FAQs
How do you support RM Studio users with after sales service?
One of Stiki's main focuses is customer service. Our team of experts provides outstanding service, assisting customers either by phone or via TeamViewer. We have a group of in-house consulting specialists providing tailor-made services such as training and courses, both over the web and on site. At Stiki, we are here to help!
Is RM Studio a web based solution?
RM Studio is a client-server database system. It is Microsoft compatible, and the database can easily be hosted in the Azure cloud, for example. It can also be run as a standalone solution for a single user. A comprehensive web-based solution is currently being tested and is due for launch in 2012.
What is the ideology of RM Studio?
RM Studio is modular software that takes a holistic approach to risk management. The Risk Assessment module comes with a comprehensive asset library and a threat library. In addition, a variety of standards can be implemented and used within the software. The Business Continuity module lets the user build business continuity plans directly on the results of risk assessments. Other modules in the pipeline include Audit, Processes and Policy documents.
Is it possible to create my own evaluation templates?
Yes, many of our customers create their own evaluation templates. RM Studio has been designed to be scalable and flexible to accommodate customer requirements and their changing needs. The software comes with default predefined evaluation templates to help users get started with risk assessment. The user manual clearly guides you through the simple process of creating your own evaluation templates.
Is it possible to add new standards to the software?
Version 3.0 of RM Studio, released in January 2011, included 9 optional standards. Any other standards can be embedded in any language; the lead time is approximately 3 working weeks.
Is RM Studio suitable for different industry sector needs?
Yes, RM Studio's versatility enables users in all industry sectors to manage their specific governance, risk and compliance requirements.
How does RM Studio manage residual risk?
Please refer to the following article.
Is RM Studio a risk analysis tool?
Yes, it is. Many users feel that their needs are unique regarding risk analysis. This is true to a degree; users may experience different threats and risks in their businesses. However, the methodology that RM Studio is based upon gives the users necessary flexibility to define their own risk analysis procedure and implement knowledge based libraries and appropriate standards according to their needs.
What is accreditation?
Accreditation is certification by a duly recognized body of a party's competence to perform particular tasks and projects. Further details: http://www.ukas.com/
What are business continuity plans?
Business continuity management is a component of information security management in accordance with international standards in this field. The goal of business continuity management is to protect critical business processes from the effect of major failures or disasters. With integrated measures through prevention and error recovery, the effects of disruptions and crises are reduced to an acceptable limit.
Business continuity plans are an integral part of business continuity management. Such plans include categorizing operations by importance as well as specifying parties with well-defined roles during emergencies, actions to be performed in order to recover operations in a timely fashion, and regular testing. Business continuity plans need to be reviewed regularly to remain valid.
Business continuity plans are also called disaster recovery plans or contingency plans.
What is certification?
Certification is confirmation by a third party that operating procedures comply with stated criteria. An organization can be certified in part or in whole. The scope of the operations to be certified must be known, and the certification is limited to those activities. Certification is accredited if the certifying party has been validated by a government-recognized accreditation body. One example of such a government-recognized accreditation body is the United Kingdom Accreditation Service (UKAS). The British Standards Institution in London, which has a branch in Iceland, is an accredited certification body. Certification is not accredited if the certification body itself has not been validated by a government-authorized accreditation body. For example, Vottun hf. in Iceland is not an accredited certification body.
What does data traceability mean?
In all software, it is important that the history of the data, how it developed and how it was changed, can be examined. This applies particularly to software used in risk and quality management. Software offering traceability needs to record the following, as a minimum, upon each change to data:
* Who made the change
* The status of the data before the change
* The status of the data after the change
* When the change took place
* The effects of the change on individual parts of the system or the system as a whole
Data traceability is a key component in Stiki's software.
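The five points above describe an audit trail. The following is an added example (not Stiki's or RM Studio's code) of an in-memory store whose every change is written to an append-only log carrying exactly those five fields. The record layout, the dependency map used to compute "effects on other parts of the system", the sample asset records and the SHA-256 chaining of entries (tamper evidence, which goes beyond the page's minimum list) are all assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class ChangeRecord:
    who: str        # who made the change
    target: str     # which record was changed
    before: dict    # state of the data before the change
    after: dict     # state of the data after the change
    when: str       # when the change took place (UTC, ISO 8601)
    affected: list  # effects: changed fields plus dependent items (assumed dependency map)
    prev_hash: str  # digest of the previous entry; chains the log (addition beyond the page's list)
    digest: str = ""

    def compute_digest(self) -> str:
        body = asdict(self)
        body.pop("digest")
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()


class TraceableStore:
    """Current records plus an append-only change log."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, dependents=None):
        self.records = {}
        self.log = []
        # Assumed dependency map: target -> items whose results depend on it,
        # e.g. risk assessments that reference an asset.
        self.dependents = dependents or {}

    def update(self, who, target, new_value, when=None):
        before = dict(self.records.get(target, {}))
        after = dict(new_value)
        changed = sorted(f for f in set(before) | set(after) if before.get(f) != after.get(f))
        if not changed:
            return None  # nothing changed, nothing to record
        affected = [f"{target}.{f}" for f in changed] + list(self.dependents.get(target, []))
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.log[-1].digest if self.log else self.GENESIS
        rec = ChangeRecord(who, target, before, after, when, affected, prev)
        rec.digest = rec.compute_digest()
        self.records[target] = after
        self.log.append(rec)
        return rec

    def history(self, target):
        """Every change ever made to one record, oldest first."""
        return [r for r in self.log if r.target == target]

    def verify(self):
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.log):
            if rec.prev_hash != prev or rec.compute_digest() != rec.digest:
                return False, i
            prev = rec.digest
        return True, -1


if __name__ == "__main__":
    # Constructed sample: one asset record edited twice by two users.
    store = TraceableStore(dependents={"asset:db-01": ["risk:R-7"]})
    store.update("alice", "asset:db-01", {"owner": "ops", "cia": "HHH"})
    store.update("bob", "asset:db-01", {"owner": "dba", "cia": "HHH"})
    for r in store.history("asset:db-01"):
        print(r.when, r.who, r.before, "->", r.after, "affects", r.affected)
    print("log intact:", store.verify())
```

Because each entry's digest covers the previous entry's digest, editing any stored before/after value after the fact is detected by `verify()`; an auditor can also rebuild the full history of a record from the log alone.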
What is encryption?
* Encryption:
The process of transforming information so that only the intended recipient can reverse the transformation and read it. When words or number sequences are encrypted, an algorithm converts them into ciphertext. To make the data readable again it must be decrypted, i.e. converted back to its original form. Encryption uses a secret value called an encryption key; the security of the scheme rests on the key staying secret, not on the algorithm being unknown.
* One-way encryption:
Strictly speaking this is hashing rather than encryption: there is no key and no decryption. Input, such as a word or a number sequence, e.g. an ID number, is converted into a fixed-length sequence of characters from which the input cannot be recovered directly. This is done using a mathematical function called a one-way hash function. Note the caveat for inputs drawn from a small set: if an ID number has only a few million possible values, anyone can hash every candidate and compare the results, so the original is easily found. For such data the hash should be keyed (e.g. an HMAC with a secret key) or the scheme treated as pseudonymisation rather than anonymisation.
* Symmetric encryption:
A single key is used for both encryption and decryption. Input, such as a word or a number sequence, is converted using a given algorithm and key. The party performing the encryption chooses the key and must keep it secret from outsiders; every party that needs to decrypt must receive the same key over a trustworthy channel. The same key is used to convert the encrypted data back to its original form.
* Asymmetric encryption:
Two different keys are used in asymmetric encryption, one for encryption and one for decryption. Initially, a pair of mathematically related keys is created. Despite the relationship between them, the decryption key (the private key) cannot feasibly be derived from the encryption key (the public key). When this type of encryption is used, it is vital to keep the private key secret; the public key can be published. This method is commonly used in e-mail communications: the sender encrypts the message and attachments using the recipient's public key, and after delivery the recipient decrypts it with their private key. In practice the asymmetric operation protects only a randomly generated symmetric key, which in turn encrypts the message body (hybrid encryption), since asymmetric algorithms are far slower than symmetric ones.
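The caveat under "One-way encryption" above, that a hash of a low-entropy identifier can be reversed by enumeration while a keyed hash cannot, is easy to demonstrate. The following is an added example using only the Python standard library; it is not code from RM Studio. The five-digit ID format and the sample ID are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

ID_DIGITS = 5  # constructed: IDs are 5-digit strings, i.e. only 100,000 possible values


def one_way_hash(id_number: str) -> str:
    """Plain SHA-256 of the identifier, as in naive 'one-way encryption'."""
    return hashlib.sha256(id_number.encode()).hexdigest()


def keyed_hash(id_number: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: same input gives the same output for record
    matching, but without the key an attacker cannot compute candidates."""
    return hmac.new(key, id_number.encode(), "sha256").hexdigest()


def recover_by_enumeration(target_digest: str, digest_fn):
    """Try every possible ID, return the one whose digest matches, or None.

    This is exactly what an outsider would do with a leaked table of hashed IDs.
    """
    for n in range(10 ** ID_DIGITS):
        candidate = f"{n:0{ID_DIGITS}d}"
        if hmac.compare_digest(digest_fn(candidate), target_digest):
            return candidate
    return None


if __name__ == "__main__":
    sample_id = "04217"                       # constructed
    plain = one_way_hash(sample_id)
    print("plain hash recovered:", recover_by_enumeration(plain, one_way_hash))

    key = secrets.token_bytes(32)              # kept secret by the data owner
    keyed = keyed_hash(sample_id, key)
    # The attacker lacks the key, so enumerating plain hashes never matches.
    print("keyed hash recovered:", recover_by_enumeration(keyed, one_way_hash))
```

The enumeration finishes in well under a second for a five-digit space; a ten-digit national ID number only makes it a matter of minutes on a laptop. A per-record public salt does not help here either, because the attacker simply enumerates the space again for each record. The keyed digest still lets the data owner match two records for the same person, so it is pseudonymisation, and the key must be protected like any other encryption key.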
What is an information security management system (ISMS)?
An information security management system (ISMS) is part of an organization's overall management system. It is intended to maintain information security. The ISMS extends to the organization's activities and customer relations. It covers a company's organization chart, its policies, internal structure, division of responsibilities, work routines, procedures, processes and resources.
The scope of an ISMS can include an organization's total operations or specific parts of its activities. The ISMS needs to cover the information systems, including assets, services and software, used in the operations specified under the defined scope.
What is an information system?
An information system includes the data collection and a data processing system that together form an integrated system for the storage and use of information. Information systems also include personnel, equipment, software, services, funds and other factors in relation to the provision or distribution of information.
What are ISO 27001, ISO 27002 and ISO 9001?
ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements. This standard specifies the requirements for establishing, operating and improving an ISMS and is the standard an organization is certified against.
ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management. This standard is a catalogue of security controls with implementation guidance; its controls mirror Annex A of ISO/IEC 27001.
ISO 9001 Quality management systems - Requirements. This is the standard for quality management systems.
Further details: http://www.bsigroup.com , http://www.iso.org/iso/en/ISOOnline.frontpage
What is risk assessment for data processing?
Risk assessment is the overall process of risk analysis and risk evaluation in accordance with ISO/IEC 27001:2005: the evaluation of risks to data and data processing, their effects, the sensitivity of the data to such risks and the probability of the risk events occurring. This includes assessing the risk of an outside party accessing information, altering it or otherwise compromising its security. Risk assessment also weighs the scope and consequences of each risk against the nature of the data being processed. The goal of risk assessment is to provide a basis for selecting security measures. Risk assessments are reviewed at planned intervals, typically annually, and whenever significant changes occur.
What is a Statement of Applicability?
A statement of applicability (also known as an SoA) is a document which identifies the controls chosen for your environment and explains how and why they are appropriate. The SoA draws upon the results of the risk assessment and, if ISO/IEC 27001 compliance is to be achieved, must directly relate each selected control back to the risks it is intended to mitigate. The controls are normally selected from Annex A of ISO/IEC 27001 (which mirrors ISO/IEC 27002), but proprietary controls can also be included. A number of sector-specific schemes are being introduced which stipulate additional mandatory controls.
The SOA should make reference to the workflows, processes, policies or other documentation/systems through which the selected control will actually be implemented.
It is also good practice to document the rationale explaining why non-selected controls were excluded.
Auditors ask for the SOA in the certification process. The SOA is also a good marketing document for stakeholders such as customers, employees, shareholders, and also for surveillance authorities.
An implementation program is the next step after issuing the Statement of Applicability.
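The risk assessment and the Statement of Applicability described above are two views of the same data: risks scored by likelihood and impact, and controls selected to treat them. The following added example (not RM Studio's code or method) shows a minimal risk register, a residual-risk calculation, and an SoA generated from it together with the consistency checks an auditor would apply: every selected control must trace back to a risk, every excluded control must carry a rationale, and every risk must end up at or below the acceptance level. The 3x3 scoring scale, the "one level per control" reduction model, the acceptance threshold and the sample register are assumptions; the control identifiers follow Annex A of the 2005 edition and should be checked against your own copy of the standard.

```python
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}
ACCEPTABLE = 2  # assumed acceptance level: a score above this must be treated


@dataclass
class Control:
    id: str
    title: str
    reduces: str   # which factor the control lowers: "likelihood" or "impact"
    steps: int = 1 # how many levels it lowers that factor (assumed effect model)


@dataclass
class Risk:
    id: str
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # ids of controls selected to treat it


def score(likelihood: str, impact: str) -> int:
    return LEVELS[likelihood] * LEVELS[impact]


def inherent(risk: Risk) -> int:
    """Risk before any control is applied."""
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk, catalogue: dict) -> int:
    """Risk after the selected controls lower likelihood or impact, floor 1."""
    lik, imp = LEVELS[risk.likelihood], LEVELS[risk.impact]
    for cid in risk.controls:
        c = catalogue.get(cid)
        if c is None:
            continue  # unknown control: reported by validate(), gives no credit here
        if c.reduces == "likelihood":
            lik = max(1, lik - c.steps)
        else:
            imp = max(1, imp - c.steps)
    return lik * imp


def build_soa(risks, catalogue, selected, exclusions):
    """One row per catalogue control: applicable?, traced risks, justification."""
    soa = {}
    for cid in catalogue:
        traced = [r.id for r in risks if cid in r.controls]
        soa[cid] = {
            "applicable": cid in selected,
            "risks": traced,
            "justification": f"treats {', '.join(traced)}" if traced else exclusions.get(cid, ""),
        }
    return soa


def validate(risks, catalogue, soa, acceptable=ACCEPTABLE):
    """Return the list of findings an auditor would raise; empty means consistent."""
    problems = []
    for cid, row in soa.items():
        if row["applicable"] and not row["risks"]:
            problems.append(f"{cid}: selected but no risk in the register traces to it")
        if not row["applicable"] and not row["justification"]:
            problems.append(f"{cid}: excluded but no rationale is documented")
        if not row["applicable"] and row["risks"]:
            problems.append(f"{cid}: excluded yet used as treatment for {', '.join(row['risks'])}")
    for r in risks:
        unknown = [c for c in r.controls if c not in catalogue]
        if unknown:
            problems.append(f"{r.id}: references unknown control(s) {', '.join(unknown)}")
        res = residual(r, catalogue)
        if res > acceptable:
            problems.append(f"{r.id}: residual risk {res} above acceptance level {acceptable}")
    return problems


# Constructed sample register and control catalogue.
CATALOGUE = {
    "A.10.5.1": Control("A.10.5.1", "Information back-up", "impact"),
    "A.10.4.1": Control("A.10.4.1", "Controls against malicious code", "likelihood"),
    "A.11.2.1": Control("A.11.2.1", "User registration", "likelihood"),
    "A.9.1.1": Control("A.9.1.1", "Physical security perimeter", "likelihood"),
    "A.10.8.4": Control("A.10.8.4", "Electronic messaging", "likelihood"),
}
RISKS = [
    Risk("R-1", "file server", "ransomware", "medium", "high", ["A.10.4.1", "A.10.5.1"]),
    Risk("R-2", "HR database", "access via stale accounts", "medium", "high", ["A.11.2.1"]),
    Risk("R-3", "visitor wifi", "eavesdropping", "low", "low"),
]
SELECTED = {"A.10.5.1", "A.10.4.1", "A.11.2.1", "A.10.8.4"}  # A.10.8.4 selected with no risk behind it
EXCLUSIONS = {}                                               # A.9.1.1 excluded without a rationale


def run_sample():
    soa = build_soa(RISKS, CATALOGUE, SELECTED, EXCLUSIONS)
    return validate(RISKS, CATALOGUE, soa)


if __name__ == "__main__":
    for r in RISKS:
        print(r.id, "inherent", inherent(r), "residual", residual(r, CATALOGUE))
    for p in run_sample():
        print("finding:", p)
```

On the sample register the checks report three findings: A.9.1.1 is excluded without a documented rationale, A.10.8.4 is selected but nothing in the register justifies it, and R-2 still sits above the acceptance level after its one control, so it needs further treatment or a documented acceptance. Those are precisely the gaps an implementation program must close before certification.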