Feature - Asset to Controls / Policies (planned for r46)

I’m trying to find a way to link specific Assets to Policies, Procedures, Standards, Exceptions.
The only common field between the two sections is Asset Labels (excluding Exceptions), but we assign only one label per asset and select one label per Policy, Procedure or Standard.

Am I simply not seeing the way to properly link these items?

Ways to improve:

  • Add Related Documents tab in the asset identification

  • Add an Asset(s) field in the Policies, Procedures, Standards, Exceptions.

  • Add a Liability(ies) field in Policies, Procedures, Standards, Exceptions.

Hello,

We have not taken that approach (assets to controls and policies) on purpose from the beginning.

The logic of eramba is that controls and policies only exist if there is a business need, in our terms: a risk, a compliance requirement or a data flow being described.

So if you want to know what controls and policies link to an asset, you can list the risks that use those assets. For the compliance side we could link assets to compliance requirements to close that association too.

Anyone else?

Hi,
the logic sounds solid; it’s a risk-based approach. I’m thinking that sometimes controls cover more than one risk and apply to more than one (or all) assets. E.g. an antimalware policy is a policy, with antimalware being a control to protect against malicious software. That applies to all assets, and I would guess the way to see the gap is to look at exceptions (i.e., which assets do not have an antimalware control).
I understand that this is not possible?

My understanding from previous readings and some of the online trainings is that Eramba is not designed to be a replacement for an asset management tool. Basically, it should not be used to store information on all assets (i.e., each individual laptop, desktop, server, etc.).

Perhaps another way to solve your problem is one that I’ve used Eramba for recently: My company has a policy that says we will have anti-virus on all computers. In Eramba, I created a control called Anti-Virus Software. From there, I created an audit, scheduled on a frequent basis (quarterly for us, could be different depending on your organization) to confirm:

  • All computers, servers, etc. have anti-virus software installed
  • Ensure that computers are being updated appropriately, which consists of:
  1. Export a CSV of all computers in our inventory/asset management system
  2. Export a CSV of all computers in our anti-virus software console
  3. Compare the two. Any computers listed in our inventory that do not show up in our anti-virus are considered exceptions (and could cause the audit to fail).
  4. Finally, review the last updated date of each computer in our anti-virus software. Ensure these dates make sense. Any computers that have not been updated within an acceptable threshold (defined by you/your organization) should be reviewed as possible exceptions/audit issues.

Hope that helps! Happy to talk more about if you’d like.

-Noah
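The reconciliation Noah describes in steps 1 to 4 is easy to script so the quarterly audit produces the same exception list every time. The following is an added example, not code from the original post and not part of eramba. The two CSV exports are constructed sample data; the column names (`hostname`, `computer_name`, `last_update`), the `YYYY-MM-DD` date format and the 7-day staleness threshold are assumptions to adapt to what your inventory and anti-virus console actually export. It also normalises hostnames (case, domain suffix) before comparing, because that mismatch is the most common cause of false "missing" findings when two tools export the same machine differently.

```python
"""Reconcile an asset-inventory export against an anti-virus console export.

Added example (not from the original post, not eramba code). Produces the
three lists an auditor needs: inventory hosts with no AV record, AV hosts whose
last update is older than a threshold, and AV hosts the inventory does not know.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample exports; column names are assumptions, adapt to your tools.
INVENTORY_CSV = """hostname,owner,type
LAPTOP-001,alice,laptop
laptop-002.corp.example.com,bob,laptop
SRV-DB-01,dba,server
srv-web-01,webops,server
"""

AV_CSV = """computer_name,last_update
laptop-001,2024-05-20
LAPTOP-002,2024-03-01
SRV-WEB-01,2024-05-21
wks-temp-09,2024-05-21
"""


def normalize(name):
    """Lower-case and drop any domain suffix so both exports share one key."""
    return name.strip().lower().split(".")[0]


def load_inventory(text):
    """Map normalised hostname -> inventory row."""
    return {normalize(r["hostname"]): r for r in csv.DictReader(io.StringIO(text))}


def load_av(text):
    """Map normalised hostname -> date of last AV update (assumed YYYY-MM-DD)."""
    out = {}
    for r in csv.DictReader(io.StringIO(text)):
        out[normalize(r["computer_name"])] = datetime.strptime(
            r["last_update"], "%Y-%m-%d"
        ).date()
    return out


def reconcile(inventory_text, av_text, as_of, max_age_days=7):
    """Compare the two exports as of a given date.

    as_of may be a date or an ISO string. Returns the exception lists and an
    overall pass flag (missing or stale hosts fail the control audit).
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    inv = load_inventory(inventory_text)
    av = load_av(av_text)
    cutoff = as_of - timedelta(days=max_age_days)

    # Step 3: in inventory, absent from the AV console -> control not applied.
    missing = sorted(h for h in inv if h not in av)
    # Step 4: present in both, but not updated within the acceptable window.
    stale = sorted(h for h, d in av.items() if h in inv and d < cutoff)
    # Bonus finding: AV knows a machine the inventory does not -> inventory gap.
    unknown = sorted(h for h in av if h not in inv)

    return {
        "missing": missing,
        "stale": stale,
        "unknown": unknown,
        "passed": not missing and not stale,
    }


if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, AV_CSV, "2024-05-22")
    for key in ("missing", "stale", "unknown"):
        print(f"{key:8s}: {', '.join(result[key]) or '-'}")
    print("audit passed:", result["passed"])
```

The `missing` and `stale` lists are the candidates for policy exceptions or audit findings; `unknown` is worth a separate look because a machine the AV console sees but the inventory does not is a gap in the inventory control rather than in the anti-virus control.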

This is quite a topic… and I don’t think there is a single “good” or “wrong” way to do GRC, so I can’t just say that; we designed eramba by implementing our way and, whenever possible, we adapt to others.

My feedback:

  • In general, I seem to take the same approach as Noah does
  • The link between Control Catalogue / Policy Exceptions and Assets could work. It would answer the question of “what assets are part of this exception”.
  • The link between Compliance Management / Compliance Analysis and Assets could work. It would answer the question of “what assets are subject to this and that compliance requirement”.

Good example, thank you for that. I (and I’m sure there are other ways) would:

1- Talk to the control owner (the person that runs end-point systems, for example) and agree which systems are in the scope of malware. I would define them as “generic assets” under Asset Management / Asset Identification…for example: “Windows End-Point Systems”
2- Define what the malware control is and what governance it will have (how it is installed, how it is monitored, how it is going to be updated, how we will react to an alarm, how we’ll audit it, etc). I’ll then create one or more controls and policies under “Control Catalogue/*”
3- Create a Risk Mgt. / Asset Risk Management, set as input the assets in #1, set “mitigation” and the controls / policies defined in #2, print a PDF of the risk, get sign-off from the system guys.

If later on they want to exempt the antimalware end-point on some system for whatever reason, that would need a “Control Catalogue / Policy Exception” which would be tied to the policies defined in #2.

If any of you have attended our trainings, do we explain things well enough?

Thanks for the feedback.

If I remember correctly, one of the statements made during the training that covered Security Services was to try and avoid duplicating control “services”. Since the only common field between Assets and Policies is Labels, and only one label can be applied to either an asset or a policy, I wanted to avoid creating multiple assets but with different labels.

Dealing with multiple compliance requirements, they all need ACCOUNT MANAGEMENT control, but the specifics (policy, standard, procedures) will be different depending on the asset. To address this, I’ve documented in the description (ex. Applies to: SOX tagged assets).

These statements below reflect what I was trying to request. A way to link assets to the other modules. Identify gaps.

Hi
the policy exception should be tied to something other than just the policy. Right now in the exception you cannot define an asset. I find it difficult to understand how we can get an asset-based risk profile.
Here is a different example:
a. All applications are registered in the system for risk review. These are assets.
b. All high criticality applications need to be pentested yearly. This is a policy.
c. Penetration test is a control.
d. An application owner wants to postpone the pentest for 2 months, because of an imminent upgrade.
e. An exception has to be registered.

Don’t you think this exception (e) has to be assigned to the owner (d), refer to the policy item (b), the control (c) and the asset that is excepted (a)?

Is this what you are looking for?

  • Assets → Compliance Analysis would let you understand what assets are affected by every single compliance requirement.

  • Assets → Policy Exceptions would allow you to answer what asset is affected by that exception.

We can enable these queries on filters too. What about the status of exceptions, should they be expanded to assets? It is not easy to do, but if we are aiming high let’s try high :slight_smile:

  • The direct links listed in yellow.

We debated the yellow links, but we are not ready for that change as it would not be compatible with the approach of eramba, where risks and compliance drive the work and assets, third parties or business processes are behind.

Sorry Rene!

Hi,

any updates to the Asset to Controls documentation?

What is the proper (Eramba’s) way to document compliance gaps associated to a specific asset?

Let’s say I have Asset 1, Asset 2 and Asset 3 that are all subject to a compliance standard (ex.: ISO 27001). A proper link made in Compliance Analysis (Assets). Here is a use case :

Asset 1 has gaps in 6.1 requirement
Asset 2 has gaps in 7.2 requirement
Asset 3 has no gaps (which means that controls are OK)

What are your suggestions? Should it be identified as risks per asset? Policy exceptions? or something else?

Thank you

Gennady