The Information Security Management Solution

The dashboard provides at a glance, key management information about the status and performance of an information security management system. It combines important metrics about assets, risk assessments, security incidents and documentation status to provide system-wide visibility of an organisation’s information security health.

InfoSaaS is fully configurable so that it operates in accordance with an organisation’s specific information security needs. Amongst a number of user-defined system parameters are a range of acceptable risk metrics, default review periods for asset risk assessments and documentation, options for recording supporting evidence against security controls and workflow management for authorising security-related documentation.

Assets can be created (and subsequently assessed) using one of the generic templates provided within InfoSaaS, or using a customised asset template created by the user. The status of assets, including their type, ownership and the date of their last risk assessment can be clearly seen from the searchable Asset Dashboard.

The InfoSaaS methodology recognises that assets may rely upon other assets for their overall security: InfoSaaS users are encouraged to identify and record “parent” and “child” relationships. These can be seen within the asset dependencies chart, and provides a useful and timely messaging service advising upstream and downstream asset owners of notifications of expired risk assessments, security incidents etc.

Each asset is subject to a detailed risk assessment. This requires the asset owner to determine the probability of a range of vulnerabilities being exploited by applicable threats, and assesses the likely impact on the asset if they were actually exploited. They then progress to select and record the security controls which are in place to support their assessments, after which InfoSaaS calculates whether the risks are acceptable to the organisation.

The ISO27001 information security standard requires that the selection and use of security controls to protect assets is recorded in a “Statement of Applicability”. Traditionally this is an extensive and time consuming manual activity, InfoSaaS has been designed to prepare and update this key document automatically each time an individual risk assessment is completed.

Should an asset within InfoSaaS be identified as having been compromised in some way, or even a potential breach is suspected, it is important that this is recorded promptly, so that the appropriate asset owner(s) can investigate and take remedial action without delay, InfoSaaS includes an integrated security incident module which manages and tracks the progress of security incidents from initial reporting, through investigation and remedial actions to final closure.

Many activities within an information security management system are time dependent, so the InfoSaaS calendar keeps track of forthcoming and completed risk assessment activities, security incidents and document management tasks. Additionally, users can add their own “ISMS Events” which may include security training sessions, internal and external audit activities, management reviews etc, so that important activities are never overlooked.

InfoSaaS incorporates a document management module, which allows organisations to upload and manage their own documentation, or alternatively record hyperlinks to their documentation if hosted elsewhere. The system allows for various documentation approval workflows, and integration with the InfoSaaS calendar means that future document reviews are visible well in advance of the required review date.