Master Data Management

In QSEC master data management, the data required by the QSEC® software is set up in a simple and flexible manner.

QSEC master data consists of all user-specific company data that is required for the implementation of compliance, measure, document and risk management, such as:

  • Legal entities and organizational units
  • Scope with the definition of In-Scope and Out of Scope
  • Employees with authorizations and responsibilities
  • Employee Roles
  • Teams
  • Addresses
  • Service providers
  • Responsibilities

Master Data Management – Organizational Units Overview

Features (excerpt)

  • Recording of the entire or relevant company structure in organizational units;
  • Creation of scopes (combination of organizational units and related norms and standards) for the ISMS and other norms;
  • Import of employee master data from Active Directory/LDAP or SAP;
  • Team functionality and assignment of responsibilities;
  • Role-based rights management;
  • User-specific task overview after login;
  • Succession and substitution regulations;
  • Mail notification about current resubmissions;

QSEC modules

  • Data Protection Management System
  • Information Assets
  • Compliance Management System
  • IT Risk
  • Security Incident Management
  • Measure Management
  • Document Management
  • Master Data
  • Business Continuity Management
  • Reporting / Dashboard
  • Interview Wizard
  • Interview Transfer Wizard
  • Compliance Wizard
  • Risk Assessment Wizard
  • Security Level Wizard
  • Measure Evaluation Wizard
  • Usability
  • Task Manager
  • Administration
  • Technology

Security Incident Management

When implementing an ISMS according to ISO 27001, a complete reporting system for security and data protection incidents should also be considered. Furthermore, it is essential to proceed in a structured and methodical way in case of a security incident, in order to have an overview of the situation at any time.

The QSEC module Security Incident Management offers this along with an integrated risk management process. The relevant security and data protection incidents are recorded, and the resulting security incident measures are managed in a structured way in order to improve the risk assessment within the ISMS process according to ISO 27001.

In addition to the category and degree of severity of an incident, the following points are documented:

  • Amount of damage,
  • Severity,
  • Damage class and
  • Type of damage.

For each damage or incident, a status with resubmissions and responsible persons is maintained, and the incident is linked to the corresponding measures and security objectives.

Incidents recorded in Security Incident Management are assigned to business units and the asset groups affected by them.

Security Incident Management – overview

Features (excerpt)

  • Recording of category, severity, amount, class and type of damage
  • Registration of affected asset groups and persons
  • Indication of the associated risk scenarios
  • Recording of the associated security objective
  • Responsibility, resubmission
  • Link to other objects
  • Integration into the QSEC Risk Management

Reporting / Dashboard

The management dashboard in QSEC provides all required information in a transparent way. The numerous reports and dashboards provide an adequate view for every employee (management, team leader, responsible person etc.).

Furthermore, all work and management reports required for the ISMS activities can be generated in QSEC, e.g.

  • predefined reports,
  • individually configured reports and
  • daily updated reports.

This means that you have the current information security status of your company available at any time in clear, graphically prepared reports. Reports can also be exported, e.g. to MS Word, Excel, PowerPoint or other formats.

The maturity level display enables you to compare the current status of information security with the targeted maturity level in your company.

Reporting – SoA report in ISMS QSEC®

Features (excerpt)

  • Compliance Maturity Level
  • SOA – Statement of Applicability
  • Risk Status / Peak Risks
  • Risk Response
  • Critical Business Processes
  • Measures with budget planning
  • Document Status Report
  • Asset Group Status

Measure Management

The GRC software QSEC® provides an extensive range of functionalities for the management of measures.

Proposed measures can be adopted from all modules or adapted individually.

By means of the integrated status query, the affected controls can be re-evaluated immediately after measures have been implemented successfully.

In order to reduce IT risks, concrete measures and their implementation can be derived from identified and captured vulnerabilities and threats.

The measures can be selected from the QSEC software measure catalogue or created manually, in order to reduce risks and improve control maturity levels.

The measures are integrated with the QSEC® modules IT risk, compliance, document and incident management.

Measure Management – Overview

Features (excerpt)

  • Adoption of automatically proposed measures, from the QSEC standard measures catalogue, with the possibility of adaptation
  • Creation of individual measures
  • Assignment of responsibilities and substitutions
  • Scheduling and deadline tracking
  • Status query at any time
  • Integration with controls, risks, documents, security incidents
  • Re-evaluation of relevant risks after implementation of the measures
  • Risk acceptance in case of non-implementation of measures

IT Risk Management

By selecting the risk module in the QSEC software menu, the risk management functions are activated. The complete IT risk management is carried out here according to the requirements of ISO 27005 and/or BSI. The potential weaknesses and threats of the asset groups in the corresponding scope (a scope consisting of the relevant business units and the associated assets and standards) are determined.

The operational risk method implemented in this module works according to the requirements of the ISO/IEC 27005 standard or according to the IT-Grundschutz requirements (BSI Standard 200-3). The calculation methods and classification tables are predefined and can be customized individually to meet specific requirements. The stored threat and vulnerability catalogues (hazard and building block catalogues) are assigned to the existing asset types (infrastructure, IT hardware, IT software, cloud etc.) and evaluated. Since the assessment of the security requirements (asset group value) is a company-specific value, the criteria can be configured flexibly. An adjustment is possible at any time via the administration tool.

During the risk assessment, the measures for risk reduction and the associated incidents (security incidents) are displayed. The following values are calculated:

  • Protection requirements (asset group value),
  • Likelihood of occurrence,
  • Risk value in EUR,
  • Risk level,
  • Net risk.

One of the great advantages of IT risk management assessment according to the methodology of ISO 27005 is the focus on the business processes of the company. The business processes stored in QSEC are evaluated for their criticality and assigned to the required asset groups (buildings, IT infrastructure, etc.).

Identified critical asset groups are checked for

  • Availability,
  • Integrity,
  • Confidentiality,
  • Authenticity,
  • Data protection relevance and
  • their financial value

which together determine the need for protection. This enables concrete action plans for reducing weak points to be identified (risk treatment planning).
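The calculation described in the two passages above (protection requirements, likelihood, risk value in EUR, risk level and net risk, with the protection need derived from the availability, integrity, confidentiality, authenticity, data protection and financial ratings of an asset group) can be illustrated with a small worked model. The code below is an added example and is not QSEC's own calculation; the page only says that QSEC's methods and classification tables are predefined and customizable. The maximum principle for the protection need, the annualised-loss formula, the effectiveness-based net risk, the class boundaries and the sample asset group and threats are all assumptions constructed for this illustration.

```python
"""Illustrative ISO 27005-style risk calculation for one asset group.

Assumed model (not QSEC's own, which is configurable per company):
  protection need  = max of the individual ratings (maximum principle)
  gross risk (EUR) = financial value * damage fraction * likelihood per year
  net risk (EUR)   = gross risk * (1 - effectiveness of implemented measures)
  risk level       = lookup of the EUR value in a classification table
"""
from dataclasses import dataclass

# Assumed protection-need classes, as in IT-Grundschutz: normal / high / very high.
PROTECTION_CLASSES = {1: "normal", 2: "high", 3: "very high"}

# Assumed risk-level classification table: (exclusive upper bound in EUR, level).
RISK_LEVEL_TABLE = [(10_000, "low"), (100_000, "medium"), (1_000_000, "high")]


@dataclass
class AssetGroup:
    name: str
    availability: int        # rating 1..3
    integrity: int
    confidentiality: int
    authenticity: int
    data_protection: int     # relevance of personal data, 1..3
    financial_value_eur: float


@dataclass
class Threat:
    name: str
    likelihood_per_year: float      # expected occurrences per year
    damage_fraction: float          # share of the financial value lost per occurrence
    measure_effectiveness: float    # share of the gross risk removed by implemented measures


def protection_need(asset: AssetGroup) -> int:
    """Maximum principle: the highest single rating sets the asset group's protection need."""
    return max(asset.availability, asset.integrity, asset.confidentiality,
               asset.authenticity, asset.data_protection)


def gross_risk_eur(asset: AssetGroup, threat: Threat) -> float:
    """Annualised expected loss before any measures are taken into account."""
    return asset.financial_value_eur * threat.damage_fraction * threat.likelihood_per_year


def net_risk_eur(asset: AssetGroup, threat: Threat) -> float:
    """Residual risk after the implemented measures reduce the gross risk."""
    return gross_risk_eur(asset, threat) * (1.0 - threat.measure_effectiveness)


def risk_level(risk_eur: float) -> str:
    """Map an EUR risk value onto the classification table; above the table it is 'very high'."""
    for upper_bound, level in RISK_LEVEL_TABLE:
        if risk_eur < upper_bound:
            return level
    return "very high"


def assess(asset: AssetGroup, threats: list) -> dict:
    """Produce the per-threat values and the peak net risk for the asset group."""
    rows = []
    for threat in threats:
        gross = gross_risk_eur(asset, threat)
        net = net_risk_eur(asset, threat)
        rows.append({"threat": threat.name, "gross_eur": gross, "gross_level": risk_level(gross),
                     "net_eur": net, "net_level": risk_level(net)})
    need = protection_need(asset)
    return {"asset": asset.name, "protection_need": need,
            "protection_class": PROTECTION_CLASSES[need],
            "threats": rows, "peak_net_risk_eur": max(r["net_eur"] for r in rows)}


# Constructed sample data for the illustration.
SAMPLE_ASSET = AssetGroup("Customer database", availability=2, integrity=3, confidentiality=3,
                          authenticity=2, data_protection=3, financial_value_eur=2_000_000.0)
SAMPLE_THREATS = [
    Threat("Ransomware", likelihood_per_year=0.2, damage_fraction=0.5, measure_effectiveness=0.7),
    Threat("Data leak through misconfiguration", likelihood_per_year=0.1, damage_fraction=0.8,
           measure_effectiveness=0.0),
]

if __name__ == "__main__":
    result = assess(SAMPLE_ASSET, SAMPLE_THREATS)
    print(f"{result['asset']}: protection need {result['protection_class']}")
    for row in result["threats"]:
        print(f"  {row['threat']}: gross {row['gross_eur']:,.0f} EUR ({row['gross_level']}), "
              f"net {row['net_eur']:,.0f} EUR ({row['net_level']})")
    print(f"  peak net risk: {result['peak_net_risk_eur']:,.0f} EUR")
```

In the sample the protection need is "very high" because three of the ratings are 3, and the untreated misconfiguration threat stays the peak risk at 160,000 EUR even though ransomware has the larger gross value; this is the kind of comparison a risk treatment plan is built on.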

QSEC®: Tabular IT risk management overview sorted by status

QSEC®: hierarchical business process view with the IT risk overview according to the associated asset groups

QSEC®: Risk matrix of the risk levels of the considered asset groups

QSEC®: risk development in IT risk management
