ISMS and GRC according to international standards and ...
„WMC - Best in Class is not a coincidence!“
Consulting | ISMS, GRC & data protection software | Sectors
19 years' experience
- Consulting
- Project Management
- Process Management
12 years' experience
- Software development
- Software maintenance
- Implementation of an IMS
© 2020 WMC GmbH
Goals of GRC, ISMS and DSMS
1. Cost optimization
2. Hedging company values
3. Risk reduction
4. Reduction of liability
5. Image gain and competitive advantage
Manage better, protect better, perform better
- Standardized and automated procedures
- Valid, consistent, comparable data collection
- Optimize effort
- Improve quality and efficiency
- Risk transparency
- Implementing appropriate activities against threats
- Permanent improvement of process and information security
- Proof of responsible action
- Optimization of investments
- Reduce the cost of certification and re-certification
Business processes
Laws and standards in interaction with business processes and IT assets
Diagram: Modeling | Requirements & specifications | Laws | Information Security Management System
Specifications: KonTraG, SOX / EuroSOX, BSI KritisV, BDSG, Basel III, EU 8th Directive, Solvency II, VDA PTS
Standards and Norms
ISO 27001
ISO 27019
ISO 9001ff
IT-Grundschutz
and much more
Company strategy, Information Security strategy, Company Policies, Policies
- Compliance Management
- Risk Management
- Measures Management
- Incident Management
- Business Continuity Management
- Assessment of maturity degree
Plan - Do - Check - Act
Business areas: Development, Production, Logistics, Administration, Finance, Purchase, HR
Information: Supplier info., Patents, Production info., Transport info., Information, Contract info., Employee info.
IT processes
Threats to confidentiality, availability, authenticity, integrity
Data, Applications, Systems, Weak Points
ISO 27005
GDPR
All ISMS and industry-specific IT requirements are supported sustainably!
QSEC® - Multi-Norm Compliance
QSEC® - Results
- Reduction of liability
- Securing corporate values
- Risk reduction
- Image improvement / competitive advantage
- Cost optimization
Comprehensive, sustainable, cost-saving
Essential standards by industry
QSEC® - Multi-Norm Compliance
Information security standards by sector:
- Logistics: ISO 27001, ISO 27005, ISO 22301, BSI, EU GDPR
- Healthcare: ISO 27001, ISO 27005, ISO 22301, BSI, EU GDPR
- Energy: ISO 27001, ISO 27005, ISO 22301, ISO 27019, IT security catalogue, BSI, EU GDPR
- Trade: ISO 27001, ISO 27005, ISO 22301, EU GDPR (DSGVO)
- Industry: ISO 27001, ISO 27005, ISO 22301, BSI, EU GDPR
- Finances: ISO 27001, ISO 27005, ISO 22301, EU GDPR
Sector-specific standards (as extracted; no separate Energy entry survived on this slide):
- Logistics: ISO 9001, ISO 14001, ISO 20000, DIN ISO 45001, TAPA, ISO 28000, Zoll (customs)
- Healthcare: ISO 9001, ISO 13485, ISO 14001, ISO 20000, IEC 80001
- Trade: ISO 9001, ISO 20000, PCI DSS, DIN ISO 45001
- Industry: ISO 9001, ISO 14001, ISO 20000, DIN ISO 27009, DIN ISO 45001, VDA TISAX
- Finances: BaFin BAIT, BaFin KAIT, BaFin VAIT, BaFin MaRisk, Basel II, ISO 20000
Information Security, Compliance, Methods, Processes
Processes: Compliance processes, ISMS processes, BCM processes, BIA processes, Risk processes
Plan - Do - Check - Act: security is a process (P-D-C-A process)
Authorities:
- ISO 27001, ISO 27005, ISO 22301, BSI, EU GDPR
- IT-Grundschutz 200-1, 200-2, 200-3, 100-4
- ISO 9001, ISO 14001, ISO 20000, DIN SPEC 27009, DIN ISO 45001, DIN ISO 50001, Smart Meter Gateway
DIMS - data-protection-, information-security-management system
QSEC® - integrates data protection and information security
Information security | Data protection
- KRITIS (IT-Sicherheitsgesetz 2015, the German IT Security Act): production environments; established specifications: ISO/IEC 27001 & ff, BSI
- ISM (Information Security Management): no legal requirements; office infrastructure; established specifications: ISO/IEC 27001 & ff, BSI …
- General Data Protection Regulation (GDPR): applies from 25 May 2018; standardised European data protection law; immediately replaces national regulations; obliges business and public administration
