Information Assets

In the QSEC® module “Information Assets”, the information assets (business processes, information and the supporting assets) are managed. Following the procedure required by ISO 27005 (information security risk management), QSEC® divides them into

  • Physical assets
  • Personnel
  • Services incl. Cloud

The aim is to obtain as exact a picture as possible of the assets of the organization(s) in the selected scope. Assets identified as critical are subject to a detailed consideration in risk management; less critical assets can be covered by a basic examination based on predefined elementary hazards.

Recording assets within asset groups is intended for organizations that cannot use an IT asset management system (ITAM) due to technical circumstances, or for which the effort would be too great. This option can be used, for example, for production environments, control systems and technical environments with few assets.

[Figure: QSEC® – Map of asset group]

Features (extract):

  • Modeling of the complete company structure:
    • Business units,
    • Business processes,
    • Information,
    • Assets (individual assets and asset groups)
  • Entry of the asset groups with specification of the responsible person and of the asset group type, which determines the assignment of the risk catalogue
  • Entry of BIA-relevant data (RTO actual/RPO actual) (planned)
  • Hierarchical asset group display for a clear structure view
  • Tabular asset group listing for a clear editing view
  • Map asset group view for a clear overall context
  • Within the asset groups, the assets (individual assets: notebooks, production systems, network components, etc.) can be managed manually using the “management criteria” (e.g. manufacturer, serial number, location, etc.); business processes and information are assigned to the asset groups
  • Inheritance of the business process and information criticality assessments for the protection needs analysis of asset groups in risk assessment (the asset groups covered are assessed in risk management)
  • The security levels are evaluated completely for each asset group and for all of its assets
  • Form customization: for a better overview, the complex forms are divided into tabs!
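The criticality inheritance and the critical/non-critical split described above, as an added Python example (not QSEC® code): it assumes a three-step ordinal protection-need scale and the maximum principle, which the page does not specify, and the GDPR extension of the CIA criteria by a data protection relevance flag.

```python
from dataclasses import dataclass, field

# Ordinal protection-need scale; the three steps are an assumption, not a QSEC setting.
LEVELS = ["normal", "high", "very high"]
CIA = ("confidentiality", "integrity", "availability")

def highest(levels):
    """Maximum principle (assumed): the strictest requirement of any supported item wins."""
    return max(levels, key=LEVELS.index) if levels else LEVELS[0]

@dataclass
class BusinessProcess:
    name: str
    need: dict  # CIA attribute -> level, as rated for the process

@dataclass
class Information:
    name: str
    need: dict
    personal_data: bool = False  # GDPR extension: data protection relevance

@dataclass
class AssetGroup:
    name: str
    processes: list = field(default_factory=list)
    information: list = field(default_factory=list)

def inherited_need(group):
    """Derive the asset group's protection need from the processes and information it supports."""
    need = {a: highest([p.need[a] for p in group.processes]
                       + [i.need[a] for i in group.information]) for a in CIA}
    need["data_protection_relevant"] = any(i.personal_data for i in group.information)
    return need

def treatment(need, threshold="high"):
    """Critical groups get the detailed risk assessment, the rest the basic hazard check."""
    critical = any(LEVELS.index(need[a]) >= LEVELS.index(threshold) for a in CIA)
    return "detailed risk assessment" if critical else "basic check (elementary hazards)"

# Constructed sample data (not from the page).
payroll = BusinessProcess("Payroll", {"confidentiality": "high", "integrity": "high", "availability": "normal"})
staff = Information("Employee master data",
                    {"confidentiality": "very high", "integrity": "high", "availability": "normal"},
                    personal_data=True)
printing = BusinessProcess("Office printing", dict.fromkeys(CIA, "normal"))
HR_SERVER = AssetGroup("HR server", [payroll], [staff])
PRINT_SERVER = AssetGroup("Print server", [printing])
```

Calling `inherited_need(HR_SERVER)` raises the group's confidentiality to "very high" because of the personal data it hosts, while the print server stays at the basic check.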


Document-Management

In the QSEC® Document-Management module, all required documents, such as the information security policy, classification policy, user policy, etc., can be managed

  • in the QSEC® database,
  • in connection with the document management system (DMS) already in use, and
  • on WebDAV devices.

Every document change is recorded in QSEC®.

The documents listed in QSEC® are provided with document features. The document features display

  • The name of the document
  • The document content type
  • The responsible employee
  • Resubmission date
  • Versioning
  • Degree of Completion
  • Status

and other document descriptions. All three document storage locations mentioned above are supported and can be operated in parallel.

[Figure: QSEC® – Document-Management overview]

Features (excerpt)

  • Documents can be defined and authorized per business unit, examination area and roles
  • Sample documents of relevant policies (e.g. security policy, classification policy, user policy, client security policy, etc.) are integrated
  • Storage in the QSEC® database or connection of already existing document management system/storage locations
  • Storage of author and responsible person
  • Versioning
  • Consideration of special features for contracts
  • Individually required field extensions
  • All common file types possible
  • Intelligent search function
  • Download function/display directly in the browser
  • History function


Data Protection Management

QSEC® meets all requirements for an integrated data protection and information security management system (DIMS)!

The EU GDPR is already implemented in the following QSEC® modules:

  • Compliance – the EU GDPR is integrated in the Compliance module of QSEC® as a catalogue with all chapters and maturity assessment questions. In addition to the requirements of the established ISO standards (ISO/IEC 27001 ff., 27019, etc.), all necessary assessments can be performed according to the EU GDPR.
  • Information Assets – recording of procedures (business processes) and personal data (information). The criteria for the classification of information security (confidentiality, integrity, availability) have been extended to include data protection relevance. Additionally required evaluations (further attributes) such as concerned parties, data categories, third countries, deletion periods, access authorizations, impact assessment, etc. are also recorded.
  • Risk Management – integration of data protection criteria into the risk assessment of all (IT) assets.
  • Measures Management – evaluation, recording and implementation of all measures necessary to fulfil the TOMs (technical and organizational measures).
  • Document Management – recording and administration of the contract management required by the EU GDPR (data processing contracts, etc.). The contracts are linked to the respective procedures (business processes) and service providers. The standard criteria for contract evaluation can be changed at any time.
  • Security Incident – recording of all data protection incidents. A security incident that is also a data protection incident is classified and reported as a data protection incident, or as a data protection incident subject to mandatory reporting.
  • Master Data – organization modelling, definition of the scopes and maintenance of all data protection officers.
  • Dashboard/Reporting – all reports required for data protection are available in QSEC®. Many work reports are generated directly from the respective modules via an Excel export.

With this integrated approach, the requirements of information security and data protection are met simultaneously without significant additional effort. Information security and data protection management together become a DIMS (Data Protection and Information Security Management System).

[Figure: Within compliance: EU GDPR evaluation of articles with QSEC®]

[Figure: Data protection management system: recording and evaluation of personal data/information with QSEC®]

[Figure: Data protection management system – criteria evaluation in QSEC®]

[Figure: Data protection management system – assessment of the requirements of the EU GDPR for the business process/procedure]


Compliance-Management

In the QSEC® Compliance Management module, standards, laws and individual requirement catalogues/specifications are evaluated on the basis of existing questions. The maturity levels of the requirements (controls, chapters, etc.) are derived from the questions answered and the related measures. The evaluations can be carried out by the assigned responsible persons for specific issues.

As part of the regular assessments or self-assessments, a differentiated evaluation of the compliance status is carried out according to the requirements of the standard under examination. The assessments can be performed for defined customer organizational units.

Predefined question catalogues are available for existing requirement catalogues. Since the regularly required evaluations are often carried out only once a year, the evaluators can use the user-friendly Compliance Wizard, which guides the user through the processing steps according to predefined processing descriptions. All evaluations are kept with their history and can be evaluated in compliance reports.

[Figure: QSEC® – Compliance Management System – Wizard]

In QSEC® Compliance Management, not only can a variety of standards be stored and evaluated, but an internal control system can also be implemented.
QSEC® offers the possibility to flexibly store the variety of standards and requirement catalogues and to audit them according to a structured method.

Features (excerpt)

  • Status assessment according to the Plan Do Check Act methodology (PDCA)
  • IT compliance assessment according to various approaches (including the question catalogues for the implemented rules and regulations)
  • Maturity evaluation with target/actual comparison at control level
  • Automatic, customizable resubmissions for controls
  • Definition of IT compliance target values
  • Determination of the gaps (actual/target value)
  • Generation of measures to achieve the compliance target values
  • Storage of documents
  • Link to other standards (control-control link)
  • Creation of a Statement of Applicability (SoA) report
