Smart Information Security Management System (SISMS)
Tool Identity Card
Basic information to identify the product
Tool name : Smart Information Security Management System (SISMS)
Vendor name : CYMSOFT BILISIM TEKNOLOJILERI
Country of origin : Turkey
Level of reference of the tool
Details about the coverage or the « originators » of the solution
Coverage : World-wide (sector oriented)
Supported by organization, club,... (e.g. as sponsor) : Technical research support is provided by TÜBİTAK (The Scientific and Technological Research Council of Turkey)
Brief description of the product
Give a brief description of the product containing general information, overview of functions…
SISMS is a full-scope information security management system software package that uses an expert system for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security management. It helps organizations apply the international standard ISO 27001 (2005). The system scans the organization's network, including all hardware assets and their operational information (type, operating system, specifications, activity and utilization, etc.). It determines open or filtered TCP and UDP ports and the versions of the services running on open ports, and it produces a network map of the organization. This network visibility is the critical success factor of SISMS in controlling user, system and network access. The system has three main functions: the network monitoring described above; text-based applications that establish the other modules by defining the requirements and the actions to be taken according to ISO 27002 (2005); and smart applications that determine the present security state of the organization. The SISMS modules are listed below:
Inventory manager (including asset evaluation): All the information assets of the organization on the network are automatically discovered, classified according to the categorization scheme and registered by this module.
Resource manager: The hardware assets on the network are traced and monitored by this module, which produces reports with detailed information about active devices.
Vulnerability manager: This module helps the information security expert determine vulnerabilities and match them with the information assets of the organization.
Current security state determiner: This module determines the current security state of the organization according to the controls defined in ISO 27001. Each control is converted to an easily understandable question.
Risk manager: This module evaluates the risks for each information asset according to its vulnerabilities and threats. The risk evaluation is performed using five different methods drawn from ISO 27001 and ISO 27005.
Protector: This module determines whether the required protections have been applied so that the information assets' risk values are reduced to an acceptable level.
Reporter: All the mandatory ISMS documents are produced by this module as templates or documents in MS Office formats.
ISMS process viewer: This module shows the whole system and its compliance with ISO 27001 in all phases, and lets senior management view the security status of the system.
Specify the functionality this tool provides.
R.A. Method activities supported
Risk identification : For efficient risk identification, the text-based application modules in SISMS collect all the input data (identification of assets, threats, existing controls and vulnerabilities) needed for the risk estimation activity.
Risk analysis : After the risks are identified, the Risk Manager module uses five different qualitative and one quantitative estimation methodologies.
Risk evaluation : The Risk Manager module automatically compares the level of risk against the risk evaluation criteria and the risk acceptance criteria.
Asset inventory & evaluation : The Inventory Manager module automatically collects information about the assets on the network at a suitable level of detail. Other assets can also be added to the inventory manually. Then the evaluation process takes place.
R.M. Method phases supported
Risk assessment : The Risk Manager module performs the risk analysis and risk evaluation activities iteratively in SISMS.
Risk treatment : SISMS produces a list of risks prioritized according to the risk evaluation criteria, and related controls are merged to reduce, retain, avoid or transfer the risks.
Risk acceptance : The Risk Manager module collects the data needed for residual risk assessment and supports management's acceptance decision.
Risk communication : Information about the risks can easily be shared between the authorized users of SISMS for risk management purposes.
Determination of the security state of the organization : First, SISMS applies a questionnaire to the user to determine the initial security state of the organization. The result is evaluated by a smart application running on CLIPS: the expert system reasons over the facts/instances created from the answers, according to rules derived from the ISO 27002 standard, to determine whether the security requirements are met.
Documentation : Any type of document can be uploaded to or downloaded from SISMS to fulfil the documentation requirements.
SISMS information : SISMS information consists of the organization's asset information and the ISO 27001 requirements, controls, rules, processes and procedures.
Date of the first edition, date and number of actual version
Date of first release : R1 March 2011
Date and identification of the last version : R1 March 2011
Link for further information
Official web site : http://www.cymsoft.com
User group web site : N/A
Relevant web site : N/A
List the available languages that the tool supports
Languages available : English,Turkish
Pricing and licensing models
Specify the price for the product (as provided by the company on March 2012)
- Maintenance: N/A
Sectors with free availability or discounted price : N/A
Trial before purchase
Details regarding the evaluation period of the tool
CD or download available : Yes
Identification required : Yes
Trial period : 30 days
Specify the technologies used in this tool
Database: MS SQL Server 2008 R2 is used for the purposes listed below:
1.SISMS tables,
2.Tables used for content management,
3.Database for user authentication and authorization.
SISMS tables consist of tables related to information security, CLIPS expert system tables and tables for network management. Content management tables are used for the web pages. The user authentication and authorization tables manage user authentication with ASP.NET.
Web server: MS IIS
Application Server: Microsoft Windows Server 2008 is used for the web-based application.
Client: Any client
Defines the most appropriate type of communities for this tool
Large scale companies
Non Commercial CIEs
Specific sector : N/A
Information concerning the spread of this tool
General information : World-wide in many different organizations
Used inside EU countries : Yes
Used outside EU countries : Yes
Level of detail
Specify the target kind of people for this tool based on its functionality
Management : The management part of SISMS consists of the Project Management, Vulnerability Management, Rule Management and Control Management sections. These modules collect the data that constitutes a directive for the operational processes of the tool.
Operational : The Risk, Resource, Inventory and Documentation Managers and the Security State Determination module are the operational part of SISMS. At this stage a smart application built on the CLIPS expert system is used to determine the present security state of the organization. Both the requirements of the organization according to the controls included in ISO 27001 and the rules that should be applied to fulfil those requirements according to ISO 27002 are derived automatically.
Technical : Technically, the Security State Determination module determines the open or filtered TCP and UDP ports and the versions of the services running on open ports, and it produces a network map of the organization. This network visibility is the critical success factor of SISMS in controlling user, system and network access.
Compliance to IT Standards
List the national or international standard this tool is compliant with
Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard
ISO 27001 (2005) Information technology - Security techniques - Information security management systems - Requirements : The general purpose of the tool is to lead the organization to ISO 27001 certification by establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security management.
Information about possible training courses for this tool
- Course : SISMS Usage
Duration : 5 days
Skills : IT personnel are preferred
Expenses : Webinar (No expenses)
Specify the skills needed to use and maintain the solution
To install : The tool is deployed by the manufacturer
To use : Preferably IT personnel, after the 5-day training
To maintain : The tool is maintained only by the manufacturer, based on feedback from end users
Specify the kind of support the company provides for this product
Support : The manufacturer provides on-site support
Organization processes integration
Describe user roles this tool supports
Integration in Organization activities
Interoperability with other tools
Specify available interfaces or other ways of integration with other tools
Monitoring system to identify and resolve IT infrastructure problems before they affect critical business processes : Nagios
Network exploration and security auditing : Nmap
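As an added worked example (not CYMSOFT's code, and not a description of how SISMS itself ingests scan data), the Python script below shows the kind of hand-off that the network-monitoring and Inventory Manager functions described above and the Nmap interoperability entry imply: it parses the XML report that `nmap -sV -oX` writes, keeps only hosts that are up, records open and filtered TCP/UDP ports together with any detected product and version, and reconciles the discovered addresses against a list of registered assets. The XML report, the host names and addresses, and the registered-asset list are all constructed for the example; Nmap's `open|filtered` state for UDP ports is real and is handled as "possibly open".

```python
"""Build an asset inventory from Nmap XML output (added example, not SISMS code).

Nmap writes this format with e.g.:  nmap -sV -sT -sU -oX out.xml 192.0.2.0/29
The report below is a hand-constructed, trimmed sample in that format.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: two hosts up (one with a UDP "open|filtered" port), one host down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sT -sU -oX out.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="fileserver.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/>
        <service name="snmp"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    protocol: str   # "tcp" or "udp"
    port: int
    state: str      # Nmap state: "open", "filtered", "open|filtered", ...
    name: str = ""
    product: str = ""
    version: str = ""


@dataclass
class Asset:
    ip: str
    mac: str = ""
    hostname: str = ""
    os_guess: str = ""
    services: list = field(default_factory=list)

    def ports(self, state_prefix):
        """(protocol, port) pairs whose state starts with state_prefix.
        Using a prefix means "open" also matches Nmap's UDP "open|filtered"."""
        return [(s.protocol, s.port) for s in self.services
                if s.state.startswith(state_prefix)]


def parse_nmap_xml(xml_text):
    """Return one Asset per host that Nmap reports as up; closed ports are dropped."""
    assets = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        asset = Asset(ip="")
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                asset.ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                asset.mac = addr.get("addr")
        hn = host.find("hostnames/hostname")
        if hn is not None:
            asset.hostname = hn.get("name", "")
        osm = host.find("os/osmatch")
        if osm is not None:
            asset.os_guess = osm.get("name", "")
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state == "closed":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            asset.services.append(Service(port.get("protocol"), int(port.get("portid")),
                                          state, get("name"), get("product"), get("version")))
        assets.append(asset)
    return assets


def reconcile(assets, registered_ips):
    """Compare the scan with the registered inventory.
    Returns (unregistered, unseen): live hosts the inventory does not know,
    and registered hosts the scan did not find."""
    seen = {a.ip for a in assets}
    registered = set(registered_ips)
    return sorted(seen - registered), sorted(registered - seen)


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for a in inventory:
        print(a.ip, a.hostname or "-", a.os_guess or "-")
        for s in a.services:
            print(f"  {s.protocol}/{s.port} {s.state} {s.name} {s.product} {s.version}".rstrip())
    # Constructed registered-asset list: .12 is registered but was down, .11 is unknown.
    print("unregistered / unseen:", reconcile(inventory, ["192.0.2.10", "192.0.2.12"]))
```

The two lists that `reconcile` returns are the ones an inventory manager has to act on: an unregistered live host is either a new asset to classify or a rogue device, and a registered host that the scan no longer sees should be confirmed as decommissioned rather than silently dropped from the register.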
Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides
Flexibility of tool's database
Can the database be customized and adapted to client requirements?