Corresponding elements on both sides: business processes / procedures; information / personal data; assets / assets; risk management / risk management
DIMS - data-protection-, information-security-management system
QSEC® - integrates data protection and information security
Diagram: DIMS as the overlap of ISMS and DSMS within the IMS
- Protection goals: confidentiality, integrity, availability, privacy relevance
- ISMS: business processes, service processes, assets, information (protection needs)
- DSMS: privacy-related business processes (protection needs)
DPMS = Data Protection Management System; ISMS = Information Security Management System; DIMS = Data protection / Information security Management System
QSEC® - modules
Core Server, Common platform, Permissions
QSEC® interfaces: mail system, asset management (SAP, Spider), AD, ticket system (SAP, helpLine)
Catalog Tool (KEP): catalog creation and maintenance tool
Administration Tool (Admin)
Task Manager / Workflow Manager
Modules: GDPR, Risk, Security Incidents, Compliance, Measures, Reporting, Dashboard, Documents, Information Assets, Master Data, Assessment, Service Provider, Business Continuity (BIA, BCM)
Colour chart (colour backgrounds indicate availability within the product variants): QSEC® ENTERPRISE, QSEC® GRC, QSEC® extensions
Wizards (process workflow)
User mode
Working according to IT-Grundschutz with the BSI extension
Methodical procedure according to the IT - Grundschutz catalogs
BSI IT – Grundschutz
1 Mapping of the organization in QSEC
2 Determining the scope
3 Assessment of IT-Grundschutz Catalog 200-2
4 Capture of Information Assets
5 Assessment of asset groups / risk assessment
QSEC® is named by the BSI as an alternative to GSTOOL and is thus suitable for implementing the BSI standards and the IT-Grundschutz catalogues.
Complete parallel operation of the IT-Grundschutz and the ISO / IEC 270xx requirements
BSI IT-Grundschutz and ISMS according to ISO 27001
IT-Grundschutz
- Determining the organization and scopes
- Capture of IT with structural analysis
- Capture of business processes and information
- Storage of component catalogues
- Risk analysis based on the hazard catalogues and the implemented measures
- Risk level assignment with gross and net risks
- Measure catalogues completely integrated
- Document management / Security Incidents …
ISO/IEC 27001
- Determining the organization and scopes
- Capture of IT (grouping) with structural analysis
- Capture of business processes and information
- Assessment of maturity degree and SoA report
- Risk analysis based on threats and vulnerabilities
- Risk level assignment with gross and net risks
- Measure catalogues completely integrated
- Document management / Security Incidents …
Critical infrastructure water industry
Implementation of the requirements of water industry based on IT-Grundschutz
Special features of the risk methods
Critical infrastructure energy utility
Implementation of the requirements of the Bundesnetzagentur (Federal Network Agency)
IT-Sicherheitskatalog and ISO 27019
Guided process support
QSEC® - Workflow – Wizard Technology
Simple, self-explanatory operator guidance
Low training costs
Description and explanation of process steps
Guided working method
Useable without expert know how
No unintentional quit of working process
Start via Link possible
Requirements
Interview Wizard
Interview transfer Wizard
Compliance Wizard
Measure Rating Wizard
Risk Assessment Wizard
Security Level Wizard
Interview
Interview wizard steps: 1 start/introduction, 2 choose interview, 3 prepare interview, 4 interview partner, 5 name interview, 6 business process, 7 information, 8 asset group
Example: process steps for the interview wizard, an ISO interview with a process owner in a business area
Wizards
Task support via email
QSEC® - Workflow - Task Manager
Simple, self-explanatory user guidance
No training costs for workflow participants
Guided workflow setup by experts
Mail confirmation / processing outside of QSEC by mail
Usable without expert knowledge
No unintended exit from the process
Start via link click possible
Requirements
Exception permit
Confirmation of actions
Change and release of the action status
