Insight on. The Indispensable Information Security Toolkit. If you are responsible for information security how useful would you find the following?

Size: px

Start display at page:

Download "Insight on. The Indispensable Information Security Toolkit. If you are responsible for information security how useful would you find the following?"

Dinah Gilbert
5 years ago
Views:

Insight on The Indispensable Information Security Toolkit If you are responsible for information security how useful would you find the following?

1 Insight on The Indispensable Information Security Toolkit If you are responsible for information security how useful would you find the following? A database of over 3,000 security controls covering all aspects of information security, cross referenced to the risks they protect against and ranked by effectiveness and cost. A set of tools to support you in achieving certification or compliance against BS 7799 (The British Standard of Information Security) and also ISO (the equivalent international standard). A comprehensive risk assessment method fully compliant with BS Pro-forma information security polices and other useful security documentation. Tools to help you with business continuity planning. The ability to quickly find answers to a wide range of security questions such as: What level of authentication is required for our new e-business application? How can I assess what cryptographic services are required? Does our existing security infrastructure provide adequate protection for our new ERP system? Is the physical security at our data centre adequate? How can I justify security expenditure to the board? You might be happy to find cost-effective support in any of the above areas. However Insight Consulting provides all of these in one amazing package, the CRAMM Version 4 Information Security Toolkit. Insight, the UK s leading provider of independent services and solutions in information security, business continuity and risk management has taken CRAMM, the UK Government s preferred risk assessment method, and completely re-developed it into an indispensable aid for the security manager or analyst. Insight has incorporated its experience and knowledge base from 100 s of client consultancy assignments into CRAMM Version 4, including its successful methodology for gaining compliance with BS Insight was one of the first organisations to be formally certified for BS 7799, and has helped clients such as the Co-operative Bank's "Smile" Internet Bank, Britannic Money and Energis to achieve certification. At a fraction of the usual cost for tools providing this level of functionality and expert knowledge, CRAMM Version 4 provides fantastic value for money. CRAMM Version 4 is already in use in over 300 organisations in 20 countries. Can you afford to be without it?

These controls have been drawn from a wide variety of authoritative sources and recognised standards including the UK Government s Security Authorities, BS7799, the Information Technology Security

2 CRAMM Controls Database The CRAMM Version 4 controls database is hugely valuable in its own right. It covers all aspects of security including technical, physical, personnel, documentation and procedural measures. These controls have been drawn from a wide variety of authoritative sources and recognised standards including the UK Government s Security Authorities, BS7799, the Information Technology Security Evaluation Criteria (ITSEC) and Insight s consultants themselves. Each control is referenced by: The assets for which it is appropriate The type of control, e.g. whether it reduces the threat of, or vulnerability to, security breaches, reduces the impact from these breaches, detects failures or facilitates recovery The risks for which the control is appropriate The effectiveness of the control The cost of the control The BS7799 control objectives that the control supports Users can browse the controls database to identify controls that may be relevant to their business and applications and then explore these in increasing levels of detail. In addition, CRAMM s risk assessment tools can be used to determine whether controls are required, and can be justified, on the basis of the assessed risks. Figure 1: Countermeasure Tree illustrating the hierarchical structure of the CRAMM controls database The CRAMM controls database is regularly updated to keep it in line with the rapid developments in information security processes, standards and technology.

BS 7799 Compliance Tools Insight has developed a well-proven methodology to assist organisations to assess their compliance with BS7799 and then take the actions to achieve compliance.

single questions, to look at organisations, processes, applications or systems, or to investigate complete infrastructure and entire organisations.

Defining the management framework Conducting a Gap Analysis Preparing a Security Improvement Programme Producing a Statement of Applicability Producing an Information Asset Register Undertaking a

3 BS 7799 Compliance Tools Insight has developed a well-proven methodology to assist organisations to assess their compliance with BS7799 and then take the actions to achieve compliance. Key components of this methodology are incorporated into CRAMM, including: Defining the scope of the Information Security Management System (ISMS) CRAMM s risk assessment tools can be used to answer single questions, to look at organisations, processes, applications or systems, or to investigate complete infrastructure and entire organisations. Users have the option of a rapid risk assessment tool or a full, more rigorous, analysis. Defining the management framework Conducting a Gap Analysis Preparing a Security Improvement Programme Producing a Statement of Applicability Producing an Information Asset Register Undertaking a BS7799 compliant risk assessment Risk Assessment Tools CRAMM includes comprehensive risk assessment tools which are fully compliant with BS7799, including: Asset dependency modelling Business impact assessment Identifying and assessing threats and vulnerabilities Assessing levels of risk Identifying required and justified controls on the basis of the risk assessment Effective risk analysis relies upon comprehensive expertise Figure 2: Screen for recording findings from a gap analysis against BS7799

The risk assessment tools are extremely flexible, allowing you to explore different issues and answer many different questions.

strong authentication, encryption, power protection or hardware redundancy Identify the security functionality required for a new application Help

at a new site Examine the implications of allowing users to connect to the Internet Demonstrate compliance with legislation, such as the Data

of security controls on an existing system Demonstrate to a BS7799 auditor that a BS7799 compliant risk assessment has been undertaken, and that

Figure 3: Graphical reporting of business impact analysis CRAMM contains a variety of tools to help with evaluating the findings from the risk

