BTRWATCH INFORMATION SECURITY MANAGEMENT SYSTEM
BTRWatch enables you to formalize and visualize the efforts you put into your information security.
You would like to manage your information security risks and keep them under control. You probably performed risk assessments, created information security plans and you are trying to record and manage them using the office worksheet and word processor applications.
You are tired of:
- Consolidating the worksheets originating from different people,
- Relating information written on different documents (e.g. relating risk scenarios with asset list, internal audit findings with corrective actions, etc.),
- Reading the procedures to remember the methodologies used for you risk assessments, internal audits and corrective action management processes over and over again,
Or if you are starting from scratch, reviewed the ISO27001 standard, but:
- You are having difficulty in designing the processes to implement the standard’s requirements and needing help,
- You don’t have resources to procure a high quality consulting support,
- You have the resources to procure a consulting support, but have second thoughts on the outcome of that support,
- You will have your personnel trained, but concerned that you will not be able to spread that know-how through the organization and possibly loose the investment if the related personnel leaves the organization,
Proven methodology for the implementation and operation of an ISMS
- BTRWATCH is the embodiment of the methodology developed after countless number of ISMS implementation and operation projects delivered by BTRisk. With BTRWATCH you can implement an efficient and effective ISMS which is fully compliant with ISO27001 and addressing your real information security requirements at the same time.
- BTRWATCH facilitates the implementation of your information security management system. The predefined and easy to use processes builtin puts you on the right track without undue pain.
Predefined control questions;
- All of the controls listed in ISO27001 are converted into granular questions which can easily be answered with yes or no answers. That enables the risk analysts and internal auditors to assess the security needs and vulnerabilities without the trouble of interpreting information security specific jargon.
- The management system specific questions, which are needed to assure compliance with the ISO27001 and ISO31000 risk management standard, are built into the software. The ISMS questions are granular at a level that makes it obvious and clear what is the specific non-compliance to the standard.
Predefined asset categories;
- During a risk assessment the question of what is an information asset might be struggling and cause you to stray from what is important. A large set of information asset categories are built in to BTRWATCH. In addition to that relevant information security vulnerabilities and information asset categories are related to facilitate the risk assessment process.
Predefined information security threats;
- The traditional formula for risk measurement contains impact and likelihood factors. In information security domain, threat is one of the components that constitute the likelihood factor. An information security threat is defined as a malevolent agent in some scenarios, and as a negative circumstance in others. It might be blocking for an inexperienced risk analyst to come up with a relevant threat definition for certain risk scenarios. A large set of threat relevant to information security risk scenarios comes builtin with BTRWATCH. In addition to that, relevant threats that might target specific information security vulnerabilities are related to facilitate the risk assessment process.
Integrated information security processes;
- The 4 critical information security processes built into BTRWATCH; risk assessment, internal audit, incident and weakness management and corrective action management, are integrated and support each other.
- Integration of the risk assessment and incident management processes enables you to know the previous incidents affected the information asset which you consider in a specific risk scenario in the risk assessment process.
- Integration of the internal audit and corrective action processes enables you to include the closed corrective actions in your internal audit plan for the current period to test their effectiveness to achieve their objectives.
- In your internal audit plans you can take the risk assessment results into consideration.
- Since the corrective action management process is integrated into the other 3 ISMS processes you can avoid redundant work. For instance, a corrective action need identified in the risk assessment process might be relevant to an incident also. Likewise, the same corrective action can be related to an internal audit finding. You can map various originating reasons to the corrective actions and view the reasons for each corrective actions on the relevant record.
Integration with the manual processes;
BTRWATCH hosts most of the critical information security management processes, and guides the other manual or human dependent information security activities to the right direction.
- The outcomes of all of the processes managed in BTRWATCH (risk assessment, internal audit, incident and weakness management, corrective action management) provide input for the Management Review process.
- Policies and procedures are affected and changed in accordance with the corrective actions implemented on the IT infrastructure and operations. With an active and effective corrective action process the policies and procedures become more applicable and realistic.
- Penetration tests and security awareness trainings can benefit a lot from the results of an effective risk assessment process. They can focus on what is important to the organization using the risk assessment results and resources can be used more efficiently.
- If the incident management process is effectively implemented and real life incident data is recorded, penetration testing and security awareness trainings target risks and threats with highest probability.
The critical information security processes implemented using BTRWATCH do not only provide input for the manual processes, but also take input from them to provide full integration with the manual processes.
- The specific control questions which are required by the organizational policies and procedures, but are not included in the ISO27002 standard can be added to the builtin control questions in BTRWATCH. They can be included in the risk assessment and internal audit processes.
- The changes in the security architecture are reflected in the asset list to be included in the risk assessment process.
- The incidents identified during the security operations can be recorded in the incident and weakness management module and the required corrective actions can be triggered.
- The vulnerabilities identified in the penetration tests can be input as weakness records and the required corrective actions can be triggered.
- The security requirements and weaknesses identified as a result of the Management Review process can be recorded and they can be followed up with the corrective action process.
An enterprise application;
- You can create user roles with different authorizations on BTRWATCH as many as required. Information security roles defined as part of BTRisk’s ISMS methodology come predefined in the application. Because of the role management infrastructure you can seperate the management and analyst roles apart. The ISMS and internal audit management teams can delegate the risk assessment and internal audit field work while retaining the review and approval authorizations for them. With the multiuser design of the application a risk assessment or internal audit engagement can be simultaneously performed on different departments and/or regions of the organization.
- The risk assessment and internal audit managers can monitor the works of the assigned risk assessment analysts and internal auditors with dashboard graphics and lists. The works of the assigned analysts and auditors can be reviewed, approved or returned to the relevant staff to be revised. Internal auditors can upload the supporting documents and evidences to the application to facilitate the reviews of the internal audit managers.
- Every risk assessment and internal audit period data is saved and not overwritten. Consequently, results of the previous risk assessment and internal audit works can be viewed any time.
- In order to avoid redundancy the assets and the threats can be grouped into a single risk assessment scenario where applicable. This however, does not prevent generating reports based on a single asset or threat. Even if the relevant assets or threats are grouped with others in the risk scenarios, relevant scenarios can still be filtered for certain assets and threats.
- Risk assessments and internal audits are performed for certain periods. The risk assessments however do not have to be done from scratch for each period. The relevant risk scenarios from a previous risk assessment can be carried forward easily to avoid rework.
- In risk assessment carry forward operations the statuses of the corrective actions related to certain risk scenarios are taken into account. If the corrective action related to a risk scenario is completed before the next risk assessment, the threat and vulnerability values are updated with the carried risk scenario to reflect the current status of the scenario and the risk value.
- The questions used to identify the vulnerabilities are created in line with the ISO27002 standard. For each control objective there is a high level question, and a number of detailed control questions. During the implementation of the ISMS from ground up, only the high level questions can be answered for the risk assessment process. However, as the ISMS matures and the organization has resources to deal with the detailed issues, the detailed control questions can be used to create low level risk scenarios.
- During a typical risk assessment, a rich set of information about the existing control infrastructure, control deficiencies and the required corrective actions come out. That information in BTRWATCH is used for the preparation of the statement of applicability, which is a standard requirement. The security management team can use that information as a draft to prepare the final statement of applicability.
- Organizations can create custom control questions, asset categories, threats and risk definitions and create relations among them. With this feature organizations can leverage BTRWATCH as a risk assessment and management system tool for their custom needs.
- During a risk assessment engagement an analyst might leave the organization or might have other priorities emerged. In this case the control questions can be moved among the risk analists without loosing the existing work done. This way the work already done is not wasted and the assessment might continue where it was left.