
Security Vision Security Governance, Risk Management and Compliance (Security Vision SGRC и auto-SGRC)

Product
The name of the base system (platform): Security Vision Specialized platform for automating information security processes
Developers: GC Intelligent Security (Security Vision Brand)
Date of the premiere of the system: 2020
Last Release Date: 2024/11/01
Technology: Information Security Management (SIEM)


Security Vision SGRC is a software product for automating the construction of an integrated information security management system (ISMS) in an organization using digitized data, which allows management decisions to be made quickly, based on objective data consolidated from many systems. The package includes Cyber Risk System, a software product for automating cybersecurity risk management processes. The software product automates processes such as risk management, audit management, compliance management (STO BR IBBS, PCI-DSS, ISO 27xx, FZ-152, etc.), management of documents and information security standards, and vulnerability management.

Security Vision a-SGRC (auto-SGRC) is a technology for robotizing SGRC systems. Security Vision a-SGRC allows you to automate/robotize the functions of SGRC systems that were previously performed mainly in manual mode.

Results of use (according to the developer)

  • 100% up-to-date picture of the state of compliance of the system with cybersecurity requirements
  • Up to 70% better awareness when making cybersecurity decisions in the company's strategic initiatives
  • Up to 60% faster cybersecurity risk assessment
  • Up to 70% automation of cybersecurity compliance assessment
  • Up to 80% increase in the collaboration effect and reduction of duplicate requirements through information exchange and enrichment of related cybersecurity systems
  • Up to 90% automatic cybersecurity risk processing (when used in conjunction with Security Vision IRP)

2024: Security Vision SGRC 2.0

On November 1, 2024, Security Vision announced the release of the next version of its product for process automation and compliance assurance, SGRC 2.0. Designers, low code/no code, automation of any processes, and building a resource and service model with quantitative risk assessment and a compliance model: this and much more is achievable with the Security Vision SGRC 2.0 product.


According to the company, the main features of Security Vision SGRC 2.0 include:

Asset and Inventory Management

The core of Security Vision SGRC 2.0 is a resource and service model that allows you to recreate the information structure of the enterprise in detail. It covers all levels of the organization, from fundamental business processes to technical assets, providing a holistic view of the company's activities. Analysis can be carried out both for the entire organization and for individual information systems, either at a high level for collections of objects or in detail for a specific workplace, printer or phone.

The resource and service model allows you to describe all the necessary objects, from the fundamental entities that operate the business to the technical assets that are the resources needed to implement business assets.

Cybersecurity Risk Management

The Risk Management module in Security Vision SGRC 2.0 covers the entire life cycle of the risk management process, starting with defining the environment and describing the business and IT infrastructure components. Subsequent stages of risk analysis and assessment support qualitative and quantitative assessment methods. The analyst can conduct the assessment entirely on their own or collect data from experts using questionnaires, following the approach of the compliance control module. The Risk Management module includes reference books from the FSTEC Information Security Threat Data Bank and allows you to implement threat modeling and risk realization scenarios based on a ready-made, interconnected data set.

Compliance Management for Regulatory and Methodological Documents (NMD)

The Compliance Management module in Security Vision SGRC 2.0 offers tools to verify compliance with standards and practices, covering both the organization as a whole and individual business assets, divisions, business processes, or other infrastructure elements. The system provides flexibility in the choice of evaluation methodology, allowing you to use standards from the examination package or use your own methods.

Thanks to the platform, the evaluation process becomes automated, which optimizes the number of routine operations and allows you to more efficiently collect and process information, combining all the necessary data in one window for convenient access and analysis. Auditing can include conducting information security audits, penetration testing, security policy analysis, and access control procedures, and offers the user the most used standards, frameworks, and practices.

FZ-187 Compliance Management (Security of the Critical Information Infrastructure of the Russian Federation)

The CII module of Security Vision SGRC 2.0 is a solution designed to fulfill the requirements of FZ-187 "On the Security of the Critical Information Infrastructure of the Russian Federation" and other related regulatory documents. The process of controlling requirement fulfillment with the CII module consists of the following stages:

  • The module registers additional assets, such as information systems and critical business processes, for subsequent classification as critical information infrastructure objects (OCII) and risk assessment.
  • Next, the procedure for classifying information systems as critical information infrastructure objects is carried out. To do this, special forms and tasks are created to eliminate inconsistencies and refine the data.
  • For information systems classified as OCII, potential threats are modeled in order to assess their vulnerability and develop protection measures.
  • The final stage creates a visual representation of potential threats, allowing you to assess the degree of risk and develop effective protection measures. This report can be saved for future use.

Business Continuity Management

Security Vision Business Continuity Management, part of Security Vision SGRC 2.0, is a solution to automate the continuity process and restore operations after emergencies. The product is at the intersection of technologies: it affects both information security processes, operating on the consequences of the implementation of threats associated with the failure of information systems, equipment, the loss of key suppliers, personnel or premises, and IT processes, analyzing the information model of the enterprise, servicing resources, asset performance metrics and recovery procedures.

The solution ensures the implementation of the process at all stages of its life cycle:

  • In the "Business Impact Analysis and Risk Assessment" phase, information about business processes and their dependence on various company resources is collected through a survey of resource owners. The purpose of this process is to identify the operational, legal and financial consequences of failures and to determine key metrics.
  • During the Business Continuity Plan phase, the product allows you to organize business continuity plans for specific types of emergencies.
  • The "Define and Implement Business Continuity Procedures" phase uses a built-in request system that allows you to deliver and monitor infrastructure alignment tasks in accordance with approved continuity plans.
  • It is also possible to conduct regular tests of continuity plans with an assessment of the achievement of key performance indicators.

Role model

SGRC 2.0 includes the ability to flexibly control access, allowing you to adapt the assessment process to any organization: the system supports the creation of roles with individual settings for access rights to data, reports and functionality. A user can combine several roles, expanding their permissions. The Role Builder allows you to customize the system to meet specific business requirements.

2023

Ability to simulate threats using all elements from the Threat Data Bank

Security Vision on September 5, 2024 announced the release of the updated Security Vision Risk Management (RM) product.

Security Vision RM is a comprehensive enterprise information security risk management system that provides opportunities for organizations of all sizes and industries. The product was developed taking into account the requirements of domestic and international standards in the field of information security risk management, such as ISO 27005:2022, GOST R ISO/IEC 27005, the FSTEC methodology, as well as the FAIR methodology.

Security Vision RM covers the entire life cycle of the risk management process, starting with the stage of defining the environment. Using a resource-service model, the system allows you to describe in detail the business and IT components of the infrastructure.

At the stage of risk identification, the product integrates the FSTEC methodology, providing the ability to simulate threats using all elements from the Threat Data Bank.

Subsequent stages of risk analysis and assessment support qualitative and quantitative assessment methods. The product gives the analyst the opportunity to conduct the assessment completely independently or collect data from experts using questionnaires. At the same time, for different experts, you can create different questionnaires depending on their competencies and areas of responsibility. So, from business units you can collect data on the potential damage from the implementation of certain threats, and from technical experts - get data on the likelihood of the implementation of a particular scenario in a certain infrastructure.

During the risk treatment phase, users can model different configurations of security measures to select the set with the best cost-effectiveness ratio, and create and manage risk mitigation tasks.

As part of risk monitoring and revision, the product includes the mechanism of Key Risk Indicators and the functionality of risk reassessment. The system automatically collects and aggregates data from various external sources, such as SOAR systems, vulnerability management, and asset management. As a result, the user receives a timely notification about exceeding the specified thresholds for all risks associated with the indicator.

Update of the SGRC Modules

Security Vision announced on April 13, 2023, an update to the Security Governance, Risk Management and Compliance (SGRC) discipline modules: the Information Security Risk Management Module, the Audit Management Module, and the Standards and Regulations Compliance Module.

These products allow you to organize risk assessment processes based on threat modeling, audits and verification of compliance with various standards, the list of which is based on internal and generally accepted (GOST, ISO/IEC) methods. During system configuration, individual actions can be automated; for this, external data sources and request processing systems are connected to the platform using connectors, which can be created without restriction directly within the graphical interface, without programming languages or the involvement of developers.

The engines of all modules have been significantly improved:

  • Increased number and depth of integrations with other systems. The built-in connector designer allows integration with any (even custom-written) system using universal tools: API (HTTP requests); databases (SQL interaction with Postgres, Oracle, MS SQL, etc.); scripts (PowerShell, SSH); files in read/write mode (machine-readable files, including XML/JSON of any size thanks to parallel processing of fragments); syslog; and proprietary protocols including MS AD, MS Exchange and Kafka.
  • Improved means of presenting large and complex data: enhanced visualization capabilities (widget in the timeline), added interactive observation tools, and an updated built-in BI engine for creating any number of widgets for analysis and investigation.
  • The integrity of the system and all data, regardless of content, has been strengthened: a single installer and platform provide any relationship between objects (controls, assets, risks and security measures), allow end-to-end analytics, and provide communication with the Security Vision technology modules (asset management, vulnerabilities, incidents, threat analysis and cyber intelligence) and the data in them.
  • Customization, including building dashboards and templates for exported reports, is carried out in the already installed system and does not require releasing separate product versions, which speeds up implementation when the customer needs to change the logic of work to suit their own requirements and methods.

The logic of the cybersecurity risk management module includes:

  • Maintaining reference books and databases of objects. IT assets are described and populated, grouped into information systems and objects of influence, together with lists of threats, methods of their implementation, applied protection measures, and the capabilities of violators.
  • Updating the threat model, for example with the results of threat modeling according to the FSTEC method and the official website of the NOS. Threat modeling can be carried out according to any method specific to the industry or a particular customer; for this, templates are created or existing ones modified using the built-in designers in the UI.
  • Initiating the risk assessment process. The risk manager who starts this process defines the working group: experts, engineers for processing tasks, and users for coordination and approval. Each user receives rights according to the role model.
  • Filling in data sheets. For simplicity, the reference books formed in the first stage are used, together with connectors to external systems, files and databases that contain useful information.
  • Mathematical transformations. The out-of-the-box qualitative risk assessment methodology can be adapted during implementation and operation. Mathematical formulas and processes built as block diagrams allow you to implement processes of any complexity; they can be cyclic and branched (with different options and algorithms depending on conditions).
  • Risk processing, which includes maintaining individual tasks and prioritizing them for executors. Depending on asset criticality, discovered vulnerabilities and other parameters, SLA assignment logic can be defined for all tasks.

The cycling of the process and the redefinition of controls according to a given schedule allows you to maintain all metrics and tasks related to the assessment of cybersecurity risks.
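The risk assessment flow described in this list and in the Security Vision RM description above (damage rated by business experts, likelihood rated by technical experts, a qualitative assessment, and Key Risk Indicators that notify when thresholds are exceeded), as an added example that is not Security Vision's code. The 5x5 matrix, aggregation rules, scenario names and indicator values are all constructed assumptions.

```python
"""Questionnaire aggregation, qualitative risk rating and KRI threshold
notifications (added example, not Security Vision code; all data constructed)."""
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Answer:
    scenario: str  # threat scenario the questionnaire item refers to
    role: str      # "business" experts rate damage, "technical" experts rate likelihood
    value: int     # 1..5 scale

@dataclass
class Risk:
    scenario: str
    damage: int
    likelihood: int
    level: str
    kris: list = field(default_factory=list)  # Key Risk Indicators linked to this risk

def qualitative_level(damage: int, likelihood: int) -> str:
    """Assumed 5x5 matrix: damage * likelihood bucketed into four qualitative levels."""
    score = damage * likelihood
    return "critical" if score >= 15 else "high" if score >= 9 else "medium" if score >= 4 else "low"

def assess(answers: list, links: dict) -> dict:
    """Damage = worst case (max) of business answers; likelihood = rounded mean of
    technical answers. A scenario answered by only one side is skipped rather than
    rated from half of its inputs, a common gap when questionnaires are incomplete."""
    by_scn = {}
    for a in answers:
        if a.role not in ("business", "technical") or not 1 <= a.value <= 5:
            raise ValueError(f"invalid answer {a}")
        by_scn.setdefault(a.scenario, {"business": [], "technical": []})[a.role].append(a.value)
    risks = {}
    for scn, parts in by_scn.items():
        if parts["business"] and parts["technical"]:
            dmg, lik = max(parts["business"]), round(mean(parts["technical"]))
            risks[scn] = Risk(scn, dmg, lik, qualitative_level(dmg, lik), links.get(scn, []))
    return risks

def kri_notifications(risks: dict, values: dict, thresholds: dict) -> list:
    """(indicator, scenario) pairs for every risk linked to an indicator whose current
    value exceeds its threshold. Indicators without a threshold are ignored, not treated as 0."""
    breached = {k for k, v in values.items() if k in thresholds and v > thresholds[k]}
    return sorted((k, r.scenario) for r in risks.values() for k in r.kris if k in breached)

def demo():
    """Constructed questionnaire answers and an indicator feed (as a VM or asset system would supply)."""
    answers = [Answer("ransomware", "business", 5), Answer("ransomware", "business", 4),
               Answer("ransomware", "technical", 3), Answer("ransomware", "technical", 5),
               Answer("insider_leak", "business", 2), Answer("insider_leak", "technical", 1),
               Answer("phishing", "business", 3)]  # no technical answer: skipped
    links = {"ransomware": ["unpatched_hosts"], "insider_leak": ["stale_accounts"]}
    risks = assess(answers, links)
    alerts = kri_notifications(risks, {"unpatched_hosts": 12, "stale_accounts": 3},
                               {"unpatched_hosts": 10, "stale_accounts": 5})
    return risks, alerts
```

Calling `demo()` returns the rated risks and one notification, for the ransomware risk whose linked indicator exceeded its threshold.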

Modules for audits and compliance with standards, depending on specific methods, requirements of GOST, ISO/IEC, contain separate predefined reference books, but generally include:

  • Start workflows for individual audit procedures;
  • Filling out the questionnaires with the involvement of the necessary participants in the process;
  • Assessment of measures implementation;
  • Creation of tasks for elimination of comments;
  • Start-up of elimination processes and reporting with closing of audit.

Descriptions of objects (audits, procedures, information system characteristics) include dozens of parameters, with the ability to create parameters, input fields, and attachments of external files and certificates without restrictions.

The Information Security Audit of Critical Information Infrastructure Facilities (CII) is based on RF Government Decree No. 127 and FSTEC Orders No. 235, 236 and 239 and includes:

  • Initialization of the categorization procedure for various information systems, determination of the significance parameters of CII objects (OCII);
  • Definition of category and protection measures with different parameters (description, technologies, implementations);
  • Start the compliance assessment process in accordance with the requirements of the regulator specified above;
  • Identification of non-conformities and development of a control plan with indication of terms and priority.

The implementation of activities and the transition to re-evaluation allow you to organize a cyclical process and keep the data up to date. It is also possible to maintain regulator requests and related tasks.

2020: Intelligent Security Creates SGRC-Class Robotization Technology

Intelligent Security Group has created a technology for robotizing SGRC-class systems: Security Vision a-SGRC (auto-SGRC). Security Vision a-SGRC allows you to automate/robotize the functions of SGRC systems that were previously performed mainly in manual mode, including monitoring the implementation of internal and state regulatory requirements for information protection.

SGRC (Security Governance, Risk Management and Compliance) systems are designed to automate the construction of an integrated information security management system (ISMS). The three main tasks that they solve are information security management, ensuring a risk-oriented approach to information security and compliance with legislation.

Often SGRC systems involve a significant amount of manual work: filling out questionnaires, collecting and entering data, transferring information from one format to another (for example, when importing information from internal IT platforms into the SGRC system), filling out checklists for compliance with standards.

Security Vision a-SGRC technology represents virtually a new milestone in the automation/robotization of information security processes, especially in risk calculation and compliance with legislative norms and internal standards. The technology allows you to automate/robotize information security management processes as much as possible, and adds much-needed feedback that automatically adjusts the configuration of IT assets and information protection systems (IPS).

The a-SGRC solution helps to implement real-time compliance control, ensuring the maximum degree of automation of the actions of information security departments, while allowing you to maintain the level of not only "paper," but also actual security by integrating with various IT systems and security tools for their prompt reconfiguration and control. The analytics and visualization functionality will help managers see the current state of compliance with legal requirements, and the audit interface will be useful during both internal and external audits.

2019

Linter DBMS compatibility

On July 8, 2019, Intelligent Security announced that, together with RELEX Group of Companies, they have successfully completed testing the compatibility of their own software products:

Companies have confirmed the compatibility of software products with the release of relevant certificates. Intellectual Security Group and RELEX Group plan to further develop the technological partnership and ensure the compatibility of their software products in the interests of customers.

Software products from both manufacturers are included in the register of Russian software of the Ministry of Communications.

Compatibility with Postgres Pro Standard 11/Enterprise 11 DBMS

On June 28, 2019, Security Vision announced that it had confirmed the compatibility of a number of its software products with Postgres Professional. They became technology partners and issued appropriate certificates of compatibility.

Companies have carried out work to test the compatibility of the following software:

  • Security Vision Cyber Risk System and Postgres Pro Standard 11 / Enterprise 11 DBMS;
  • Security Vision Incident Response Platform and Postgres Pro Standard 11 / Enterprise 11 DBMS;
  • Security Vision Security Governance, Risk Management and Compliance and Postgres Pro Standard 11 / Enterprise 11 DBMS;
  • Security Vision Security Operation Center and Postgres Pro Standard 11 / Enterprise 11 DBMS.

The companies plan to continue ensuring the compatibility of their software products in the interests of both companies' customers and the development of domestic software.