Security Vision Compliance Management

Product
The name of the base system (platform): Security Vision Specialized platform for automating information security processes
Developers: GC Intelligent Security (Security Vision Brand)
Date of the premiere of the system: 2024/03/05
Last Release Date: 2024/05/20
Technology: BI, SaaS - Software as a Service

Main article: Definition of Business Intelligence

2024

Compliance Service Release

On May 20, 2024, Security Vision announced the release of the Compliance service on the Security Vision 5 platform, provided by subscription from the cloud.

According to the company, the service makes it possible to automate compliance assessment or to conduct self-assessment in any area of the company's activities without installing a solution in the infrastructure. It is suited to test projects that need fast implementation with lower infrastructure and labor costs, since the platform does not have to be deployed and configured.

The service provides tools for checking compliance with the requirements of standards, both for the organization as a whole and for its individual elements, such as information systems, business processes, premises and other business assets of the enterprise. The system provides flexibility in selecting an evaluation method, based either on a standard from the expertise package or on the organization's own evaluation method.

The expertise package is updated by Security Vision methodologists on a regular basis, which relieves the customer of the burden of tracking changes in standards and guidance documents. The most significant capabilities are listed below.


Maintaining a register of requirements standards

The product contains the most widely used standards, frameworks and practices, such as FSTEC Orders No. 17, 21, 31, GOST 57580, ISO 27001, NIST and others. In addition, you can create your own standards, either by compiling them from existing requirements (taken from other standards) or by writing your own requirements. Standards can be created in the system interface or imported from a file. You can specify your own rating scale and any number of answer options for each requirement.

Assets and protections

The system allows you to load the resource and service model of the enterprise, including products, business processes, information systems, etc., detailed down to technical elements such as servers, premises and equipment. Loaded assets can be associated with protection measures, which makes it possible to automatically obtain a top-level compliance assessment for the whole company.

Conformity assessment

The assessment process can be carried out both manually (filling out questionnaires) and in an automated format: measures to protect specific information systems are taken into account, as well as the results of previous assessments.

The evaluation process can be carried out both for the enterprise as a whole and for specific systems in particular, with a visual representation of the progress of work.

Flexible questionnaire model

One of the main mechanisms for clarifying and collecting information during the assessment process is the automated generation of questionnaires. Questionnaires can be delegated to different departments and different performers (depending on the subject of assessment), and their status and completion progress are monitored. The auditor sees the degree of compliance of the evaluation object with the requirements of the standard in real time.

As a result, the service itself will compile all the received data in a single scorecard of the assessment process and prepare a template for an action plan to bring the assessment object into compliance with the requirements of the standard.

Target Action Plans

The evaluation process allows you to identify unmet requirements (those applicable to the information system being analyzed), extract them into a separate document, and create an action plan for their implementation. The system can automatically generate tasks for meeting the necessary requirements and monitor their execution in external systems.

Compliance Degree Visualization Analytical Engine

One important part of the product is the visualization module, which allows you to analyze all components of the evaluation process on the fly, at different stages and in several views. This makes control over the audit transparent and convenient.

All functionality supports the delimitation of access rights both by role model and by the organizational structure of the client's parent companies, subsidiaries and branches. The cloud service allows you to distribute the load (including the load of operating the product), so that compliance assessment procedures can be launched faster and at a lower cost.

Cybersecurity is a mandatory factor in the work of a company of any scale. The Security Vision product, which covers the needs of the SGRC/GRC direction from the cloud, is now available to everyone at affordable prices. I think this is really important, since the SMB segment is experiencing both security needs and financial constraints.

commented Ruslan Rakhmetov, CEO of Security Vision

Security Vision Compliance Management announcement

On March 5, 2024, Security Vision announced the release of the Compliance Management product on the Security Vision 5 platform.

According to the company, the "Compliance Management" product is a professional solution for conducting assessment processes. Its capabilities include not only compliance checks, but also the prompt assessment of a group of employees in any area of interest to the company (for example, in the context of completing awareness-raising tasks).

Security Vision Compliance Management implements tools for checking compliance with standards, both for the organization as a whole and for its individual elements, such as information systems, business processes, premises, and other enterprise assets. The system provides flexibility in selecting an evaluation method, based either on standards from the expertise package or on the organization's own evaluation method. Using the platform's capabilities, the evaluation process can be automated. This reduces the number of routine operations and allows information to be collected and processed more efficiently in a single window.

