Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
charlpl
Newcomer II
‎04-18-2019 03:19 AM
‎04-18-2019 03:19 AM

ISMS management and reporting toolkit

To all security officers and managers out there. Would there be any interest in an ISMS Management and reporting toolkit, which could assist in the following:

 

Planning, management and reporting of:
◦Strategic initiatives (NIST & ISO27001 and customization to suit your needs)
◦Tactical initiatives (Prioritize and track high focus action items)
◦Project initiatives (Track and manage InfoSec related projects)
◦Audit findings
◦Incident tracking to RCA completion
◦Security posture improvement program, utilizing MITRE attack framework to be used in red/blue team exercise
◦Governance framework tracking policy, standards, process, architecture artefacts and review cycles with RACI model
◦Tracking and reporting on key operational InfoSec areas, covering anti-malware management, patch management, security configuration management, encryption, account management & vulnerability management
◦Drill-down reporting and Roll-up reporting from technical view up to risk management view

Reply
0 Kudos
5 Replies
emb021
Advocate I
‎04-18-2019 09:52 AM
‎04-18-2019 09:52 AM

I think such toolkits exist already.

 

There are the various GRC tools.  Various of the companies pushing for ISO27001/ISMS certification offer various toolsets either free or fee.  There is Apptega, which works with various frameworks, etc.

 

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Reply
0 Kudos
charlpl
Newcomer II
‎04-18-2019 10:10 AM
‎04-18-2019 10:10 AM

Hi. Thanks for response. However this tool also provides fine grained security controls and testing in red/blue team scenario using very specific attack vectors as guidelines by MITRE.  The tool also does very fine grained management of infosec tasks across all areas of ops, strategy, audit, projects and attack vectors.

Sent from Yahoo Mail on Android
Reply
0 Kudos
Wayne_Evans
Newcomer III
‎04-18-2019 10:17 AM
‎04-18-2019 10:17 AM

How does it compare with tools like?
https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/

 

 

Kind Regards,

 

Wayne

Reply
0 Kudos
charlpl
Newcomer II
‎04-18-2019 11:00 AM
‎04-18-2019 11:00 AM

Hi

 
Ciscat pro only does secure configuration auditing against CIS. This tool would essentially ingest that information and spit out trend reporting on CIS compliance for example. Other information would also be ingested such antimalware, patch management, account management etc. That is just from an operational reporting point of view. Other reports would provide technical data which could roll up to risk reporting to cover areas such as strategy(iso27001 or NIST). Infosec project management and reporting, audit tracking, red/blue team planning for all attack vectors, based on all the above a tactical plan can be formulated to address all high risk priority items. The management, task tracking and reporting will al be done within this tool
Reply
0 Kudos
charlpl
Newcomer II
‎04-23-2019 06:47 AM
‎04-23-2019 06:47 AM

Hi All

I have attached a sample report from the "ISMS Management & Reporting Toolkit". This is still in a fairly rough state, but this should provide you with an overview in terms of capability and reporting output.
Please provide feedback and let me know if this is something you would be interested in using in your environment.

 

Sample ISMS Report


Regards

Reply
0 Kudos