Michel Godet Management Consulting
Menu:
Information Assurance All-in-One
The All-in-One toolset provides a framework for gathering risk and compliance intelligence, and turning this into recommendations for management action.
Product sheet (pdf, 67kb)
Building blocks
At the heart of All-in-One is a library of building blocks, each of which represents a different aspect of risk.
Most organizations tend to manage in a sliced fashion, focused on meeting the requirements of individual regulations as they emerge. This approach carries significant risk of duplication of efforts and makes it extremely difficult for senior executives to invest in People, Technology and Processes. Senior executives must look for areas of commonality, conflicts and potential synergy rather than throwing out previous work where controls and policies can be mapped and recycled for applicability to the new mandates.
Building blocks capture the common characteristics and synergy between different directives and regulations (and the differences), and allows businesses to recycle the controls and policies developed for one regulation to meet new mandates. By applying this approach the costs of all your risk and compliance initiatives are dramatically reduced. For example, If a company is ISO 27001 certified, it is likely that many of the policies, practices and controls that PCI DSS requires are already implemented.
Building blocks gather metrics on the business' performance and compliance, and measure the maturity level of the organization, to understand the evolution and implementation of policies, procedures and controls. |
Templates
Building blocks are arranged into templates that represent coherent sets of risk management requirements.
Building blocks allow the templates to be rapidly customized to the specific needs of the organization, or to meet new regulatory requirements. |
Different templates are available for different uses, such as:
- The Agreed Upon Procedures (AUP) of the Shared Assessments Organization.
- PCI 1.2
- Protection profiles based on NIST SP800-53 revision 3, with mappings to CobiT and ISO 27002.
Assessments
All-in-One provides easy-to-use on-line forms to capture risk management information. Different types of assessment (such as assessments of different service providers) can be grouped to reflect the structures in use by the organization. These structures capture the relationships between entities, processes, activities and supporting IT assets (Governance and services). Each IT Asset is associated with a relevant template. For example, Governance with a template called TPA_AUP_Governance.
Analysis
The assessments are fed into an automated analysis and reporting engine which provides high level management measures and drill-down into the detail. The analysis uses an advanced rule-based expert system to recommend management actions to improve the security and risk posture of the organization.
Key capabilities include:
- Consolidation that shows what really matters to the organization, with priorities and drill-down to the detail. A single report shows both the big picture and the detail.
- Rule-based analysis using an expert system to identify issues and risk, make recommendations, and set priorities.
- Reports which provide a view of the data specific to different
regulations and standards, including:
- AUP Agreed Upon Procedures
- PCI DSS 1.2 of Payment Card Industry
- Defense in Depth (protect-detect-respond-sustain dimensions, and people-technology-process dimensions)
- SANS – 20 Critical Controls for Effective Cyber Defense (Priority 1, 2)
- Data Loss/Leakage Protection
- Protecting the confidentiality of Personally identifiable information (PII)
- COSO Internal Control Framework
- CobiT Control Objectives for Information and related Technology
- ISO 27002 information security standard
All data can be exported to Microsoft Excel or XML formats.
All-in-One is powered by Metrici Advisor.
Further information
Read about All-in-One and supporting services.
Product sheet (pdf, 67kb)