
Security Vision NG SGRC, or New Horizons of Process Automation

22.12.2025

Security Vision develops its SGRC line for automating and managing information security processes: compliance management against various RMD, risk management and threat modeling, business continuity management and other strategic security processes. All the solutions described in this review are built on a single automation platform with no-code designers, which makes it possible to offer not only Security Vision's own developments but also solutions created by our technology partners, for example operational risk management modules or automated counterparty verification.

 

The GRC product development direction is based on modern requirements of domestic and international standards in the field of information security, for example:

 

- ISO 27005:2022 – Information security, cybersecurity and privacy protection. Guidance on managing information security risks;
- NIST Cybersecurity Framework (CSF) 2.0 – Cybersecurity concept for managing and mitigating cybersecurity risks;
- ISO 22301, GOST R ISO 22301 – Business continuity management systems. General requirements;
- GOST R ISO/IEC 27005 – Information security, cybersecurity and privacy protection. Guidelines for Information Security Risk Management. Requirements and guidelines.

 

NG SGRC offers analysts a universal assessment platform and allows you to analyze information both independently and with the involvement of experts using personalized surveys. For example, you can collect data on potential damage from business units and on the likelihood of threats from technical specialists. The assessment can be performed either manually (by filling out forms) or automatically, taking into account existing security measures and data from past assessments.

 

INFORMATION SECURITY MANAGEMENT (GOVERNANCE)

 

Security Vision Governance allows you to take a comprehensive approach to information security management and consistently build information security processes in an organization.

 

When starting to develop information security in an organization, it is necessary to form a mission and vision for information security, create a list of key roles and assign employees to them. The product includes a framework based on the principle of the RASCI role matrix, with the ability to adjust it taking into account the specifics of a particular organization and the explicit designation of roles that have not been assigned.

 

Thus, Security Vision NG SGRC is used to establish the organizational context: the scope of information security and the stakeholders, which come in two types:


- Internal (various departments, decision makers);
- External (regulators in the field of information security, partners, shareholders).

 

The requirements of each of the stakeholders, as well as their priority, are subsequently taken into account to assess information security risks.

 

The cybersecurity strategy is the main document defining the direction of information security development in an organization. At this level, the framework that the organization plans to adhere to is selected. The product offers two main frameworks to choose from - NIST CSF 2.0 and ISO 27001. At the same time, it is possible to create your own framework or combine it with existing ones.

 

The main risk management elements are also defined at this level; they are used later when assessing and treating information security risks:


- Business risks
- Risk management process
- Risk management methodology
- Risk appetite and risk tolerance

 

Based on the selected framework, an analysis of the current and target state of information security in the organization is carried out, on the basis of which a strategic plan for further actions is formed. The strategic plan can be flexibly divided into stages depending on the time frame, and at each stage tasks are created for a specific performer. It is convenient to track the progress of tasks and projects on the summary dashboard.

 

The list of information security processes is generated automatically after the framework is selected. Security Vision SGRC provides typical processes with a description of their stages or necessary actions. Most processes are also linked to topic-specific information security policies, which regulate those processes and define the procedures for performing the necessary actions within them.

 

For most policies, including the basic information security policy, the product provides templates that will help you quickly generate final documents.

 

To maintain the current state of information security, a flexible approach has been developed in which it is possible to configure notification intervals for the need to review, update or improve the main entities, each of which has the roles of the employees involved configured.

 

RMD COMPLIANCE MANAGEMENT

 

Security Vision Compliance Management offers tools for verifying compliance with standards and best practices, covering both the organization as a whole and individual business assets, divisions, business processes or other infrastructure elements. The system provides flexibility in the choice of assessment methodology, providing the opportunity to use standards from a package of expertise or apply their own methods.

 

Thanks to the platform, the assessment process becomes automated, which significantly reduces the number of routine operations and allows for more efficient collection and processing of information, combining all the necessary data in one window for easy access and analysis.

 

Compliance assessment can include information security audits, penetration testing, and analysis of security policies and access control procedures. The product offers the user the most commonly used standards, frameworks and best practices, for example:


- FSTEC Orders 17, 21, 31, 239
- GOST 57580
- Regulation of the Bank of Russia No. 716-P
- Federal Law No. 187
- Federal Law No. 152
- Federal Law No. 63-FZ
- PCI DSS 4.0
- NIST Cybersecurity Framework 2.0
- CIS (Critical Security Controls).

 

Users are given the opportunity to create their own standards or conduct a self-assessment procedure, combining requirements from existing ones or developing their own, which provides flexibility and adaptation to the specific needs of the organization.

 

The process of assessing the compliance of information systems and organizations includes an analysis of the current state and verification of compliance with established data security standards with a full cycle of task management.

 

A key element of the assessment process is the automatic generation of questionnaires, which are distributed among various departments for filling out. The status is monitored automatically in real time, and the system collects and analyzes the data obtained, forming a unified picture of the condition of the assessment object and automatically generating an action plan to eliminate identified inconsistencies.

 

The system sends notifications on all transitions in the life cycle status of both assessment processes and questionnaires to the communication channels familiar to the organization: mail, Telegram, etc.

 

Based on the survey results, an action plan is formed, according to which the system automatically identifies nonconformities and generates tasks to eliminate them. The Action Plan tab allows you to track the progress of tasks and simulate the impact of implemented measures on the overall security level.

 

After the assessment procedure is created, surveys are formed and responsible persons are appointed. For ease of management, a list of submitted surveys is displayed on the process card. Each completed survey is reviewed and approved, and if necessary, the survey is returned for revision.

 

This integrated approach not only increases the level of protection of information systems, but also improves the manageability of the process of bringing them into line with the best practices and requirements of regulators, which is quite labor-intensive and difficult to manage in the absence of SGRC class systems.

 

CYBERSECURITY RISK MANAGEMENT

 

Security Vision Risk Management covers the entire lifecycle of the risk management process, starting from the stage of defining the environment and describing the business and IT infrastructure components.

 

The subsequent stages of risk analysis and assessment support both qualitative and quantitative assessment methods. The service allows the analyst to make an assessment completely independently or to collect data from experts through questionnaires, using the approach of the compliance management module. At the risk treatment stage, users can simulate different configurations of security measures in order to select the set with the best cost-effectiveness ratio. The assessment of information security threats is based on:

- the FSTEC methodology dated February 5, 2021
- qualitative assessment of cybersecurity risks
- quantitative assessment using the FAIR (Factor Analysis of Information Risk) methodology
- Monte Carlo risk modeling.

 

The Monte Carlo risk modeling functionality allows users to run multiple iterations of scenarios using random variables to account for possible changes and variations in the data. As a result, the user will be able to assess the potential amount of losses and risk exposure, and use the frequency and damage distribution parameters to track the minimum/average/maximum values for future use.

 

The assessment can be carried out either entirely online or partially offline due to the functionality of importing and exporting data to a file (compiling questionnaires, assessment methods, forming standards, and the information collection stage), which is useful for working with remote locations. All qualitative assessments are converted into a point system, within which the assessment results can be calculated taking into account the practices adopted in a particular organization (average, median, maximum, etc.). Due to this, qualitative and quantitative assessments are calculated using uniform formulas.

 

After all the data has been collected and the risk indicators have been calculated, the risk treatment functionality comes into play: the user can simulate the effect of implementing particular protection measures and compare their cost with the degree of risk reduction they deliver. In this way, the system interface lets you select the set of measures with the best ratio of price to effectiveness.
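The Monte Carlo modeling and the cost-versus-risk-reduction comparison described above can be sketched as follows. This is an added example, not Security Vision code: the Poisson event frequency, the triangular loss distribution, and every scenario and measure figure are constructed assumptions.

```python
import math
import random
import statistics


def poisson(rng, lam):
    """Draw the number of loss events in one simulated year (Knuth's method)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(freq, loss_min, loss_mode, loss_max,
                         iterations=10_000, seed=7):
    """Return one total annual loss per iteration.

    freq is the mean number of events per year; each event's damage is drawn
    from a triangular(min, mode, max) distribution (an assumed shape).
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = []
    for _ in range(iterations):
        events = poisson(rng, freq)
        totals.append(sum(rng.triangular(loss_min, loss_max, loss_mode)
                          for _ in range(events)))
    return totals


def summarize(totals):
    """Minimum / average / 95th percentile / maximum of the simulated losses."""
    ordered = sorted(totals)
    return {
        "min": ordered[0],
        "mean": statistics.fmean(ordered),
        "p95": ordered[int(0.95 * (len(ordered) - 1))],
        "max": ordered[-1],
    }


def rank_measures(scenario, measures):
    """Rank measures by (reduction in mean annual loss) minus annual cost."""
    baseline = summarize(simulate_annual_loss(**scenario))["mean"]
    ranked = []
    for m in measures:
        treated = {
            "freq": scenario["freq"] * m["freq_factor"],
            "loss_min": scenario["loss_min"] * m["loss_factor"],
            "loss_mode": scenario["loss_mode"] * m["loss_factor"],
            "loss_max": scenario["loss_max"] * m["loss_factor"],
        }
        residual = summarize(simulate_annual_loss(**treated))["mean"]
        ranked.append({
            "name": m["name"],
            "risk_reduction": baseline - residual,
            "net_benefit": baseline - residual - m["annual_cost"],
        })
    return sorted(ranked, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample scenario: about 2 events per year, damage 10k to 250k.
SCENARIO = {"freq": 2.0, "loss_min": 10_000, "loss_mode": 50_000,
            "loss_max": 250_000}

# Constructed sample measures: factors scale event frequency or damage.
MEASURES = [
    {"name": "measure A", "freq_factor": 0.5, "loss_factor": 1.0, "annual_cost": 40_000},
    {"name": "measure B", "freq_factor": 1.0, "loss_factor": 0.8, "annual_cost": 60_000},
    {"name": "measure C", "freq_factor": 0.25, "loss_factor": 1.0, "annual_cost": 200_000},
]

if __name__ == "__main__":
    print(summarize(simulate_annual_loss(**SCENARIO)))
    for row in rank_measures(SCENARIO, MEASURES):
        print(row)
```

A measure with a negative net benefit costs more per year than the average loss it removes, even if its raw risk reduction is the largest.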

 

From the same window, the user can create risk treatment tasks. The task mechanism for implementing protection measures makes it possible to monitor the deadlines for taking tasks into work and completing them, reassign responsible persons, and accept tasks or send them back for revision. The task lifecycle can be customized.

 

Thanks to the key risk indicator (KRI) functionality, the service provides proactive risk management: the system continuously monitors the security status, automatically identifying potential threats and notifying responsible persons of the need to take action. The user can fine-tune exactly which risks a particular indicator applies to, as well as set filters for automatic risk selection. This approach provides a faster and more accurate response to potential threats, improving overall cybersecurity performance.

 

The service includes reference books from the FSTEC Information Security Threat Database and allows you to implement threat modeling and risk scenarios based on a ready-made and interconnected data set. These reference books consist of the following elements:


- negative consequences
- types of violators
- threats
- components of the impact
- ways to implement threats
- protective measures.

 

BUSINESS CONTINUITY MANAGEMENT

 

Security Vision Business Continuity Management is a solution for automating the process of ensuring continuity and restoration of activities after the occurrence of emergencies. The product is located at the intersection of technologies: it affects both information security processes, dealing with the consequences of threats related to the failure of information systems, equipment, loss of key suppliers, personnel or premises, and IT processes, analyzing the information model of the enterprise, service resources, asset health metrics and recovery procedures.

 

The solution ensures the implementation of the process at all stages of its life cycle:

 

1) At the stage of "Business impact analysis and risk assessment", information about business processes and their dependence on various company resources is collected through a survey of resource owners. The purpose of this process is to determine the operational, legal, and financial consequences of failures and identify key metrics.

2) At the stage of "Business Continuity Plan", the product allows you to systematize plans for ensuring the continuity of specific business processes for specific types of emergencies.

3) At the stage of "Defining and implementing business continuity procedures", an integrated application system is used, in which it is possible to set and monitor the implementation of tasks to bring the infrastructure in accordance with approved continuity plans.

4) It is also possible to conduct regular testing of continuity plans to assess the achievement of key performance indicators.

 

Business Impact Analysis and Risk Assessment (BIA, Business Impact Analysis) provides an opportunity to form a process assessment area. At the same time, the objects for which the questionnaires will be created will be reflected in the graph of links. The relationship graph, in turn, is interactive and allows you to expand the relationships of objects to display their dependencies, as well as add objects to the evaluation area.

 

During the assessment, the analyst has extensive options for managing surveys: adjusting the deadlines for completion, appointing new responsible persons, revoking outdated questionnaires and creating new ones. This is especially useful when new assessment objects are discovered that were not considered at the initial stage. You can create any number of additional questions with any number of answers in the directory system, and preset questions are configured according to the parameter values relevant to a particular organization, for example:


- periods of interruption of activity;
- types of consequences;
- categories of consequences;
- strategies for actions in case of resource unavailability.

 

The interim results of completing the questionnaires are always available to the BCM analyst on a short and complete assessment process card in an easy-to-analyze form. Information about identified discrepancies in key metrics or changes to object properties is displayed in the form of tooltips on the corresponding questionnaires.

 

The result of this stage is an automated calculation of the values of key parameters, such as:


- the maximum tolerable period of disruption (MTPD);
- the recovery time objective (RTO);
- the recovery point objective (RPO).

 

The Business Continuity Plan (BCP, Business Continuity Plan) is an entity that accumulates up-to-date information on the business processes of a given division in terms of criticality and key metrics and includes:


- specific troubleshooting steps;
- terms of plan activation and deactivation;
- roles and responsibilities, key contacts;
- description of methods and means of communication.

 

The Disaster Recovery Plan (DRP) contains a set of emergency scenarios and a list of actions for each of them. The actions are divided into three stages, which can be either sequential or parallel:


- immediate measures in case of emergency (evacuation of personnel, calling the fire brigade);
- measures to maintain the functioning of the unit (transfer to remote work, relocation to an alternative site);
- measures to restore the normal functioning of the unit (restoration of the IT infrastructure).

 

For each action, the person responsible for it and the maximum allowed time limit are indicated. Pre-defined criteria for returning to the normal functioning of the business are also indicated. Thus, when the continuity plan is activated, the action plan corresponding to the emergency situation is carried out.

 

Effective interaction between the participants in the process is ensured by a built-in communication matrix, which includes the contacts and roles responsible for executing the plan, as well as the organization's external and internal emergency contacts. A separate "Test Plan" object is responsible for keeping the continuity plan up to date. Based on the results of testing, a report on its success is compiled and attached, and if stages that have not been tested are identified, a task is created to adjust the corresponding continuity plan.

 

Testing is carried out on a regular basis, and the system automatically sends notifications to responsible persons about the need to conduct a particular test, depending on the configured schedule.

 

ASSET AND INVENTORY MANAGEMENT

 

The core of NG SGRC is the resource and service model, which allows you to recreate the information structure of an enterprise in detail and covers all levels of the organization, from fundamental business processes to technical assets, providing a holistic view of the company's activities. The analysis can be carried out for the entire organization, as well as for individual information systems, both at a high level for aggregates of objects, and in detail for a specific workplace, printer or phone.

 

This data model allows you to describe all the necessary objects, starting with the fundamental entities that the business operates with, and ending with technical assets that are the necessary resources for the implementation of business assets. The key business objects in the resource-service model are:


- business process;
- product;
- supplier;
- room;
- technological equipment.

 

Each object has its own set of attributes with the ability to edit and configure relationships with other objects in the organization. In general, objects are interconnected hierarchically according to the developed data model. Thus, the principle of dependence of one entity on another is taken into account (for example, a business process may completely depend on the functioning of a certain information system). Due to the presence of a visual representation in the form of a graph, it is possible to trace the relationships between objects to the required level of detail.

 

Users of the latest versions of on-premise Security Vision products aimed at automating incident and vulnerability management, business continuity management, and, of course, asset and inventory management receive a similar resource and service model.

 

There are two ways to create an asset model:

 

1) automatic loading via API from the asset and inventory management module located in the customer's infrastructure;

2) automated, by transferring files and then parsing.

 

THE ROLE MODEL

 

NG SGRC includes flexible access control, allowing you to adapt the evaluation process to any organization: the system supports the creation of roles with individual settings for access rights to data, reports and functionality. A user can combine multiple roles, extending their authority. The Role Designer makes it easy to customize the system to meet specific business requirements.

 

ANALYTICS

 

The final important part of the service in the current review is provided by the analytical engine – the visual designer of widgets and dashboards, reports and objects.

 

The service offers an out-of-the-box set of different dashboards for interactive analytics on various data slices, for example:

 

Analytical, for deep analysis of historical data:
- selection of an arbitrary period for analysis;
- comparison of indicators for different periods;
- trend charts to identify the dynamics of changes;
- convolution of data across different cross-sections (for example, by process types, departments, regions);
- the number of evaluations conducted;
- dynamics of changes in compliance indicators.

 

Strategic, to assess the overall state of the management system and identify areas for improvement:
- setting custom thresholds;
- visualization of the achievement of strategic goals;
- comparison of indicators with planned values;
- identification of bottlenecks, risks, and critical assets;
- total percentage of compliance with requirements;
- effectiveness of corrective actions.

 

Operational, for monitoring the current status of assessment processes:
- tracking the status of each assessment in real time;
- identification of delays and problematic processes;
- setting priorities for action;
- percentage of completed assessments.

 

For geographically distributed organizations, analytics on a map is useful:
- display of geographical location of divisions;
- color coding to indicate the level of compliance;
- the ability to filter by various parameters (for example, rating type, region);
- the average compliance rate and the number of deviations by region.

 

SECURITY VISION SGRC FOR SMB

 

The company recently launched the Security Vision SGRC Basic solution, designed for medium and small businesses (SMEs). The product provides management of key information security processes based on a risk-based approach and allows you to bring information security processes to a higher level as quickly as possible. SGRC Basic is also available as a cloud service (SaaS).

 

Key Features of Security Vision SGRC for SMB:

 

  • Quick start of work and elimination of resource costs for implementation and operation:

 

Security Vision SGRC Basic - all components are installed within one virtual or physical server (on one operating system), speeding up the implementation and support processes, which is important for small and medium-sized companies.

 

Security Vision SGRC SaaS - all components are already deployed and ready for use, which allows businesses to focus on core tasks rather than hardware support and updates. This allows companies, especially SMEs, to avoid capital expenditures and transform them into operating expenses that are easier to predict and control.

 

  • Regular delivery of content updates from the Security Vision Expertise Center.
  • Budget subscription price.

 

More detailed information about Security Vision SGRC Basic and Security Vision SGRC SaaS is available in the sections https://www.securityvision.ru/products/sgrc-basic/ and https://www.securityvision.ru/products/sgrc-saas/, as well as from the official distributor of Security Vision for the Basic line – OCS Distribution.
