Information Security Forum (http://www.securityforum.org) and had an interesting conversation about its activities, reports and Member services. The ISF is an independent authority on information security that delivers practical guidance and solutions through its expertise and the collective knowledge and experience of its Members.
As a product manager for BWise, one of my responsibilities is to look into best practice on the market and see how we can accommodate any new methodology. The end goal is to evaluate the potential of each new approach, see if it fits our GRC platform, and work out what is required to get a perfect fit.
We looked at the ISF's comprehensive Standard of Good Practice and its Benchmarking services for information security professionals, with the goal of creating a working solution in BWise that follows the ISF's recommended methodology.
Our initial evaluation covered the ISF's Information Risk Analysis Methodology (IRAM) process. Here's what we found:
Information Risk Analysis Methodology
The IRAM process consists of three phases:
- Business Impact Assessment (BIA) - to determine which applications are most critical for an organization (confidentiality, integrity, availability). The rating of a system determines the depth of the Threat and Vulnerability Assessment (T&VA). BWise Open Assessment functionality (questionnaires) and the risk workshop provide the functionality needed to perform, rate and document every step of the BIA in a structured way;
- Threat and Vulnerability Assessment (T&VA) - to determine which threats affect the systems rated in the BIA and how known vulnerabilities could be exploited by those threats. This produces a likelihood rating which, together with the BIA rating, determines the information risk. Our Risk Workshops help participants rate threats and vulnerabilities along different dimensions, and we can even support calculations that propose overall ratings.
- Control Selection - to determine which controls need to be in place to mitigate the information risks appropriately. These can be documented in BWise and placed into a shared controls library for reuse.
GRC, IT Governance and Umbrellas
On 22 December, BWise is releasing service pack number 2 for Version 4.1. Looking at the new functionality included in this service pack, it could almost be a new version! Although BWise already supports much of the ISF IRAM methodology, it will become even more powerful in our newer versions. We are continuously working on integration with other systems: for example, 'vulnerability scanning' is of particular interest. When this is integrated into a BWise system that also includes the ISF IRAM methodology, we can use the vulnerabilities found by the scanner to update the Information Risk Rating dynamically. This would enable users to see directly which vulnerabilities should get priority, based on a well-thought-through approach to rating information risks.
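To make the three IRAM phases and the "scan results update the risk rating" idea concrete, here is a small added example in Python. It is not code from the ISF, from IRAM or from BWise; the 3-point scales, the likelihood and risk matrices, the CVSS-to-severity mapping, the control library, the system, the threats and the scanner lines are all constructed for illustration and do not reflect the ISF's actual scales. It shows a BIA rating setting the T&VA depth, a likelihood rating derived from threat capability and vulnerability severity, the combination with the BIA rating into an information risk, control selection from a shared library, and finally scanner findings merged in so that vulnerabilities are prioritised by the information risk they drive rather than by their raw scanner score.

```python
"""Toy information-risk pipeline shaped like the three IRAM phases above
(BIA -> T&VA -> control selection) plus scan-driven re-rating.
Every scale, matrix, identifier and scan line is constructed for this
example; none of it is the ISF's actual IRAM scale or BWise functionality."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LOW, MEDIUM, HIGH = 1, 2, 3  # constructed 3-point scale used for every rating

# Constructed look-up matrices; index with (rating - 1).
# likelihood = LIKELIHOOD[threat capability - 1][vulnerability severity - 1]
LIKELIHOOD = [[1, 1, 2],
              [1, 2, 3],
              [2, 3, 3]]
# information risk = RISK[BIA rating - 1][likelihood - 1]
RISK = [[1, 1, 2],
        [1, 2, 3],
        [2, 3, 3]]

# Phase 3 input: constructed shared controls library, control id -> vulnerabilities it mitigates.
CONTROLS: Dict[str, Set[str]] = {
    "C-PATCH": {"V-UNPATCHED-TLS", "V-OLD-KERNEL"},
    "C-MFA": {"V-WEAK-AUTH"},
    "C-BACKUP": {"V-NO-BACKUP"},
}


@dataclass
class Threat:
    name: str
    capability: int      # 1..3: how able the threat is to act
    exploits: Set[str]   # vulnerability ids this threat can make use of


@dataclass
class System:
    name: str
    confidentiality: int  # BIA ratings, 1..3 each
    integrity: int
    availability: int
    threats: List[Threat] = field(default_factory=list)
    # Known vulnerabilities and their severity (from the T&VA, later updated by scans).
    vulnerabilities: Dict[str, int] = field(default_factory=dict)

    # Phase 1: BIA rating = highest of C, I, A (assumption); it sets the T&VA depth.
    def bia_rating(self) -> int:
        return max(self.confidentiality, self.integrity, self.availability)

    def tva_depth(self) -> str:
        return {LOW: "basic", MEDIUM: "standard", HIGH: "full"}[self.bia_rating()]

    # Phase 2: risk driven by one vulnerability = worst over the threats that can
    # exploit it. A vulnerability no assessed threat can use contributes LOW.
    def vulnerability_risk(self, vuln: str) -> int:
        sev = self.vulnerabilities[vuln]
        risk = LOW
        for t in self.threats:
            if vuln in t.exploits:
                lik = LIKELIHOOD[t.capability - 1][sev - 1]
                risk = max(risk, RISK[self.bia_rating() - 1][lik - 1])
        return risk

    def information_risk(self) -> int:
        return max((self.vulnerability_risk(v) for v in self.vulnerabilities), default=LOW)

    def prioritised_vulnerabilities(self) -> List[Tuple[str, int]]:
        """Vulnerabilities ordered by the information risk they drive, highest first."""
        return sorted(((v, self.vulnerability_risk(v)) for v in self.vulnerabilities),
                      key=lambda vr: (-vr[1], vr[0]))

    # Phase 3: controls from the library covering any vulnerability at or above threshold.
    def select_controls(self, library: Dict[str, Set[str]] = CONTROLS,
                        threshold: int = MEDIUM) -> List[str]:
        needed = {v for v, r in self.prioritised_vulnerabilities() if r >= threshold}
        return sorted(c for c, covers in library.items() if covers & needed)


def cvss_to_severity(score: float) -> int:
    """Constructed mapping from a CVSS base score to the 3-point severity scale."""
    return LOW if score < 4.0 else MEDIUM if score < 7.0 else HIGH


def apply_scan_findings(system: System, scan_lines: List[str]) -> int:
    """Merge constructed scanner lines ('host=... vuln=... cvss=...') into the
    system's vulnerability list, never lowering a severity; return the new risk."""
    for line in scan_lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        sev = cvss_to_severity(float(fields["cvss"]))
        vuln = fields["vuln"]
        system.vulnerabilities[vuln] = max(system.vulnerabilities.get(vuln, LOW), sev)
    return system.information_risk()


def build_sample_system() -> System:
    """Constructed CRM system: high confidentiality impact, two assessed threats."""
    return System(
        name="CRM", confidentiality=HIGH, integrity=MEDIUM, availability=MEDIUM,
        threats=[Threat("external attacker", MEDIUM, {"V-UNPATCHED-TLS", "V-WEAK-AUTH"}),
                 Threat("accidental data loss", MEDIUM, {"V-NO-BACKUP"})],
        vulnerabilities={"V-WEAK-AUTH": LOW, "V-NO-BACKUP": LOW},
    )


if __name__ == "__main__":
    crm = build_sample_system()
    print(crm.name, "BIA", crm.bia_rating(), "T&VA depth", crm.tva_depth(),
          "risk", crm.information_risk())
    scan = ["host=crm-db vuln=V-UNPATCHED-TLS cvss=7.5",  # constructed scan lines
            "host=crm-db vuln=V-OLD-KERNEL cvss=5.0"]
    print("risk after scan", apply_scan_findings(crm, scan))
    print("priority", crm.prioritised_vulnerabilities())
    print("controls", crm.select_controls())
```

The point of the final step is visible in the sample run: the medium-scored kernel finding lands at the bottom of the priority list because no assessed threat was linked to it, while the TLS finding raises the system's information risk from medium to high and pulls the patching control into the selection. In practice an unlinked scanner finding should be routed back into the T&VA for review rather than silently ranked low.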
This is another example of how I think the Umbrella GRC function of BWise can add a lot of value to GRC efforts and help to converge the diverse landscape of GRC- or IT Governance-related applications.