QSEC Modules

IT Compliance

Selecting the Compliance tile activates the functions of the compliance module. Here the assessments for the chosen scope are carried out. Norms, policies, laws and standards can be assessed with the stored questionnaires in the chosen scope. On the basis of the answered questions and, where present, the linked measures, the maturity level of the requirements (controls, recorded items and more) is rated. The evaluation can be supported by information from asset management.

Do you have a detailed assessment of the company's current security level, including its maturity degree?

As part of the self-assessments, a differentiated evaluation of the IT compliance status per scope, according to the selected standard, is executed. Resources and processes are not only associated; they can also be evaluated with regard to maturity degree (target/actual comparison) and valued based on the respective standard.
For the assessment a predefined questionnaire with interview questions is available, which can also be answered online.

Existing, company-specific questionnaires can also be integrated as further norms.

An excerpt of the features and of the standards already available within QSEC:

  • Scopes can be represented individually
  • ISO 27001, ISO 27002 (2005 and 2013) completely integrated
  • ISO 9001 (2008 and 2015)
  • ISO 14001, ISO 20000, BS OHSAS 18001:2007 and 18002:2008, BDSG, PCI DSS and VDA prototype protection (optional)
  • VDA Assessment

The procedure enables:

  • Integrated status assessment based on the Plan Do Check Act Methodology (PDCA)
  • IT compliance assessment based on various requirements (incl. the questionnaires for the implemented rules and standards)
  • Maturity assessment with target/actual performance comparison on control level
  • Automatic, adjustable follow-up of controls
  • Definition of IT compliance target values
  • Identification of gaps
  • Generating measures to achieve the IT compliance targets

Compliance Control Review – on the example of ISO 27001

Compliance Control Review – on the example of GDPR

General Data Protection Regulation in QSEC

The GDPR, with all chapters and maturity level assessment questions, is already integrated in the compliance module of QSEC. In addition to the established ISO norms (ISO/IEC 27001 ff., 27019 etc.) and IT baseline security, all assessments required by the GDPR can be carried out. An existing procedure report meets all requirements for the demanded accountability report.
The business processes (procedures) are assessed in QSEC with the evaluation criteria required by the EU GDPR (responsible body, purpose, recipients, capacity, privacy by design, privacy by default, impact analysis, order processing, approvals, contact with regulators).
The linked information is rated by confidentiality, integrity, availability and data protection relevance (with the additional attributes: affected persons, data category, third countries, deletion date, access authorization).
All criteria can be customized individually. With this integrated procedure the requirements of information security and data protection are met simultaneously and without additional expenditure.

Measure Management

Selecting the Measures tile activates the functions for registering and editing measures. Measures from all modules, including compliance, risk, security incidents and BCM/BIA, can be edited. Measures are shown with a traffic-light status based on their resubmission (follow-up) marking. Measures can be edited and updated. Duplicate measures can be merged, and the responsible persons can be informed directly via the mail function. Measures are directly linked with the compliance and risk assessment, and the resulting maturity level improvement or risk reduction is reported. The corresponding security budget can be derived from the recorded costs.

Selecting the Documents tile activates the functions for registering and editing documents. In QSEC document management all relevant documents can be managed. Alternatively, a link to an existing document management system can be established. Documents can be linked to, for example, controls in compliance management, security incidents, assets, measures and more, so that they are available to everybody who needs them.

IT risks can only be minimized if concrete measures can be derived from detected vulnerabilities and threats and their implementation can be ensured.

In this module, the status is taken from risk management and a list of measures is generated to implement the necessary activities.
The QSEC Suite provides comprehensive functionality for measure management. Measures proposed by any module can be adopted or customized. With the integrated status request, controls can easily be reassessed after measures have been implemented successfully. The history shows all changes over time.

The measures are, of course, linked within the QSEC suite with the IT risk, compliance, document and incident management modules.

An extract of the features:

  • Individual visualization of inspection areas
  • Acceptance of automatically suggested measures with adaptability
  • Creation of individual measures
  • Assignment of responsibilities and deputies
  • Scheduling and date tracking
  • Status check at any time
  • Relationship with projects
  • Relationship with controls, risks, documents, security incidents
  • Re-evaluation of relevant parts after implementation of measures
  • Risk acceptance in case of non-execution of measures

Measure Management Overview

IT-Risk Management

Selecting the Risk tile activates the functions of the risk module. The operational risk method implemented in this module is based on ISO/IEC 27005. The calculation method and the classification chart are predefined and can be customized to current requirements. The stored threat and vulnerability catalogues are assigned to the existing asset types and rated. An assignment can be made at any time using the administration tool. During the evaluation, the measures to reduce the risk and the linked security incidents are shown.
The following values are calculated: protection need, probability of occurrence, risk value in €, risk step, net risk.

