Archive: News

itrust consulting published CS-GRAM open source tools

itrust consulting has published on GitHub a set of tools for risk assessment and management, audit reporting, key performance indicator (KPI) monitoring, and policy and procedure management specific to cloud services, intended to implement and assess the security requirements and risks of cloud infrastructures and services. All publications have also been added to the list of publications.

CS-GRAM, short for “Cloud Services-Governance, Risk management, Audit, and Monitoring”, a toolset providing cloud security governance features such as policies, risk assessment models, audit templates, and KPI, is a sub-project of the CyFORT project, which in turn stands for "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience".

Open source tools available:

  • ARIANA (on GitHub), short for “Assistance for Reporting on Information system Audits with Normative Assessment”, is designed as an add-on to Microsoft Word and Excel. It provides a simple and reliable process for creating policies, creating or updating audit reports, and managing Excel- and Word-based records of processing activities compliant with GDPR, plus additional Word and Excel utilities useful to consultants in their day-to-day work. Also published on the itrust consulting website.
  • OpenARIANA (on GitHub) was developed to address the repetitive task of creating policies, particularly Information Security Management System (ISMS) policies. Also published on the itrust consulting website.
  • DRAW (on GitHub) graphically represents assets and their dependencies and synchronizes them with TRICK Service. Also published on the itrust consulting website.
  • Trick2MonarcApi (on GitHub) is a Java API for MONARC that allows risk information from other risk management tools, such as TRICK Service, to be imported by facilitating changes to the MONARC JSON data file. Also published on the itrust consulting website.
Link to itrust Abstractions Lab

itrust Abstractions Lab published C5-DEC CAD

The suite of tools for computer-aided design and development was recently published by itrust Abstractions Lab on GitHub.

C5-DEC, short for "Common Criteria for Cybersecurity, Cryptography, Clouds – Design, Evaluation and Certification", is a sub-project of the CyFORT project, which in turn stands for "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience".

itrust consulting published OpenARIANA Alpha release

As part of the research project CyFORT[1], itrust consulting today published OpenARIANA[2], developed as a successor to the in-house ARIANA software, a Microsoft Word add-in that supports the user in, among other things, generating policies and audit reports.


Further details:

OpenARIANA was developed to address the repetitive task of creating policies, particularly Information Security policies. These documents often consist of standardized text that needs to be tailored and extended to individual customers' requirements. By integrating closely with Microsoft Word, OpenARIANA streamlines the process of document creation and customization in professional settings. It offers a user-friendly interface that enhances productivity and reduces manual effort, making the adaptation of standardized policies to specific client needs both efficient and reliable.

The tool sequentially reads the text of each row of an Excel table (constructed from a regulation or standard) and applies the style defined in the column headings. It handles tags that create enumerations, bullets or custom styles, and it can replace other tags with customer-specific data, e.g. '#Organization' with the name of the organization creating the document.
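As an added illustration (not OpenARIANA's own code), the row-by-row rendering and tag replacement described above; the table layout, the '#Bullet' control tag, the style names and the sample rows are assumptions constructed for this example. It also refuses unresolved tags, so a placeholder cannot slip into a delivered policy.

```python
import re
from typing import Dict, List, Tuple

# A tag is '#' followed by a name, e.g. '#Organization'.
TAG = re.compile(r"#([A-Za-z][A-Za-z0-9]*)")
# Assumed control tags: a leading tag switches the row to an enumeration style.
CONTROL_TAGS = {"Bullet": "List Bullet", "Enum": "List Number"}


def resolve_tags(text: str, values: Dict[str, str]) -> str:
    """Replace every #Tag with its customer-specific value; unknown tags are an error."""
    def sub(m: re.Match) -> str:
        name = m.group(1)
        if name not in values:
            raise KeyError(f"unresolved tag #{name}")
        return values[name]
    return TAG.sub(sub, text)


def render_rows(rows: List[Dict[str, str]], values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Read rows sequentially; the single filled column's heading is the paragraph style."""
    out: List[Tuple[str, str]] = []
    for i, row in enumerate(rows, 1):
        cells = [(style, t.strip()) for style, t in row.items() if t and t.strip()]
        if len(cells) != 1:
            raise ValueError(f"row {i}: expected exactly one filled style column, got {len(cells)}")
        style, text = cells[0]
        m = TAG.match(text)
        if m and m.group(1) in CONTROL_TAGS:  # leading control tag overrides the style
            style = CONTROL_TAGS[m.group(1)]
            text = text[m.end():].lstrip()
        out.append((style, resolve_tags(text, values)))
    return out


# Constructed sample table: column headings are Word style names.
SAMPLE_ROWS = [
    {"Heading 1": "Information security policy", "Normal": ""},
    {"Heading 1": "", "Normal": "#Organization commits to the following objectives:"},
    {"Heading 1": "", "Normal": "#Bullet protect the confidentiality of #Organization data"},
    {"Heading 1": "", "Normal": "#Bullet report incidents to #CISO"},
]
SAMPLE_VALUES = {"Organization": "Example Org S.A.", "CISO": "the CISO"}

if __name__ == "__main__":
    for style, text in render_rows(SAMPLE_ROWS, SAMPLE_VALUES):
        print(f"[{style}] {text}")
```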

itrust maintains a repository of ISMS standards like ISO 2700x in a structured format compatible with OpenARIANA. Users who wish to access these standards can contact us at openariana@itrust.lu. Please include proof of eligibility for the standard, such as a payment invoice. Upon verification, we will provide the structured standard free of charge. Standards currently available: ISO/IEC 27001:2022, 27002:2022, 27005:2022, 27701:2019, 22301:2019.

As a CyFORT sub-project, CS-GRAM[3] delivers a toolset comprising OpenARIANA, providing cloud security governance features such as policies, risk assessment models, audit templates, and KPI. It aims to incorporate the use of the Open Security Controls Assessment Language (OSCAL), developed by NIST. OSCAL is a standardized, data-centric framework for documenting and assessing security controls. This will bring us a step closer to achieving our goal of automating security assessment, auditing, and continuous monitoring. Finally, ISO content, typically expressed in natural language, will be converted into a machine-readable format, leveraging structured data to enable easier integration with existing tools.

____________

[1] Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience.

[2] Open Assistance for Reporting on Information system Audits with Normative Assessment.

[3] Cloud Services-Governance, Risk management, Audit, and Monitoring.

Link to the OpenARIANA release page.
Link to an example policy created with OpenARIANA based on the EU Regulation 'Digital Operational Resilience Act' (DORA).
Link to the structured data of DORA, used as input to OpenARIANA.

Merry Christmas and Happy New Year 2024

We wish you a

Peaceful Christmas

and a

Happy New Year 2024


Sending our wishes by email allows us to donate our end-of-year budget to welfare organizations:

  • Caritas Luxembourg
    in support of the integration of refugees and asylum seekers;
  • Fondation Air Rescue
    in support of investments for disaster preparedness.

CyFORT, a series of cyber security tools available for anyone

Interview with Lëtzebuerger Gemengen, translation by itrust consulting.

In a context of constantly evolving and increasingly sophisticated cyber threats, cybersecurity experts are not standing still, as demonstrated by the CyFORT project. Carlo Harpes and Arash Atashpendar, respectively Managing Director and Head of R&D/CTO at itrust consulting and itrust Abstractions Lab, explain why.

'All CyFORT cybersecurity tools and their technical documentation will be made publicly available online as free and open-source software'.


Can you briefly present the CyFORT project?

Carlo Harpes: CyFORT, short for "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience", is a research project aimed at developing a series of open-source cybersecurity software tools with a focus on cloud computing. As free and open-source software, all CyFORT cybersecurity tools and their technical documentation will be made publicly available online. These permissive licenses allow anyone not only to study our tools, but also to adapt, modify and customize them to suit their needs, without being subject to what we call vendor lock-in.

Is there a specific tool already developed as part of this project?

Arash Atashpendar: Of the six CyFORT sub-projects, today we'll be focusing on the one that's at the most advanced stage of development, namely C5-DEC, short for "Common Criteria for Cybersecurity, Cryptography, Clouds - Design, Evaluation and Certification".

C5-DEC aims at providing an impartial assessment of the security of IT systems and software in line with Common Criteria (CC), a set of internationally recognized standards (ISO/IEC 15408), as well as the complementary methodology ISO/IEC 18045, which deals with a common methodology for the evaluation of IT security (CEM). CC certification gives users the assurance that a product complies with the security guarantees it claims.

C5-DEC consists of two key elements: a software package and a knowledge base containing guides and a wiki of key CC concepts. These elements form a coherent set, covering tools for CC, secure software development and security assessment of cyber-physical systems.

How does C5-DEC improve the product development processes?

Arash Atashpendar: The CC and CEM standards, which are complex and the result of the efforts of multiple countries since 1980, contain extensive security requirements and are methodologically arduous. Certification processes, involving suppliers and laboratories, are often costly and time-consuming. C5-DEC makes these procedures more accessible and efficient, with a CC database, tools for evaluation reports, and checklists. It supports analysts and designers with comprehensive databases for safety design and evaluation.

Are there any other particular features of C5-DEC worth highlighting?

Arash Atashpendar: C5-DEC's secure software development module stores and interconnects specifications, source code and tests for complete traceability. The import/export functions and cryptographic operations make it possible to secure the creation and distribution of software.

C5-DEC integrates and relies on other open-source solutions such as doorstop-dev, asciimatics, OpenProject, GitLab, threagile and Threat Dragon for some of its functionalities such as requirements and artefact management, system design and testing, threat modelling and security risk assessment.

For which users is your solution aimed?

Carlo Harpes: Our target audience includes software designers and CC experts, with a current focus on coaching developers. We are currently looking for a few customers for training on C5-DEC. They would receive free coaching in exchange for written feedback on their use of our tool. Typically, I'm thinking of a number of concrete cases, such as the roll-out of Luxchat, or the mobile application for filing electronic complaints, or even the sending of an electronic sickness certificate to the CCSS and the employer by doctors, with the patient's consent.

Could you give us an example of a practical application?

Carlo Harpes: Imagine the supplier of a smart card wishing to have its product certified for IT security, either because of regulatory recommendations (GDPR, NISS) or simply to build trust among its users.

Designers using C5-DEC can filter CC requirements and focus on security requirements, as well as assurance activities related to cryptography, and use elements of the knowledge base.

Evaluation laboratories can in turn use the evaluation-oriented functionality. For example, it has already been used internally as part of a project for a public sector customer, as well as in research projects for the European Commission and the European Space Agency (ESA), or for the specification of a cryptographic tool.

What are the next developments for C5-DEC?

Arash Atashpendar: We will be updating C5-DEC based on feedback from users, but also on what we discover when using it in the field. We also plan to adapt its future development to the online tool Fit4CSA, recently published by ILNAS as part of the CORAL project. Finally, we want to better adapt our software to the specifics of the EU Cybersecurity Act or CSA (EU regulation 2019/881), for which C5-DEC already provides certain functionalities.

How and when will C5-DEC be released?

Arash Atashpendar: The alpha version of C5-DEC is scheduled for release on 1 December 2023 on the well-known GitHub platform via the following link: https://github.com/AbstractionsLab.

Read the full interview in French (p. 60-61) published in Lëtzebuerger Gemengen (LG) | November / December 2023 | n° 258
