Difference between revisions of "ABOUT CETBIX ISMS"

From Cetbix Documentation
Jump to navigation Jump to search
(Created page with " ==The basics== <!--T:1--> ===What are the differences between Cetbix ISMS, Cetbix ISMS-R, Cetbix ISMS-F and Cetbix ISMS-ICS?=== <!--T:2--> <!--T:3--> All the listed product...")
 
 
(2 intermediate revisions by the same user not shown)
Line 6: Line 6:
 
<!--T:3-->
 
<!--T:3-->
 
All the listed products are built on the Cetbix ISMS. This means, one has to use the Cetbix ISMS to be able to activate those other modules.
 
All the listed products are built on the Cetbix ISMS. This means, one has to use the Cetbix ISMS to be able to activate those other modules.
 +
 +
==How Cetbix ISMS differentiate itself== <!--T:2-->
 +
*Comes with both qualitative and quantitative Risk Analysis (SLE, ARO, ALE, Cost Benefit, IRR, and many more).
 +
*General available as a cloud solution and on-premises.
 +
*Manage your projects and incidents on one platform.
 +
*One tool for all entities, branches, and locations - Get all security posture of all entities on one platform.
 +
*Cetbix ISMS coordinates all your security efforts both electronically, physically, coherently, cost-effectively, consistency, and enables organizations to prove to potential customers that they take the security of their data seriously.
 +
*Cetbix ISMS is portable and simple when compared to other ISMS tools, which come with different distinct features. For example, various ISMS do not make a distinction between controls that apply to a particular organization and those which are not, while the others prescribe a risk assessment that has to be performed to identify each control whether it is required to decrease the risks and if it is, to what extent it should be applied.
 +
*Cetbix ISMS considers usability and uses a single standard that makes it simple and portable for practical use.
 +
*Documentation is underrated in the context of Cetbix because most organizations implementing other ISMS tools invest more time writing documents than they expected.
 +
*Digital documents ready for ISO27001 certification
 +
*NIS/NIST compliant & many more
 +
*Cetbix ISMS enhances information sources, capacities, decision strategies, staff, and organization attitudes toward security-related issues and helps to close the gap between technology and humans in the context of information security management.
 +
*Cetbix ISMS avoids the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations.
 +
*Cetbix ISMS provides a methodology that focuses on the issue of how to sustain and enhance organization cybersecurity through a dynamic process that involves: awareness of the situation, integration control, and gaps closing.
 +
*Cetbix ISMS contributes to a more reliable, good practice of information security measures that help to educate leaders and secure the participation of employees in the context of information security management.
 +
*Cetbix ISMS enhances collaboration between different groups of employees by enabling them to work jointly towards the mitigation of cybercrimes.
 +
*Cetbix ISMS also focuses on the design, identification, and mitigation of potential factors causing an overall hindrance to security-related policy compliance within an organization. Every potential factor that generates any hindrance is a cause of variation that Cetbix ISMS addresses, unlike the other ISMS tools where standards are designed for certain focus.
 +
*In the event that an organization is having an inaccurate idea of their business domain security issues, the Cetbix ISMS will be the right approach.
 +
*Cetbix ISMS could be seen as a "Preventive System". It prevents your organization from cyber attacks in advance and enables your organization CISO, CIO, CSO or cybercrime security manager to develop audit trails of proof in the context of information systems before making decisions.
 +
*Cetbix ISMS provides organizations with more prominence attributes, such as, how employees react to policies, collaboration, communication, and commitment.
 +
*Cetbix ISMS has a cost reductions mechanism that prevents unforeseen circumstances in the context of cybercrime mitigation.
 +
*Cetbix ISMS prevents you from GDPR penalties.
 +
 +
==Managing risks successfully with the Cetbix ISMS== <!--T:2-->
 +
Cetbix ISMS provides a methodology that focuses on the issue of how to sustain and enhance organization cybersecurity through a dynamic process that involves: awareness of the situation, integration control, and gaps closing. One dashboard for multi branches, locations, and entities.
 +
 +
In addition to other risk issues, Cetbix ISMS looks into the following:
 +
 +
*Identification of risks, description of type, causes, and effects
 +
 +
*Project Management
 +
 +
*Incident Management
 +
 +
*Analysis of the identified risks with regard to their probability of occurrence and possible effects
 +
 +
*Breaks several risk incidents to a comprehensive constructs
 +
 +
*A risk assessment by comparison with risk acceptance criteria to be defined in advance
 +
 +
*Risk management and risk control through measures
 +
 +
*Integration with the Internal Control System (ICS)
 +
 +
*Risk categorization and risk aggregation (incl. client capability)
 +
 +
*Risk monitoring with reminder notifications and workflows
 +
 +
