SimpleRisk – an open source risk management platform Review

I’m a huge fan of open source tools – there are some ridiculously clever people out there willing to give their time and expertise on these excellent products/ideas. So, I started looking for an open source risk management tool for some work stuff that I’m interested in. Let’s get the context in play first.

Risk management is a key part of cybersecurity or information security, and understanding an organisation's risk is critical, in fact mandatory, for getting good infosec controls in place. The ISO 31000 standard describes how to assess, document and manage risk, and it is a starting point for understanding how to go on to implement a standard like ISO 27001, NIST or CIS.

The standard you choose for information security is up to you (or to your governing body). In the case of previous businesses I've worked at, most often it's been ISO 27001 Information Security Management Systems or the diabolical Right Fit For Risk. The NIST Cybersecurity Framework (https://www.nist.gov/cyberframework) is spoken of often, but it is a US-centric standard, and so, to a certain degree, are the Center for Internet Security (https://www.cisecurity.org/) controls (CIS is a US-based organisation). Regardless, both the NIST and CIS control sets, when implemented, will provide guidance on security actions you may wish to take.

I have to remind you, gentle reader, that compliance does not equal security. Seriously: just because you've got all the controls documented, mature and written down does not mean you have a secure network. One still needs to do the work of maintaining a good secure posture: keeping everything backed up *and* up to date, training your staff, sacrificing a goat and praying. That's not entirely tongue in cheek. We are fighting a defensive battle here, so we need to make sure we have defence in depth. Hope is not a strategy.

OK, so with that in mind, I'm keen to find a way to manage risks, manage the control set and have projects underway to improve our security posture. You can do this with Word/Excel/SharePoint, or with Jira and Confluence, or with a suite of applications built for the job. Enter SimpleRisk (https://www.simplerisk.com/). I reviewed several options online and watched demonstrations of several other applications, and I've settled on giving SimpleRisk a try. There's a free option with most of the capabilities enabled by default (and some nice paid options too), and this is what we'll be having a look at.

Getting a trial up and running has so far proven easy. I spun up a virtual machine in my lab running Ubuntu Server 22.04. Once it was patched and fully up to date, I ran the installation script from https://www.simplerisk.com/download/scripted and it went ahead and installed itself. After a few minutes, I was presented with a screen like this:

Once you log in and register your instance, you get access to the Security Controls Framework (SCF), from which there are 254 different frameworks you can enable. It looks like this:

I’ve added the Essential 8 (ML1, ML2 and ML3) and the 2022 version of ISO 27001. The Governance tab looks like this now:

And the Controls sub-tab looks like this:

Note the "Controls (1184)" at the bottom there: that is far more controls than are in the Essential 8 or ISO 27001 (2022), because the SCF includes controls from all of its different frameworks. You can untick the SCF in the central "Control Framework" filter to bring the control count down to a more reasonable number. With the SCF unticked, 107 controls are left over.

The Risk Management tab looks like this:

It's from here that we can start adding risks, which I'll begin doing. Stay tuned for the next few posts on this as I work through a trial of the system. From the videos I've watched it looks straightforward, which will be a nice change from the usual ways one has to manage these standards.
