COMPARISON OF TOOLS FOR INFORMATION SECURITY MANAGEMENT SYSTEM



Štefan Antolík

Abstract: The article deals with risk analysis in an information security management system (ISMS) and briefly describes the current international standards focused on information security. It then describes the place of risk analysis in the process of information security management and the methods used for risk analysis. In conclusion, the article compares selected methods used for risk analysis.

Keywords: security, analysis, tools, information

1. Introduction

Information security (IS), like any area of human life, develops dynamically. Typical problems for some organizations are insufficient attention to information security, a lack of time and financial resources for this area, an insufficient number of independent skilled workers who deal with information security, improper configuration of some key IT equipment, and a low level of awareness of the organization's security policy among most workers. The process of risk analysis and valuation is used in the information security management system (ISMS) to identify and quantify the organization's information security risks. The organization then responds to the identified risks by creating security measures that aim to reduce them to a tolerable level. This process is repeated periodically. The quality of the analysis is thus strongly linked to the quality of the ISMS, that is, to the degree to which it protects the organization [7, 8].

2. Characteristics of existing international standards in the field of IS

The most important standards in the field of information security include the following [9]:
- ISO/IEC 27000:2005 - Information technology - Security techniques - Information security management systems - Overview and vocabulary,
- ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements,
- ISO/IEC 27002:2005 - Information technology - Security techniques - Information security management systems - Code of practice for information security management,
- ISO/IEC 27003:2010 - Information technology - Security techniques - Information security management systems - Information security management systems implementation guidance,
- ISO/IEC 27004:2009 - Information technology - Security techniques - Information security management systems - Information security management measurements,

- ISO/IEC 27005:2011 - Information technology - Security techniques - Information security management systems - Information security risk management,
- ISO/IEC 27006:2011 - Information technology - Security techniques - Information security management systems - Requirements for bodies providing audit and certification of information security management systems,
- ISO/IEC 27007:2011 - Information technology - Security techniques - Guidelines for information security management systems auditing,
- ISO/IEC 27035:2011 - Information technology - Security techniques - Information security incident management.

3. Status of risk analysis in the process of information security management

Risk analysis in information systems is essential for an effective system of protecting them. The objective of risk analysis is to identify and assess the threats to which the information system is exposed so that relevant measures can be selected. Risk analysis identifies the threats and their risks, which then have to be either accepted or corrected. In the context of information systems security, risk analysis comprises asset analysis, threat analysis, vulnerability analysis and analysis of protective measures. To build an effective information security management system we rely on ISO standards, in particular ISO/IEC 27001, ISO/IEC 27002, TNI ISO/IEC TR 13335 (the third and fourth parts of this standard, which correspond to ISO/IEC 27005:2008) and ISO/IEC 20000 [1]. Risk analysis is the process through which the security risks that need to be checked and accepted are identified [2, 4]. Risks are assessed in terms of the possible impact caused by the disruption of an information attribute. ISO/IEC TR 13335-1 provides four basic approaches to risk analysis; the basic difference between them is the depth of the analysis [3]:
- use the same basic approach for all information systems, regardless of the risk to which they are exposed, and accept that the resulting level of security is not always adequate,
- use an informal approach to risk analysis and focus on the information systems that are viewed as exposed to the highest risk,
- perform a detailed analysis of risks using a formal approach for all information systems,
- perform a combined approach: first carry out a general analysis of the risks and identify the information systems exposed to high risk, then perform a detailed risk analysis for these systems and apply standard measures to all the other systems.

4. General procedure of risk analysis

The following figure shows the procedure and the steps of which risk analysis consists.

[Figure 1: flowchart of the risk analysis process with the steps: Determine the boundaries of the analysis; Identification of assets; Asset valuation and determination of dependency; Assessment of threats; Assessment of vulnerability; Identification of existing / planned measures; Evaluation of risk]
Figure 1 The process of risk analysis

A detailed description of the steps [6]:
- Determination of the boundaries of the risk analysis: the boundary of the risk analysis is an imaginary line dividing the assets that are included in the analysis from the other assets. The boundary is determined on the basis of management's plans or of an initial study. Assets that management wants covered by the ongoing risk-reduction process are included in the analysis and lie inside the boundary; other assets lie outside it,
- Identification and valuation of assets: in this step a list is formed of the assets in the business environment, processes and information that will be evaluated within the scope of the ISMS design,
- Assessment of threats: in this step a list is formed of the threats to the assets, generally using a catalogue of threats,
- Assessment of vulnerability: in this step a list is formed of the potential vulnerabilities of the existing assets, based on a list of well-known vulnerabilities,
- Identification of existing and planned security measures: this step serves to identify and document all existing and planned measures linked to the assets on the list,
- Evaluation of risks: this step serves to calculate the risk from the established lists of threats and vulnerabilities associated with the assets on the list.

5. The selected tools used in the process of risk analysis

5.1 Callio

Callio Secura 17799, created by Callio Technologies, is a web-based tool. It works with databases and allows the user to implement and operate an information security management system (ISMS). It supports the standards ISO 17799 and ISO 27001 and can produce the documents required to obtain certification against them. It also provides management and editing of the documents stored in the database used by the tool. A demo version is available for trial on the Callio Technologies website. From the user's perspective the tool is easy to use, since it is a web solution intuitively divided into sections, and it contains a help system that guides the user with explanations and instructions.
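The procedure of section 4 run under the combined approach of section 3 (coarse screening, detailed analysis only for high-risk systems, standard measures for the rest), as an added Python example; it is not code from the article or from any of the tools compared below. The 1-5 scales, the multiplicative score, the thresholds, the dependency rule and the whole asset and exposure inventory are constructed assumptions, not a method prescribed by ISO/IEC TR 13335 or any other standard named in the text.

```python
"""Combined-approach risk analysis following sections 3 and 4 of the article.
Added illustration; scales, formula, thresholds and sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int                      # own valuation, 1 (low) .. 5 (critical)
    depends_on: list[str] = field(default_factory=list)
    in_scope: bool = True           # inside the boundary of the analysis?


@dataclass
class Exposure:
    """One threat/vulnerability pair found for an asset."""
    asset: str
    threat: str
    likelihood: int                 # threat assessment, 1 .. 5
    vulnerability: int              # vulnerability assessment, 1 .. 5
    existing_measure: float = 0.0   # share of the risk removed by an existing/planned measure, 0 .. 1


def within_boundary(assets: dict[str, Asset]) -> dict[str, Asset]:
    """Step 1: keep only the assets inside the boundary of the analysis."""
    return {n: a for n, a in assets.items() if a.in_scope}


def effective_value(assets: dict[str, Asset], name: str, seen: frozenset = frozenset()) -> int:
    """Step 2: valuation with dependency. An asset is worth at least as much as
    any asset that depends on it (a database inherits the portal's value)."""
    if name in seen:                # guard against dependency cycles
        return assets[name].value
    seen = seen | {name}
    dependents = [a.name for a in assets.values() if name in a.depends_on]
    return max([assets[name].value] + [effective_value(assets, d, seen) for d in dependents])


def risk_score(assets: dict[str, Asset], exp: Exposure) -> float:
    """Steps 3-6: value x likelihood x vulnerability, reduced by existing measures."""
    raw = effective_value(assets, exp.asset) * exp.likelihood * exp.vulnerability
    return raw * (1.0 - exp.existing_measure)


def screen(assets: dict[str, Asset], high_value: int = 4) -> set[str]:
    """General (coarse) analysis of the combined approach: systems whose
    propagated value reaches high_value count as exposed to high risk."""
    return {n for n in assets if effective_value(assets, n) >= high_value}


def combined_approach(assets: dict[str, Asset], exposures: list[Exposure],
                      tolerance: float = 25.0, high_value: int = 4) -> dict[str, dict]:
    """Detailed analysis for high-risk systems, baseline measures for the rest."""
    scoped = within_boundary(assets)
    detailed = screen(scoped, high_value)
    plan: dict[str, dict] = {}
    for name in scoped:
        if name not in detailed:
            plan[name] = {"approach": "baseline", "findings": []}
            continue
        findings = []
        for e in exposures:
            if e.asset != name:
                continue
            score = risk_score(scoped, e)
            if score > tolerance:   # above the tolerable level: needs a measure
                findings.append((e.threat, round(score, 1)))
        findings.sort(key=lambda f: -f[1])
        plan[name] = {"approach": "detailed", "findings": findings}
    return plan


# Constructed sample inventory (not taken from the article).
ASSETS = {
    "customer-db": Asset("customer-db", 5),
    "auth-service": Asset("auth-service", 3),
    "web-portal": Asset("web-portal", 4, depends_on=["customer-db", "auth-service"]),
    "intranet-wiki": Asset("intranet-wiki", 2),
    "hr-payroll": Asset("hr-payroll", 5, in_scope=False),   # outside the boundary
}
EXPOSURES = [
    Exposure("customer-db", "SQL injection through the portal", 4, 3, 0.5),
    Exposure("customer-db", "theft of backup media", 2, 2),
    Exposure("auth-service", "credential stuffing", 4, 3),
    Exposure("web-portal", "denial of service", 3, 2, 0.6),
    Exposure("intranet-wiki", "defacement", 3, 3),
]

if __name__ == "__main__":
    for asset, entry in combined_approach(ASSETS, EXPOSURES).items():
        print(f"{asset:14s} {entry['approach']:9s} {entry['findings']}")
```

Two design points worth noting: the dependency step raises auth-service from its own value 3 to 4 because the portal relies on it, which is what moves it from baseline into detailed analysis; and the existing-measure field models the "identification of existing and planned measures" step as a fraction of risk already removed, so the same exposure can fall below tolerance once a measure is credited.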

5.2 Cobra

COBRA, made by the British company C & A Systems Security, is a software system for risk analysis. It allows the organization to focus on the security of risky assets. It evaluates the potential impact of threats and vulnerabilities and then generates appropriate recommendations and solutions, automatically linking the impact of possible threats to the company's assets, and gives the opportunity to ensure little or no impact on them. COBRA is offered only in English. It is intended primarily for commercial organizations and for organizations focused on ISO 17799. A demo version is available for testing on the manufacturer's website. Operating the tool should be easy even for users who are not familiar with tools for risk analysis and management; a user guide is also provided. The tool is built from modules, which can be modified to obtain more accurate solutions and recommendations.

5.3 Countermeasures

Countermeasures comes from the USA and is made by the company Alion. The tool performs risk analysis and management based on the US standards NIST 800 and OMB Circular A-130. It lets the user define the evaluation criteria through a tailor-made list, provides an objective assessment of the assets and determines the security aspects. The tool is available in a network configuration as well as a workstation configuration, and only in English. It is one of the most expensive tools for risk analysis (Enterprise version: $14,500), with discounts available for the academic sector and government organizations. It can run as a stand-alone application or on a web server. It is intended primarily for large multinational organizations such as banks, oil companies, insurance companies, universities and public companies. The product price includes two days of training in working with the application. The system provides automatic installation and a simple user interface with an accompanying manual. An advantage of the product is the support included in the price. The tool can export documents to MS Excel format or save them to a database.

5.4 Ear/Pilar

This risk analysis tool comes from Spain and consists of two parts: EAR, a commercial product, and PILAR, which is limited to public administration. The tool is supported by the Spanish agency CCN (Spanish National Agency for Safety). For risk analysis and management it uses mainly the Magerit methodology. It supports long-term risk management and provides escalating analysis for continuous improvement of the system. It focuses primarily on qualitative and quantitative analysis and management of risks; the assessed operations are evaluated by their impact on the company's business areas. The tool is available in four languages: English, French, Italian and Spanish. Academic organizations and the Spanish public administration can obtain it free or at a discount; the other target groups for which EAR/PILAR is sold commercially are multinational companies, local government organizations and large companies. The tool is designed as a client/server application. The manufacturer provides support and technical training. The tool helps to obtain certification according to ISO/IEC 27001:2005. Installation is automatic and use is intuitive, but the user must be familiar with the Magerit methodology.

5.5 Ebios

Ebios was created by the Central Information Systems Security Division in France and is supported by an organization called Club Ebios. This tool differs mainly in that the software is open source and mostly free. It works on the principle of the five phases of the EBIOS method. It allows the user to capture all the work and results in the resulting documents. The tool is available in four languages: English, French, Spanish and German. It is used by EU countries such as France, Belgium, Luxembourg and others; outside the EU it is used in countries such as Tunisia and in Quebec. Today about 1000 known entities from the public as well as the private sector use it. Ebios is intended for government and supranational organizations and for both commercial and non-commercial companies. Ebios is an independent application written in the Java programming language that works with XML documents, so the platform on which the user runs Ebios does not matter. The tool also supports editing of risks, threats and vulnerabilities and offers treatment of the issues found when identifying risks.

5.6 Proteus

The risk analysis tool Proteus comes from the United Kingdom, from the workshop of Infogate. It is oriented mainly to government organizations worldwide and is supported by BSI (British Standards Body), ISF (Information Security Forum) and the Institute of HICP. Proteus is a comprehensive tool running on a web server. It offers analysis and management of security risks for government agencies as well as large multinationals and helps organizations implement standards and security guidelines such as ISO 17799, BS ISO 27001, BS 25999, SOX, CobiT, PCI DSS and others.

5.7 RiskPAC

The system was developed by a U.S. CPA firm that specializes in risk analysis. It is an expert system in which elements of artificial intelligence are implemented. The system is complemented by a further package of programs: RecoveryPAC, which lets you create disaster recovery plans, and IS System Manager, which allows users to create their own questionnaires. System Manager is a tool for quick and easy development of questionnaires: it allows creating new or modifying existing questionnaires, creating or editing questions and managing the creation of assessment questionnaires, and it provides advice based on the users' responses. RecoveryPAC is a tool for creating customized recovery action plans for systems. Management of system recovery activities consists of three basic modules (project management module, data recovery modelling module, business recovery planning module).

5.8 RiskWatch

RiskWatch is a package of software products used for risk analysis in accordance with the world standards for information security (ISO/IEC 17799), with the standards for financial institutions issued by the governmental agency FFIEC (The Federal Financial Institutions Examination Council) and with the U.S. Sarbanes-Oxley Act of 2002. The package contains:
- RiskWatch for Information Systems & ISO 17799,
- RiskWatch for Financial Institutions,
- RiskWatch for Physical & Homeland Security,
- RiskWatch for Physical Security & C-TPAT.
RiskWatch for Information Systems & ISO 17799 provides a convenient base in the form of a web-based questionnaire, which can be installed on a server and used as a client/server application (i.e. the person authorized and responsible for each security area can access it from their own workstation). RiskWatch for Financial Institutions is used for risk analysis in financial institutions and covers the issues arising from the Gramm-Leach-Bliley Act, California SB 1386 (Identity Theft Standards) and the information systems standards issued by the FFIEC.

5.9 CRAMM (CCTA Risk Analysis and Management Method)

By the acronym CRAMM we understand two different things:
- the UK government methodology for valuation and risk analysis of security,
- the supporting software tool that helps in applying this methodology in practice.
The tool is sold in version 5.2 for the Microsoft Windows operating system. In the nineties CRAMM was used primarily by the UK government, and it was also adopted by a number of commercial organizations and government offices around the world. Currently it is the most widely used methodology of its kind in Europe. It is distributed in three versions: CRAMM Expert, CRAMM Express and BS 7799 (ISO 27001) Review. It is also possible to order a trial version for a short-term trial of the product. Since this is a robust solution, that is reflected in the final price of the product, which is now in the order of hundreds of thousands. Further disadvantages of the product are the staff training needed to use the tool and understand the CRAMM method, the inability to use one license on multiple computers and the outdated graphical user interface. Due to the complexity of the security of information systems, data and computer networks, no one person can be an expert in all areas. The rapid development of IT, constant changes in information systems and new trends place ever greater demands on limited resources. There is also a wide range of risks that may threaten the security of an information system or network. With so many risks, it is difficult to measure their level and to locate the vulnerabilities and weaknesses of the IS. It also happens that the introduction of countermeasures for one set of risks gives rise to new risks elsewhere. Therefore there is an objective need for a validated method such as CRAMM that can support information security management processes. Risk analysis according to the CRAMM methodology examines the security of IS assets, but gathers them into logical units, asset models, which are then subjected to risk analysis. Risk analysis with the CRAMM tool, in accordance with the methodology, consists of three phases, each supported by questionnaires and instructions:
- identification and valuation of assets,
- determination of risk: analysis of threats and vulnerabilities,
- risk management: proposal of security measures.

5.10 Casis

Advanced Security Audit Trail Analyzer: its goal is to collect data from the information system, correlate these data and generate security alerts according to user-defined rules. It contains no methods for risk analysis.

5.11 GSTool

Developed by the Federal Office for Information Security (BSI) in Germany. After collecting the necessary information the user has a comprehensive system for reporting on the performed structural analysis.

5.12 ISAMM

Information Security Assessment and Monitoring Method: a collection of instructions and best practices in the field of information security based on ISO/IEC 27002. It comprises three main parts: determining the scope, risk assessment and reporting.

5.13 Modulo Risk Manager

Software helping organizations to perform detailed risk assessments efficiently and automatically and to coordinate projects through a centralized collection of data related to technology (such as software and hardware), non-technical assets (such as people and processes) and physical security. It supports the standards SOX, PCI, HIPAA, GLBA, FISMA, BASEL II,

ISO 27001, BS 25999 and COBIT. It produces a risk profile that may have a direct impact on the company and on its direct investment in security. It streamlines and reduces the direct cost of executing the company's audits.

5.14 Real ISMS

An on-line solution for easy implementation and maintenance of ISO 27001 certification.

5.15 RM Studio

Supported standards: ISO 27001, ISO 9001, ISO 14001:2004, ISO 13485, WLA-SCL:2006, PCI DSS 1 & 2, BS 25999-2:2007, as well as user-defined standards. RMS combines business continuity management processes and risk management. It is based on the methodology of the ISO/IEC 27001 and 27005 security standards.

6. Comparison of selected tools of risk analysis in IS

The comparison of the tools considers not only risk analysis but also other functions of the tools, namely the ability to identify risks and the possibility of risk management. This comparison makes it easier to select a suitable tool, whether a comprehensive software solution to support the ISMS is sought or only a specific functionality is required.

Table 1 Comparison of tools - software solutions

Tool                  Identification of risk   Risk analysis   Risk management
Callio                Yes                      No              Yes
Casis                 No                       No              No
Cobra                 Yes                      No              Yes
Countermeasures       Yes                      Yes             Yes
CRAMM                 Yes                      Yes             Yes
Ear/Pilar             Yes                      Yes             Yes
Ebios                 Yes                      Yes             Yes
GSTool                Yes                      Yes             Yes
ISAMM                 Yes                      Yes             Yes
Modulo Risk Manager   Yes                      Yes             Yes
Real ISMS             Yes                      Yes             Yes
Riskwatch             Yes                      Yes             Yes
RM Studio             Yes                      No              Yes

Table 2 Comparison of selected tools for risk analysis [5]

Tool              Supported standards
Callio            ISO 17799, ISO 27001
Cobra             ISO 17999
Countermeasures   (not recoverable)
Ear/Pilar         ISO 13335, ISO 17799, ISO 15408, ISO 27001
Ebios             ISO 13335, ISO 15408, ISO 17799, Ebios
Proteus           ISO 27001, BS 25999, SoGP, PCI DSS, SOX
Cramm             ISO 27001, Cramm

[The values of the remaining columns of Table 2 (CERT, MOD, ŠKOL, language availability, target audience, support) did not survive extraction and are not reproduced.]

Legend: CERT - support for obtaining certification; MOD - ability to make own modifications of the instrument (1 - weak, 2 - good, 3 - excellent); ŠKOL - need for training of staff; EN - English; FR - French; IT - Italian; ES - Spanish; CZ - Czech; G - government; L - large companies; S - small and medium-sized companies; N - non-commercial target groups; K - commercial target groups.

7. Conclusion

Risk analysis of an IS is a very time- and knowledge-intensive process and is very prone to analysis errors. During the analysis, many aspects affecting the security of the IS must be taken into account. Given the character of the risk analysis process, the effort to speed it up, clarify it and improve it using special software tools is understandable. Selection of the appropriate tool is crucial to the future quality of the risk analysis. Tools supporting risk analysis are used to support the identification of the company's strategic assets; to create a database of assets and classification surveys that help in identifying the most common risks associated with business objectives; to help develop appropriate measures to minimize threats; to identify security incidents and help resolve them; and to help in deciding on security policy.

References

[1] ISO/IEC 13335-1:2004 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management.
[2] NAGYOVÁ, A., MARKULÍK, Š. Bezpečnosť z hľadiska informačnej ochrany. In: Spektrum, Vol. 7, No. 2, 2007, pp. 9-10.
[3] ORAVEC, M., KAŠKO, E. STN ISO/IEC 27001 v kontexte právneho rámca SR. In: Bezpečnosť práce, No. 7, 2008, pp. 3-7.
[4] ROSENBERGER, Ľ. Význam procesu analýzy rizík v systéme manažérstva informačnej bezpečnosti (SMIB). In: Economics and Management E&M 2, MK ČR E 17538, 2010, pp. 21-27.
[5] SCHREIDER, T. Risk Assessment Tools. In: A Primer, September 2010 [cited 16 February 2013]. Available from: <http://www.securityrevue.com/article/2007/08/manazerstvo-rizika-a-jeho-ulohyv-oblasti-bezpecnosti-technickych-zariadeni/>
[6] STRNÁD, O. Systém riadenia informačnej bezpečnosti. Ostrava: Amos, 2011. ISBN 978-80-904766-6-0.
[7] ŠOLC, M. Informačná bezpečnosť v spoločnosti. Ekonomika Management Inovace, No. 1, Vol. III, 2011, pp. 12-24.
[8] ŠOLC, M., TOMČOVÁ, T. Prečo uvažovať o zavedení systému manažérstva informačnej bezpečnosti? Bezpečnosť práce, No. 2, 2009, pp. 28-33.
[9] VIRČÍKOVÁ, E., ŠOLC, M. Integrované manažérske systémy. Košice: TU, 2012. ISBN 978-80-553-0927-9.