*Risk records for the documentation of all processes
 +
 +
*Predefined risk reports and the possibility to create your own reports (Report Designer)
 +
 +
*3D Risk management dashboard for data visualization
 +
 +
==Payment Card Industry Data Security Standard (PCI-DSS)== <!--T:2-->
 +
Cetbix ISMS helps organisations maintain the payment security required to store, process or transmit cardholder data.  PCI DSS defines the technical and operational requirements for organisations to ensure that payment security is maintained.
 +
The PCI DSS sets out the technical and operational requirements for organisations that accepts or processes payment transactions, software developers and vendors of applications and devices used in these transactions.
 +
 +
 +
Cetbix provides a comprehensive list of essential network security controls that meet the requirements of PCI DSS > 3.2.
 +
 +
*Inventory of authorised and unauthorised devices
 +
 +
*Continuous assessment and correction of weaknesses
 +
 +
*Maintenance, monitoring and analysis of audit logs
 +
 +
*Secure configurations for network devices
 +
 +
 +
==Systematically manage and improve information security based on ISO 27001== <!--T:2-->
 +
Cetbix ISMS is focused on cybercrime prevention but has a feature that enables you to operate in accordance with ISO/IEC 27001 or the  BSI-licensed. This feature is used by over 10,000 users in  Europe and worldwide.
 +
 +
Cetbix ISO27001:2022 additional feature enables organizations to:
 +
 +
*Control documents relevant to information security (specifications, verification)
 +
 +
*Management of information security risks e.g. according to ISO 27001 or ISO 27005
 +
 +
*Recording and tracking of information security measures
 +
 +
*Inventory and classification of the objects of protection (asset inventory) including inheritance of the need for protection
 +
 +
*Management of security incidents (Security Incident Management)
 +
 +
*Management of Exceptions to Security Targets (Exception Management)
 +
 +
*Preparation of the Statement of Applicability (SOA)
 +
 +
*Performing gap analyses and audits based on ISO 27001 and ISO 27002
 +
 +
*Evaluation of information security compliance
 +
 +
*Reporting and dashboard for Information Security
 +
 +
*Paperless Documents required by ISO 27001
 +
 +
==Asset Classification== <!--T:2-->
 +
The process of setting up a data inventory with Cetbix is quite simple.
 +
 +
*Repository: The name of the system that contains the information (include details such as description, owner, location, access)
 +
 +
*Type of data: This includes details such as description and whether or not it contains personal information.
 +
 +
*Personal Information ID: PI Description (include a description of the personal information, PI Reason, and PI Policy).
 +
 +
*Information Confidentiality Classification Scheme: Information are classified in terms of legal requirements. value, criticality, and sensitivity to unauthorized disclosure or modification.
 +
 +
*Handling of Assets: Procedures  drawn up for handling processing, storing and communicating information consistent with its classification.
 +
 +
*Sensitivity Level: Classifying data as to sensitivity to assure that proper security protection is in place appropriate with the given data set.
 +
 +
*Retention Period: Consistent with records management practices, ensuring the period in which data is to be retained, to assure that data's availability and integrity for that retention period.
 +
 +
*Data Utilization: Establishing appropriate procedures for how data is utilized. This includes access restrictions, proper handling, logging, and auditing.
 +
 +
*Data Back-up: Assessing how back-up copies of data and software are created.
 +
 +
*Management of Storage Media: Processes to ensure proper management of storage media, including restrictions of types of media, audit trails for movement of media, secure disposal of media no longer in use, and redundant storage.
 +
 +
*Electronic Data Transfers
 +
 +
*Disposal of Media
 +
 +
*Risk Register
 +
 +
*Confidentiality level
 +
 +
*Methodology of Risk level of acceptance (default of customized)
 +
 +
*Digital risk acceptance
 +
 +
*Manual risk acceptance
 +
 +
*Set Controls
 +
 +
*Match Assets
 +
 +
*Asset Mapping
 +
 +
*Quantitative Risk Assessment
 +
 +
*Qualitative Risk Assessment
 +
 +
*Single Asset evaluation
 +
 +
*Assign single or multiple assets
 +
 +
*Risk Register
 +
 +
==National Institute of Standards and Technology (NIST)== <!--T:2-->
 +
*Classify the data and information you need to protect
 +
*Development of a baseline for the minimum checks required to protect this information
 +
*Carry out risk assessments to refine your basic controls
 +
*Document your basic controls in a written security plan
 +
*Introducing security controls for your information systems
 +
*Monitor performance after implementation to measure the effectiveness of security controls
 +
*Determine the risk at authority level based on your assessment of the security controls
 +
*Authorise the information system for processing
 +
*Cyber Threat Intelligence Maturity Assessment
 +
*Continuous monitoring of your security controls
 +
*Cetbix ISMS helps organizationd to help federal agencies meet the requirements of the  Federal Information Security Management Act (FISMA).

