Modulo Risk Manager

Tool Identity Card

General information
Basic information to identify the product

Tool name : Modulo Risk Manager
Vendor name : Modulo Security
Country of origin : Brazil

Level of reference of the tool
Details about the coverage or the « originators » of the solution

Coverage : World-wide
Supported by organization, club,... (e.g. as sponsor) : N/A

Brief description of the product
Give a brief description of the product containing general information, overview of functions…

• Modulo Risk Manager™ software helps organizations streamline and automate processes required for in-depth risk assessment and compliance projects by collecting and centralizing data relating to technology assets, such as software and equipment, as well as non-technology assets such as people, processes and physical facilities within an organization to assess risk and ensure compliance. The software also allows the quick and comprehensive generation of reports resulting from the data collected. Modulo Risk Manager features knowledge bases that assist organizations in assessing and achieving compliance with SOX, PCI, ISO 27001, HIPAA, COBIT, ITIL, FISAP, FISMA, NIST 800-53a, FIPS 199, A 130 and DOD 8500.2 and can be customized to assess for compliance with additional standards.
  
  Modulo Risk Manager automates the IT risk assessment process and produces multiple compliance reports from the same data, reducing “audit silos”. It can be learned quickly, will run on a laptop or server and is agent-free.
  
  Modulo Risk Manager makes the calculation of risk scores easy because it contains knowledge of IT assets, best practices for the various standards and contains workable default risk component values for every asset and control, estimated by the Modulo Security Lab. This same knowledge base simplifies the process of human interviews with prepared questionnaires. Time is saved by encapsulating these interviews with a viewer that can be emailed to the persons to be surveyed, or answer via the Web. After completion, the answers are mapped to the best practice controls for any standard and saved automatically into the secure audit repository.

Supported functionality
Specify the functionality this tool provides.

R.A. Method phases supported

• Risk identification : Modulo Risk Manager reads settings and automatically returns the results directly to the repository. Modulo Risk Manager’s engine will interpret the collected results and, identify whether the control is implemented or not. For technology platforms; e.g. machines, operating systems, applications, routers, etc; answers to approximately 70% of the questions can be collected automatically. Modulo has assembled a library of more than 190 of the most frequently encountered technologies, containing 4000 automatic collectors.There is a library of controls and related questionnaires in the Product for people with various titles and duties, and also checklists for processes; such as measuring application quality, backup procedures, etc. They can be completed by security staff, or sent to the remote end-user for control self-assessments, if desired and appropriate. The recipients can be instructed to fill them out online, via web-interview, or off-line using the Analyzer
• Risk analysis : Risk is gauged on three criteria, Likelihood or Probability (P), Consequence or Severity (S), and business Relevance (R).A subjective relative weight ranging from 1-5 is assigned to each asset, corresponding to very low, low, medium, high and very high. In practice, the values for probability and severity have already been estimated by the Security Lab from industry sources. Modulo Risk Manager therefore contains “workable” default values for all asset type and control combinations, which can of course be overridden during the analysis by the user where desired.The Relevance score becomes the “glue” that relates technology assets to business components. Relevance is specified from the top down and “inherited” downward through the audit tree, so it only needs to be estimated at the business or application level, once. The value can be overridden or adjusted at any level if needed, though. Then, the product of probability and severity is computed, and then “weighted” by the relevance. It will range from 1 to 125 (i.e. 1x1x1 to 5x5x5).Management and audit groups reach consensus on reasonable value for relevance, which does not require much time and can be changed.
• Risk Evaluation: Yes

Other phases

• Asset Inventory & Evaluation: Within business units, assets to be assessed are named.These may belong to any of the four audit categories:Environment, perhaps requiring visual inspection • People, perhaps requiring interviews or investigations • Processes, requiring checklists or self-assessments • Technologies, perhaps requiring data collection They form the third level of the tree. For convenience, these can be imported directly from Active Directory™, if one is present, gathering hundreds or thousands of assets and owner information automatically. Alternatively you can import Excel™ or XML files from scanners or configuration-management tools

R.M. Method phases supported

• Risk assessment: The method employed is defined in ISO Guide 73. Modulo Risk Manager encourages a top-down structured approach to assessment by first facilitating the capture of business unit names falling within the audit scope, then the names of applications supporting them and then the import of asset descriptions
• Risk treatment : The numerical risk values enable security management to prioritize its risk reduction efforts and measure improvement, often for the first time. Mitigation tasks are listed in descending order of risk-reduction potential and contain explanations of the score and how to gather the information to repair it.
• Risk acceptance : Modulo Risk Manager has the Evaluation and Event Manager (Issue Tracking System) modules to track and manage controls (and their risk) to be implemented after an evaluation is done. These modules are responsible for managing the remediation actions to be performed in different assets, assisting in bringing risk down to the defined acceptable level. In the Evaluation Module, the user may choose to "accept" or "treat" the controls (and their risk), grouped or not, by creating activities. The user can prioritize the activities, appoint them to teams and send them to the Event Manager, where the issue will be treated and its evolution will be tracked. The next development for the Event Manager is the ability to report back to Risk Manager.In addition, data can be exported in XML or spreadsheet format in order to be imported to other tools, allowing clients to manage the task from a different application if needed so.Gap identification is achieved by creating a "target" analysis (with the metrics one intends to achieve), closing it and creating a follow-up copy (which will contain all assets, analyses and metrics from the "target" analysis). This follow-up copy will, then, be answered using the current available data collected from the real environment. With those two sets of data, it is possible to estimate precisely the existing gap
• Risk communication : Risk communication is made through the 28 reports showing different perspectives of risk.

