RM Studio Manual 4.0
1. INTRODUCTION
RM Studio is dynamic risk management software, used by organizations of all types on a global scale to implement risk management processes and policies. The program is based on the methodology of the ISO/IEC 27001:2005 and ISO/IEC 27002:2005 security standards. RM Studio is Microsoft-compatible software developed in Microsoft Visual Studio. Software development is done in accordance with procedures from the Microsoft Solution Framework and is certified by the British Standards Institution in accordance with ISO 9001 and ISO/IEC 27001.
1.1.1. ABOUT THIS MANUAL
This is the User Manual for the RM Studio application, Version 4.0.
1.1.2. CONTACT AND FEEDBACK
Please send any suggestions or comments regarding this manual or the software to Stiki by sending an email to support@stiki.eu, or by calling +354 5 700 600. Any input will be recorded, viewed and used in future revisions of the software.
2. GETTING STARTED
2.1.1. REQUIREMENTS
For more information on SQL Server see also:
http://www.microsoft.com/sqlserver/en/us/editions/express.aspx
2.1.2. SHORTCUTS
During the installation of RM Studio, shortcuts are created on the desktop and in the Start menu under the path Start > All programs > Stiki > RM Studio.
2.1.3. EXPIRATION
Image 1.1 - Expiration Notice
By default there is only one account in RM Studio, the Administrator account. The Administrator account uses the username “Administrator” and the password “Administrator”. The first thing you should do after you log in is to connect to or create a database and change the password for the Administrator account. To change a User's password, navigate to the Users tab in the Security dialog (image 1.2).
Image 1.2 - RM Studio Security Dialog
There, select the appropriate User and click on the Change Password button. The window in image 1.3 should pop up. You can only change the password for RM Studio Users, not Windows Users.
Image 1.3 - Change Password Dialog
Remember that usernames and passwords are case sensitive. Users can either be Active Directory Users (Windows Users) or local RM Studio Users, which are defined and used only within the application. When logging in you will see a drop-down box which gives you the choice between the two (image 1.4). When logging in as a Windows User you can choose to use the Current Domain by checking the “Use Current Domain” box (image 1.4).
Image 1.4 - RM Studio Login Window
2.1.4. LICENSING
To add a new license to RM Studio, users must click on the Registration button (image 1.5) on the RM Studio menu (the red button in the top left corner). We will go into details about licensing in chapter 2. For license information, contact Stiki ehf. by e-mailing support@stiki.eu or phoning +354 5 700 600.
Image 1.5 - RM Studio Menu Bar
When the Registration button is pressed the licensing window will appear (image 1.6).
Image 1.6 - Licensing window
3. NAVIGATION
RM Studio's Menu (image 2.1) has been moved into the RM Studio button in the top left corner to make RM Studio's workspace bigger. In this menu you can save, access Security and Properties, change Languages, register a new license, access the help/manual and change the look and feel of RM Studio with the Application Styles.
Image 2.1 - RM Menu
3.1.1. SAVE FUNCTION
There are two save functions in RM Studio. One is the Single Save Button (image 2.2), which saves only the current tab you are working on. The other is the Cascading Save Button (image 2.2), or Save All button, which saves all the information on all tabs that you are working on.
Image 2.2 - Single Save Button and Cascading Save Button
You will also find the save functions under the RM Studio button (image 2.3).
Image 2.3 - RM Studio Menu
If you right-click on tabs when working in modules you will get a context menu with similar functionality where you can choose to save, save and close the tab, or simply close the tab (image 2.4).
Image 2.4 - Tab Commands
3.1.2. CLEAR USER CACHE
The Clear User Cache button (image 2.3) will revert all adjustments and customizations that you have made for your user regarding the grid; it reloads the layout of tables, filters, etc. This function will not reset any data that has been entered or edited in the grid. This is very helpful if you have filtered lists with search, forgotten to clear the filter, and data is not appearing in your lists. All you need to do is clear the user cache and your data will reappear in your lists.
3.1.3. SECURITY
The fourth item in the menu (image 2.5) is Security. Here you can define exactly the roles of different user groups.
The basic elements used to construct a Role are Operations. RM Studio has different Operations that together define everything that can be done in RM Studio. These Operations can be further grouped into Tasks. Roles can then be defined to include certain Operations or Tasks.
Image 2.5 - Security Dialog
3.1.4. ROLES
RM Studio comes with a predefined set of six Roles. If you need to add a new Role click on the Add Role button (image 2.6) and the dialog box in image 2.7 will appear. When you have filled out the necessary information click OK.
Image 2.6 - Add Role Button
After you have created a Role you can then define it under the Definition tab (image 2.5). By clicking the "Add" button you can add Operations, Tasks, or sub Roles to the new Role as appropriate.
The third tab is the "Members" tab. Here you can assign different users to the Role. Likewise, under the "Users" tab you can assign Roles to individual users.
Image 2.7 - Add Role
3.1.5. TASKS
Tasks define what a particular Role can do in RM Studio. Adding a new Task is similar to adding a new Role; you need to navigate to the Tasks panel and click the "Add Task" button. One Task is made up of many Operations. Adding Operations to a Task is just like adding Tasks, Operations and sub Roles to a Role. You can even add sub Tasks to a Task, just as you could with Roles.
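The Operations, Tasks and Roles described in the Security, Roles and Tasks sections form a nested authorization model: a user's effective permissions are the union of everything reachable through the Roles they belong to. The following Python is an added illustration of how such a hierarchy resolves (it is not RM Studio's code, and the operation, task, role and user names are constructed for the example, not RM Studio's own identifiers). It follows sub Tasks and sub Roles recursively, guards against a Role or Task that (directly or indirectly) contains itself, and refuses to answer for an Operation that was never defined, so a misspelled permission name cannot silently pass as "not granted".

```python
"""Resolve effective permissions in an Operations -> Tasks -> Roles hierarchy.

Added illustration of the authorization model: Operations are the atomic
permissions, Tasks group Operations (and sub Tasks), Roles group Operations,
Tasks and sub Roles, and users are members of Roles. All names below are
constructed for the example; they are not RM Studio's own identifiers.
"""
from dataclasses import dataclass, field


@dataclass
class Task:
    operations: set = field(default_factory=set)
    sub_tasks: set = field(default_factory=set)


@dataclass
class Role:
    operations: set = field(default_factory=set)
    tasks: set = field(default_factory=set)
    sub_roles: set = field(default_factory=set)


class PolicyStore:
    """In-memory stand-in for an authorization store (constructed for the example)."""

    def __init__(self) -> None:
        self.operations: set = set()          # every defined Operation name
        self.tasks: dict = {}                 # task name -> Task
        self.roles: dict = {}                 # role name -> Role
        self.members: dict = {}               # role name -> set of user names

    def task_operations(self, name: str, _seen: frozenset = frozenset()) -> set:
        """All Operations a Task grants, following sub Tasks; a cycle is cut, not followed."""
        if name in _seen:
            return set()
        task = self.tasks[name]
        ops = set(task.operations)
        for sub in task.sub_tasks:
            ops |= self.task_operations(sub, _seen | {name})
        return ops

    def role_operations(self, name: str, _seen: frozenset = frozenset()) -> set:
        """All Operations a Role grants, following its Tasks and sub Roles."""
        if name in _seen:
            return set()
        role = self.roles[name]
        ops = set(role.operations)
        for task in role.tasks:
            ops |= self.task_operations(task)
        for sub in role.sub_roles:
            ops |= self.role_operations(sub, _seen | {name})
        return ops

    def user_operations(self, user: str) -> set:
        """Union of the Operations of every Role the user is a member of."""
        ops = set()
        for role, users in self.members.items():
            if user in users:
                ops |= self.role_operations(role)
        return ops

    def is_authorized(self, user: str, operation: str) -> bool:
        """Deny by default; an undefined Operation is a configuration error, not a 'no'."""
        if operation not in self.operations:
            raise KeyError(f"unknown operation: {operation}")
        return operation in self.user_operations(user)


def build_sample_store() -> PolicyStore:
    """Constructed sample policy (not RM Studio's predefined Roles)."""
    store = PolicyStore()
    store.operations = {"Asset.View", "Asset.Edit", "Assessment.View",
                        "Assessment.Edit", "Database.Upgrade", "User.Manage"}
    store.tasks["ViewAssessment"] = Task(operations={"Asset.View", "Assessment.View"})
    store.tasks["EditAssessment"] = Task(operations={"Asset.Edit", "Assessment.Edit"},
                                         sub_tasks={"ViewAssessment"})
    store.roles["Auditor"] = Role(tasks={"ViewAssessment"})
    store.roles["Analyst"] = Role(tasks={"EditAssessment"})
    store.roles["Administrator"] = Role(operations={"Database.Upgrade", "User.Manage"},
                                        sub_roles={"Analyst"})
    store.members = {"Auditor": {"alice"}, "Analyst": {"bob"}, "Administrator": {"admin"}}
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for user in ("alice", "bob", "admin"):
        print(user, sorted(store.user_operations(user)))
```

The least-privilege point the model supports: put day-to-day work into Tasks and grant those to narrow Roles, and keep administrative Operations (database upgrade, user management) only in a Role with few members, as the sample does.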
3.1.6. USERS
The Users of RM Studio can be either Integrated Windows users (Active Directory) or locally defined RM Studio Users.
To add a user, navigate to the User Tab and click on the "Add User" button. The window in image 2.8 should appear. If you select Integrated Windows user you will have to fill in the "Windows login" and "Password". In RM Studio you can also use Domain authentication.
Image 2.8 - Add User
If you choose RM Studio User you will have to make a new password and confirm it (image 2.9).
Image 2.9 - Adding RM Studio User
3.1.7. PROPERTIES
The fifth item on the Menu Bar is Properties (image 2.10). The Properties window is divided into three areas, Database, Reporting and Authorization Store.
3.1.8. DATABASE
Under the Database node you can configure which Server RM Studio uses. By default the application will have no Servers defined (image 2.11).
Image 2.10 - Properties Window
3.1.9. ADD A DATABASE SERVER
To add your current Database Server click on the "Add" button below the list of Servers. A "New Database Server" window will appear (image 2.11). In this window you will have to fill in the Name, Server, Database Name and Integrated Security fields. Name is the name you give the Database instance, Server is the name of the server on your network where the Database resides, Database Name is the name of the RM Studio database on your server, and Integrated Security dictates whether or not IWA (Integrated Windows Authentication) is used on the Server.
When you have entered the necessary information and clicked OK you can test the connection by clicking on the "Test Connection" button. If the icon turns green then a connection with the server was established. If the icon turns red the connection failed.
Image 2.11 - New Database Server
3.1.10. UPGRADE DATABASE
If you have a previously installed RM Studio database and would like to continue using it, you can upgrade it to the latest version. Before continuing we strongly suggest you back up your Database.
Start up RM Studio and open the Properties dialog. Make sure that you have a connection string to the database you wish to upgrade. If it is not there, enter it and remember to mark it as default. Click Test Connection if you wish to verify that it is correct. If the string was already correct and marked as default you can continue directly with the upgrade. If not, you must mark the database you would like to upgrade as default and restart RM Studio. Then repeat this step to upgrade.
Image 2.12 - Upgrade Database
Click on the Check Version button (image 2.12); it should tell you the version number and whether your database is out of date. If your Database is out of date the Upgrade button should become enabled.
Note that there are several large, atomic actions taken, so the progress bar may seem to stand still for a while. Please wait patiently and allow the upgrade to complete. If for any reason the upgrade fails, restore your database and restart the upgrade.
Note: To be able to upgrade your database, you must be signed in as DOMAIN ADMINISTRATOR; LOCAL ADMINISTRATOR privileges may not enable you to upgrade the Database.
Once it completes, the properties window should tell you that your database version is upgraded and RM Studio is now ready for use. Restart RM Studio.
3.1.11. CREATE NEW DATABASE
The Create New Database button (image 2.13) allows you to create a new RM Studio database on any Database Server that you can connect to from within RM Studio.
Note! To be able to create a new database, you must be signed in as DOMAIN ADMINISTRATOR; LOCAL ADMINISTRATOR privileges may not enable you to create the new Database.
To create a new RM Studio database, make sure that you name the connection in a descriptive manner and that you have the name of the server, a name for the Database and the type of security settings that apply to your network. Click "OK" (image 2.11). Creating a new database will take a few moments. Afterwards you will need to mark that database as default and restart RM Studio. After restarting RM Studio, navigate to the Properties window again and press the "Test Connection" button (image 2.13). If you get a green check mark you have created the new database and made it your new default Database.
Image 2.13 - Create New Database
3.1.12. Deploy Database
When a Database has been imported (a new database created on the server and not from within RM Studio), you need to Deploy the Database. That is done by selecting the newly created Database you have added (see Add a Database Server above) and then pressing Deploy Database (image 2.13). You will be asked to confirm your request (image 2.14). When you Deploy you are actually adding the schema to the Database. This process is only needed when you add an older Database to RM Studio or a database you created directly on the SQL server itself. When you create new Databases (see above) they get Deployed automatically.
Image 2.14 - Deploy Database
3.1.13. Standard Data
Under Database > Standard Data you can see all the Standards you can deploy into your RM Studio. You can also reset the Standards to their original state if you have made changes to the Standards in the Standards Module in the Common node.
Image 2.15 - Standard Data
3.1.14. Deploy Standard
To deploy a Standard into RM Studio, you must have bought the Standard and have the right key registered in the registration window (image 1.6). If all these steps have been completed the Standard Data window should show the Standards available to you. The key you have registered unlocks the Standards you can deploy; the Standards you cannot deploy are greyed out (locked). Further detail on installation of Standards is covered in the chapter "STANDARDS".
3.1.15. DEFAULT DATA
Here Administrators can reset all predefined data to their original state. This action will only reset the data that came with the software and will not affect Threats, Categories, Evaluation Templates or Threat Categories created by the user after installation of RM Studio.
The options are All Default Data, Threats only, Categories only, Evaluation Templates or Threat Categories (image 2.16).
Image 2.16 - Reset to Default Data
When you have selected the option you would like to reset, press the Reset Default Data button. All changes made to the selected data will then be reverted to their original state. This will not affect data entered into Risk Management and Risk Treatments.
3.1.16. REPORTING
There are two options under Reporting: "Servers" and "Logos".
Under Servers (image 2.17) you can configure whether you would like to use the Local Reporting Module or Microsoft Reporting Services. Local Reports are selected by default in RM Studio. If your company wants to use MS Reporting Services you need to configure the Server version, the Reporting Path, the Reporting Service Path and the Report Path. You will have to ask our Customer Service department for the server reports; they are not shipped with the software by default.
IT IS RECOMMENDED TO USE LOCAL REPORTS FOR FASTER REPORT GENERATION
When using the Local Reports Module the Reporting Server is incorporated into RM Studio; no network configuration is needed to run the reporting services, and reports can be generated without any configuration.
In the case of shared customized reports we recommend using Server Reports. We have an installation manual for those who prefer to set up Reporting Services. Please send an e-mail to our customer service department at support@stiki.eu asking for a copy of the Microsoft Reporting Services Installation Guide.
Image 2.17 - Reporting Servers
Under Logos (image 2.18) you will find a list of the logos you can use when generating Reports from RM Studio. This list is empty by default. You can upload your own logos.
When you add a logo to the RM Studio application you will have to define it as "Large" or "Small"; this categorizes the logos so that they appear in the respective lists when you generate reports. Large logos are used for the front page and Small logos are used for the header of each page in the report. Please note that if you are using a Reporting Server it must have access to the location where the logos are stored.
Image 2.18 - Reporting Logos
3.1.17. AUTHORIZATION STORE
The Authorization Store is where authorization information is kept in RM Studio. Here the data defining Users, Roles, Tasks and Operations is stored.
In order for this information to be accessible globally the Authorization Store must be stored in a global location, e.g. on a central server.
To do this, copy the XML file from its default location (C:\Program Files\Stiki\RMStudio\RMStudioPolicyStore.xml) and paste it into a shared folder on your SERVER. Open the Properties window in RM Studio > Authorization Store > Options and point to the file in the shared folder on your SERVER (image 2.19).
Note! This file is not to be used by more than one computer and will not store user information added on another computer on the same domain. When you have created a user in RM Studio on computer X, that user is only defined for that instance of RM Studio, and you will not be able to log into the RM Studio instance on computer Y, even if the Authorization Store is stored globally. Two RM Studio instances are not able to use the same Authorization Store.
Image 2.19 - Properties Window
3.1.18. LANGUAGES
The sixth item on the Menu Bar is Languages. RM Studio currently supports English, German and Icelandic (image 2.20). The BCM Module is not available in German at this time.
Image 2.20 - Languages
RM Studio is shipped with English as the default language. If you wish to run RM Studio in German or Icelandic please contact our customer service department at support@stiki.eu in order to obtain a license that will open up these options. Entering licenses is covered in the "Registration" section.
3.1.19. REGISTRATION
In order to learn more about the price structure of the license system please contact Stiki at support@stiki.eu.
To enter a new license click the Registration button on the Menu Bar. The Licenses window in image 2.21 will appear. Enter the Serial Number that you were provided into the text box and click on the "Apply License" button. All available features will then be displayed.
Image 2.21 - Registration
3.1.20. HELP
By pressing the "Help" button you will open up the Manual. For further assistance please contact our customer service department at support@stiki.eu.
3.1.21. ABOUT
The last item in the Menu is the About window. The About window displays information such as Version number and copyright notices.
3.1.22. APPLICATION STYLE
On the right side of the Menu Bar you will find Application Style. Application Styles contains 8 predefined RM Studio looks. By default RMStudioBlue is selected.
3.1.23. Exit from RM Studio
Under the RM Studio button you will also find an Exit button (Image 2.22) to close the application.
Image 2.22 - Exit RM Studio
4. NAVIGATING RM STUDIO
4.1.1. NAVIGATION TREE
The Navigation Tree is on the left hand side of the RM Studio window (Image 3.1). The Navigation Tree groups the various functions into Common Entities, Assessment and Treatment, and Business Continuity Management. From the Navigation Tree you can access all these functions by double clicking on them.
Image 3.1 - Navigation
4.1.2. TABS
RM Studio utilizes tabs to provide the user with a clean and orderly working environment. New elements are opened up in a new tab (image 3.2) so the user can easily navigate between different items and functionalities in RM Studio.
Image 3.2 - Tabs in RM Studio
5. FEATURE USAGE
5.1.1. THE GRID
The RM Studio Grid, which is used to display most of the items stored in the application, is a versatile tool that deserves some attention. The user can sort by columns using the grid's customizable interface. The Grid also has powerful search capabilities as well as the ability to export its data to a number of formats including Excel and PDF.
5.1.2. GROUPING BY COLUMN
The Grid allows the user to drag a column to a grouping area placed above the column titles (image 4.1) and sort the contents of the grid into groups based on the column selected. To revert to the default list you need only drag all grouped columns back out of the group-by area. This should return the Grid to its original state.
Image 4.1 - Sort By Column
5.1.3. GROUPING BY SUBCATEGORIES
The user can also group by sub categories once a list has been sorted by a specific column (image 4.2).
Image 4.2 - Sort By Sub Category
This works in the same way as grouping by a single column. To do this, simply drag the next column the user wishes to sub categorize by into the group-by area next to the current grouped-by column (image 2.26).
5.1.4. POWERFUL SEARCH
The Grid offers the User the capability to search by a variety of criteria. Amongst those are free text search and search by parameters such as "less than" and "equal to" to name a few. To use the search you must click on the Search button found on the Toolbar (image 4.3).
Image 4.3 - Toolbar
If you click on the drop down box you can choose which criteria you wish to search by (image 4.4).
Image 4.4 - Search
5.1.5. EXPORT FACILITIES
All the lists can be exported to Excel and Portable Document Format (PDF). To do this you must use the buttons with the appropriate icons on the Toolbar (image 4.5).
Image 4.5 - Toolbar
6. INTRODUCING RM STUDIO MODULES
6.1.1. COMMON ENTITIES
6.1.1.1. BUSINESS ENTITIES
Image 5.1 - Common Entities
6.1.1.2. CONTACTS
Contact Information is the detailed information about those connected to the entities that are to be assessed and treated (Image 5.2).
Image 5.2 - Contact Information
6.1.1.3. TEAMS
Teams are a new module in RM Studio; the reason for Teams in RM Studio is to meet the requirement of the BCM Module to use Teams. Teams are set up to assign roles and responsibility in the BCM Processes (image 5.3). As of now Teams are not used in Assessment and Treatment.
Image 5.3 - Teams
6.1.1.4. CATEGORIES
Users of RM Studio can define their own Categories for Assets or modify the system library. Categories can be defined as Parent or Sub Categories (image 5.4).
Image 5.4 - Categories
To add a new Parent Category click on the single + button (image 5.5) and type in the Name and Description in the appropriate fields. To add a new Sub Category first select the appropriate Parent Category from the list and then click on the "double + sign". Type in the name of the Sub Category and the description.
Image 5.5 - Add/Remove Categories
6.1.1.5. ASSETS
Image 5.6 - Asset
Image 5.7 - Category Tab
Image 5.8 - Asset Category
6.1.1.6. THREATS
Image 5.9 - Threat list
When creating a new Threat, the new Threat must have a Name, be assigned to a Category and have a Mitigating Control assigned from the Standard you are preparing to implement. To be able to assign a Mitigating Control you must have the Standard/Controls you are going to use for the assessment already deployed into your database (see Deploy Standard above).
6.1.1.7. THREAT TYPES
Threat Types are a way to categorize threats for easy identification for the users.
6.1.1.8. STANDARDS/CONTROLS
Image 5.11 - Standards and Controls
Image 5.12 - Deployed Standards
6.2. ASSESSMENT AND TREATMENT
6.2.1.1. Assessment and Treatment
6.2.1.2. RISK ASSESSMENT
The first step is the Risk Assessment, which contains all Assessments that have been performed.
An Assessment is an evaluation of all Assets in the organization in regards to their selected evaluation factors. The evaluation template factors are Confidentiality, Integrity and Availability. An Assessment also takes into account which Threats are relevant to those Assets and the Impact & Probability of the related Threats along with the Vulnerability of the Asset in light of that Threat.
6.2.1.3. GAP ANALYSIS
The second step is Gap Analysis. Gap Analysis is an assessment tool enabling the user to compare their actual state in regards to a particular Standard with what is needed to be eligible for certification. Gap Analysis answers two questions:
Where are we?
Where do we want to be?
The Gap Analysis is typically done as a precursor to the certification process. A Gap Analysis will reveal the extent to which your organization currently complies with a given Standard.
6.2.1.4. RISK TREATMENT
The third step is Risk Treatment. Risk Treatment is an integral part of Standard compliance and defines if, how and when you will address the issues that you have defined in earlier steps.
6.2.1.5. WORKING WITH THE STEPS
Having double clicked on one of the Steps, say Risk Assessment, in the navigation tree, you are presented with a list of all assessments available in your system. The information will vary slightly between modules but the overall functionality is the same; we will go into further detail about each module later in the Manual. Along with this list you are presented with a pane, found at the bottom of the screen, that provides an overview of the information available for each module, in this case Assessment (image 6.1).
Image 6.1 - Information Pane
Image 6.2 - List of Assessments
When you run the program for the first time there will be no defined process entities in the database so each list will be empty.
If the list is populated (image 6.2) you can reopen any item by choosing it in the relevant list; the information will then be presented in the information pane. As discussed in the Navigation chapter, to work with an individual process element you must double click on the item to have it opened in a separate tab.
6.2.2. REPORTING
6.2.2.1. Reports
RM Studio offers a variety of reporting possibilities. This gives the user a clearer, more detailed overview of the Assessment and Treatment information (image 6.3).
Image 6.3 - Example of a Report
6.2.3. TEMPLATES
6.2.3.1. Evaluation Templates
The Evaluation Templates are the heart of the calculation matrix. Users can define their own templates for calculation or use the default calculation templates delivered with RM Studio by Stiki (image 6.4). More information on Evaluation Templates can be found in the Starting to use RM Studio chapter.
Image 6.4 - Evaluation Templates
6.3. BUSINESS CONTINUITY MANAGEMENT - NEW MODULE
BCM Module
This module is new in RM Studio. The BCM Module was developed utilizing the BS 25999 framework and is meant to simplify the BCM process in a centralized repository.
6.3.1. ORGANIZATION
This node is used to register Organizations for business continuity management. Here you register/identify stakeholders, resources/processes and perform impact analysis. Within the Organization step, users can also identify the Requirements needed to obtain continuous operations.
6.3.2. INCIDENT RESPONSE/RECOVERY
Here is where you create the Business Continuity plans (BCP). You create each plan, then you create each step in the plan and assign it to a TEAM.
6.3.3. MAINTENANCE
Here you create the test plans for the plan steps in Incident Response/Recovery. You can also create new plans for testing response time and effectiveness of the BCP.
6.3.4. REPORTS/BCM
6.3.4.1. Reports BCM
There are two reports in this reporting module: Incident Management Plan and Business Continuity Plan.
The Incident Management Plan report displays everything entered for the Organization you select to generate a report for.
The Business Continuity Plan report is a subset report and shows a less detailed view than the Incident Management Plan report.
6.3.5. TEMPLATES BCM
6.3.5.1. REQUIREMENT TEMPLATES
Here you define the requirements to reach your goals/plans in the Impact Analysis under Organization.
7. USING RM STUDIO
7.1. BUSINESS ENTITIES
The first thing you need to do when using RM Studio is to define your Business Entities. A business entity can be the entire organization, a department, a process, another company, a client, etc. All Assessments and Gap Analyses are made for a specific Business Entity, and Risk Treatments are done for a specific Assessment, so before you start you have to define the Business Entities you are going to work with.
Under Business Entities, you can view a list of all Business Entities in the system and create new ones (image 7.1).
Image 7.1 - Business Entities
7.1.1. CREATING A NEW BUSINESS ENTITY
Image 7.3 - Business Entity Information
7.2. CONTACTS
Contacts are all the members of the entity that play a role in Risk Management. Contacts entered into this module will be available for editors to assign to Assets as owners or as the person responsible for an Asset. Contacts are also used to identify the responsible party for the implementation of mitigating controls.
To create Contacts, open the module and press the plus button (image 7.5). Fill out the form that appears (image 7.6) and save it. Repeat this process to create another Contact.
Image 7.6 - New Contact Form
7.3. TEAMS (Currently only for those using the BCM module)
This module is new in RM Studio and is linked to the BCM module to create Response Teams to deal with disruptions.
Creating Teams is done by opening the Teams module and pressing the plus button to add a new team to your list (image 7.7). After giving the Team a name, open the Contacts tab to select the Team Members (image 7.8). Press the plus button and select the members from the list of available Contacts. If your Contact is not in this list, you must create the contact in the Contacts module before adding them to your Team.
Image 7.7 - New Team
Image 7.8 - Add Contacts to Teams
Image 7.9 - Select Team Members
7.3.1.1. Team Roles
After you have added Contacts to your Teams you need a Team Leader and a Team Backup Leader. That is done by clicking on the right corner of the Leader type column in front of the name of the Contact you would like to assign to a leading role (image 7.10).
Image 7.10 - Assign Leading Role
When you have assigned the roles, you can set the protocol for the contact tree. That is done by right-clicking on the Contact you would like to set values for; in the menu navigate to "Contacted by" and select the Contact (A) that should contact Contact (B) (image 7.11).
Image 7.11 - Contacted by
7.5. CATEGORIES
Categories are any general or comprehensive division of assets. Here specifically it is the division of Assets according to the applicable Standard. Categories are used to categorize Assets to simplify mitigation against Threats. When new Assets are added to the library you need to assign them to a Category. The Category will then connect the Asset, Threat and the Mitigating Control from the Standards.
7.5.1.1. Create New Category List
Click the New Category button (image 8.1) and give the new Category list a name (image 8.2), save the new list. To add sub-categories to this new list, select it and press the double plus sign (image 8.3), save the new list. To continue to add sub-categories to the new list repeat this process. To add children to the subcategories, select the subcategory and then hit the double plus sign, save after you have given it a name (image 8.4).
Image 8.2 - New Category
Image 8.3 - New Category list
Image 8.4 - Sub-Category children
7.6. ASSETS
7.6.1. WHAT ARE ASSETS
Assets are anything that has value to the organization according to the Standard. Assets are therefore the building blocks around which you build an Assessment. They can be as general as “A Building” or as specific as “HP Server named XV-231”. You will define your own Assets.
Under Assets you will only define what the Assets are, you will not define their value to your organization until later when you begin an Assessment.
Assets are defined once in the Asset List (image 9.1) and can then be reused across multiple Assessments.
7.6.2. DEFINING ASSETS
To define your company’s Assets you must go to the Asset List by double clicking on Assets in the navigation tree on the left hand side of the RM Studio window.
Image 9.1 - Assets
7.6.2.1. CREATING A NEW ASSET
A New Asset tab will open (image 9.3). Here you will define all the relevant information for the Asset in question.
In the Categories Tab you can categorize the Asset. You can have the Asset in several different Categories.
It is very important to specify the Asset Category as it is a prerequisite for using it in an Assessment, and is the basis for identifying the Threats associated with the Asset.
Assets cannot be created unless an owner is assigned to the asset.
See further “Owner”.
Image 9.3 - New Asset
7.6.2.2. DESCRIPTION
The Description text box (image 6.3) gives you the possibility to describe the Asset in question in detail. We encourage our users to give a thorough description in this field so that later users will have an insight into the reasoning behind any given Asset.
7.6.2.3. CATEGORIES
To Categorize the Asset you must click on the Add New Category icon (image 9.4) in the Categories List Toolbar. You will be presented with a list (image 6.4) from which you can choose the appropriate Category.
Image 9.4 - Asset Categories
The Categories are important for the calculations of the Security Risk. They are used to connect Assets with Threats in a relationship that is defined as “Risk”.
If you cannot find the appropriate Category or Sub Category, you can add both to meet your specifications. Locate the Categories node in the Common Entities and add the Categories you find lacking in our list, or define your own.
When this is done the Assets can then be used in an Assessment.
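The Risk Assessment description in 6.2.1.2 and the Category linkage described above (Categories connect Assets to Threats and to the Mitigating Control from the Standard) together define what an Assessment computes. The following Python is an added worked example of that computation; it is not RM Studio's code, the 1 to 5 rating scale and the product formula are assumptions made for the example (RM Studio's own Evaluation Templates define the real calculation matrix), and the assets, threats and ratings are constructed. The control numbers are ISO/IEC 27001:2005 Annex A references used only as illustrative values.

```python
"""Worked Risk Assessment calculation over constructed sample data.

Assets carry Confidentiality, Integrity and Availability ratings; a Threat is
relevant to an Asset when the two share a Category; each relevant Asset/Threat
pair is rated for Impact, Probability and Vulnerability. Scale and formula are
assumptions for this example, not RM Studio's Evaluation Template.
"""
from dataclasses import dataclass

LOW, HIGH = 1, 5  # assumed rating scale


def _check(label: str, value: int) -> None:
    """Reject ratings outside the assumed scale so bad input cannot hide a risk."""
    if not LOW <= value <= HIGH:
        raise ValueError(f"{label} must be between {LOW} and {HIGH}, got {value}")


@dataclass(frozen=True)
class Asset:
    name: str
    categories: frozenset
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        for label in ("confidentiality", "integrity", "availability"):
            _check(label, getattr(self, label))

    @property
    def value(self) -> int:
        # Assumption: an Asset is worth its highest CIA rating.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    name: str
    categories: frozenset      # Asset Categories this Threat applies to
    impact: int
    probability: int
    mitigating_control: str    # control from the deployed Standard

    def __post_init__(self) -> None:
        _check("impact", self.impact)
        _check("probability", self.probability)


def relevant_threats(asset: Asset, threats: list) -> list:
    """A Threat is relevant to an Asset when the two share at least one Category."""
    return [t for t in threats if asset.categories & t.categories]


def risk_score(asset: Asset, threat: Threat, vulnerability: int) -> int:
    """Assumed formula: Asset value x Impact x Probability x Vulnerability (1..625)."""
    _check("vulnerability", vulnerability)
    return asset.value * threat.impact * threat.probability * vulnerability


def assess(assets: list, threats: list, vulnerabilities: dict) -> list:
    """Score every relevant Asset/Threat pair, highest risk first.

    vulnerabilities maps (asset name, threat name) -> Vulnerability rating. A
    relevant pair with no rating is an incomplete Assessment and is rejected
    rather than silently scored as zero.
    """
    rows = []
    for asset in assets:
        for threat in relevant_threats(asset, threats):
            key = (asset.name, threat.name)
            if key not in vulnerabilities:
                raise KeyError(f"missing vulnerability rating for {key}")
            rows.append({
                "asset": asset.name,
                "threat": threat.name,
                "control": threat.mitigating_control,
                "risk": risk_score(asset, threat, vulnerabilities[key]),
            })
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


# Constructed sample data (not RM Studio's shipped library).
SAMPLE_ASSETS = [
    Asset("Customer database server", frozenset({"Server"}), 5, 5, 4),
    Asset("Office building", frozenset({"Building"}), 1, 2, 4),
]
SAMPLE_THREATS = [
    Threat("Unauthorised access", frozenset({"Server"}), 5, 3, "A.11.2.1 User registration"),
    Threat("Fire", frozenset({"Building", "Server"}), 5, 1, "A.9.1.1 Physical security perimeter"),
    Threat("Hardware failure", frozenset({"Server"}), 4, 3, "A.10.5.1 Information back-up"),
]
SAMPLE_VULNERABILITIES = {
    ("Customer database server", "Unauthorised access"): 3,
    ("Customer database server", "Fire"): 2,
    ("Customer database server", "Hardware failure"): 2,
    ("Office building", "Fire"): 2,
}

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_VULNERABILITIES):
        print(f"{row['risk']:>4}  {row['asset']:<25} {row['threat']:<20} {row['control']}")
```

Two design points carry over to any assessment tool: the Asset/Threat pairing is driven by the Categories rather than typed by hand, so an Asset left without a Category silently has no Threats (which is why the manual calls the Category a prerequisite), and a missing Vulnerability rating is treated as an error rather than as "no risk".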
7.7. THREATS
7.7.1. CREATING A NEW THREAT
Image 10.2 - Threat
7.7.1.1. CATEGORIES
Image 10.3 - Categories
7.7.1.2. THREATENED ASSETS
7.7.1.3. MITIGATING CONTROLS
Image 10.4 - Mitigating Controls
7.7.2. Threat Types
Threat Types is where you set the name for the Threat type in your Threats list (image 11.1). Every Threat in RM Studio is by default assigned to the Created By Stiki type (image 9.2), and you can now create your own types and categorize your Threats.
Image 11.1 - Threat types in menu
Image 11.2 - Type
The only thing to do here is to open Threats > Threat Types (image 9.1), press the Add New button (image 11.3), give the new type a name and save. From there you can navigate to Threats, press the Refresh button (image 11.4), create Threats and assign your type to them. You can also change the ones that are assigned to Stiki to your new type. Furthermore, you can also remove the type and leave it BLANK with no type at all.
Image 11.3 - New Threat Type
Image 11.4 - Refresh Threats
7.7.2.1. Working with Types
To assign, remove or delete types right-click the type assigned to the Threat and navigate to Type and change the settings (image 11.5).
Image 11.5 - Assign Type to Threats
7.8. STANDARDS/CONTROLS
Stiki is now offering users 10 ready-to-deploy Standards with Controls.
7.8.1. AVAILABLE STANDARDS
7.8.2. HOW TO INSTALL A STANDARD
Image 12.1 - Standard Deployment
Image 12.2 - Deploy Standard
7.8.2.1. RESET STANDARD DATA
7.8.2.2. STANDARD CONTROLS
Image 12.4 - Group Header
7.8.2.3. WORKING WITH THE CONTROLS
7.8.2.4. CREATING NEW STANDARDS AND CONTROLS
Image 12.5 - Implementation
8. ASSESSMENT AND TREATMENT
8.1. RISK ASSESSMENTS
8.1.1. WORKING WITH ASSESSMENTS
8.1.2. CREATING AN ASSESSMENT
Image 13.2 - Select Business Entity
Image 13.3 - Assessment Information
8.1.2.1. COPY RISK ASSESSMENT
8.1.3. SCOPE AND BASIC CRITERIA
8.1.3.1. EXAMPLE OF BASIC CRITERIA
- Risk Criteria
- According to the Standard ISO/IEC 27001:2005
- Risk Assessment approach and criteria
- For Risk Assessment according to the Standard: ISO/IEC 27001:2005 Information Technology - Secure Techniques - Information Security Management Systems - Requirements.
- In accordance with Fritz & Son’s information security policy, accepted in March 2009. Fritz & Son’s security forum has approved the method used in the RM Studio Risk Assessment process for use in Risk Assessments at Fritz & Son. Information assets have been defined as group assets. The value of assets has been assessed, as well as their properties regarding confidentiality, integrity and availability (CIA). Threats to assets have been identified, and the probability of occurrence and impact have been estimated. The vulnerability of assets towards a threat has also been estimated.
- In this method the risk calculation is based on the following evaluations:
- The value of the asset
- The probability of a specific threat
- The impact of the threat
- The vulnerability of the Asset
- Base Security Risk is the real risk as evaluated by the user regarding the 4 variables through a four-dimensional matrix.
8.1.4. WORKING WITH ASSETS
Image 13.4 - Assets
8.1.4.1. ASSETS RETRIEVED
When you have clicked the “Add new Asset” icon on the Asset List Toolbar (image 13.5) you are presented with a list (image 13.6) of all the Assets that you have defined under the Asset Entity of RM Studio. From the list choose the Assets that are relevant to the Assessment by highlighting them and clicking on the “OK” button (image 13.6).
Image 13.6 - Asset selection
8.1.4.2. OWNER
Image 13.7 - Asset Information
8.1.4.3. OPERATOR
8.1.5. EVALUATION VALUES
Image 13.8 - Evaluation Values
8.1.5.1. CONFIDENTIALITY
8.1.5.2. INTEGRITY
8.1.5.3. AVAILABILITY
8.1.5.4. VALUE
8.1.6. DEFINITIONS OF VALUE AND PROPERTIES
8.1.6.1. RISKS
8.1.6.2. ADDING RISKS
8.1.6.3. AGGREGATED VIEW OF RISKS
Image 13.10 - Threat selection
8.1.7. RELATIONSHIP BETWEEN ASSETS AND THREATS
RM Studio contains a database of Threats. If you want to create a new Threat at this point, then you must first save and close the current Assessment before creating a “New Threat” in the Threat module of RM Studio.
Each Threat must be examined. If you do not agree that a Threat is imminent, you can delete it by highlighting the Threat.
Enter information in the Description window to support the Assessment.
8.1.8. EVALUATION VALUES
The values registered for the properties of the Threat are used for calculating the Security Risk. In the Standard Evaluation Template the properties are: Impact, Probability and Vulnerability. The values for each of the properties can be defined as Immense, Very High, High, Medium or Low. The definitions of the terms can be found in the Definitions of Threat Properties.
The properties and their values can be adjusted as needed via the Evaluation Templates.
Image 13.11 - Setting Property Value
8.1.8.1.1. IMPACT OF THREAT
The Impact of Threat property assesses how serious the consequences are should the Threat occur.
8.1.8.1.2. PROBABILITY OF THREAT
The Probability of Threat property dictates how likely a Threat is to occur.
8.1.8.1.3. VULNERABILITY OF ASSET
The Vulnerability of Asset property evaluates how vulnerable the Asset is to the Threat.
8.1.8.2. HISTORY
RM Studio provides powerful traceability capabilities, with a complete version history on Risk Assessments. Users can now call up a version history for any Assessment and view previous versions as a whole or dig down into the individual building blocks of the Assessment, such as Assets and Risks. The version history will be applied to other elements of RM Studio and made even more powerful in our future releases.
8.1.8.3. ITEM HISTORY
Image 13.12 - Item History
8.1.8.4. VIEW ITEM
Image 13.13 - View Item
8.1.8.5. CHANGESET DETAILS
Image 13.14 - Change Set Components
8.1.8.6. VIEW RISK ASSESSMENT VERSION
Image 13.15 - View Version
8.2. GAP ANALYSIS
Gap Analysis is an assessment tool enabling the user to compare their actual state with regard to a particular Standard against what is needed to be eligible for certification.
8.2.1. CREATING A NEW GAP ANALYSIS
Image 14.1 - New GAP Analysis
8.2.1.1. GAP ANALYSIS INFORMATION
Image 14.2 - GAP Analysis Information
8.2.1.2. CONTROLS
Image 14.3 - Controls
8.2.1.3. IMPLEMENTATION
Image 14.4 - Implementation
Image 14.5 - Person Responsible
8.2.1.4. STATUS
Image 14.6 - Status
8.2.1.5. JUSTIFICATION
8.3. RISK TREATMENT
A Risk Treatment is based on an Assessment. The Risk Treatment calculates the current and future Risk of your organization based on the status of implemented controls and other information from the Assessment.
Image 15.1 - Risk Treatment
8.3.1. WORKING WITH RISK TREATMENT
You can either work with a new Risk Treatment or you can continue working with an older one. To do this you must double click on a selected Risk Treatment from the Risk Treatment list (image 15.1).
8.3.1.1. RISK CRITERIA
Image 15.3 - Risk Criteria
Image 15.4 - Threat List
8.3.1.2. ASSET LEVEL
Image 15.5 - Asset Level
Image 15.7 - Risk Management
8.3.1.3. CONTROLS TAB
Image 15.8 - Status
- Implemented
- Not implemented
- Partially implemented
- Not applicable
- Future Control
8.3.1.4. SCHEDULING A FUTURE CONTROL
8.3.1.5. FUTURE CONTROLS TAB
8.3.1.6. OVERVIEW
8.3.1.7. RELOAD ASSETS, THREATS AND CONTROLS
- If the list of assets has changed in the Risk Assessment, the new assets and their associated threats from the Risk Assessment get reloaded.
- If the list of threats associated to a particular asset has changed in the Risk Assessment the risks are reloaded into the Risk Treatment.
- If the mitigating controls to risks in the Risk Assessment have changed those controls get reloaded into the Risk Treatment as mitigating controls to that risk.
- If a new control has been added to the Gap or Standard used when creating the Risk Treatment, these new controls are loaded into the Risk Treatment.
- In general the list of controls is reloaded, based on the threat-control library as well as the Standard/Gap that was used.
9. REPORTS
RM Studio offers a variety of reports. You can view them on screen, print or save them in a variety of formats including PDF, Excel and Word.
9.1.1. The Standard Reports:
Statement of Applicability (SOA): the Statement of Applicability report is an overview of the status of the Risk Treatment. A Statement of Applicability is a list of all Controls from the Standard used to perform the Risk Treatment which have been labelled as Implemented, Not Implemented, Future Controls or Not Applicable. The descriptions entered for each respective control are also printed out. The status of the Risk Treatment is also displayed graphically. The report is useful for the managers of business units, customers, and agencies, e.g. the Data Protection Authority, which require a declaration of the security of the Risk Treatment in question. It can also be submitted to auditors.
Risk Assessment - Detailed information: the Assessment report contains all information entered into RM Studio for the Assessment in question.
Risk Treatment - Future controls (simple report): this report provides an overview of all Future Controls that have been defined for a given Risk Treatment. They are ranked according to date, so that the Control with the earliest date of implementation is shown first.
GAP Analysis - Future controls (simple report): this report provides an overview of all Future Controls that have been defined for a given GAP Analysis. They are ranked according to date, so that the Control with the earliest date of implementation is shown first.
Assets with Threats: Like the name indicates, the Assets with Threats report aggregates all the Assets from a single Assessment and their respective threats. For each Asset the report states the Asset Evaluation Values and the Threat Evaluation Values. The report also states the Security Risk for each Asset.
Asset with Controls: This report shows all Assets in the Assessment and the Controls used to mitigate their risks. The user can see all controls from the ISO/IEC 27001 Standard as well as any user-defined Controls. The implementation status of each control is also shown.
Executive Summary: Shows the most important Assets based on the CIA values (Confidentiality, Integrity and Availability). It also shows the most Valuable Assets. The user can choose the number of Assets to be reported.
The Executive Summary report: A great overview of Security Risk and Ratio of Controls. All calculations are shown graphically in a color-coded way, giving management key information on a single sheet.
Risk Treatment: All risks are listed along with their base, current and future security risk. The list is grouped by the Risk Treatment. Users can sort Risks by Base Security Risk, Current Security Risk, or Future Security Risk. This report provides a total overview of the risks and the treatment for each of them.
Controls With Assets: This report will show you all the Controls in your Risk Treatment, the name of the Control, Status of the Control, and Assets associated with the Control.
Gap Analysis - Results: This report is basically the same report as the SoA which is generated from the Risk Treatment results. This report allows you to generate the same report based on Gap Analysis.
Risk With Controls: This report is only available to those using the Local Reports. This report is useful when information is needed on whether or not a control has been implemented for specific risks (image 16.1).
Image 16.1 - Risks with Controls
10. TEMPLATES
10.1. Evaluation Templates
Evaluation Templates are used to qualitatively evaluate Threats and Assets in RM Studio. Users can add their own Asset or Threat Evaluations or change the definition of the Standard Asset and Threat Evaluations.
Image 17.1 - Evaluation Templates
To add a new Evaluation Template click the "Add Evaluation Template" button (image 17.1) and give the Evaluation Template a name. When you have a new Evaluation Template highlighted in the list on the left hand side you will be able to "Add Template Factor" by pushing the appropriate button (image 17.2). Every Evaluation Template can hold more than one Template Factor.
Image 17.2 - New Template Factor
When you have added a Template Factor you can add a Factor Value. To do so you need to highlight the Template Factor that you wish to add a Factor Value to. The "Add Template Factor" button will change to an "Add Factor Value" button (image 17.2). Click on it to add a Factor Value.
When Asset Evaluation Templates are in use they can only be partially modified, such as changing the definitions of factor values as well as the defaults for security risk calculations.
10.1.1. SHORTCOMINGS OF EVALUATION TEMPLATES
If an Evaluation Template has no Template Factor then it cannot be used as either a Threat Template or as an Asset Template for a new Risk Assessment.
If an Evaluation Template has any Factor Value equal to 0 (zero) then it cannot be used as either a Threat or Asset Template for a new Risk Assessment.
There may not be more than one Evaluation Template with the same name; names should be unique for each Template.
There may not be more than one Template Factor in the same Evaluation Template with the same name. Names of Template Factors should be unique within a single Evaluation Template.
There may not be more than one Factor Value in the same Template Factor with the same name. Names of Factor Values should be unique within a single Template Factor.
Every change made to the Standard Templates will affect the calculations in the Processes using the default factors.
The algorithm used for calculating security risk is most accurate when factor values start at value 1 (one) and the increment between values is 1 (one).
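The rules of section 10.1.1 written out as a validator, as an added example that is not RM Studio's own code: the data classes, validate_template and the constructed sample template are assumptions; the rules it enforces are the ones listed above.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class FactorValue:
    name: str      # e.g. "High"
    value: int     # numeric weight used in the security risk calculation


@dataclass
class TemplateFactor:
    name: str      # e.g. "Impact"
    values: List[FactorValue] = field(default_factory=list)


@dataclass
class EvaluationTemplate:
    name: str
    factors: List[TemplateFactor] = field(default_factory=list)


def _duplicates(names: Iterable[str]) -> List[str]:
    """Names that occur more than once, in sorted order."""
    seen, dups = set(), set()
    for n in names:
        if n in seen:
            dups.add(n)
        seen.add(n)
    return sorted(dups)


def validate_template(template: EvaluationTemplate,
                      existing_names: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Check a template against the rules in section 10.1.1 (hypothetical helper).

    Returns (errors, warnings): any error makes the template unusable as a
    Threat or Asset Template for a new Risk Assessment; a warning only means
    the security risk algorithm is less accurate (values should start at 1
    and increase by 1).
    """
    errors: List[str] = []
    warnings: List[str] = []
    if template.name in set(existing_names):
        errors.append(f"template name '{template.name}' is already in use")
    if not template.factors:
        errors.append("template has no Template Factor")
    for dup in _duplicates(f.name for f in template.factors):
        errors.append(f"duplicate Template Factor name '{dup}'")
    for factor in template.factors:
        for dup in _duplicates(v.name for v in factor.values):
            errors.append(f"factor '{factor.name}': duplicate Factor Value name '{dup}'")
        for v in factor.values:
            if v.value == 0:
                errors.append(f"factor '{factor.name}': Factor Value '{v.name}' is 0")
        numbers = sorted(v.value for v in factor.values)
        if numbers and numbers != list(range(1, len(numbers) + 1)):
            warnings.append(f"factor '{factor.name}': values {numbers} "
                            "do not start at 1 with an increment of 1")
    return errors, warnings


def standard_threat_template() -> EvaluationTemplate:
    """Constructed sample mirroring the Standard Evaluation Template for
    Threats: Impact, Probability and Vulnerability rated Low to Immense."""
    scale = ["Low", "Medium", "High", "Very High", "Immense"]
    return EvaluationTemplate(
        name="Standard Threat Evaluation",
        factors=[TemplateFactor(f, [FactorValue(n, i) for i, n in enumerate(scale, 1)])
                 for f in ("Impact", "Probability", "Vulnerability")],
    )


if __name__ == "__main__":
    print(validate_template(standard_threat_template()))   # ([], [])
    broken = EvaluationTemplate("Custom", [
        TemplateFactor("Impact", [FactorValue("None", 0), FactorValue("High", 3)]),
        TemplateFactor("Impact", []),
    ])
    for line in sum(validate_template(broken, {"Custom"}), []):
        print(line)
```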
11. BUSINESS CONTINUITY MANAGEMENT MODULE
11.1. ORGANIZATION
11.1.1. New Organization
To begin working on the BCP you need to have completed registering the Common Entities. After you finish the Common Entities you continue by registering the Organization you want to set up a BCP for. The first thing is to open the module, select the Organization and press the plus-sign to add the Organization to the module (image 18.1).
Image 18.1 - New Organization
After pressing the plus-sign you can choose the Template and the Business Entity (image 18.2).
Image 18.2 - Select
After you press OK, you will be presented with the window in image 18.3. What needs to be registered here is the Name, Scope Definition, Policy, Regulatory Information, and Roles and Responsibilities. When you have finished that you continue by adding Stakeholders and Resources/Processes.
Image 18.3
11.1.2. Stakeholders
To add Stakeholders, press the green plus-sign in the navigation tree to add an existing contact from the Contacts, or press the brown plus-sign to add a New Stakeholder that does not exist in the Contacts module (Image 18.4 & Image 18.5).
Image 18.4 - New Stakeholder
Image 18.5 - Select contact
When you have selected/created Stakeholder(s) you need to define their Ranking and Expectations. Ranking sets the importance of the Stakeholder to the Organization. The Expectations are mutual between us and the Stakeholders. To explain further we need an example: Our Expectations towards e.g. our insurance company
In case of a fire within our company, we might expect suppliers to react more swiftly to our demands and needs. That way we can minimize the disruption caused by the fire. Our clients, on the other hand, expect us to deliver a particular service, e.g. support during business hours. In case of a fire they may show some understanding and decide they might be able to do without our service for three days; after that they might need to change supplier and go to a competitor of ours (Image 18.6).
Image 18.6 - New Stakeholder
11.1.3. Resources/Processes
Resources and Processes are created similarly to Stakeholders: you can add a new one from Contacts and Assets by clicking on the green plus-sign, or you can create a new one from scratch by clicking on the brown plus-sign. You will need to give the Resource/Process a name and assign it to a division/department. Additional Requirement Information includes the assessment date and review date. Signed off by: is the person responsible for the assessment of this Resource/Process. You can add notes or comments to each Resource/Process (image 18.7).
Image 18.7 - Add New Resource/Process
11.1.3.1. Impact Analysis
The Impact Analysis is done for each and every Resource/Process you create. You need to rank the Resource. You need to rank and define the Areas of Impact for each Resource/Process. The Recovery window offers you the options to set the Maximum Tolerable Period of Disruption, the Recovery Time Objective and the Minimum Service Level in case of a disruption (Image 18.8).
Image 18.8 - Impact Analysis
11.1.3.2. Requirements
Here users can identify/define the Requirements needed to fulfill/meet the recovery objectives set in the Impact Analysis (image 18.9). First select the item category, then press the plus-sign when you have selected e.g. Software/Applications. After pressing the plus-sign, users can edit the name, comments and notes at the bottom of the screen.

11.2. INCIDENT RESPONSE/RECOVERY
Here the user creates the BCPs (Business Continuity Plans). The first thing the user does is to create a new Incident Response by pressing the plus-sign and selecting the Organization (image 18.10).
Image 18.10 - Incident response
After creating the Incident Response the user should give it a name and write a description for the Incident Response (image 18.11).
Image 18.11 - New Incident Response
11.2.1.1. Associated Threats
Here the user can add Threats that are associated to the Incident Response plan that is being created (image 18.12).

Image 18.12 - Associated Threats
11.2.1.2. Plans
For each Incident Response there can be many Plans. The user begins by creating a Plan by clicking on the brown plus-sign and naming the Plan. Describe the Incident Extent, Purpose and Scope (image 18.13).

Image 18.13 - New Incident Plan
At the bottom of the page the user must select a Contact that is responsible for the maintenance of this plan (image 18.14).

Image 18.14 - Plan Maintained by
11.2.1.2.1. Steps
Users must create the steps needed to respond to an Incident. The first thing to do is to press the plus-sign to create a new step, name it, set the timeframe, set the responsible team and write a short description of the step. Repeat this process until you have all the steps needed to respond to the incident at hand (image 18.15).

Image 18.15 - Steps
11.2.2. MAINTENANCE
In the Maintenance step the user can test and update the plans created in earlier steps. The first thing to do here is to create a new Maintenance plan and give it a name, set the BCM Testing Coordinator and write the overview of the Maintenance Plan (image 18.16).

Image 18.16 - Maintenance
11.2.2.1. Test Plans
Create a new test plan by clicking the brown plus-sign. The next step is to name the test scenario and, if applicable, link it to an Incident Plan. The scenario should be reviewed regularly, and the user can set the Next to be Tested date and select the Test Coordinator. The frequency interval is then written in the Frequency field, e.g. twice a year. There are four tabs, Description, Goals, Preparations and Participants, for the user to fill out and describe (Image 18.17). The user can create as many test scenarios as needed.

Image 18.17 - New Test Plan
11.2.2.2. Test Results
For every Test Plan, one or more Test Results can be created by pressing the brown plus-sign. Within a Test Result users set the expected test date and the actual test date, the test results and finally Items to review/encountered issues.

Image 18.18 - Test Results
11.3. REPORTING
11.3.1. REPORTS
The BCM module offers two default reports.

Image 19.1 - Reports
11.3.1.1. Incident Management Plan Report
This report displays all information that is relevant to the BCM Plan (Image 19.2).

Image 19.2 - Incident Management Plan Report
11.3.1.2. Business Continuity Plan Report
The Business Continuity Plan Report is a subset of the Incident Management Plan Report and only displays key information regarding the BCM (Image 19.3).

Image 19.3 - BCP Report
11.4. TEMPLATES
11.4.1. REQUIREMENT TEMPLATES
Here users can modify or create their own Requirement Templates, which are used in the Organization node.
Image 20.1
To begin creating a new Template press the plus-sign and a new window will be presented to the user. In that window (image 20.2) the user gives the Template a name. After naming the Template the user starts adding columns to the Template.

Image 20.2 - New Template
11.4.1.1. Add Columns to a Template
There is no upper or lower limit on the number of columns in a Template. The user can add as many columns to the Template as needed (Image 20.3). The only thing to take into consideration is that no two columns should have the same name.

Image 20.3 - Columns in Template
After creating all the columns the user needs, saving is required. If the Template has been used by the user for one or more Organizations, the Columns that have been used from the template will lock and cannot be deleted. Renaming the Columns, on the other hand, is possible (Image 20.4).

Image 20.4 - Sample Columns
12. DEFINITIONS
12.1. DEFINITION OF ASSET EVALUATION VALUES
13. GLOSSARY
14. CONTEXT & FLOW
14.1.1. CONTEXT
Image 21.1 - Context
Image 21.2 - Flow
14.1.2. FLOW
15. CALCULATIONS
15.1.1. SECURITY RISK
15.1.1.1. First risk calculation
15.1.1.2. Second risk calculation
15.1.1.3. Third risk calculation
15.1.1.4. Security risk of an Asset and the Risk Assessment
15.1.2. RESIDUAL RISK
Image 22.1 - Calculation matrix
It’s important to realize that when using the security risk calculation with regards to controls, it is possible to get the security risk down to 0%. What this means is that you have done everything you possibly can to minimize the security risk “with regards to the Standard”. You have implemented all the controls which are associated with the threats you have defined in your risk assessment. Therefore the risk calculation tells you that you have 0% or minimum security risk. Please keep in mind that this does not mean that you do not have security risk; it only means that you have done everything in your power, based on the Standard, to hedge against known threats.