In this area you execute the entire IT risk management in accordance with the ISO 27005 norm and identify all vulnerabilities and threats within your scope.

A great advantage of the ISO 27005 approach is that IT risk management is aligned with the business processes of the company. The business processes are evaluated on their criticality, and the assets that support them are allocated to them. Identified critical assets (IT systems consisting of applications, databases and hardware) are analyzed for availability, integrity, confidentiality, privacy relevance and financial value. This allows the derivation of concrete action plans for the prevention of threats and the closure of vulnerabilities.

Because the assessment of criticality is a very company-specific value, the criteria can of course be configured flexibly.

An extract of the features:

  • Individual visualization of inspection areas
  • Approach in accordance with the ISO 27005 norm (threat lists and vulnerabilities list incl. possible combinations)
  • Criticality capture of business processes possible
  • Flexibly configurable asset group value criteria
  • "Information" as a further primary asset type in addition to the business processes
  • Identification of vulnerabilities and threats of protection items
  • Display of measures in progress, completed and aborted per valuation
  • Display of security incidents per valuation
  • Identification of individual risk values of protection items
  • Identification of potential impacts of risks on the business processes
  • Creation of measures to reduce the risks
  • Generating a risk acceptance report on non-implementation

IT-Risk Management Overview

Business Impact Analysis/Business Continuity Management
(BIA & BCM)

Within BCM (business continuity management) you execute the BIA (business impact analysis): you analyze your business processes and the impact of failures, and administer the documentation for emergency planning.

Impact Analysis
Determination of the risk acceptance level

For every process under consideration an impact analysis is executed for each possible impact category. The period for the impact assessment (maximum process disruption period [days]) is defined for all processes across all systems (for example 30 days).
The scale depends on the typical damage progression of the company's business processes in its industrial sector.

An extract of the features:

  • Individual visualization of inspection areas
  • Visualization of processes for the BIA assessment
  • Capture the specifications for MTPD, RPO, etc.
  • Assessment of business processes upon the criteria for finance, reputation, legal control (individually adjustable)
  • Calculation of criticality
  • Visualization of gap analysis (target/actual RTO) and creation of measures for each asset group
  • Determination of emergency planning and emergency tests for critical business processes
  • Check and assessment of the documentation for critical asset groups (IT emergency plan, operations manual, disaster recovery plan), individually adjustable

BIA Review

IT Incident Management

Here you record IT incidents and manage the IT incident measures in a targeted way.
The requirements for complete reporting of security and data privacy incidents are increasing. In the Incident Management module, relevant security and data privacy incidents are evaluated in order to use them for a better risk assessment.

The damage category and the severity of an incident are documented, as well as the amount, class and type of damage. For every damage or accident, as already known from the other modules, a status with reminders and responsible persons is maintained, which is linked to corresponding measures and security targets.
Detected incidents are not assigned to specific scopes. Nevertheless, via the related objects, specific analyses per scope are possible.

An extract of the features:

  • Capture the category, severity, damage value, its class and its nature
  • Capture the concerned asset groups and individual persons
  • Capture the security target
  • Responsibility, follow-up
  • Relationship with other objects in the QSEC reporting
  • Assessment of the system's maturity degree
  • Predefined standard reports for various target groups
  • Individual reports possible
  • Increased value with meaningful graphics

IT Incident Management Overview

Information Assets

Selecting the Information Assets tile takes you to the module where you can register and edit information assets. The structure in QSEC follows the ISO 27005 method (risk management in information security): business processes, information and assets.

The target is a precise reflection of the organization's assets in the scope. The assets identified as critical are subjected to a detailed inspection in risk management; less critical assets can be subjected to a basic inspection.

An extract of the features:

  • Depiction of a complete business structure: business processes, information, assets (single assets and asset cluster)
  • Capture of affected asset groups and persons
  • Capture of safety risks
  • Capture, assessment and maintenance of information assets
  • Responsible employee for the information assets
  • Assessment of security needs and determination of criticality
  • Customizing: flexibly define your own security targets or further attributes to capture, for example for assets

NEW in version 5.3

  • Within the asset groups, the assets (single assets: notebooks, production systems, network components, etc.) can be managed manually with "management criteria" (e.g. manufacturer, serial number, location, etc.)
  • Mapping of business processes and information to the asset group
  • New report for asset groups with list of captured assets and asset criteria
  • Risk rating of the asset groups (the identified asset groups will be valued in risk management)
  • The security level for each asset group is valued completely for all assets
  • Form customization: for a better overview, the complex forms are divided into tabs. In version 5.3 the asset group form has 7 tabs.

