QSEC - ISMS / eGRC

according to
international standards an
methods

1
2014 WMC GmbH

WMC IT GRC / ISMS Software + Consulting

Consulting

Software and Support

Information Security Management

Information Security Management

Compliance Management

Compliance Management

Information Security

QSEC multi-standard
compliance management
according to international
standards!

IT Security
IT Risk Management
Data Security

IT Risk Management

Security Incident Management

Measure Management
Business Impact Analysis (BIA)

Business Impact Analysis (BIA)

Data Security

Business Continuity Management

Reporting

+ more: PCI DSS; SOX, ISO 20000

QSEC references implementation and operation in time and budget

QSEC partner

WMC

PKA

2
2014 WMC GmbH

GRC ISMS - definition and strategic objectives

With GRC and ISMS organizations
pursue important targets:

Governance, Risk Management and Compliance (GRC)

the generic term for all activities of an organization
to establish
governance und control
reduction of risks
compliance to standards, laws and rules

= Governance
= Risk Management
= Compliance

Coverage of company values by steady

improvement of the process security and
information security
Risk reduction by creation of transparency and
implementation of adequate activities against
threats

Information Security Management System (ISMS)

management system with all procedures and rules necessary to
implement information security permanent and sustainable in an
organization

Liability reduction by providing the proof of

their responsible action

Image improvement and competitive advantage

by gaining of trust (with customers, suppliers,
banks, insurances and investors)

define,
steer,
check,
maintain and
Improve constandtly

Cost optimization by increase of the cost value

ratio

the status of the infomation security

QSEC

3
2014 WMC GmbH

IT-GRC / ISMS the situation today!

Complexity:

Challenge:

Risks control is a factor of the iteraction of human beeings, organization and technics!
24,148 Apps
heruntergeladen vom
Apple AppStore

mobility

463 mobil bankingtransactions in Europe

user behavior

70+ new domains

registered

Actual:

510,000 comments on
facbook

168 million
emails sent

Complex IT infrastruture and

shared data management

1,500 and more Blogposts

applications

Method:

social media

60

IN
SEconds

Countless access on
business data

Increasing risks and threats for

the core business

ISO / IEC or DIN/ISO norms are international accepted standards for the implementation of
Information Security, Risk and Compliance Management Systems

Implemenation of IT GRC / ISMS up to now:

Dilemma:
complex

Solution:

costly in
terms of
time and
staff

expensive

intransparent

risky

often
incomplete

often only
technical

QSEC the IT GRC / ISMS all in one solution!

Consulting

4
2014 WMC GmbH

IT GRC / ISMS - topics of managerial level

Management
+ The cost of non-compliance can
not be ignored!
+ Know the legal liability risks and
minimize!
+ Define management processes
and control!
+ Protect the values of the
company!
+ Improve the company image and
protect the future!

Summary

Responsible person (e.g. CIO,

CISO, DPS, IS RM)
+ Reduce the cost of eGRC with
ISMS!
+ Provide a high level of process
quality!
+ Know and assess the operational
risks!
+ Implement best practice
methods and processes for
eGRC!
+ Identifiy liability risks!
+ Identify and minimize business
process Impacts!
+ Classify the values of the
company and assure them!
+ Plan new technology!

Staff (e.g. IS-agent)

+ Monitor, evaluate and optimize
business processes and business
process change!
+ Conduct compliance reviews
quickly and effectively!
+ Keep documentation up to date!
+ Create effective measure
management!
+ Plan costs on valid data!
+ Optimized, uninterrupted work
+ Improve knowledge management
Where, Who, When, Why, How

5
2014 WMC GmbH

QSEC operates exactly according to standards and guidelines

Act

Plan

Check

Do

6
2014 WMC GmbH

Processes of information security

Processes of the management system

Information security management processes (ISMS)

ISMS

plan, support, operate, measure,

improve

ISMS improvement process for

each Control

Technical process

Risk

Assessment of IS-risks
Treatment of IS-risks

Disciplinary process for security

breach

IT management process

Document

Document management

Employee recruitment, -lead,

and exit precess

Policy creation process

Compliance

Legally-, contractual-,
organizational requirements

sensitization processs

BIA / BCM process

Audit/Review

Review process for KVP and

Compliance

Information classification
process

Security Incident process

Asset inventorying /
classification process

Monitoring process

Consulting

7
2014 WMC GmbH

QSEC: IT-GRC / ISMS complete solution with added value

Sustainable software support by the combination of:
Method /
Process

Best Practice

Programming/
Technology

International accepted standard ISO

27001/2 plus further standards like
ISO 9001, ISO 14001, ISO 20000, OHSAS
18001, SOX, PCI DSS (optional)

extensive support , guidance and

provided content

Microsoft SQL data base (SQL

Server 2008/2008R2) and .Net web
technology (Windows Server 2003
2008 R2, Microsoft IIS, ASP.NET 4.0),
Client (Web Browser, SSL)