Latest revision as of 13:25, 30 March 2024

The basics

What are the differences between Cetbix ISMS, Cetbix ISMS-R, Cetbix ISMS-F and Cetbix ISMS-ICS?

All the listed products are built on the Cetbix ISMS. This means, one has to use the Cetbix ISMS to be able to activate those other modules.

How Cetbix ISMS differentiate itself

  • Comes with both qualitative and quantitative Risk Analysis (SLE, ARO, ALE, Cost Benefit, IRR, and many more).
  • General available as a cloud solution and on-premises.
  • Manage your projects and incidents on one platform.
  • One tool for all entities, branches, and locations - Get all security posture of all entities on one platform.
  • Cetbix ISMS coordinates all your security efforts both electronically, physically, coherently, cost-effectively, consistency, and enables organizations to prove to potential customers that they take the security of their data seriously.
  • Cetbix ISMS is portable and simple when compared to other ISMS tools, which come with different distinct features. For example, various ISMS do not make a distinction between controls that apply to a particular organization and those which are not, while the others prescribe a risk assessment that has to be performed to identify each control whether it is required to decrease the risks and if it is, to what extent it should be applied.
  • Cetbix ISMS considers usability and uses a single standard that makes it simple and portable for practical use.
  • Documentation is underrated in the context of Cetbix because most organizations implementing other ISMS tools invest more time writing documents than they expected.
  • Digital documents ready for ISO27001 certification
  • NIS/NIST compliant & many more
  • Cetbix ISMS enhances information sources, capacities, decision strategies, staff, and organization attitudes toward security-related issues and helps to close the gap between technology and humans in the context of information security management.
  • Cetbix ISMS avoids the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations.
  • Cetbix ISMS provides a methodology that focuses on the issue of how to sustain and enhance organization cybersecurity through a dynamic process that involves: awareness of the situation, integration control, and gaps closing.
  • Cetbix ISMS contributes to a more reliable, good practice of information security measures that help to educate leaders and secure the participation of employees in the context of information security management.
  • Cetbix ISMS enhances collaboration between different groups of employees by enabling them to work jointly towards the mitigation of cybercrimes.
  • Cetbix ISMS also focuses on the design, identification, and mitigation of potential factors causing an overall hindrance to security-related policy compliance within an organization. Every potential factor that generates any hindrance is a cause of variation that Cetbix ISMS addresses, unlike the other ISMS tools where standards are designed for certain focus.
  • In the event that an organization is having an inaccurate idea of their business domain security issues, the Cetbix ISMS will be the right approach.
  • Cetbix ISMS could be seen as a "Preventive System". It prevents your organization from cyber attacks in advance and enables your organization CISO, CIO, CSO or cybercrime security manager to develop audit trails of proof in the context of information systems before making decisions.
  • Cetbix ISMS provides organizations with more prominence attributes, such as, how employees react to policies, collaboration, communication, and commitment.
  • Cetbix ISMS has a cost reductions mechanism that prevents unforeseen circumstances in the context of cybercrime mitigation.
  • Cetbix ISMS prevents you from GDPR penalties.

Managing risks successfully with the Cetbix ISMS

Cetbix ISMS provides a methodology that focuses on the issue of how to sustain and enhance organization cybersecurity through a dynamic process that involves: awareness of the situation, integration control, and gaps closing. One dashboard for multi branches, locations, and entities.