Other phases

• N/A

Other functionality

• Compliance Module with standards and regulations :The MetaFramework™ allows the user to produce a score and set of reports for any of the contained standards. So, if you complete a SOX audit, you can then request a HIPAA score/report, a PCI report, or a NIST scoring for your government division.This will enable your IT security staff to gather and store evidence, using a risk management approach, in preparation for compliance with all the various audits you are subject to during the year.
• Live Up-date: feature to download the latest controls, standards and automatic collectors. Modulo's Security Research Lab updates this approximately every two weeks.
• Business Continuity Plan: BCP Module integrated in Risk Manager Solution.
• WEB Interview: For remote usage.
• Geo-referenced risk: Risk map with Google Earth.
• PDA use: Use of PDA to remote interview.

Information processed

• Security Governance graphic view
• Scorecard with risk index and compliance risk
• Risk Analysis report
• Detailed Risk Report
• Compliance Analysis Report
• Spreadsheet generation

Lifecycle
Date of the first edition, date and number of actual version

Date of first release : August 2003 (commercial version)
Date and identification of the last version : 5.0 version – August 10th /2007

Useful links
Link for further information

Official web site : http://www.modulo.com
user group web site : N/A
Relevant web site : http://www.modulo.com/latama (spanish), http://www.modulo.com.br (portugal)

Languages
List the available languages that the tool supports

Languages available : English and Portuguese

Pricing and licensing models
Specify the price for the product (as provided by the company on December 2005)

• Price : On request. License packages for small, medium, large, enterprise wide business. Depending on the size of assets (servers, databases, routers, desktops, notebooks, people (web interview), and compliances modules used.
• Maintenance : On request

Sectors with free availability or discounted price : On request

Trial before purchase
Details regarding the evaluation period of the tool

CD or download available : Yes
Identification required : yes
Trial period : 30 days

Tool architecture
Specify the technologies used in this tool

• Database : Store evidences and knowledge bases. MS SQL Server, MSDE.
• Web server : Interface. MS IIS.
• Application Server : N/A
• Client : Interface

Page top

Scope

Target public
Defines the most appropriate type of communities for this tool

• Government, agencies
• Large scale companies
• SMEs
• Commercial CIEs
• Non commercial CIEs

Specific sector : N/A

Spread
Information concerning the spread of this tool

General information : Over 4000 projects/engagements using Risk Manager
Used inside EU countries : Portugal, Austria, Germany, Italy
Used outside EU countries : United States, Brazil, Chile, Argentina, México, Uruguai, Switzerland

Level of detail
Specify the target kind of people for this tool based on its functionality

Management : Users must be registered. According to their role (Security Officer, Manager or Analyst), a user can have different privileges and will access different functionalities of the system.

• Security Officer. This type of user has the most powerful set of privileges within the system. A security officer can register other users (including Security Officers) and change their passwords. They are also responsible both for setting up the system, determining the Password Policy for instance, and for administering it by, among other tasks, periodically checking the audit trails. For small Organizations, the Security Officer may perform all activities relating to the system. In bigger Organizations, the Security Officer may delegate some tasks to certain individuals, as long as they have been previously registered as a Manager-type user.
• Managers. Perimeter Manager - A Perimeter Manager has, for his/her perimeter, the same privileges of a Security Officer, except for those related to System Administration and only within specified Perimeters of the Organization (subdivision of the Functional Structure tree). Organization Manager – A Manager can also be responsible for the whole organization, so he will have rights over all of the perimeters that belong to it. He can also access the Compliance and BCP modules if they are enabled.
• Analyst. Analysts are responsible for obtaining the relevant information related to the Analyses of Asset Components (existing controls and Risk estimation) and feeding them into the system. Their only right is to access the Questionnaires for which they are responsible using the Questionnaire module. Note: The Users with lower privileges than the Security Officer (Managers and Analysts) only have access to the Menus of the functionalities that they are allowed to access.

Operational : Operations are carried out according to the previously established roles.
Technical : Any registered user can log on to Risk Manager as long as they can have access (connectivity) to the system hosting it.

Compliance to IT Standards
List the national or international standard this tool is compliant with

• ISO 27001, PCI-DSS, ITIL /ISO 20000, COBIT 4.1, BS 25999, Sarbanes-Oxley, HIPAA, FISMA, FIPS 199, FISAP, NIST 800-53a, DOD 8500.2, A130

Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard

• ISO 27001, PCI DSS, Sarbanex-Oxley, HIPAA, FISMA

Training
Information about possible training courses for this tool

Course : Risk Manager Operations / Risk Manager Advanced
Duration : 2 days / 3 days
Skills : IT and Security
Expenses : On request

Page top

Users viewpoint

Skills needed
Specify the skills needed to use and maintain the solution

• To install : General IT
• To use : Security, Risk Assessment
• To maintain : Security, Risk Assessment

Tool Support
Specify the kind of support the company provides for this product

Support : On-site, phone, e-mail, Skype and chat

Organization processes integration
Describe user roles this tool supports

Supported Roles

• N/A

Intergration in Organization activities

• N/A

Interoperability with other tools
Specify available interfaces or other ways of integration with other tools

• MBSA (Microsoft Baseline Security Analyzer), Google Earth, MS VISIO, MS Active Directory Export to MS Word, MS Excel, HTML and XML format.

Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides

• Customized : Customers can create their own knowledgebase to manage specific policies.

Flexibility of tool's database
Can the database be customized and adapted to client requirements?

• N/A