Consulting

ISO 27001/2 original text complete and exact represented

Risk Management methodology according to ISO 27005 complete implemented
BIA according to ISO 22301 complete implemented
Guidance through the whole process (plan-do-check-act) of ISO method
Implementation of all demands and requirements out of the ISO standards
Logic interconnection of all data and information with their dependent
relationship

Worldwide approved best practice are offered within the solution

Usability
Outstanding measure management
Approved pattern documents
Progress supervision, mail reminder
Integration of compliance and risk management, measure management, security
incident management and document management

integrated programming (MS Visual Studio 2010)

Flexible adabtability to customer needs
Extensive reporting-Functions
Authorization concept
Language option
Data migration from existing systems (interfaces)
No double collection of data
Reduction of mistakes

8
2014 WMC GmbH

QSEC connects business processes and IT assets over all levels

9
2014 WMC GmbH

With QSEC:

Without QSEC:

hohes Sicherheitsniveau sinkende Kosten/Risiken

High value creation

all security activities and data in one

system

complete identification and

appropriate treatment of critical
business processes

handling of information according to

their unique classification

only selective security

Business

no reference to business processes

Information

no classification of information

established and implemented security

organization to the departments

no consistent security organization

Applications

valid data from the IT risk

management provide facts for
decisions

faster processes with simultaneous

time and cost savings

no valid data for IT Risk Management

Infrastructure

QSEC

Low security level and high risks and costs

QSEC: IT-GRC / ISMS the solution with added value!

high time and cost effort for

incomplete security activities

10
2014 WMC GmbH

QSEC USPs at a glance

Quick implementation
QSEC is a flexible out of the box software
that can be implemented on a tight schedule
with accurate cost planning

Usability
Customers confirm high operational guidance
and a clear user interface

Multi-norm compliance
Support of worldwide recognized standards including ISO
9001 (Quality Management), ISO 14001 (Environmental
Management), ISO 20000 (IT Service Management), ISO
22301 (BIA & BCM), ISO 27001/2 (Information Security
Management), ISO 27005 (IT Risk Management) PCI DSS,
SOX, Basel II, OHSAS 18001 (Occupational Health and
Safety). Subject to individual requirements own contents
or sector-specific standards can be integrated

Variable
license model

Competitive edge
No other IT-GRC solution is as comprehensive
in terms of best practices in the field of
measure management

Easy Express and two

suites fit to all customer
needs

Best Practice
In QSEC implemented methods and
processes for ISMS, Risk, BIA, BCM
are based on international proven
best practice standards

Interfaces
Via optional interfaces
data from mail systems,
Active Directory, asset
management systems (e.g.
Spider) and ticket systems
(e.g. helpline) can be
integrated into QSEC

QSEC

Content
QSEC provides norms including
measure catalog, risk management
with threats and vulnerability
catalog, as well as measure
proposal
11
2014 WMC GmbH

QSEC "all in one compliance (1/2)

QSEC our products

Technology

Easy Express

Standard browser application

Administration-Tool / User authorization

Enterprise Edition
GRC Edition

Content

Interfaces

Process support

Reporting

QSEC - more result faster!

Usability

QSEC

International standards (ISO 72001/2/5; ISO 20000 etc.)

Use patterns, measure proposal, risk catalog

Mail System , Active Directory, Ticket System

Data Migration (CSV, XML )

ISMS Process (Compliance-, Risk assessment, BIA/BCM)

measure-, document and incident management

More than 45 reports with maturity degree report

Dashboard
High user acceptance because of user friendlyness
Permanent software support and continiuous improvement
process

12
2014 WMC GmbH

QSEC "all in one compliance(2/2)

Sustainable support of all ISMS and IT GRC targets!
QSEC - result
Reduction of liability

comprehensively
sustainable
cost saving

Coverage of company
value

threats
+
vulnerabilities

Heatmap number of asset groups per risk merit

8
7
6
5
4
3
2
1
0
S+B (bzw. S*B)^

AG-Wert >

5
8
56
7
4
3
6
2
6
0

43
45
6
7
8
7
4
6
4
1

4
3
3
6
9
8
7
5
3
2

3
4
6
8
8
7
6
2
3
3

5
6
45
4
3
2
3
4
6
4

permanent, extensive and sustainable information security

management

identification of really business critical processes and

adaquadte measures angainst threats

Risk reduction

Image improvement /
competitive advantage

asset groups
Scope: location Hamburg

complete verification of history

and changes

increasing trust from business partners (customer,s

vendors, banks, ensurances , investors)

Cost Optimization

QSEC

increase of security satus and decrease

of risks and at the same time
cost optimization (staff, time and IT budget)
13
2014 WMC GmbH

QSEC-Enterprise and GRC Edition module overview

Compliance

Risk

Audit (in planed)

SecurityIncidents

Measure

Master data

Administration

Administration
Tool

Katalog Tool (KEP)

Document

Report

Dashboard

Business Continuity

Business Continuity

BIA

BCM

QSEC interfaces:
Mail system, Asset Management (e. g.. SAP, Spider),
AD, Ticket system (z. B. SAP, helpLine)

Core Server, Common platform, Permissions

QSEC Versions
QSEC Enterprise Edition

QSEC GRC Edition

QSEC extensions

14
2014 WMC GmbH

QSEC integrates into the existing IT landscape via interfaces!