In addition to other risk issues, Cetbix ISMS looks into the following:

  • Identification of risks, description of type, causes, and effects
  • Project Management
  • Incident Management
  • Analysis of the identified risks with regard to their probability of occurrence and possible effects
  • Breaks several risk incidents to a comprehensive constructs
  • A risk assessment by comparison with risk acceptance criteria to be defined in advance
  • Risk management and risk control through measures
  • Integration with the Internal Control System (ICS)
  • Risk categorization and risk aggregation (incl. client capability)
  • Risk monitoring with reminder notifications and workflows
  • Risk records for the documentation of all processes
  • Predefined risk reports and the possibility to create your own reports (Report Designer)
  • 3D Risk management dashboard for data visualization

Payment Card Industry Data Security Standard (PCI-DSS)

Cetbix ISMS helps organisations maintain the payment security required to store, process or transmit cardholder data. PCI DSS defines the technical and operational requirements for organisations to ensure that payment security is maintained. The PCI DSS sets out the technical and operational requirements for organisations that accepts or processes payment transactions, software developers and vendors of applications and devices used in these transactions.


Cetbix provides a comprehensive list of essential network security controls that meet the requirements of PCI DSS > 3.2.

  • Inventory of authorised and unauthorised devices
  • Continuous assessment and correction of weaknesses
  • Maintenance, monitoring and analysis of audit logs
  • Secure configurations for network devices


Systematically manage and improve information security based on ISO 27001

Cetbix ISMS is focused on cybercrime prevention but has a feature that enables you to operate in accordance with ISO/IEC 27001 or the BSI-licensed. This feature is used by over 10,000 users in Europe and worldwide.

Cetbix ISO27001:2022 additional feature enables organizations to:

  • Control documents relevant to information security (specifications, verification)
  • Management of information security risks e.g. according to ISO 27001 or ISO 27005
  • Recording and tracking of information security measures
  • Inventory and classification of the objects of protection (asset inventory) including inheritance of the need for protection
  • Management of security incidents (Security Incident Management)
  • Management of Exceptions to Security Targets (Exception Management)
  • Preparation of the Statement of Applicability (SOA)
  • Performing gap analyses and audits based on ISO 27001 and ISO 27002
  • Evaluation of information security compliance
  • Reporting and dashboard for Information Security
  • Paperless Documents required by ISO 27001

Asset Classification

The process of setting up a data inventory with Cetbix is quite simple.

  • Repository: The name of the system that contains the information (include details such as description, owner, location, access)
  • Type of data: This includes details such as description and whether or not it contains personal information.
  • Personal Information ID: PI Description (include a description of the personal information, PI Reason, and PI Policy).
  • Information Confidentiality Classification Scheme: Information are classified in terms of legal requirements. value, criticality, and sensitivity to unauthorized disclosure or modification.
  • Handling of Assets: Procedures drawn up for handling processing, storing and communicating information consistent with its classification.
  • Sensitivity Level: Classifying data as to sensitivity to assure that proper security protection is in place appropriate with the given data set.
  • Retention Period: Consistent with records management practices, ensuring the period in which data is to be retained, to assure that data's availability and integrity for that retention period.
  • Data Utilization: Establishing appropriate procedures for how data is utilized. This includes access restrictions, proper handling, logging, and auditing.
  • Data Back-up: Assessing how back-up copies of data and software are created.
  • Management of Storage Media: Processes to ensure proper management of storage media, including restrictions of types of media, audit trails for movement of media, secure disposal of media no longer in use, and redundant storage.
  • Electronic Data Transfers
  • Disposal of Media
  • Risk Register
  • Confidentiality level
  • Methodology of Risk level of acceptance (default of customized)
  • Digital risk acceptance
  • Manual risk acceptance
  • Set Controls
  • Match Assets
  • Asset Mapping
  • Quantitative Risk Assessment
  • Qualitative Risk Assessment
  • Single Asset evaluation
  • Assign single or multiple assets
  • Risk Register

National Institute of Standards and Technology (NIST)

  • Classify the data and information you need to protect
  • Development of a baseline for the minimum checks required to protect this information
  • Carry out risk assessments to refine your basic controls
  • Document your basic controls in a written security plan
  • Introducing security controls for your information systems
  • Monitor performance after implementation to measure the effectiveness of security controls
  • Determine the risk at authority level based on your assessment of the security controls
  • Authorise the information system for processing
  • Cyber Threat Intelligence Maturity Assessment
  • Continuous monitoring of your security controls
  • Cetbix ISMS helps organizationd to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA).