Security Risk Governance System "iMorpheus"
Publication Date: 2011-Aug-17
6 page(s) / 95K

Disclosed are a method and software that provide a framework for operating an enterprise's Security and Risk Management System as a Governance System. The system measures the capacity for self-management and evaluates in real time the state of risk of the organization's assets and infrastructure, based on a 'Separation of Duties' core and modular, integrated repositories of control points and evidence, in order to assure compliance with international security standards.

Security Risk Governance System "iMorpheus"

Organizations spend a lot of effort keeping their IT infrastructure secure, yet there are no solid tools or integrated solutions that enable them to administer IT security effectively. The main problems identified regarding Security Management are:

• Information, documentation and evidence from security operations are dispersed across the organization and are therefore difficult to collect for audit or self-assessment purposes.

• Tools and kits offered over the Internet are only questionnaires for performing risk assessments and gap analyses, plus templates to guide an "ISO27001" implementation.

• There are no manual or automated mechanisms that guarantee 'Separation of Duties' (SOD) for security administration operations.

• Policies, procedures and controls are not homogeneous across accounts and organizations, including outsourcing vendors.

• Scheduling, activity tracking and the generation of reports or statistics from security administration operations are done manually and are hard to keep up to date.

'Security Risk Governance System' model architecture

The main objective of the proposed method is to guide organizations, even from the very beginning, through a transformation from traditional security administration to an innovative Security and Risk Governance model, with an integrated system that includes all the subject matters international standards must cover to assure proper Risk Management (Figure 1).

Figure 1: Security Risk Governance System (SRGS)


In the 'Security Risk Governance System' (SRGS), the scope of each module can be customized for every organization according to its particular characteristics, needs and prioritization of business objectives. The modules and their descriptions follow:

• Core:
- Adequately define the responsibilities associated with each role or user, to reduce the risk of fraud or misuse (SOD)
- Provide direction for Security Committees or any other security entity
- Define security levels and scope according to a cultural maturity model within the organization and for all customers involved
- Ensure that the security items in contracts, local/global regulations or customer requirements are fulfilled

• Evidences: Identify and schedule security activities and keep the evidence in order

• Policies/Process: Establish a common "security" language between the organization, its customers and suppliers, plus a risk structure through the definition of procedures and security technical specifications

• Issue Management: Determine and report corrective actions for any incident related to the "Core" definitions or to any other 'Security Risk Governance System' (SRGS) module, from identification and follow-up through to its closure (solution)

• Audit/Report:
- Provide, at any time, the security status according to the granted maturity level
- Report the quantity and quality measurements required in each mat...
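As an added example (not part of the disclosure), the following Python models the Core module's SOD rule: duties that must not rest on a single user are declared as conflict pairs, every user's combined roles are checked against them, and a role grant is refused when it would introduce a conflict. The role names, duty names, conflict pairs and assignments are constructed for illustration.

```python
"""Separation-of-Duties (SOD) check for security administration roles.
Added example, not part of the disclosure: all role/duty names, conflict
pairs and sample assignments are constructed for illustration."""

# Conflict pairs: two duties that must never rest on the same user. Each pair
# spans an SRGS module boundary (Policies vs. Audit, evidence collection vs.
# approval, Issue Management ownership vs. closure).
SOD_CONFLICTS = {
    frozenset({"policy_author", "auditor"}),
    frozenset({"evidence_collector", "evidence_approver"}),
    frozenset({"issue_owner", "issue_closer"}),
}

# Role -> duties it grants (a role may bundle several duties).
ROLE_DUTIES = {
    "security_officer": {"policy_author", "issue_owner"},
    "operator": {"evidence_collector"},
    "compliance_lead": {"evidence_approver", "issue_closer"},
    "internal_auditor": {"auditor"},
}

def sod_violations(assignments):
    """Map each offending user to the sorted conflicting duty pairs granted by
    the union of their roles. assignments: user -> set of role names."""
    report = {}
    for user, roles in assignments.items():
        duties = set()
        for role in roles:
            duties |= ROLE_DUTIES[role]  # an undefined role is a config error
        hits = sorted(tuple(sorted(p)) for p in SOD_CONFLICTS if p <= duties)
        if hits:
            report[user] = hits
    return report

def can_assign(assignments, user, new_role):
    """Pre-grant check: True only if new_role leaves the user conflict-free."""
    trial = set(assignments.get(user, set())) | {new_role}
    return user not in sod_violations({user: trial})

# Constructed assignments: 'carol' both collects and approves evidence.
ASSIGNMENTS = {
    "alice": {"security_officer"},
    "bob": {"operator"},
    "carol": {"operator", "compliance_lead"},
}

if __name__ == "__main__":
    for user, hits in sod_violations(ASSIGNMENTS).items():
        print(f"SOD violation for {user}: {hits}")
    print("alice as auditor:", can_assign(ASSIGNMENTS, "alice", "internal_auditor"))
```

Run periodically over the live role assignments, the same check gives the Audit/Report module a continuous SOD compliance status rather than a point-in-time questionnaire answer.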