4 The risk assessment tools are extremely flexible, allowing you to explore different issues and answer many different questions. Example applications of the CRAMM risk assessment tools are as follows: Determine if there is a requirement for specific controls, e.g. strong authentication, encryption, power protection or hardware redundancy Identify the security functionality required for a new application Help in developing the security requirements for an outsourcing/managed service agreement Review the requirements for physical and environmental security at a new site Examine the implications of allowing users to connect to the Internet Demonstrate compliance with legislation, such as the Data Protection Act, which requires the enforcement of appropriate security Develop a security policy for a new system Audit the suitability and status of security controls on an existing system Demonstrate to a BS7799 auditor that a BS7799 compliant risk assessment has been undertaken, and that appropriate security controls have been identified from this. Figure 3: Graphical reporting of business impact analysis CRAMM contains a variety of tools to help with evaluating the findings from the risk assessment, including: Determining the relative priority of controls Recording the estimated costs of implementing the controls Modelling changes to the risk assessment, using what-if? calculations Back-tracking through the risk assessment to show the justification for specific controls.

Risk Modelling Where organisations need to undertake many risk assessments on similar environments, (e.g. similar processes, applications, systems, infrastructures or locations) economies of scale can be achieved by using a CRAMM Risk model.

5 Risk Modelling Where organisations need to undertake many risk assessments on similar environments, (e.g. similar processes, applications, systems, infrastructures or locations) economies of scale can be achieved by using a CRAMM Risk model. A risk model consists of: A generic risk assessment for a typical environment A set of tools to allow the user to quickly bespoke the assessment to their own situation by identifying variances from the generic risk assessment Insight can develop CRAMM Version 4 risk models for any client environment. For example, risk models, developed by Insight for use in the Acute and Primary Care sectors, have been distributed to over 700 NHS users. Business Continuity Tools CRAMM provides tools to support the following key processes in business continuity management and is entirely consistent with the IT Infrastructure Library (ITIL) guidance on Business Continuity Management. Business impact analysis Identification of business recovery objectives Identification of key groups of staff and the time within which they must be operational following a business disruption The minimum facilities and services required by these groups of staff Risk assessment Identification of options for achieving business continuity objectives, including back-up, resilience and stand-by arrangements Pro-Forma Security Policies & Other Security Documentation CRAMM Version 4 contains pro-forma documents and wizards to help the user create a wide range of completed security documentation, including: Information Security Policy A documented Scope for a (BS7799) Information Security Management System A description of the Security Management Framework Risk Analysis Report Risk Management Report System Security Policy Interchange Agreement Reports can be exported directly to MS Word to allow further editing and tailoring. Tailoring Insight can tailor almost every aspect of CRAMM to meet specific client requirements. This can include: A controls database tailored to your own standards, architectures and product sets Security documentation tailored to your own standards Language translations Versions for other risk management subjects such as project risk and corporate governance. For example, Insight has developed tailored versions of CRAMM for the Dutch Government and NATO. Language versions currently exist in Holland and the Czech Republic and are currently in production in German and Chinese. Figure 4: Screen for recording continuity requirements

6 CRAMM Version 4 CRAMM Version 4 Support Services from Insight Consulting Software Licenses Insight Consulting can provide copies of CRAMM Version 4 within 5 working days of an order being placed. A one-time licence fee is payable plus a mandatory annual support fee. The support fee provides access to the CRAMM help desk, which can answer your questions about the tool-set. The Insight help desk is available during normal UK working hours and can be contacted either by telephone, or fax. The support fee also entitles users to all updates, free, as they are released by Insight. Pricing information is available at where orders for CRAMM software can also be placed. Training Insight runs 3-day CRAMM training courses at its offices in Waltonon-Thames, which explore and demonstrate all of the key features and capabilities of the CRAMM V4 tool-kit. The objective of the course is to provide delegates with the skills, knowledge, confidence and hands-on experience to be able to exploit CRAMM Version 4 to its full potential. Tailored and on-site CRAMM courses are run regularly for clients on request. Training places can be ordered on-line at: Consultancy Insight offers a full range of CRAMM consultancy services, including: Tailoring to specific client requirements Support to BS7799 compliance or risk assessment projects that are using CRAMM V4 Quality assurance of security documents produced using CRAMM CRAMM Agents In some territories Insight uses agents to distribute, support and provide training in CRAMM Version 4. Additional agents are being established on a regular basis, but are already in place in: Holland Czech Republic Italy South Africa Switzerland Korea Germany People s Republic of China CRAMM User Group CRAMM has its own, independently managed, CRAMM User Group. The User Group holds an annual conference at different locations around the UK and also runs several special interest groups. The conferences and SIGs are used to promote best practice in the use of CRAMM and to provide a forum for feedback and discussion of future updates. The conferences encompass working meetings, formal presentations, speakers' panels, a reception and dinner with entertainment and, above all, great value for money. Details about the CRAMM User Group can be found at: Further Information Further information is available from Insight on Free CRAMM Version 4 Demonstration Days are held each month. Bookings can be made at ww.insight.co.uk/crammopenday.htm, by ing insight@insight.co.uk or calling Insight Consulting Churchfield House, 5 The Quintet, Churchfield Road, Walton on Thames, Surrey KT12 2TZ Tel +44 (0) Fax +44 (0) web insight@insight.co.uk

Information Governance Policy

Information Governance Policy Version: 4.0 Ratified by: NHS Bury Clinical Commissioning Group Information Governance Operational Group Date ratified: 19 th September 2017 Name of originator /author (s):