpLine): security incidents
- Asset management (SAP / Spider): asset groups, criticality, business processes
- Vulnerability management (e.g. Qualys): asset group, vulnerability
- Process management (Aris / Adonis): business processes
- Risk management / SIEM: operational risk events
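The interfaces above, the "individual data transfer (CSV, XML etc.)" on page 7 and the ISO 27005-based risk management on page 8 are only named on the slides. The following script is an added example and not QSEC code, nor any vendor's export format: it joins a constructed vulnerability-scanner CSV (column layout assumed, loosely modelled on a scanner report) with a constructed asset-group table carrying confidentiality/integrity/availability ratings from a business-process interview, and derives a likelihood-times-impact risk level per asset group in the style of ISO 27005. It goes one step beyond the slide by flagging scanner hosts whose asset group is not registered in the inventory, which is the most common failure of such an interface. All column names, scales, thresholds and data are assumptions.

```python
"""ISO 27005-style risk aggregation from two constructed CSV exports.

Added example, not QSEC code. Column names, rating scales, thresholds and
all sample rows are assumptions made for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed scanner export (assumed columns): one finding per row,
# severity on a 1-5 scale, host already tagged with its asset group.
# The last row deliberately names a group missing from the inventory.
SCAN_CSV = """ip,asset_group,qid,title,severity
10.0.1.10,ERP-DB,91234,SQL Server missing critical patch,5
10.0.1.10,ERP-DB,38170,SSL certificate expired,3
10.0.2.20,WEB-FRONTEND,11827,HTTP security headers missing,2
10.0.2.21,WEB-FRONTEND,13038,Deprecated TLS 1.0 enabled,3
10.0.3.30,FILESHARE,90001,SMBv1 enabled,4
10.0.9.9,UNKNOWN,38170,SSL certificate expired,3
"""

# Constructed asset-group table (assumed columns): C/I/A ratings on a 1-4
# scale as a process owner would give them in an interview.
ASSETS_CSV = """asset_group,business_process,confidentiality,integrity,availability
ERP-DB,Order-to-Cash,4,4,4
WEB-FRONTEND,Customer Portal,3,2,3
FILESHARE,Engineering,3,2,1
BACKUP,Backup,2,4,3
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts (all values are strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def impact_of(asset):
    """Impact of compromising the asset group: the worst of its C/I/A ratings."""
    return max(int(asset["confidentiality"]),
               int(asset["integrity"]),
               int(asset["availability"]))


def risk_level(score):
    """Map a likelihood * impact score (0-20) onto an assumed three-step scale."""
    if score == 0:
        return "none"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def risk_per_asset_group(scan_rows, asset_rows):
    """Join findings to asset groups; likelihood is the worst finding severity.

    Groups without findings still appear (risk 0) so the report covers the
    whole inventory, not only what the scanner happened to see.
    """
    assets = {a["asset_group"]: a for a in asset_rows}
    worst = defaultdict(int)
    count = defaultdict(int)
    for f in scan_rows:
        group = f["asset_group"]
        if group not in assets:
            continue  # reported separately by unmapped_findings()
        worst[group] = max(worst[group], int(f["severity"]))
        count[group] += 1
    result = {}
    for group, asset in assets.items():
        impact = impact_of(asset)
        likelihood = worst[group]
        score = likelihood * impact
        result[group] = {
            "business_process": asset["business_process"],
            "impact": impact,
            "likelihood": likelihood,
            "findings": count[group],
            "risk": score,
            "level": risk_level(score),
        }
    return result


def unmapped_findings(scan_rows, asset_rows):
    """Hosts the scanner tagged with an asset group the inventory does not know."""
    known = {a["asset_group"] for a in asset_rows}
    seen = []
    for f in scan_rows:
        pair = (f["ip"], f["asset_group"])
        if f["asset_group"] not in known and pair not in seen:
            seen.append(pair)
    return seen


if __name__ == "__main__":
    scan, assets = parse_csv(SCAN_CSV), parse_csv(ASSETS_CSV)
    report = risk_per_asset_group(scan, assets)
    for group, r in sorted(report.items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{group:14} {r['business_process']:16} I={r['impact']} "
              f"L={r['likelihood']} findings={r['findings']} "
              f"risk={r['risk']:2} {r['level']}")
    for ip, group in unmapped_findings(scan, assets):
        print(f"WARNING: {ip} reported under unregistered asset group "
              f"{group!r}; add it to the inventory before it is lost")
```

The join key is the asset group, so the scanner tagging (or the asset-management export) has to carry it; anything that arrives without a known group is a gap in the inventory, not a low risk, which is why the script reports it instead of silently dropping it.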

Page 16

Questions? Don't hesitate to contact us!

Visit our website and ask for a QSEC live presentation or just give us a call!

Your contact partner for questions:

Mr. Dierick Schröder, Account Management / Sales, Phone: 040/650 336-17, E-Mail: [email protected]

Wüpper Management Consulting GmbH on the Internet: http://wmc-direkt.de/en/grc-isms-software/online-demo/