Risk acceptance
Individual workflow processing
New, individual workflow creation
Individual form integration
Task - Workflows
Screenshot: example task workflow "measures release" (available)
QSEC® - product variants
QSEC® ENTERPRISE
› Compliance Management › Measures Management › IT-Risk Management › Security Incident Management › Document Management › Reporting › Master Data Management › Data protection according to EU GDPR › Catalog capture and maintenance tool › Administration tool
Single and complete licenses

QSEC® GRC
Governance, Risk, Compliance: ISMS incl. BIA/BCM
The same features as QSEC® Enterprise + module
› Business Continuity Management / Business Impact Analysis
Single and complete licenses

QSEC® EASY EXPRESS
Information Security Management System: ISMS for medium-sized companies
› Compliance Management › Measures Management › IT-Risk Management › Security Incident Management › Document Management › Reporting › Master Data › Data protection (GDPR)
Uncomplicated use based on an annual license
Examples
QSEC® - integrates into existing IT infrastructure
Diagram: the QSEC® Integrated Management System exchanges data with the surrounding systems (labels as extracted, paired by adjacency):
- Active Directory (AD): user authorization
- Mail system: email notification
- Incident Management (SAP / helpLine): security incidents
- Asset Management (SAP / Spider): asset group, criticality
- Vulnerability Management (e.g. Qualys): asset group, vulnerability
- Process Management (Aris / Adonis): business processes
- Risk Management / SIEM: operational risks, incidents
- Attributes exchanged: confidentiality, availability, integrity; measures
Extract from reports
QSEC® - dashboard and reporting
Special reports: budget report, security incident report, information governance report
Individual reports on demand; Dashboard
Standard reports: management report, work report, measure reports, risk status report, compliance / maturity degrees (SoA)
Integrated reports
QSEC® is a web-based application
- Microsoft SQL Server 2016 R2 and earlier versions
- Microsoft Windows Server 2016 R2 and earlier versions
- Microsoft IIS, ASP.NET 4.6
- Interfaces to further systems
- Web browser over SSL
- No installation, no maintenance
QSEC® - the technology
QSEC® - comprehensive IT GRC / ISMS according to specifications ISO / IEC 2700x
Client Web Server Database
Current version: 6.3
Programming by Microsoft Visual Studio 2015/2017
QSEC® - the USP‘s at a glance
Multi-Norm compliance: IKS / IMS functionality, working according to worldwide recognized standards including ISO 9001 (Quality Management), ISO 14001 (Environmental Management), ISO 20000 (IT Service Management), ISO 22301 (BIA & BCM), ISO 27001/2 (Information Security Management), ISO 27005 (IT Risk Management), PCI DSS, SOX, Basel II, OHSAS 18001 (Occupational Health and Safety), KAIT, VAIT, BAIT, VDA-TISAX etc., optionally available. Subject to individual requirements, own contents or sector-specific standards can be integrated.
Competitive edge: high integration of ISMS and data protection, flexible license model, multi-norm compliance, comprehensive customizing functionalities, workflow and task (mail) support.
Interfaces: via interfaces, QSEC® integrates into the existing IT landscape.
Flexible customizing and quick implementation: QSEC® is extensively customizable in the standard and can be implemented on a tight schedule with accurate cost planning.
Usability: clear, customizable user interface, differentiated expert and user mode, workflow and task support.
Content: no modules missing, QSEC® comes complete. Suggestions for measures, including presentation of cost-effectiveness (costs and amount of damage), have been implemented.
An excerpt
Our references
IT services, Finance / Insurance, Utilities / public utilities, Service providers / trading companies, Automotive industry, Logistics
Publisher of this presentation and owner of the brand QSEC® :
WMC Wüpper Management Consulting GmbH
040 - 650 336 - 20 » [email protected] » www.wmc-direkt.de
WMC GmbH - QSEC® distribution and development office, Zimmerstraße 1, 22085 Hamburg (Uhlenhorst)
QSEC® follows exactly international laws, standards and guidelines