Asset
Management
SAP / Spider

Vulnerability
Management
e.g. Qualys

Mail System

asset group
criticality
business processes
confidentiality
availability
integrity

asset group
vulnerability
measures

mail advice

user authorization

QSEC-Suite

business processes

ISMS / BDSG
Integrated
Management
System

security incidents

Active Directory
(AD)

Prozess
Management
Aris / Adonis

Incident
Management
SAP / helpLine

Risk Management

event

operational risks

QSEC

SIEM

15
2014 WMC GmbH

QSEC creates transparency valid data via reporting

IT security level Q4/2010, Q1/2011 and Q1/2012

10,0
9,0
8,0

assessment

7,0
6,0
5,0
4,0
3,0
2,0
1,0

compliance
measure status

160
140
120
100
80
60
40
20
0

it green

available reports:

it yellow
it red
total number of

0,0

A5

A6

A7

A8

A9

A10

A11

A12

A13

A14

Controls for ISO 27001

responsibel employees - measures (Top 10)

IT security level
<7

10

11

12

13%

23%

13%
7%
15%

10%
19%

A15

Status 2010 Q4
Status 2011 Q1
Status 2012 Q1
Status of

Groklage
Wpperfhrt
Mller
Ulrich
Weidemann
Schulz
Kehr
Meyer
Rat
Schmidt

sortet by red

red

standard reports
management report
work report
SOA
Actions
Risk
maturity degree
individual reports on demand

yellow
green

20

40

60

80

QSEC

100

16
2014 WMC GmbH

IS - Key Performance Indicator (IS-KPIs) / business ratio by QSEC (excerpt)

IS-Organiztion

Maturity degree employee role

number 8
6
of
4
roles
1
0

number of employees
0

Compliance Management

Maturity degree per Scope / Scope-comparison /

measure per control incl. degree of realization

Maturity degree of scope

Risk Management

Cirtical asset groups incl. risk, measure or risk acceptance

BIA/BCM

Number of ciritical business processes, critical asset groups; asset group

actual-theoretical comparison (GAP analysis), number of disaster recovery
pan and IT disaster recovery plan

Security Incident
Management

Number of security incidents per asset group and business process

Measure Management

Number of security measures, due date per employee, costs, maturity

degree

Document Management

Number of documents, editing status, follow-up

16

Scope1
Scope2
Scope3
Scope4

Zurck

KPI

17
2014GmbH
WMC 2014
GmbH
C WMC

QSEC-Suite technics
QSEC a web browser based application:

Compliance

Web-Server

Client

Data base

Audit

Incident

Risiko

Dokument

Manahmen

Administration

Stammdaten
(in Planung)

Reporting

Dashboard

BIA

BCM

Katalog Erfassungsund Pflege Tool (KEP)

QSEC Schnittstellen:
Mailsystem, Asset Management (z. B. SAP, Spider),
AD, Ticketsystem (z. B. SAP, helpLine)

Administrations
Tool

Core Server, Gemeinsame Plattform, Berechtigungen

Web-Browser
SSL
No installation
No maintenance

Microsoft
Windows Server

2003/2008R2/2012R2

Microsoft IIS
ASP.NET 4.0

Microsoft
SQL Server 2008/
2008R2
Interfaces
to further systems

Anforderungen

Methoden

Compliance

Normen &
Gesetze
ISO
27001
ISO
27005

Informationssicherheit
Risikomanagement

Security
Manager

Compliance
Manager

Administrator

Analysen
Datenschutz-beauftragter

Bewertungen

Vorgaben

Auditor

Aufsichtsrat

Chancen

Risiken
CIO

Risk Manager

Werkschutz

Revision

Manahmen

Vorstand / GF

Genehmigungen

Reifegrad
Key User

Wirksamkeitsverbesserung
Prozessowner

Sicherheitsverbesser

Business Impact Analyse

ung
Risikomanagement

Haftungsreduzierung

Ergebnisse

Programming by Microsoft Visual Studio 2010

Mitarbeiter

Compliancemanagement

Prozesse

Current Version: 4.2

QSEC-Suite - comprehensive IT GRC / Information Security Management System
(ISMS) according to ISO/IEC
QSEC

18
2014 WMC GmbH

Version 4.2

19

WMC GmbH 2014

2014 WMC GmbH