A brief introduction to eramba cOcOn – International Cyber Security & Policing Conference September 2013, Trivandrum, India.
What this is all about? Open-source tools for Security Governance
• eramba, an open-source tool that (hopefully) simplifies Governance.
• A little talk about the definition, benefits and challenges of Information Security Governance.
• This is a useful chat for current and future Security and Compliance Managers, Leaders, etc.
• 110% based on enterprise-level experiences and necessities.
Information Security Governance A hugely general view on the matter.
• Governance is mostly about making decisions.
• Decisions need (among many other things) accurate, sufficient, applicable information.
• Real life is not like that at all.
• Lack of information leads to shortcut decisions and answers: assumptions, best guesses, etc. (basically, problems).
Benchmark your Governance Typical Security Governance Q&A's
• Classical Security Governance questions:
• How much does your Security program cost? Where can we make it more efficient?
• How much risk are we mitigating? How much does that cost?
• Which are our core Security Controls? How well do they work? How much do they cost?
• Which controls are key to comply with PCI-DSS? Are they working fine?
• How well prepared are we for the next audit? Which compliance gaps exist?
• Wouldn't it be great to have factual information to answer all of this?
Who is behind eramba A little bit of our astonishing success…
• We have been working on eramba since May 2011.
• One-year Proof of Concept (multinational with more than 3k employees, 13+ branch offices and a lot of compliance noise) and ISO/IEC 27001 certification.
• Published on the internet in April 2013.
• We have users all around (~30 downloads/month).
• We got sponsorship for conferences, better software development (btw, we need more sponsors!) and more POCs!
So, what is eramba? A hugely general view on the matter.
• It helps Security Departments to:
• In a simple way, collect only the data needed about your Security Program.
• Relate this data and grow information (no additives! 100% organic!).
• Visualize the information in a useful way.
• Make sound decisions.
• Simplify reporting to your management.
• WARNING: Your organization must adopt and understand Security Governance before you can really use eramba.
Mitigating Risk & Compliance How eramba helps you visualize your information
Diagram: on the RISK side you define Asset Risks, Third Party Risks and Business Risks (Risk #1 … Risk #n in each category); on the COMPLIANCE side you can define any compliance package you want (PCI-DSS, ISO 27001, etc.), each with its requirements (Req #1 … Req #n). Both sides are mapped onto a single CONTROL CATALOGUE (Control #1 … Control #n), and every control carries an Audit Status.
• Mapping Controls to Risk & Compliance requirements allows you to see many things:
• Efficacy, Efficiency, Cost per Risk, Cost per Compliance Item, etc.
• For each control you know its cost, resource utilization, what it is mitigating (or not) and whether it is working (or not).
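As an added illustration of the mapping described above, and of how it answers the "Benchmark your Governance" questions (cost per risk, cost per compliance item, which controls are failing), here is a small Python model. It is not eramba's code or database schema: the controls, risks, requirement identifiers, costs and audit results are constructed sample data, and the rule that a control's annual cost is split evenly across every risk and requirement it is mapped to is an assumption made for the example.

```python
"""Toy control / risk / compliance mapping in the spirit of the diagram above.

Constructed example, not eramba's code or schema.  Assumed rules:
  * a control's annual cost is split evenly across every risk and
    compliance requirement it is mapped to;
  * a control is 'working' only if its last audit passed.
"""
from collections import defaultdict

# --- constructed sample data (not from any real organisation) --------------
# control id -> name, annual cost, result of the last audit
CONTROLS = {
    "C1": {"name": "Patch management",         "cost": 12000, "audit_passed": True},
    "C2": {"name": "Log monitoring",           "cost": 30000, "audit_passed": False},
    "C3": {"name": "Vendor due diligence",     "cost": 8000,  "audit_passed": True},
    "C4": {"name": "Disk encryption",          "cost": 5000,  "audit_passed": True},
    "C5": {"name": "Security posters",         "cost": 1500,  "audit_passed": True},
}

# risk id -> (risk type, description, mapped controls)
RISKS = {
    "R1": ("asset",       "Unpatched web server exploited", ["C1", "C2"]),
    "R2": ("third_party", "Hosting provider breach",        ["C3"]),
    "R3": ("business",    "Laptop with customer data lost", ["C4"]),
    "R4": ("asset",       "Insider data exfiltration",      ["C2"]),
    "R5": ("business",    "Ransomware on file share",       []),
}

# compliance package -> requirement -> mapped controls
# (requirement identifiers are placeholders chosen for illustration)
COMPLIANCE = {
    "PCI-DSS":   {"Req 6.2": ["C1"], "Req 10.6": ["C2"], "Req 12.8": ["C3"]},
    "ISO 27001": {"A.12.6.1": ["C1"], "A.10.10.2": ["C2"], "A.10.7.3": ["C4"]},
}


def control_mappings():
    """Number of risks + requirements each control is mapped to."""
    counts = defaultdict(int)
    for _, _, ctrls in RISKS.values():
        for c in ctrls:
            counts[c] += 1
    for reqs in COMPLIANCE.values():
        for ctrls in reqs.values():
            for c in ctrls:
                counts[c] += 1
    return counts


def _allocated(ctrls, counts):
    # share of each mapped control's cost attributed to one risk/requirement
    return sum(CONTROLS[c]["cost"] / counts[c] for c in ctrls)


def cost_per_risk():
    counts = control_mappings()
    return {r: round(_allocated(ctrls, counts), 2)
            for r, (_, _, ctrls) in RISKS.items()}


def cost_per_requirement():
    counts = control_mappings()
    return {f"{pkg} {req}": round(_allocated(ctrls, counts), 2)
            for pkg, reqs in COMPLIANCE.items() for req, ctrls in reqs.items()}


def unmitigated_risks():
    """Risks with no control at all, or whose every control failed its last audit."""
    return sorted(r for r, (_, _, ctrls) in RISKS.items()
                  if not any(CONTROLS[c]["audit_passed"] for c in ctrls))


def requirements_at_risk():
    """Requirements relying on at least one control that failed its audit."""
    return sorted(f"{pkg} {req}" for pkg, reqs in COMPLIANCE.items()
                  for req, ctrls in reqs.items()
                  if any(not CONTROLS[c]["audit_passed"] for c in ctrls))


def cost_by_risk_type():
    """Allocated mitigation cost per risk type (asset / third_party / business)."""
    out = defaultdict(float)
    for r, cost in cost_per_risk().items():
        out[RISKS[r][0]] += cost
    return dict(out)


def unused_controls():
    """Controls that cost money but mitigate nothing: efficiency candidates."""
    counts = control_mappings()
    return sorted(c for c in CONTROLS if counts[c] == 0)


if __name__ == "__main__":
    print("cost per risk:        ", cost_per_risk())
    print("cost per requirement: ", cost_per_requirement())
    print("unmitigated risks:    ", unmitigated_risks())
    print("requirements at risk: ", requirements_at_risk())
    print("cost by risk type:    ", cost_by_risk_type())
    print("unused controls:      ", unused_controls())
```

Two things worth noticing when running it: the allocated costs sum back to the cost of the mapped controls (55000 here), so the 1500 spent on the unmapped control C5 is immediately visible as spend that mitigates nothing; and a single failed audit (C2) simultaneously leaves one risk unmitigated and puts one requirement in each compliance package at risk, which is exactly the cross-view the slide is arguing for.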
Compliance Paperwork eramba & ISO/IEC 27001
Diagram: the eramba modules (Project Management; Third Parties; Exception and Classification Management; Support Contracts; Third-Party Risk Management; Security Controls, with their cost, effort, owner, documentation, etc.; Compliance Requirements; Regular Audits; BCM; Regular Maintenance; Risk and Asset Management; Business Units; Security Incidents; Liabilities; Data Flow Analysis) annotated with the ISO/IEC 27001 clauses they support: 4.2.1, 4.2.2, 4.2.3, 5.2.1, 6, 6.2, 7.1, 7.2, 8.2, 8.3, 13 and 14.1 (2005-edition numbering).
Security Controls Information How eramba helps you visualize your information
• Which controls work, and which do not?
• Which ones could be more efficient?
• When are support contracts due to expire?
Compliance Information How eramba helps you visualize your information
• How much does a Third Party cost me?
• How well is compliance package XYZ being addressed?
• Which controls are critical for XYZ?
• Which controls have been failing?
Risk Information How eramba helps you visualize your information
• Which business unit gives me more Risk?
• Give me a Risk Report!
• Which risk costs me what?
• Which risk can I afford not to mitigate?
Risk Information How eramba helps you visualize your information
• Built-in calendar and warnings to keep you informed about:
• Control Audits and Maintenance
• Exceptions about to expire
• Audits
• Project Deadlines
• Support Contracts expiring
• Etc.
Project Information How eramba helps you visualize your information
• Which projects are on-going?
• How much do they cost?
• How much efficiency will they bring?
The best is yet to come Things we are working on!
• Complete re-code and migration to the CakePHP framework.
• Better, far better, User Interface & Dashboards.
• New modules:
• Security Awareness Trainings
• Out-of-the-box Risk and Compliance reports
• Improved uploads
• Full UTF-8 compliance
• Multi-language support