Key Product Capabilities

Maintaining a register of requirements standards

The product contains the most commonly used standards and frameworks as of March 2024, such as FSTEC Orders No. 17, 21, 31, GOST 57580, ISO 27001, NIST and others. In addition, the user can form corporate standards by adding their own requirements or reusing requirements from existing standards. Requirements are grouped by domain to facilitate analysis, and the general view of the document can be customized both visually and functionally. A standard can be uploaded to the system from a file and, if necessary, exported to a file for ease of working with requirements.

The user is not limited in the number or functionality of the standards and surveys, of any configuration, that can be created in the system, while the knowledge base of out-of-the-box standards is constantly maintained and supplemented as part of regular updates.

Each standard has a status model that supports the procedure for updating documents and moving outdated ones to the archive.

A rating scale is set up for the requirements and answer options are defined. Answers and their weights can be added flexibly for each specific question or requirement, which allows you to apply an individual methodology for calculating the result for any number of answer options.

Assets and protections

The system allows you to load the resource and service model of the enterprise, including products, business processes and information systems, detailed down to technical elements such as servers, premises and equipment. Loaded assets can be associated with security measures to automatically obtain a company-wide compliance assessment.

The product provides a knowledge base of protection measures (NOS FSTEC), as well as the ability to create custom measures. Measures have a status model that allows you to clearly assess the current and planned compliance of specific assets with the requirements. Requests to introduce custom measures are supported, with tracking of the progress of their implementation.

Conformity assessment

The evaluation process can be carried out both manually (filling out questionnaires) and in an automated format: measures to protect specific assets are taken into account, as well as the results of previous assessments.

The evaluation process can be carried out both for the enterprise as a whole and for specific systems in particular, with a visual representation of the progress of work.

The assessment can be carried out either completely online or partially offline (compiling questionnaires, defining assessment methods, forming standards, the information collection stage), which is useful for working with remote locations.

Flexible questionnaire model

One of the main mechanisms for clarifying and collecting information during the assessment process is the automated generation of questionnaires. Questionnaires can be delegated to different departments and different performers (a questionnaire for one object can be sent to several employees for a more complete picture), and their status and completion progress are monitored. The auditor sees the degree of compliance of the evaluation object with the expected level in real time. The questionnaire has a lifecycle in which the auditor checks its completion and sends it back for revision if necessary. An automatic mechanism validates the data and consolidates it into a single integral assessment of the object's compliance with the requirements.

The process of filling out the questionnaire can be customized to your own assessment methodology (adding approval steps, collecting and receiving data, etc.).

The product notifies users of all significant changes in the system (a questionnaire received for completion, tasks assigned for execution). Scheduled notifications can be configured. Notifications are delivered through both internal and external channels (e-mail, Telegram). Custom notifications can be created using HTTP services, mail services, files and databases.

As a result of the operation of the module, the system itself will summarize all the received data in a single scorecard of the evaluation process and prepare a template of an action plan to bring the evaluation object in line with the expected result or requirements of the standard.

Target Action Plans

The evaluation process allows you to automatically identify unmet requirements (those that apply to the object being analyzed), extract them into a separate document, and generate a plan of measures to implement them. The system allows you to create tasks for implementing fixes and protection measures and to monitor their execution in external systems.

The task mechanism for implementing protection measures makes it possible to track deadlines for taking tasks into work and for completing them, to reassign those responsible, and to accept tasks or send them back for revision. The life cycle of tasks can be customized.

When tasks for implementing fixes and protection measures are completed, all changes are automatically reflected on the assets of the resource and service model and are taken into account in subsequent regular assessments.

Two-way integration with service desk (SD) systems (JIRA, NAUMEN, OTRS) is implemented, which allows tasks to be synchronized between the product's modules and the external system. Integration with any other required external system can also be created.

Compliance Degree Visualization Analytical Engine

One of the important parts of Security Vision Compliance Management is the visualization module, which allows you to consolidate the received information and analyze all components of the assessment process. The product provides several predefined dashboards, including an interactive map that shows an integral compliance assessment for each of the distributed organizations. The BI analytics functionality in dashboards allows you to implement various visualization options in the necessary sections (by organizations, evaluation objects, standards). Dashboards and widgets support drill-down for detailed analysis of the displayed data.

Report Library

Express reports are available from resource and service model objects, standards, evaluation processes and questionnaires, along with pre-configured general reports on various data slices. Reports can be customized: built-in platform mechanisms allow you to create custom reports in no-code mode and to configure automatic report generation on a schedule. Reports can be sent through various channels, including email, file shares, Telegram and others.