The ability to capture assets within the asset groups is intended for organizations that cannot use an asset management system due to technical circumstances, or for which the effort would be too great.
This extension is intended for production environments, control systems and technical environments with few assets.

Information Assets Overview

Document Management

In the QSEC module "Document Management" you administer (edit, store and review) all related documents, such as security policies, classification guidelines, user guidelines and many more, internally or in conjunction with your document management system.
Every change to a document is fully recorded in the QSEC suite.

With the QSEC suite you receive sample documents for all relevant policies needed for the implementation and operation of an ISMS. This is an advantage based on expert knowledge, guaranteeing considerable savings in the creation and adoption of documents. All stored sample documents have been examined by auditors in the context of preparations for ISO 27001 certification.

An extract of the features:

  • Individual visualization of inspection areas
  • Sample documents of relevant policies (e.g. security policy, classification guideline, user guideline, client security guideline etc.)
  • Stored in the QSEC database, interface to an already available document management system
  • Stored records of author and responsible
  • Versioning
  • All current data types
  • Intelligent search function
  • Document portal (option)
  • Download function
Document Management Overview

Reporting

The QSEC Suite provides all up-to-date operational and management reports, predefined or individually configured.
So you can always check the status of your business information security with clear, graphically processed reports. Exporting reports, for example to Excel, is of course possible.

The maturity level representation allows you to compare the current state of information security with the desired level of maturity in your business.

An extract of the features:

  • Maturity degree
  • SOA – Statement of Applicability
  • Risk status / Top risks
  • Critical business processes
  • Measure and budget planning
  • Report of document status
  • Report of asset group status
Maturity Degree Report

QSEC Status Report: Question Implementation

Dashboard

Master Data

A meaningful IT GRC / information security management system requires keeping track of all organizational units and business processes of your company.

In master data management you manage all the individual company data for your IT GRC ISMS and thus lay the simple and flexible foundation for the use of QSEC.
All data necessary for implementing compliance, measure, document and risk management in the company is managed here.

These include:

  • Organizational units
  • Scopes
  • Business Processes
  • Asset Groups
  • Employees
  • Employee Roles
  • Teams
  • Addresses

An extract of the features:

  • Capture the entire or relevant company structure in organizational units
  • Formation of inspection perimeters for the ISMS and further norms
  • Capture the business processes and information
  • Definition of asset groups, import interface to an existing asset management (option)
  • Import of employee master data from AD/LDAP or SAP
  • Team building and assignment of responsibilities
  • Role-based rights administration
  • User-related task overview after login
  • Succession and deputy regulation
  • Mail messaging about current follow-up actions
Business units overview

Administration

An extract of the features:

  • Administration of users (create, change, lock)
  • Configuration of QSEC modules subject to individual requirements
  • Extension: configuration administration tool (installation on a separate client system)
  • Direct access to the SQL database (create, delete, rename etc. possible)
    (This module is offered together with an administrator training only.) 
  • Extension: catalogue capture and administration tool (installation on a separate client system) to capture individual norms, rules and standards, and internal guidelines.
    (This module is offered together with an administrator training only.)
Permission overview

Task Manager

The QSEC task manager, available from version 5.2, provides a fast, simple and dynamic tool to register, assign and edit tasks in addition to measure management.
New tasks can be registered manually in many QSEC modules. Additionally, tasks are generated automatically by the system, for example when the assessment of information changes for connected business processes and assets (a new assessment is then needed). This prevents contents from becoming obsolete unnoticed.

Task list

The prioritization, status consequences and dating of tasks help you to work through your daily tasks efficiently. Through the stored links for each task you quickly get to the right place, whether you link pages in QSEC, your internal folder structure or websites.
The task list (see screenshot), shown in the tile overview directly after login, provides a quick overview. See at a glance the next tasks including due date, status and priority.


Technique

QSEC is a web solution, with the advantage that no software installation is required on the client.

  • Multi-language, browser-based web front-end (e.g. Internet Explorer 8, Firefox, Safari, etc.) for enterprise-wide access to the software
  • Current .NET technology
  • Use of MS SQL Server 2008/R2 and MS Windows Server 2k3/R2/2k8/R2
  • QSEC Easy Express: MS SQL Server 2008 R2 Express with Advanced Services and Microsoft Windows Server 2k3/R2/2k8/R2, Windows 7
  • Secure communication over SSL