Automate your annual risk and compliance assessment
Many small to medium-sized enterprises (SMEs) have risk and privacy compliance issues similar to those of big companies, without the big budgets.
Control Policy Group’s free risk and compliance automation tool provides an SME with an extremely cost-effective way of collecting data, analyzing risk, meeting compliance requirements and providing effective internal security to the business.
The Control Policy risk and compliance automation tool provides 4 key benefits for an SME (besides being free…):
- It is quantitative: it enables business decision makers to define the dollar value of assets, the risk profile and the controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
- It is robust: it preserves the integrity of the data you collect during the risk assessment; Excel is the wrong tool for maintaining large, complex, multi-dimensional data models such as those used during a risk assessment.
- It is versatile: it enables a business to reuse existing knowledge in new business situations and to perform what-if analysis on control scenarios without jeopardizing the integrity of the data.
- It is effective: it recommends the right security controls and the most effective order of implementation, saving you money.
The risk and compliance automation tool is implemented as a plugin ISO27001 library for PTA Professional. This PTA ISO 27001 library is a full implementation of the ISO 27001 standard and is provided free of charge to any ISO consultant or business wishing to certify to the standard. The user-friendly PTA Professional application for Windows is available as a free download at the PTA Technologies web site. The Control Policy Risk and Compliance Automation tool is provided free of charge to end users and security and compliance consultants and is licensed under the Creative Commons Attribution License by the Control Policy Group.
Compliance is a minimum but not a sufficient requirement for risk management.
What security controls should a firm implement after a risk assessment? All, none, some?
We all know that a business can be compliant with a standard such as PCI DSS 1.1 and still suffer from a data security breach.
There are always many more security product and service controls available than there are threats. Many businesses find themselves coping with a long and confusing shopping list of controls specified by standards like PCI DSS and ISO27001. You can implement all the controls in the standard (if you have deep pockets), you can do nothing (ignore the risk assessment), or you can try to get the biggest bang for your dollar by implementing the right security controls at the lowest cost.
It is well known that implementing additional controls does not necessarily reduce risk.
For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.
The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.
Using the risk and compliance automation tool to get the right security at the right price
By using the ISO27001 framework with PTA, a business can construct, in business terms, an economically justified set of security controls that reduces risk in its specific business environment. A company can implement security controls consistent with its budget instead of an expensive all-or-nothing checklist of controls.
ISO27001 specifies that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). The ISO27001 automation tool provides a systematic and quantitative approach to risk assessment and adds value with an optimized risk mitigation program. The risk audit process is faster, easier, more robust and a lot more fun than with an Excel spreadsheet.
An ISO 27001 risk assessment with Control Policy involves a two-stage process:
- Stage 1 is a “first cut” review of the existence and completeness of key documentation for Security Policy and Information Security Management System (ISMS). This is done by cycling through the threat model, tagging top-level vulnerabilities with a status and storing appropriate documentation in the model, while linking to the appropriate entity.
- Stage 2 is a detailed, in-depth audit that tests existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist would be marked as “Already Implemented” in PTA Professional Edition countermeasures detail screen. Controls needing work would be tagged with an action-required status (see the tagging option of the PTA tool).
Step by Step with the ISO27001 automation tool
First download and install the PTA Professional Edition free risk assessment software on a Windows XP PC. Then download the PTA ISO27001 library.
- Step 0 - Fire up the program
- Step 1 - Load the ISO27001.2.thl library into your own threat model or just open the ISO27001.2.thm data model in its entirety
- Step 2 - Create assets with valuations
- Step 3 - Enter the costs of countermeasures; the PTA ISO 27001 library that we provide is agnostic; we understand that each organization has their own estimates of how much a control policy should cost.
- Step 4 - Run the Optimized Countermeasures report. You have just built a cost-justified plan of controls compliant with ISO 27001.
- Step 5 - Refine the model. Don’t stop here; return to the model periodically and test the effectiveness of your risk mitigation program. For a structured methodology of continuous security assessment, see the excellent article on the Software Associates Web site titled “Practical software security assessment”.
The power of the PTA ISO27001 library is demonstrated by a simple risk assessment with assets and threats that was built in just a few minutes and is available for download online.
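As an added example (not code from the PTA tool or the Control Policy Group), the following Python models the arithmetic behind Steps 2 to 4 in a simplified form: assets valued in dollars, threats with a yearly frequency and a damage fraction, countermeasures with an annual cost and a per-threat mitigation fraction, and a greedy selection that keeps only controls whose risk reduction exceeds their cost, ordered by reduction per dollar. The ALE formula, the greedy rule and all sample values are assumptions for illustration, not PTA's actual algorithm or library data.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset: str          # name of the asset it targets
    frequency: float    # expected occurrences per year
    damage: float       # fraction of asset value lost per occurrence

@dataclass
class Countermeasure:
    name: str
    cost: float         # annual cost of ownership, the organization's own estimate
    mitigation: dict    # threat name -> fraction of that threat's loss it removes

def annual_loss_expectancy(asset_values, threats):
    """ALE per threat: asset dollar value x damage fraction x yearly frequency."""
    return {t.name: asset_values[t.asset] * t.damage * t.frequency for t in threats}

def optimized_countermeasures(asset_values, threats, controls, budget):
    """Greedy cost-justified plan (simplified, assumed model): each round take the
    control with the best risk reduction per dollar, if it removes more expected
    loss than it costs and fits the remaining budget. Returns (plan, residual ALE)."""
    residual = annual_loss_expectancy(asset_values, threats)
    pool, plan, remaining = list(controls), [], budget
    while True:
        best = None
        for c in pool:
            reduction = sum(residual.get(t, 0.0) * m for t, m in c.mitigation.items())
            if reduction <= c.cost or c.cost > remaining:
                continue    # not cost-justified, or unaffordable this round
            if best is None or reduction / c.cost > best[2] / best[1]:
                best = (c, c.cost, reduction)
        if best is None:
            return plan, residual
        # Apply the chosen control: each threat's residual loss shrinks by its mitigation
        residual = {t: v * (1.0 - best[0].mitigation.get(t, 0.0)) for t, v in residual.items()}
        remaining -= best[1]
        plan.append((best[0].name, best[1], best[2]))
        pool.remove(best[0])

# Constructed sample model, not data from any real assessment.
ASSET_VALUES = {"Customer database": 500_000, "Web server": 100_000}
THREATS = [Threat("SQL injection", "Customer database", 0.5, 0.4),
           Threat("Ransomware", "Customer database", 0.2, 0.5),
           Threat("DDoS", "Web server", 2.0, 0.05)]
CONTROLS = [Countermeasure("Secure coding and code review", 30_000, {"SQL injection": 0.8}),
            Countermeasure("Offline backups", 10_000, {"Ransomware": 0.9}),
            Countermeasure("DDoS scrubbing service", 20_000, {"DDoS": 0.9}),
            Countermeasure("Web application firewall", 15_000, {"SQL injection": 0.5, "DDoS": 0.3})]
```

With a $60,000 budget the plan comes out as backups, then the web application firewall, then secure coding, and the DDoS scrubbing service is never selected because it removes less expected loss than it costs, which is the point made above that additional controls do not necessarily reduce risk.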