Caliber GRC Select is a web-based suite of applications that improves specific GRC processes. GRC Select is not a general GRC platform: we selected the highest-value GRC scenarios to focus our services on and provide them to our customers. GRC Select currently contains seven applications.
- Risk Communicator: Risk Communicator focuses on saving you time, communicating visually, and improving the effectiveness of your risk and budget prioritization process.
- Compliance Communicator: Compliance Communicator is used to assess current controls against a control standard, including the ability to map multiple standards to a common control set.
- Metrics Manager: Metrics Manager enables you to define, manage, and communicate your security metrics to demonstrate progress over time.
- Service Manager: Service Manager enables you to define the set of services your security team provides the business and track how your team's work efforts are distributed.
- Vuln Tracker: Vuln Tracker compares the age of scanner-based vulnerabilities to your patch timeframes, enabling governance over your vulnerability management process.
Our higher-priced subscriptions also include the following:
- Test Manager: Test Manager streamlines the workflow Caliber Security pen testers use when assessing applications. Test Manager is also available to customers with internal pen test teams.
- Performance Dashboard: Performance Dashboard provides a holistic view across Test Manager, tracking test case progress, aging findings, and categorizing findings by vulnerability type and asset.
Each application has its own help page with application-specific help topics.
Our goal is complete customer satisfaction. If you have any questions about the GRC Select Suite or encounter any issues, please contact us at firstname.lastname@example.org or call during West Coast business hours: 206-979-0292.
You can also visit our open forum to submit questions and discuss GRC Select applications.
The GRC Select Suite is a Web application designed for modern browsers. No plugins or extensions such as Flash or Silverlight are required. The software is tested for compatibility with Internet Explorer 10.0 and newer and the current versions of Firefox, Safari, Chrome and Opera. Please let us know if you have any problems using the application with your browser.
For reading downloaded reports, we support Microsoft Word 2003, 2007, and 2010. Unfortunately OpenOffice does not fully support vector graphics, so this word processor is unsupported. Please let us know if you have any problems downloading or reading reports.
- Full screen: Want to see more content in the GRC Select Suite? Press F11 in Firefox or IE.
- Zoom: Prefer larger or smaller fonts? Press Ctrl +/- in Firefox or IE.
- Toolbars: Want to see even more content? Remove browser menus and the status bar.
- Back Button: Avoid using the browser's back, forward, and reload buttons until you are done using the GRC Select Suite and are ready to do something else with the browser window.
- Sign Out: Remember to explicitly sign out when finished. This will inform others that you are done making changes to shared content.
All bulk data used by the four applications is encrypted, both when in transit and when at rest on the server. In transit, data is encrypted using SSL with strong bulk ciphers and keys of at least 128 bits. At rest, data is encrypted using 256-bit AES. In particular, each user group has its own master encryption key, and this master key is not stored in plaintext on the server.
Instead, a copy of the master key is encrypted using a key derived (via PKCS5 PBKDF2) from each user's username and password. When the user logs in, the server can decrypt the group key and create a separate encrypted copy of the group key just for the user's session. This session copy is encrypted and decrypted using the user's session token.
Therefore it is not possible to decrypt the group key (or any assessment data) without a valid username and password or an active session token. Neither of these is stored on the server, as they must be supplied by the user. Additionally, if credentials from one user group are compromised, those credentials cannot be used to decrypt data belonging to any other group.
To help mitigate the risk of data loss, we keep multiple backups of assessment data. These backups are guaranteed to cover each hourly period for the past 5 hours, and depending on site activity, we may have older data as well. If you have an emergency situation in which you accidentally delete an important assessment or accidentally save a large number of unwanted changes, it may be possible for us to recover the lost data. These backups are fully encrypted just like the main database, so they do not expose your data to any additional risk of disclosure.
In addition, we keep an encrypted copy of the master key for each group of users, and using this key we can reset your password if you cannot reset it any other way. Note that any member of your group with the user administrator role can reset your password through the portal page. The private key used to encrypt these group keys is never stored on any piece of hardware not under the direct physical control of Caliber, so it cannot be accessed by third parties such as the hosting provider.
GRC Select Portal
The Caliber GRC Select Suite is your portal to manage users and access Suite applications. To access an application, click on the application image or title. Note the navigation link at the top of the page. Once you enter an application, use the navigation link at the top of the page to return to the GRC Select Suite portal page.
Note: User management requires the "User Admin" role. Otherwise, functionality is limited to changing your own password.
Note: The word "locked" appears in red in the table for users whose accounts are locked because of excessive authentication failures. To unlock a locked account, set a new password for it.
- Add User
To add a new user, click the New button. The GRC Select Suite requires unique user names. We recommend using email addresses. Click in the "Email" field to complete the user's login name for the GRC Select Suite. Input a password for the user. Enter your own current password in the Your Password field. Click the "Save User" button.
- Delete User
To delete a user, click in the Manage Users table to select a user name. Then click the "Delete" button. After acknowledging the warning prompt, the user will be permanently deleted.
- Change Password
To change a password, click in the Manage Users table to select a user name. Type a new password in the Password and Verify fields at the bottom of the page. Then enter your own current password in the Your Password field. Click Save.
Technically, the email address is not required to be valid; it need only be unique. However, if we need to send an announcement to all users (planned maintenance, etc.), we cannot reach you if you don't provide a working email address. Nonetheless, there may be situations which call for creating an account not tied directly to a real email address.
For example you might want to create a duplicate account for yourself so you can have multiple sessions open at the same time. In that case, create an account using a name based on your existing account (email@example.com) so other users in your group understand whose account it is. Then specify your real email address in the "Alternate Email" field. You can also use the "Alternate Email" field to specify the address where codes will be sent if Device Authorization is enabled.
The GRC Select Suite offers role definitions to manage access to each application. These roles may be configured using the checkboxes in the Manage Users table. Only users with the User Administrator role can grant or revoke access privileges, add or delete user accounts, and change user passwords. The rest of the roles grant access to specific applications in the suite.
Using the buttons, you can request that the application generate an Emergency Password for your account. You can also clear any existing Emergency Password if desired. By design, you cannot choose this password and it only stays valid until it is used to reset the regular password. If you request an Emergency Password, one will be generated randomly and shown in an alert box. There is no way for either you or Caliber to view this password once the alert box is closed.
The Emergency Password can be used if you forget your standard password or your account is locked because the consecutive password failure limit has been reached. Treat your Emergency Password as you would other confidential information: for example, keep it printed in a secure, locked enclosure, or stored electronically and encrypted.
Access to the portal applications is controlled according to the portal roles scheme. Each application has its own section in this help manual, as well as context-specific help links built into its user interface.
Portal Access log
The portal shows an access log under the Audit tab. The server keeps a log of each time a user loads, saves, or deletes a document in any of the applications in the suite. The log entries are kept for 90 days. If you require an export of the log data, please let us know.
Depending on the roles assigned to your account, you may not see all the log entries which have been recorded. You are shown log entries only for those applications to which you have access.
Configuring Password Policy
You can adjust the password complexity rules to match those of your organization. You can specify a minimum password length, and minimum number of various types of characters. You can also set a maximum password age and a limit for the number of consecutive login failures for a given user account.
Note: Passwords are allowed to contain any Unicode character.
Note: The highest allowable limit for the number of consecutive password failures is 10.
Configuring Network Access Restrictions
You can limit the network(s) from which your users may access the Caliber Suite of applications. With restrictions in place, users will be unable to log in to the applications or access data, even if they have valid credentials, if their IP address (as seen by the Web server) is outside the allowed range. Due to proxies, NAT, and other network features, it is likely that a user's IP address as seen by the Web server is different from their computer's IP address on the local network.
Before using the Network Address Restrictions feature, be sure you know the correct range of Internet-visible IP addresses to use. One way to double-check is to look at the IP fields in the Data Access Log (on the right-hand side of the User Manager tab). Those are the IP addresses observed by the Web server when users have accessed application data.
The format of the network list is simple. Enter ranges of IP addresses, each on a separate line. A range can be either a single IP address (e.g. 126.96.36.199), in which case that single address is permitted, or a beginning and ending address separated by a single hyphen (e.g. 188.8.131.52 - 184.108.40.206), in which case the entire range, including the beginning and ending addresses, is permitted.
The access control logic denies all access, except for addresses specifically permitted. The only exception is when the access list is totally empty. In that case, access limits are turned off, and users with valid credentials may access the applications from any address.
Configuring Device Authorization
Device Authorization requires all users to check their email to receive an authorization code when they log in. After they log in successfully using a code, a persistent cookie is set that allows the user to log in with just their regular credentials. This cookie expires after 90 days.
Enabling Device Authorization adds a second factor to the authentication process, mitigating weaknesses in purely password-based schemes. For example, some users reuse the same password for multiple purposes, and some write their passwords on a sticky note left in plain view. Some users create passwords that can be guessed in just a few attempts, or they may be tricked into giving their password to someone else.
The Device Authorization process protects against attacks which exploit these weaknesses: the code sent by email is random and difficult to guess, it expires after 10 minutes and can only be used once, and once it is used a new random string is set as the persistent cookie without the user ever seeing it.
Generally the user's email address is used as their username, and the code will be sent to that address. If for any reason the user wants codes to be sent to a different address, an alternate email address can be specified on the User Manager tab.
Configuring Session Timeout
The server will enforce limits on session length as specified in the menus. In the case of idle timeout, please note that not all activity generates requests to the server, so your session may time out if you do not save your work at least as often as the idle timeout interval.
The Software Subscription tab shows information about payment methods and your current subscription.
Welcome to Caliber Risk Communicator, a Web application to help IT Security managers streamline the process of defining appropriately scoped risks and defending a risk-based budget. Risk Communicator is focused on saving you time and improving the effectiveness of your budgeting process. Risk Communicator is not meant to justify your existing "business as usual" headcount, operating, and capital expenditures. Rather, our focus is developing a consistent, defendable process to justify new spending on projects which manage risk for your business.
All data in Risk Communicator is stored as a collection of "assessments", which can be thought of as separate documents. An assessment is a collection of risks and projects which describe your security priorities at a moment in time. The overall goal of the application is to enable you to efficiently prioritize these risks and justify spending on these projects, and the application is divided into the following tabs which correspond to steps in the workflow:
- Home: Manage your assessments
- Risk Builder: Define the risks that are driving your IT security projects
- Risk Map: Determine which risks are most important to your business
- Project Builder: Define projects and enter the cost/benefit information for each project
- Project Map: Prioritize projects based on business value
- Budget: Evaluate which projects are right for your business, given budget constraints
- Report: View a graphical summary of the results and download graphics and text as a Word document or export assessment data as a spreadsheet (CSV). Choose multiple assessments and generate a trend plot of risk scores.
- Project Tracker: Track the status of funded projects.
- Risk Tracker: Show updated risk score and status after treatment actions.
The tabs may be visited in any order. Since each step in the workflow builds on the previous step, it is a good idea to proceed in order at first, and then go back as needed to make changes. Changes made on one tab affect the others, so that if you rename a risk, for example, its name is updated everywhere it appears.
Additionally, the application remembers your selections, so that if you select a project on one tab and then switch tabs, the project will stay selected. For example, if you are looking at the Budget tab and realize the cost information for a certain project needs to be adjusted, you can select the project by clicking on its row in the table or on its bullet or label in the map, and then switch to the Project Builder tab to edit the cost information.
The application does not automatically save your changes, so you may make experimental changes to an existing assessment without the risk of losing anything. If you decide not to keep your changes, you can reopen the assessment, which will abandon your changes. When working on a new assessment, it is a good idea to save your work regularly, perhaps when visiting each new tab. The save button is featured prominently in the upper-right corner of the screen. The current assessment's title and a status indicator are next to the save button.
The status indicator is a short piece of text which tells you what state the assessment is in. The state can be one of the following:
- New: You just logged in, or you just created a new assessment
- Loading: You have chosen an assessment, and the data is being loaded from the server
- Loaded: Loading has completed and you may edit the assessment or print a report
- Upgraded: Loading has completed, but the application has made some adjustments to the assessment data so that it is compatible with the latest version of the application. You may edit the assessment as usual, and you will need to save it before printing a report.
- Saving: You have clicked the Save button, and data is being sent to the server.
- Saved: The assessment was saved successfully.
- Error: The previous load/save/delete operation failed.
- Unsaved Changes: You have made changes which have not been saved. If you close your browser, navigate to a different page, or open a different assessment, you will lose these changes.
Risk Communicator has a few underlying philosophies that are important to note:
- Risk Based Investments: all projects should be mapped to one or more risks being addressed for the business. There are exceptions. For example, if a project is simply focused on efficiency gains it may not address any risks.
- You Know Best: Risk Communicator simply enables you to communicate your message consistently in a defendable manner. By design, you can adjust how important each risk and project is to your business.
If you would like more tutorial information, continue reading the help sections for each tab. These sections explain how to perform common tasks and give advice on scoring both risks and projects.
The Home Tab manages your assessments.
Creating a New Assessment
If you have just logged in, you are already working on a new assessment. You can edit the title and make some notes describing the assessment by editing the labeled fields in the "Open Assessment" widget. After adding some risks and projects, be sure to save the assessment.
If you were working on a different assessment and you would like to create a new assessment, be sure to save the other assessment first. Then you can create a new assessment by clicking the New button above the assessment table.
Opening an Existing Assessment
To open an existing assessment, select an assessment by clicking on a row in the Manage Assessments table and then click the Open button. Depending on your network connection, loading an assessment may take a few seconds.
When opening an assessment, make a note of who else may be using the assessment by checking the "In Use By" column of the table. If you are simply viewing the assessment or printing a report, it is safe to open an assessment which is being used by someone else. However, if you intend to make changes, you should coordinate with other users so you do not overwrite anyone else's changes with your own. You can also save a copy of the assessment after opening it so that your changes are saved separately.
Note: For reference, the title of the assessment you have open appears in the upper-right-hand corner next to the Save button.
Deleting an Assessment
Deleting an assessment is generally permanent (there are some limited recovery options), so you should think carefully before deleting an assessment. Instead of deleting it, consider archiving or tagging it.
If you decide that deleting an assessment is really what you want to do, select an assessment in the table and click the delete button. It is not a good idea to delete an assessment that is in use by another user unless you are completely sure the other user does not intend to save their copy. Future versions of the application may completely disallow deleting an assessment which is in use.
Marking an Assessment Final
After you have finished an assessment and saved your changes, you may want to mark the assessment so that no further changes can be made. To do this, click the checkbox in the "Final" column of the assessment table. Once an assessment is marked "Final", the assessment may be opened, but no changes may be saved. The "Final" mark may not be cleared once set, but the assessment may be deleted. If you want to make changes to a Final assessment, open it, save a copy, and save your changes to that copy.
Archiving an Assessment
If you want to hide an assessment from the assessment table without deleting it, click the checkbox in the "Archived" column for that assessment. This column may not be visible. If it is not visible, click the "Show Archived" checkbox on top of the assessment table. Once an assessment is marked as "Archived", it will not be displayed in the assessment table or trending menu if the "Show Archived" checkbox is unchecked.
Using Filter Tags
The "archive" flag provides a simple way of hiding assessments without deleting them. If you need more flexibility than this flag provides, you can use custom tags to organize your assessments. Each assessment may be assigned one or more tags separated by spaces by editing the Filter Tags field below the assessment title.
For example, if you have both "draft" assessments for use only within the security team for purposes of discussion and "public" assessments for use in reporting to regulators and executives, you can tag each assessment as either "draft" or "public." Then you can select either of these terms as a filter in the assessment table and then filter the table so that only assessments with the given tag are shown.
Refreshing the Assessment Table
If you want to update the assessment table, perhaps to check if someone still has an assessment open, click the Refresh button at the top of the table. Note that for certain kinds of operations (including loading, saving, and deleting assessments), the table is refreshed automatically.
Editing Assessment Properties
After opening an assessment, you can edit its title, tags, and notes in the "Open Assessment" area on the right-hand side of the interface. The Filter Tags field is described elsewhere. The notes field is for any notes you would like to keep about the assessment. For example, you might want to keep a log of changes if you are collaborating with other people. Or you might want to describe the purpose of the assessment to distinguish it from other, similar assessments.
Note: To edit the notes field, unlock the editor area using the Unlock Editor button. When the editor area is unlocked, you can edit text using the keyboard and you can also paste formatted content from other sources. The application will attempt to preserve the formatting as well as possible. At this time pasting hyperlinks is supported, but pasting images or other types of graphics is not supported.
Note: Hyperlinks in the notes field are not usable while the editor area is unlocked. To use links, lock the editor using the Lock Editor button.
Saving a New Copy of an Existing Assessment
At any time while working, you can save a new copy of your assessment. This saves your data as a new assessment instead of overwriting the old version. You save a copy using the 'Save as New' button in the upper-right corner of the tab. Before saving a copy, it is a good idea to change the assessment name and make a note in the notes field regarding the purpose of the new copy.
Viewing the Assessment Log
The assessment log tracks activity in the assessment such as adding, deleting, and renaming risks and projects. The log is read-only, and does not contain log entries for changes made before the log table feature was available. If you wish to keep track of other important changes not tracked in the log table, you may use the assessment notes field.
To justify new security projects, it is necessary to first define the risks which create the need for the projects. Whether you use a Governance, Risk, and Compliance (GRC) software suite or simply collect risk data manually, you need to organize all of the risk/vulnerability data into a form suitable for use with Risk Communicator. For example, instead of defining a risk item for each unpatched server, it is far more useful to define one general risk item for all unpatched servers. Then you can add a note to the risk item explaining how many unpatched servers there are, and how serious the underlying vulnerabilities are.
Navigating the Risk Tree
Risks in the "Risks in Assessment" area are organized in a tree. Risks are grouped by Risk Category, which is one of the editable fields in the Risk Panel. To move a risk to a different category, select the risk and change the category using the Risk Category menu.
Risks which have not been assigned a category are listed under the "Default" category.
Risk categories can be expanded and collapsed by clicking the "+" or "-" icon to the left of the category title.
Creating a Custom Risk
- Click the New button in the "Risks in Assessment" area.
- Fill out the risk properties in the Risk Panel.
- Repeat to add additional risks
Tip: Select a concise risk title to conserve space in the Risk Map.
Tip: Use the Caliber Repository assessment as a guide to help define the right level of detail for each risk. Choosing too tactical or overly broad risks reduces the effectiveness of your justification for resources.
Importing a Risk
To kick-start the process of defining risks, Risk Communicator provides a repository to help you input and define risks at an appropriate level of detail. The repository is an assessment called Caliber Repository, and you can import risks from it using the Risk / Project Importer. You can use the importer to import risks from the repository, or from any of your other assessments.
If you choose to utilize the repository, be sure to add specific evidence in the Likelihood and Impact descriptions. These descriptions will be your storyboard to discuss real-world evidence to further articulate and defend the need to address the risk during the budgeting process.
Editing an Existing Risk
- Locate the appropriate row in the Risk Status Table
- Click the risk title to open the Risk Panel.
- Edit the risk properties in the Risk Panel.
Tip: Many fields in the Risk Panel provide a selection menu containing the values you have used for that field in other risks in the assessment. Some menus also contain default values. Additionally, each menu contains a special item which, when selected, allows you to type a new value not in the menu. For example, the Risk Category menu has an item called <Add Risk Category>.
Using the Risk Status Table
The Risk Status Table is similar to the Risk Table on the next tab. You can sort columns by clicking the column headings. If you are doing a structured assessment based on a security standard such as ISO 27001 or PCI, you can use the table to view and change which risks are "Active" or "Mitigated", i.e. which control areas are sufficient or deficient.
In order to facilitate standard-based assessments, the Risk Notes (which define each part of the standard) and Control Notes (which allow you to explain why the standard is or is not met) are editable directly in the Risk Status Table. So you can quickly move through each part of the standard, reviewing the requirement and listing applicable controls.
The Ticket button creates a new ticket associated with the control item. The ticket fields may be edited, and they are saved automatically. Using the Ticket feature requires user permission for that specific feature. Tickets may be viewed on the Tickets tab of the Performance Dashboard application.
Using the Risk Panel
The Risk Panel is like a mini-window on the page which may be moved by dragging its title bar, and it may be closed by clicking the X in the upper right corner. It always shows information about the currently-selected risk, and it will stay open if you switch between tabs in the main interface.
The Risk Panel is organized into several tabs, according to the various stages of working with a risk.
- Start: Define the basic properties of the risk, and develop a narrative explaining the scenario.
- Likelihood: Record evidence regarding the likelihood of an event.
- Impact: Record evidence regarding the impact of an event.
The Risk Panel Start Tab
The key elements of this tab are the large notes field at the top and the collection of selectors at the bottom. The main purpose of the selectors is to gather the information needed to build a complete narrative of what the risk involves. A secondary purpose is to support filtering.
As you make selections, a summary is generated and appended at the bottom of the large notes field. You can use this summary as a starting point for writing a more compelling risk story at the top of the notes field. Note that the auto-generated summary text will be refreshed each time you make a selection, so there is no need to edit it manually. If you want to modify the generated text in a way that isn't possible using the selectors, make a copy of the part you want to use and put it at the top of the notes field. The generated text will still be shown, but your custom text will be shown first.
At the bottom right side of the overlay is a large multi-select field for selecting a set of security controls that apply to the selected risk. Hold the "Ctrl" key to make multiple selections with the mouse. You can use this field to document existing mitigations in a structured fashion. Before using it, you need to configure the list of controls, which you can do using the interface presented when you click the "Configure" button.
The Risk Panel Likelihood Tab
Similar to the Start tab, the key elements of this tab are the large notes field at the top and the selectors at the bottom. Additionally, this tab contains a text field containing an overall likelihood score, a selector for choosing that score, and a customization button that opens a separate panel for customizing the text which is shown in the selection menus on the Likelihood Tab.
As you make selections, two things happen. First, your selections are used to generate a summary of the likelihood side of the risk analysis, and that summary is appended to the bottom of the large notes field. As on the Start tab, you can use the generated summary as a starting point to write a few sentences describing the evidence you have regarding the likelihood of an event. Second, your selections are used to adjust the likelihood score according to a heuristic.
Essentially, the heuristic works by adding together averages obtained from the Agent/Vulnerability selections and the Controls selections. However, the computations are only a convenient way to provide an initial estimate as to what likelihood score is appropriate. Ultimately the likelihood score should be assigned according to the definitions of each score level for likelihood, which you may customize as needed. The score should be chosen according to which level best matches the evidence.
When you manually choose a likelihood score, either by editing the text field, making a selection in the menu below the text field, or moving the risk on the heat map, your choice overrides the computations performed by the heuristic. All of your selections are left unchanged, because they represent the evidence you have obtained. If you then change one of your selections, the heuristic will recompute the likelihood score, which you are free to override again as needed.
The Risk Panel Impact Tab
The Impact tab is similar to the Likelihood tab, described above. There are several differences to note, however.
First, the lower right section of the tab allows you to enter quantitative information about the risk impact. There is a special plot on the Risk Map tab to plot this information, if you choose to collect it.
Monetary estimates provide the most value in conducting cost-benefit analysis. However, be sure you document sufficient evidence to back up your monetary claim. If your evidence is weak or the impact is difficult to quantify, we suggest seeking input from the asset owner. They are in the best position to articulate the cost given your description of what assets could be affected and how.
Second, the heuristic which computes an estimate for the impact score works differently from the heuristic which computes the likelihood score. Here, the maximum Direct/Strategic cost is computed, and then if the Corrective Capability selector is used, the score is capped at the level associated with that selection. The rationale for this design is that generally only one type of cost is of concern for a given risk.
But as with the likelihood score, the impact score may be overridden by editing the score directly, making a selection in the score selector, or moving the risk on the heat map. Ultimately the score should be based on the evidence and the definitions of the score levels, not the computations being done by the software.
Editing the Master Control Tag List
The Master Control Tag List is the list of controls you can choose from in the Risk and Control Tags Overlay. The same list is used for all assessments, so you only need to configure it once. To add a new item, type a brief title in the text field at the top and click the Add button. To delete an item, click the Delete button in its row.
If you make a mistake and want to edit one of the entries, copy the text, delete the item, and then paste the text into the text field. Make the necessary changes, and then add the new item. The list is kept in alphabetical order automatically. Numerical prefixes are sorted in numerical order.
Note: You must save your changes to the list using the save button in the overlay. Clicking the main save button saves just the open assessment, and will not save your changes to the Master Control Tag List, which is stored separately from the assessment.
The goal of prioritizing risks is to build a consistent, defendable, and simple way to articulate how negative events may happen and how likely they are, enabling the best business decision to either accept or mitigate specific risks.
Once risks are added to the active assessment, you may modify the risk score of each risk in order to prioritize the risks. Each risk score is composed of two primary elements:
- Likelihood: How likely is the event?
- Impact: If there is a negative impact, how bad will it be?
You may prioritize risks in three different ways:
- Top-down Risk Plot: simply click and drag risks across the Interactive Heat Map. This adjusts the Likelihood and Impact directly.
- Detailed Analysis: for new or contentious risks, document your risk score using the Risk Panel to fully explain why a score was selected. This view facilitates debate among security professionals and enables consistent documentation of the results, allowing you to build consensus.
- Quantified Impact Plot: when you have sufficient evidence on the monetary impacts of risks, use the Quantified Impact Plot to prioritize risks with monetary ranges over the relative likelihood scale. Impact data may be entered in the Impact tab of the Risk Panel.
Using the Risk Table
You can use the risk table to select a risk for editing in the Risk Editor area. To select a risk, click its row in the table. You can also sort the table by many of its columns. Click the column header to sort by that column. Click it again to reverse the direction of the sort.
The risk table and map may be filtered to show only risks which match certain criteria. Use the selectors in the overlay to configure the filter. Selecting multiple fields using the checkboxes is equivalent to a logical "and". You can select multiple values from the value list using the "Ctrl" or "⌘" key, and doing so is equivalent to a logical "or". Selecting the Filter Out checkbox for a field is equivalent to a logical "not."
For example, if you select the Risk Category and Risk Status fields, and select the "Application" category and "Active" and "Mitigated" statuses, this will show risks which match the logical predicate "Risk Category == Application and (Risk Status == Active or Risk Status == Mitigated)." If you select "Filter Out" for Risk Status, the predicate changes to "Risk Category == Application and not (Risk Status == Active or Risk Status == Mitigated)."
Note: When a risk does not match the filter conditions, it is not shown in any of the tabs from the risk map tab onwards.
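The and/or/not filter semantics described above, worked through in Python on a few constructed risk records. This is an added example, not code from Risk Communicator; the field names and sample risks are assumptions.

```python
"""Risk table filter with the and/or/not semantics described above.

Constructed example, not code from Risk Communicator. Field names and
sample risks are assumptions chosen to mirror the help text.
"""
from dataclasses import dataclass


@dataclass
class FilterField:
    """One selected field: the accepted values and the optional 'Filter Out' flag."""
    values: set
    filter_out: bool = False

    def matches(self, record_value) -> bool:
        # Several values for one field are OR-ed; Filter Out negates that disjunction.
        hit = record_value in self.values
        return not hit if self.filter_out else hit


def risk_matches(risk: dict, selected: dict) -> bool:
    """Selected fields are AND-ed together; an empty selection matches every risk."""
    return all(f.matches(risk.get(name)) for name, f in selected.items())


def apply_filter(risks, selected):
    """Return the titles of the risks that survive the filter, in table order."""
    return [r["title"] for r in risks if risk_matches(r, selected)]


# Constructed sample risks (titles, categories and statuses are made up).
RISKS = [
    {"title": "SQL injection in portal", "category": "Application", "status": "Active"},
    {"title": "Stale admin accounts", "category": "Identity", "status": "Active"},
    {"title": "Unpatched web server", "category": "Application", "status": "Mitigated"},
    {"title": "Legacy app retired", "category": "Application", "status": "Closed"},
]

# The example from the text:
# Risk Category == Application and (Risk Status == Active or Risk Status == Mitigated)
SELECTION = {
    "category": FilterField({"Application"}),
    "status": FilterField({"Active", "Mitigated"}),
}

# The same selection with Filter Out on Risk Status:
# Risk Category == Application and not (Risk Status == Active or Risk Status == Mitigated)
SELECTION_NEGATED = {
    "category": FilterField({"Application"}),
    "status": FilterField({"Active", "Mitigated"}, filter_out=True),
}

if __name__ == "__main__":
    print(apply_filter(RISKS, SELECTION))          # two Application risks, Active or Mitigated
    print(apply_filter(RISKS, SELECTION_NEGATED))  # only the Closed Application risk
```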
Using the Risk Plot
The risk plot is interactive, and you can adjust the position of risks by dragging the circles. You can also reposition the labels if they overlap. When you click on a risk, it becomes the currently-selected risk just as when you click a row in the risk table. As a convenience, the selected risk has a larger circle than the others on the risk plot.
The zoom buttons zoom the map from the upper-right corner, so that zooming in progressively focuses the map on the high-risk region of the map.
The risk plot shows the impact and likelihood associated with each risk. To switch to one of the other types of plots, use the plot selector in the upper-right corner of the plot area.
Using the Status Plot
The Status Plot is similar to the Risk Plot, described above. The difference is that the risk items are color-coded according to their status, and the legend shows which status corresponds to which color.
Configuring Status Labels and Colors
If you are using custom status labels for risks, it is convenient to be able to assign colors to them to make the status map better at communicating its message. The "Customize" button above the Status Plot opens a panel which allows you to specify the fill color and outline color for up to 7 status labels. You may also customize the color of the "Other" status, which is used when a risk does not have one of the 7 configured status types. After finishing your configurations, click the "Save" button inside the panel.
Note: If you accidentally make customizations you don't want to save, save the assessment you have open and reload the page. The color settings will be reset to the last saved version.
Note: You can reset the color settings to the defaults by clicking the Reset button at the top of the panel. After resetting, make whatever customizations you need, if any, and click the "Save" button inside the panel.
Using the Quantified Impact Plot
The quantified impact plot enables risk prioritization by viewing the monetary impact of risks and their relative likelihood. When sufficient evidence is available to quantify the impact of specific risks, this view can be a powerful tool to improve risk mitigation decisions.
The quantified impact plot is only partially interactive. It supports moving risk title labels and dragging risks across the relative likelihood scale. To modify the monetary impact ranges, use the Impact tab of the Risk Panel.
Entering Likelihood Notes
Briefly describe how the vulnerability allows the threat to be realized; include as little or as much detail as required to clearly articulate the specific attack path and techniques required to exploit the vulnerability. Include additional details about actual cases of the vulnerability being exploited as needed to justify the rating. The description should be sufficient for another security professional to clearly understand the nature and details of the vulnerability.
In the text area, briefly describe the impact to the business if the vulnerability is exploited. Add specific examples of information assets and any evidence of past risks inside or outside your business. A good practice is to also include the volume of assets at risk, i.e. whether the risk affects 1 customer record or 1 million records.
Calculating the Risk Score
The risk score is automatically calculated by multiplying the Impact Rating (values from 0-10) by the Likelihood Rating (values from 0-10), resulting in all risk scenarios having a score between 0 and 100. The magnitude of the risk score corresponds to the colors shown on the risk map. Risks in the green region are considered low risks, risks in the orange region are considered medium risks, and risks in the red region are considered high risks.
Note: Even though you cannot change the size of the colored regions on the risk map, you still may take into account your organization's risk tolerance. For example, if the default Impact and Likelihood ratings assigned to a risk in the repository place the risk in the orange region, but the consensus among your team is that in fact for your organization the risk is low, simply move the risk to where it belongs on the map. Then, document your reasoning in the notes fields.
The Project Builder Tab is used to define work efforts, projects, headcount, or other resources requested in the budgeting process. For each project, cost estimates are collected, one or more risks are assigned, and future estimated risk reduction is entered.
Note: The Project Coverage Table displays which Risks have associated Projects. Use this table to align risks and projects. This table is read-only.
Creating a New Project
- Click the New button in the "Projects in Assessment" area
- Enter a Project Title
- Enter notes to describe the Project, e.g. scope, ownership, and project value
- Enter cost estimates for Capital or Operating Expenses by editing the cells in the table
Importing a Project
In addition to defining new projects from scratch, you can also import projects from other assessments. There are some important considerations to keep in mind when importing projects; see the Risk / Project Importer help for more information.
Editing Project Details
Use the Project Panel to input details about each project. To declare that the project addresses a given risk, select the risk from the menu near the "Risks Addressed" label, and then click the "add" button.
Navigating the Project Tree
Projects in the "Projects in Assessment" area are organized in a tree according to category, similarly to how risks are organized on the Risk Builder tab. See that section of the manual for more information.
Deleting or Cloning a Project
You may delete or clone (copy) any defined project. Cloning copies all attributes of a project, including its title, risk reductions, cost information, etc.
- Click on a project shown in the Projects in Assessment list
- Click on the Delete or Clone button
- For cloned projects, modify the Project Title, costs, and risk reduction estimates as needed
Viewing Project Coverage
While building your portfolio of projects, it may be useful to check how your current set of projects covers your current set of risks. The "Project Coverage" table shows which projects address each risk. You can sort the table by risk title or risk score by clicking the column header. The links in the "Mitigated By" column select the given project as the current project, just like the links in the "Projects in Assessment" area. Hence they may be used as an alternative means to navigate your set of projects.
Once individual projects have estimated costs and risk reduction values, the next step is to prioritize projects relative to one another. The Project Map enables projects to be prioritized by a Business Value score. In addition to the current risk scores associated with a project, the Business Value score may depend on non-security attributes of the project. The Business Value score represents your unique situation, and as appropriate, you may choose to include in the score IT's capability to deliver the project or other additional business value attributes.
Using the Project Table
The project table is analogous to the risk table. You can sort the table by title, value, or cost by clicking the column header, and you can select a project for editing by clicking on its row. The Risks column identifies which risks each project addresses.
You can filter projects in a similar fashion to the way that risks are filtered. As with risks, projects that are hidden by the filter are not shown on any of the application tabs on or after the Project Map tab. Note the "Risk Assigned Only" option is also available. This option hides projects which are not associated with any of the risks currently being shown according to the risk filter settings. In other words, it ensures that only projects relevant to currently-selected risks are shown.
Editing Project Details
The Project Map tab repeats the project notes information for convenience. You can edit it here or on the Project Builder tab. The details of the project value model are contained in an overlay. To view it, click the Model button. The overlay may be moved and closed just like the other overlays.
Computing the Business Value Score
The Total Business Value score is calculated as the average of the Highest Risk, IT capability, and Additional Value scores associated to the project. Before editing any of the parameters of the model, select a project to be edited using the project table or project map.
The Highest Risk parameter is computed as the highest risk score of those addressed by the project. Since this value is computed, you cannot edit it. However, you can have the project value model ignore its value by unchecking the checkbox below the label. Then the project value will be computed only in terms of IT Capability and Additional Value.
The IT Capability parameter is useful to address any political or technical advantages or disadvantages associated with the project, as pertains to the IT organization. You can either leave this parameter "N/A", in which case it will not be used in the model, or select a value using the menu. You can document evidence or other notes regarding your selection by using the text area.
The Additional Value parameter is useful to address general advantages or disadvantages associated with the project. You may edit this parameter the same way as IT Capability.
Note: You can customize the labels and text that are used in the parameters of the model.
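The scoring arithmetic this manual describes, in one place: the impact heuristic with its Corrective Capability cap, the risk score as Impact times Likelihood, and the Business Value score as the average of whichever parameters are in use. This is an added example, not the application's own code; the cap level passed in, the assumption that IT Capability and Additional Value share the 0-100 scale of the risk score, and the sample risks are assumptions.

```python
"""Risk Communicator scoring arithmetic as described in this manual.

Added example, not the application's code. The cap level passed to
impact_estimate, the shared 0-100 scale for all Business Value parameters,
and the sample risks below are assumptions.
"""
from statistics import mean
from typing import Optional


def impact_estimate(direct: float, strategic: float,
                    corrective_cap: Optional[float] = None) -> float:
    """Impact heuristic: take the larger of Direct and Strategic cost, then cap it
    at the level tied to the Corrective Capability selection, if one was made."""
    score = max(direct, strategic)
    if corrective_cap is not None:
        score = min(score, corrective_cap)
    return score


def risk_score(impact: float, likelihood: float) -> float:
    """Impact (0-10) times Likelihood (0-10) gives a score between 0 and 100."""
    for rating in (impact, likelihood):
        if not 0 <= rating <= 10:
            raise ValueError("ratings must be between 0 and 10")
    return impact * likelihood


def highest_risk(project_risks) -> float:
    """Highest Risk parameter: the largest score among the risks a project addresses."""
    if not project_risks:
        return 0.0
    return max(risk_score(r["impact"], r["likelihood"]) for r in project_risks)


def business_value(project_risks, it_capability=None, additional_value=None,
                   use_highest_risk=True):
    """Total Business Value = average of the parameters that are in use.

    Highest Risk is dropped when its checkbox is unchecked (use_highest_risk=False);
    IT Capability and Additional Value are dropped when left at N/A (None here).
    Assumption: all three parameters are expressed on the same 0-100 scale.
    """
    parts = []
    if use_highest_risk:
        parts.append(highest_risk(project_risks))
    if it_capability is not None:
        parts.append(it_capability)
    if additional_value is not None:
        parts.append(additional_value)
    return mean(parts) if parts else 0.0


# Constructed sample: two risks addressed by one hypothetical project (made-up values).
PORTAL_RISKS = [
    {"title": "SQL injection in portal", "impact": 8, "likelihood": 6},  # score 48
    {"title": "Verbose error pages", "impact": 5, "likelihood": 7},      # score 35
]

if __name__ == "__main__":
    print("impact, no cap:", impact_estimate(4, 7))                      # 7
    print("impact, capped:", impact_estimate(4, 7, corrective_cap=5))    # 5
    print("highest risk:", highest_risk(PORTAL_RISKS))                   # 48
    print("value:", business_value(PORTAL_RISKS, it_capability=60, additional_value=30))
```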
Using the Project Map
You may click and move the project labels on the Project Map to improve visibility. The project circles are not draggable, however. To change the value of a project, use the project model overlay. Note the color of the circles reflects the highest risk associated with the project.
The Budget tab provides value by quickly facilitating decisions about which projects to include in the budget and their effect on the allocated budget total. This exercise also clearly shows which projects will not be funded. Communicating the risk level of unbudgeted projects and articulating their impact to the business often inspires reshuffling of projects and adjustments in budget amounts.
Entering a Budget Amount
- To begin, enter the amount of your expected budget for security projects.
- Click on the Total Budget text box and enter your value in dollars.
Note: The Unused Budget text box is used to show the remaining balance of your budget as you add projects. This is a read-only field. If you fund more projects than you can afford, the amount shown is negative.
Note: The tables on the Budget tab respect the filter configured on the Project Map tab. In the Budget area, the state of the filter is shown next to the total amount of filtered projects only. The "Unused Budget" field always shows the total budget less the cost of all funded projects, irrespective of the filter state.
Now that you have prioritized risk drivers, defined projects, and prioritized the value of projects, it is time to determine which will survive the budgeting process.
- In the Funded and Unfunded Project tables, click on the Fund/Defund button to place the project in or out of budget.
- You can sort the Project tables by Project Title, Business Value, Risk Score, or Year 1 Cost.
Using the Project Map
The Project Map is similar to the map on the previous tab, with one key difference. Here, the color of the icon indicates its funding status. For funded projects, the icon color is blue. For unfunded projects, the icon color reflects the highest risk associated with the project. Use the icon color as a guide to articulate the impact of not funding the project.
The Report Tab enables you to export graphics and information for use in other presentation formats or analysis.
Choosing a Summary Type
The selector in the Select Summary Type area controls which table and plot are shown in the main part of the report tab. More information about each option is listed below. For certain choices, additional selectors may appear in the Select Summary Type area to allow for additional configuration. The Print button downloads the selected table and plot in a format intended for use with Microsoft Word. See the main report section for more information about this format.
The Risk Coverage Table is similar to the coverage table on the Project Builder tab. The table here respects the settings configured in the risk filter, so the table may not always show all risks in the assessment. However, the table always shows all projects which address a given risk, irrespective of the project filter. If a project isn't funded, its Year 1 Cost is displayed as "-". The cost amounts are given in thousands of dollars.
The Risk Coverage Map is similar to the Risk Map, except for the color of the circles. Here, a circle is blue if the risk is addressed by a project and that project is funded, irrespective of the project filter. Otherwise, it is white. This plot is useful to show how well the budget allocation addresses the current set of risks.
The Grouped Risk Plot shows risks grouped according to the attribute selected in the menu below the Group By label. To represent each group, the risk with the highest risk score is chosen. The map is only partially interactive. It only supports zooming and moving of labels. When a label is moved, the label position of the corresponding "highest risk" is also updated.
Note: The table and plot only show risks which match the risk filter.
The Control Maturity Plot shows the relationship between control maturity and risk score. Control maturity is computed as the average of the control-related parameters on the likelihood and impact side of the risk model. The map is only partially interactive. It only supports moving of labels.
Note: The table and plot only show risks which match the risk filter.
Risk Bar Plot
The Risk Summary Plot counts how many of each type of risk there are in the assessment. Each bar is divided into 3 regions according to risk scores. If there are more risk types than will fit on the plot, the plot is divided into several pages. To cycle through the pages, use the "Previous" and "Next" buttons.
Note: The table and plot only show risks which match the risk filter.
Project Bar Plot
The Project Summary plot is similar to the Risk Summary Plot, except that it counts the number of projects in each category. Only funded projects are counted.
Note: The table and plot only show projects which match the project filter.
Downloading a Report
The report document includes key graphics, tables, and text contained in the assessment in a format compatible with Microsoft Word 2003 and later. Common uses of the graphics include pasting the graphics from Microsoft Word into presentation applications such as Microsoft PowerPoint.
Note: The zoom state and filter state of graphics in the report will match what you see in the application. Please configure these appropriately before downloading a report.
Tip: Exported graphics are made of individual drawing objects. You can modify fonts, resize, and move text and other objects within the plots. Reformatting is sometimes useful before pasting into presentation applications. The report document uses document styles for text elements, which makes restyling easier. For example, if you wish to change font properties for the risk labels on the risk plot, you don't have to change them one at a time. You can simply edit the "Plot Label" style, and then all labels will be updated automatically.
Tip: To paste a graphic, click on the blue perimeter surrounding the entire graphic. You can then paste as an image or a drawing object by using Paste Special.
Export to Comma Separated Values Format
Exporting to CSV includes all the information in the assessment. This enables you to create custom reports or lists. Common uses of the CSV export are to view and modify data in Microsoft Excel or other spreadsheet applications. There are two kinds of exports, and both respect the currently-enabled risk and project filters to allow selective export.
- Summary: A summary of the key properties of the risks and the funded projects which address them.
- Full: All risk and project properties.
Note: Currently there is no way to upload data from a CSV file back into Risk Communicator. Please let us know if you need such a feature.
The Risk Tracker tab provides an interface for recording information about risk treatment decisions and their resulting effects upon the risk score and risk status.
The table shows the risk score and status for each risk, before and after treatment. The Before score and status are the same as used in the prior tabs in the interface, and the After score and status are set by moving risks on the Treatment Plot and selecting an Updated Status in the Treatment Details area, respectively. The Trend column shows the difference in risk score.
The Reset button resets all the After scores to be equal to the Before scores, and it sets the Updated Status equal to the original status.
Note: The table only shows risks which match the risk filter for the assessment you have open.
The Treatment Details area contains fields for editing the Updated Status, which is a separate field from the original Risk Status, and Treatment Notes, which is a field for describing what was done to treat the risk, or if it was accepted, what the rationale was. Finally, the Risk Owner field is for indicating the business owner of the risk. As a convenience, the Risk Notes field, which appears elsewhere in Risk Communicator, may also be edited here.
Note: If it is decided that a risk should be accepted without treatment, perhaps because the cost associated with treatment is higher than the expected risk, it is highly recommended to document who made the final risk acceptance decision. That person should be someone on the business side rather than someone on the security team. Set Updated Status to "Accepted" using the selector. Then enter the name of the risk owner in the Risk Owner field, using the Add Risk Owner selection as necessary. Finally, document the rationale for that decision in the Treatment Notes field.
The Treatment Plot is an interactive plot for communicating the updated state of risks after treatment. Each risk may be moved on the map to communicate that it has been mitigated, or exacerbated by certain circumstances, etc. The rationale for the updated score may be recorded in the Treatment Notes field in the Treatment Details area.
Note: The plot only shows risks which match the risk filter for the assessment you have open.
The Project Tracker tab shows an interface for tracking the completion status of projects. It is shown after the report tab because work associated with tracking projects takes place after work associated with risk prioritization.
The Project Table shows the projects in the open assessment, together with some buttons for configuring a project filter. As with tables elsewhere in the application, the columns are sortable by clicking the column headers.
The Project Details area contains inputs for setting project status, including the start and end date of the project. Note that the "% Complete" value should be an integer between 0 and 100, so that a project which is 50% complete should be assigned the value "50."
Project Status Plot
The Project Status Plot shows the project status and completion information graphically. There is a gray vertical line showing today's date, and each progress line shows additional information about its begin and end dates when you hover over it using the mouse. The labels identifying which project is associated with each progress bar are adjustable. Move them by clicking and dragging with the mouse.
Customizing the Risk and Project Models
In addition to selecting the value of parameters from the menus in the risk model and project model overlays, you may also customize the titles and descriptions found in each selection menu for each parameter. Customizing the menus with data more applicable to your situation may improve the consistency of assessments developed by different members of your security team.
There are "Customize" buttons for Risk Impact, Risk Likelihood, and Project Value, and these buttons open a panel containing a selector, a reset button, a save button, and a table. Use the selector to choose which parameter you want to customize, and make any necessary changes in the table below, which shows the title and description to be used with the various values of the parameter. When you are finished making changes, click the "Save" button. If you want to reset the titles and descriptions for the selected parameter, click the "Reset" button, make any necessary edits, then click the "Save" button.
Note: The customization panel only shows parameters associated with the part of the interface which opened the panel. That is, when you open the panel from the Likelihood tab on the Risk Panel, only parameters associated with Likelihood are shown.
Note: The parameter titles and descriptions are global settings which affect all assessments, even assessments which have already been saved. Therefore if you modify the parameter metadata and then reopen an old assessment which was developed using an older version of the parameter metadata, the titles and descriptions shown in the risk and project models for each parameter value may not reflect the intent of the original assessment.
Note: At this time, only one version of the parameter metadata is kept. Once changes are saved, they are permanent. Please carefully consider each change you make, consulting with other members of the security team as necessary.
Using the Risk / Project Importer
You can import a risk or project from another assessment in Risk Communicator using the Risk / Project Importer panel.
- Select the source assessment using the menu in the upper right corner of the panel.
- Click the Load button to load the assessment data.
- Click the column headers on the table to sort the rows as needed for navigation.
- Click the add button next to the item you wish to add to the current assessment.
Note: When you import a project, the risks associated with the project are automatically imported if there is no existing risk in the assessment with the appropriate title. However, when you import a risk, associated projects are not imported. So if you want to import both risks and projects, import the projects first, and then import additional risks as necessary.
Tip: You can move the panel by clicking and dragging the panel header, and you can resize it by clicking and dragging the lower right corner of the panel.
Tip: If you want to create a custom repository initially containing all the risks from the Caliber repository, you don't have to load it and then manually add each risk using the Risk Importer. You can just open the Caliber repository directly on the Home tab, and then save a copy. The same technique works if you already have an assessment that has almost all the risks you want in your custom repository. Open that assessment, then save a copy as your new custom repository. Repositories are really just assessments, so anything you can do with an assessment, you can do with a repository.
Metrics Manager Introduction
Welcome to the Caliber Metrics Manager application, part of the GRC Select Suite. Metrics Manager is a Web application to help IT Security managers define, manage, and report their progress using security metrics.
The Caliber Metrics Manager application enables you to define metrics, enter data, and report the results. Metrics Manager consists of a simple workflow across four primary tabs.
- Home: Create and manage bundles of metrics.
- Design Tab: Create and manage individual metrics.
- Data Tab: Enter metric values and set targets.
- Report Tab: View individual metrics and the Master Security Index to communicate the overall trend of your metric program.
- Series Tab: Compare performance of metric series, which may represent lines of business or geographic regions.
The Home tab in Metrics Manager is similar to the Home tab in Risk Communicator. The concept of 'bundles' allows you to manage distinct collections of metrics separately.
The Design Tab is used to define the metrics you will monitor over time. Metrics Manager allows you to create any kind of metric. While the topic of metric selection is out of scope for this help file, we encourage you to select metrics that have relevant business outcomes or can be easily mapped to business impact areas.
There is a 3-level hierarchy of objects to be edited. The top level consists of Groups, which are collections of metrics. You may use any organizational scheme to define metric Groups. A Group consists of one or more Metrics. Metrics have properties such as Units which determine what is being measured. Each Metric contains one or more Series, and it is the Series which contain the actual data. For example, you may have just one Series for a metric, or you may have Series called Region A and Region B to track the Metric across two geographical regions.
Metrics in Bundle Navigation Tree
The Metrics in Bundle area provides a navigation tree for selecting which Group, Metric, and Series is to be edited in the editor area at the bottom of the interface. It also provides a button for opening the panel used to import metrics from other metric bundles.
Importing metrics from another bundle works similarly to importing risks in Risk Communicator.
Note: The ISO 27001 references are for informational purposes only and do not reflect an endorsement or affiliation with the official standard.
The table provides a convenient summary of the groups, metrics, and series in the bundle. Note that most of the columns in the table are sortable, and they may be sorted by clicking the column header. The selector at the upper right determines whether Groups, Metrics, or Series are shown in the table. When the Group Table option is chosen, all Groups are shown, together with their weights. The weights are used together with the group status data to compute the Master Security Index (MSI).
When the Metric Table option is chosen, all Metrics in the currently-selected Group are shown in the table. The weights at the Metric level are used together with the Metric status data to compute the status of each Group.
When the Series Table option is chosen, all Series in the currently-selected Metric are shown in the table. The weights at the series level are used together with the Series status data to compute the status of each Metric.
Selecting a row in the table by clicking makes that item the currently-selected item for editing in the appropriate editor interface below.
Note: The Status column in the Metric Table indicates whether the metric has been marked "disabled" in the Open Metric area. Disabling a metric excludes it from reporting, including the status calculations.
Open Metric Editor
Once a Group, Metric, or Series is selected, the fields in the respective editor area may be modified. Groups and Series just have titles and weights. The weights are used in rollup calculations, as explained in the above section. For Metrics, the Units field content is displayed as the y-axis label on the Data and Report plots. The Inverted Axis checkbox determines whether the metric should increase over time. If it is checked, the Y axis on the data plot is inverted, so that smaller values are shown at the top of the plot. Additionally, smaller values are considered better, so a metric will be considered on track if it is at or below the target value.
Disabling a metric or group by clicking the "Disabled" checkbox retains all the data associated with the metric. However, the metric is omitted from the Report tab, including rollup computations. This feature is useful when drafting or refining metric data independently of official reporting.
The Red Threshold setting determines the threshold between the "Warning" (yellow) and "Underperforming" (red) status classifications. The setting affects the color of the circles on the plots and the size of the corresponding regions on the status plot. The thresholds at the group and MSI levels are computed as weighted averages of the thresholds at the level below.
The large notes box is for recording notes about the metric, including instructions on how data is to be collected, or other information not captured elsewhere.
Each editor area has a New and Delete button, and the Metrics editor has an additional Clone button. When a Group is deleted, all its Metrics are deleted as well. When a Metric is deleted, all data associated with the Metric and all its data series are lost. When a Metric is cloned, a new Metric is created which is identical to the original, including its data series. The new Metric is independent of the original however, and changes to the new Metric will not affect the original.
The Auto button in the Series area automatically creates a full set of series for the selected metric. The entire metric bundle is analyzed, and any series name used for any metric is added to the set.
The Data tab is used to enter metric values, set targets, and capture notes. The Metric plot is divided into months, the smallest time unit by which a metric may be measured. To record metrics less often than monthly, simply leave the months for which no data is available blank; Metrics Manager will list those periods as "No Data."
Navigate the Metric Plot
To navigate within the displayed timeframe, move your mouse across the plot and click to select a period. Note the date value in the "Selected Period" fields below the plot. To navigate beyond the displayed timeframe, click on the "Back" or "Forward" buttons. When you select a period, the data below the plot is updated to reflect the selection.
Each month may or may not have any measured data. If it has data, the value is plotted with a filled circle. If there is no data, only an outline is shown. In both cases, the color of the circle indicates whether the value is considered "On Track," "Warning," or "Underperforming," as indicated in the legend below the plot.
Upload Series Data
The upload panel is a convenient way to enter new data after metrics and series are configured. The upload panel accepts a CSV file having the following format. In the first row, the first cell must have the word "Metric" in it, and nothing else. The subsequent columns must each contain the title of a data series defined for some metric.
In rows 2 and after, the first column must contain the title of an existing metric. Then the subsequent columns may contain a number containing the measured value for the corresponding series. If a number is present, the metric must have a series defined with the corresponding title from the column header. If the cell is blank, the series need not be defined for that metric, and the cell is ignored. For each cell which contains data, the corresponding data point in the data set is updated for the currently-selected time period.
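The upload format described above, as an added example that is not part of the Metrics Manager product or this help page: a validating reader for the CSV, which checks the "Metric" header cell, resolves each header column to a series title, ignores blank cells, and rejects a number in a column whose series is not defined for that metric. The bundle structure, the sample metric and series titles, and the `period` key are constructed for the example.

```python
import csv
import io


def fresh_bundle():
    """Constructed sample bundle: metric title -> series title -> {period: value}.
    Only the series configured here may receive uploaded values."""
    return {
        "Patch Latency (days)": {"East": {}, "West": {}},
        "Phishing Click Rate (%)": {"East": {}},
    }


# Constructed sample upload in the panel's format: row 1 starts with "Metric",
# the remaining header cells are series titles, each later row starts with a
# metric title. The blank West cell on the last row is ignored.
SAMPLE_UPLOAD = """Metric,East,West
Patch Latency (days),12.5,9
Phishing Click Rate (%),3.1,
"""


def apply_upload(csv_text, bundle, period):
    """Validate csv_text against bundle, then record every numeric cell as the
    value of that metric/series for `period`. Returns the (metric, series, value)
    triples applied. All checks run before anything is written, so a bad file
    leaves the bundle untouched; the first problem raises ValueError."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows or not rows[0] or rows[0][0].strip() != "Metric":
        raise ValueError('row 1, column 1 must contain exactly "Metric"')
    series_titles = [h.strip() for h in rows[0][1:]]
    if not series_titles or any(not t for t in series_titles):
        raise ValueError("every header cell after the first must name a series")
    updates = []
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue                                  # skip empty lines
        metric = row[0].strip()
        if metric not in bundle:
            raise ValueError(f"line {lineno}: no metric titled {metric!r}")
        if len(row) - 1 > len(series_titles):
            raise ValueError(f"line {lineno}: more cells than header columns")
        for title, cell in zip(series_titles, row[1:]):
            if cell.strip() == "":
                continue                              # blank cell: series need not exist
            try:
                value = float(cell)
            except ValueError:
                raise ValueError(f"line {lineno}: {cell!r} is not a number") from None
            if title not in bundle[metric]:
                raise ValueError(f"line {lineno}: metric {metric!r} has no series {title!r}")
            updates.append((metric, title, value))
    for metric, title, value in updates:
        bundle[metric][title][period] = value
    return updates


def upload_error(csv_text, period="2012-06"):
    """The error message for a rejected upload, or None when the file is valid."""
    try:
        apply_upload(csv_text, fresh_bundle(), period)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    bundle = fresh_bundle()
    for metric, series, value in apply_upload(SAMPLE_UPLOAD, bundle, "2012-06"):
        print(f"{metric} / {series} = {value}")
```

Validating the whole file before writing any value is the design choice worth copying: a rejected row in the middle of a file should not leave half the period updated.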
Expected Progress Line
Note the green line connecting target values: this is the expected progress line. By calculating the linear progress between targets, Metrics Manager enables you to set expectations and report on progress. If your estimates for progress are not perfectly linear, set additional targets to communicate expected values for specific time periods.
Set a Metric Value
To enter a metric value, select the desired period on the plot. Click the Set button below the Value field to indicate there is data available for the selected period. Enter the measured value in the field. To remove a set value, click the Clear button.
Set a Target
A target represents expected progress at a given point in time. Expected progress between targets is computed via linear interpolation. To set a target, click the desired period in the Metric Plot, then click the Set button under the Target field and edit the value. To remove a target, select the desired period and click the "Clear Target" button.
You may document notes per period as needed. These notes are independent from the metric description field in the Design tab. It may be useful to explain a metric value or clarify unique circumstances as needed.
The Report tab communicates the progress of Groups, Metrics, Series, and the Master Security Index. The Report tab contains status tables for Groups, Metrics and Series, and a graphical plot.
The Master Security Index is a rollup of the group status data to communicate the overall trend of security in a single view. The Master Security Index is calculated by averaging each group's status, which in turn is computed by averaging each metric's status, which in turn is computed by averaging the data series. The averages are weighted according to the weights specified on the Design tab.
Group/Metric/Series Status Tables
The Group and Metric tables display summary information for the current month. The Metric table displays a list of metrics in the currently-selected Group.
The Status column displays the current % distance from the expected value. Differences greater than or equal to zero show a green icon, indicating the measured values are at 100% or more of the expected value. By default, differences between zero and -10% of the expected value display a yellow icon, and less than -10% are red. This setting is controlled by the "Red Threshold" field in the metric editor.
The Trend column represents the trend in actual vs. expected progress from the previous time period. For example, if the current metric is closer to the expected value than the previous time period, the Trend status displays a green up arrow, indicating a positive trend. A blue line is displayed for no change and a red arrow is displayed for a decrease.
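The status, threshold, trend, and rollup rules described in the Data and Report sections above, carried through in code as an added example (this is not Metrics Manager's own code). It interpolates the expected value between targets, computes the percent distance from expected (with the sign flipped for an inverted-axis metric), classifies it against the Red Threshold, rolls series up to metrics, metrics to groups, and groups to the Master Security Index using the Design-tab weights, and skips disabled metrics. Assumptions: periods are month indices, the nearest target is held outside the first and last target, and "closer to the expected value" for the Trend column is read as a higher status percentage than the previous period; the bundle data is constructed.

```python
from bisect import bisect_left


def expected_value(targets, period):
    """Expected value at `period`: linear interpolation between the two targets
    that bracket it. `targets` maps month index -> target value. Outside the
    first/last target the nearest target is held (assumption)."""
    months = sorted(targets)
    if period <= months[0]:
        return float(targets[months[0]])
    if period >= months[-1]:
        return float(targets[months[-1]])
    i = bisect_left(months, period)
    if months[i] == period:
        return float(targets[period])
    m0, m1 = months[i - 1], months[i]
    frac = (period - m0) / (m1 - m0)
    return targets[m0] + frac * (targets[m1] - targets[m0])


def status_pct(measured, expected, inverted=False):
    """Percent distance from expected; >= 0 means on track. On an inverted-axis
    metric smaller values are better, so the sign flips. None if expected is 0."""
    if expected == 0:
        return None
    diff = (expected - measured) if inverted else (measured - expected)
    return 100.0 * diff / expected


def status_colour(status, red_threshold=10.0):
    """Green at or above expected, yellow down to -red_threshold, red below it."""
    if status >= 0:
        return "green"
    return "yellow" if status >= -red_threshold else "red"


def trend(current, previous):
    """'up' if the status percentage improved on the previous period, 'flat' if
    unchanged or there is no previous value, 'down' if it fell (assumption)."""
    if previous is None or current == previous:
        return "flat"
    return "up" if current > previous else "down"


def weighted_mean(pairs):
    """Weighted average of (value, weight); None values (no data or disabled)
    are left out of both numerator and denominator."""
    pairs = [(v, w) for v, w in pairs if v is not None]
    total = sum(w for _, w in pairs)
    return sum(v * w for v, w in pairs) / total if total else None


def metric_status(metric, period):
    """Weighted average of the statuses of the series that have data for `period`."""
    return weighted_mean(
        (status_pct(s["values"][period], expected_value(s["targets"], period),
                    metric["inverted"]), s["weight"])
        for s in metric["series"] if period in s["values"])


def group_status(group, period):
    """Weighted average over enabled metrics; disabled metrics are omitted from rollups."""
    return weighted_mean((metric_status(m, period), m["weight"])
                         for m in group["metrics"] if not m["disabled"])


def group_red_threshold(group):
    """Group-level threshold: weighted average of the enabled metrics' thresholds."""
    return weighted_mean((m["red_threshold"], m["weight"])
                         for m in group["metrics"] if not m["disabled"])


def master_security_index(bundle, period):
    """MSI: weighted average of the group statuses."""
    return weighted_mean((group_status(g, period), g["weight"]) for g in bundle)


# Constructed sample bundle; month index 0 is the first month of the window.
BUNDLE = [
    {"title": "Infrastructure", "weight": 2, "metrics": [
        {"title": "Patch Latency (days)", "inverted": True, "disabled": False,
         "weight": 1, "red_threshold": 10, "series": [
            {"title": "East", "weight": 1, "targets": {0: 30, 12: 10}, "values": {5: 22, 6: 18}},
            {"title": "West", "weight": 1, "targets": {0: 30, 12: 10}, "values": {5: 25, 6: 28}},
         ]},
        {"title": "Hosts Scanned (%)", "inverted": False, "disabled": False,
         "weight": 3, "red_threshold": 10, "series": [
            {"title": "All", "weight": 1, "targets": {0: 60, 6: 90}, "values": {5: 80, 6: 81}},
         ]},
    ]},
    {"title": "Awareness", "weight": 1, "metrics": [
        {"title": "Training Completed (%)", "inverted": False, "disabled": False,
         "weight": 1, "red_threshold": 10, "series": [
            {"title": "All", "weight": 1, "targets": {0: 50, 12: 100}, "values": {5: 70, 6: 76}},
         ]},
        {"title": "Phishing Click Rate (%)", "inverted": True, "disabled": True,
         "weight": 1, "red_threshold": 10, "series": [
            {"title": "All", "weight": 1, "targets": {0: 20, 12: 5}, "values": {6: 40}},
         ]},
    ]},
]

if __name__ == "__main__":
    for g in BUNDLE:
        s = group_status(g, 6)
        print(g["title"], round(s, 2), status_colour(s, group_red_threshold(g)))
    print("MSI", round(master_security_index(BUNDLE, 6), 2))
```

In the sample, Patch Latency at month 6 has an expected value of 20 days: East (18) is 10% ahead, West (28) is 40% behind, so the metric averages to -15% and shows red; the Infrastructure group rolls up to -11.25%.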
The Status plot displays the percent difference from the expected progress for the selected scope. To switch scopes, select a row in one of the tables. To switch to the Data Plot, use the selector at the upper right of the plot.
Metric Data Plot
The Metric Data plot displays the measured values and targets of the selected Metric or Series. To switch scopes, select a row in one of the tables. To switch to the Status Plot, use the selector at the upper right of the plot.
The Series tab compares the performance of lines of business or regions. Data for these organizational units are taken from the data series for each metric. The Series tab shows status information for the last period in the currently-selected data window, which will be the current month unless the window has been moved on the Data tab.
Group Comparison Table
For each roll-up group and each series, the table shows the weighted average performance for the applicable metrics. The table shows the computed status numerically as well as graphically as a colored ball. The computation scheme is the same as is used in the Group Status Table on the Report tab. It is possible that some metrics lack series that are present for other metrics, so there may be cases in which data is unavailable for a particular cell. In those cases the status is shown as a question mark.
Clicking a row in this table makes that roll-up group the currently-selected group both on this tab and elsewhere in the interface. In particular, it controls which group's metrics are shown in the Metric Comparison Table.
Metric Comparison Table
The Metric Comparison Table is similar to the Group Comparison table, except the scope is an individual metric. The metrics belonging to the currently-selected roll-up group are shown. Clicking a cell in the table makes that metric and series the currently-selected metric and series, so that the historical data for the series may be viewed by switching to the Report tab.
Service Manager Introduction
Welcome to the Caliber Service Manager application, part of the GRC Select Suite. Service Manager enables IT Security managers to define service catalogs, manage team capacity, spending, and maturity. Additional functionality will be added in 2012.
Using this tab, you may create, delete, and open catalogs, similar to the Home tab in Risk Communicator.
Using this tab, you may populate your security team. The team data is used on the Capacity tab to track how team resources are allocated.
Using this tab, you may add processes to the catalog from the process repository or create new processes. Groups may be added, deleted, and renamed as needed. To select a group or process for editing, click the associated link in the navigator component on the left side of the tab. The Service Catalog is also used to manage team capacity and maturity.
Using this tab, you may assign team members to processes and view plots showing the distribution of work efforts. This tab uses the information entered on the Team tab.
The Maturity tab is used to assign actual and target maturity levels across your Service Catalog. Measuring maturity levels enables management to highlight areas where maturity is optimal and areas that require additional investment. The maturity values may complement the investments prioritized in an assessment using Risk Communicator. Use the notes sections to document your maturity score. Be sure to include specific evidence to justify the score and include specific steps needed to reach the target level.
The Overall Score is the average of the People, Process, and Technology Scores. Maturity scores are whole integers from one to five. You may define your own criteria for measuring maturity or use the following table to assess your actual process maturity and set the desired target.
| Level | People | Process | Technology |
|---|---|---|---|
| Ad Hoc | Roles, responsibilities, and services are not defined. Capacity is not managed. Skills and training needs are not defined. | Control or asset owner recognizes issues exist and need to be addressed. No standardized processes or policies in place, however ad hoc approaches are applied on a case-by-case basis. The overall approach to management is informal and disorganized. | No standardized tools are in place, ad hoc solutions are applied without planning. The overall approach to automation is informal with reliance on manual administration. Existing tools are not used or underutilized. |
| Repeatable | Roles and services are not defined but well understood. Capacity is managed but reactively. Skills are identified for critical areas. Training is reactive as needs arise. | Processes are executed consistently by different people undertaking the same task. No formal training or communication of standard procedures. High degree of reliance on individuals and errors are likely. Some metrics may exist. | Tools are not consistently standardized. Tools are underutilized or rely on key individuals. Long-term planning does not occur. |
| Defined | Roles and services are defined and communicated consistently. Capacity is adjusted regularly. Skills are documented with training plans. | Processes are standardized, documented, and communicated. Processes are followed, however deviations may not be detected. Procedures are not sophisticated but enable consistent practice. Metrics are defined for many critical processes. | Tools are standardized, documented, and utilized. Technical controls are consistent, however deviations may not be detected. Some long-term planning occurs. |
| Managed | Roles and service catalogs are formalized and promoted. Capacity is measured and proactively managed. Skill requirements updated regularly, subject matter experts are identified and cross-trained. | Processes are monitored and measured for compliance with procedures and standards. Action is taken where processes appear ineffective. Processes are frequently improved. Metrics are published internally and externally. | Tools are fully utilized and frequently improved. Technical controls are consistently applied and mature. Automation is used in a limited capacity. Planned architecture exists for most critical areas. |
| Optimized | Individuals and teams are empowered to make decisions. Management is transparent, measured, and improved regularly. Skill requirements are proactively managed and improved at the individual and group levels. Training involves inside and outside subject matter expertise. | Processes are refined to a level of good practice, based on the results of continuous improvement and maturity modeling with peer organizations. The IT group is used in an integrated way to automate workflow and improve quality. | Tools are refined to a level of good practice, based on the results of continuous improvement and architecture reviews with peer organizations. The IT group automates workflow, providing tools to improve quality. Enterprise architecture is proactively managed. |
The Compact View plots show capacity and maturity data plotted using a radial/spider plot. Use the selector to switch plotting views.
The Vuln Tracker application analyzes and reports on vulnerability scan data. The main function is to define time-to-fix SLAs for corporate asset groups and identify instances in which the SLAs are not met. The SLAs can be defined according to the severity level of the underlying vulnerability, so that very serious vulnerabilities are expected to be fixed quickly, and fixing less serious issues can be postponed.
At this time the application accepts XML scan output generated by the Nessus, Qualys, Nexpose, and OpenVAS scanners. Nexpose scans must be in the Nexpose XML 2.0 format. Support for other scanners will be added according to demand.
The overall workflow of the application is organized into tabs, each of which is designed for showing data at a specific level of detail. When the application is opened, data is loaded automatically, during which time the first tab will show no data and the status message "Loading" will appear at the upper-right of the page.
The Vulnerability List overlay panel may be opened from various places in the interface to show detailed information about a collection of vulnerabilities.
The table may be sorted by IP, DNS, vulnerability title, severity, or publication date by clicking the column headers. The vuln titles may be clicked to view more information about that vulnerability.
The contents of the table may be exported to a CSV file using the Export button. The entire data set is exported even though the table only shows one page of data at a time.
The Vulnerability Details panel is opened by clicking a vulnerability title. The amount of information available depends on the scan vendor. If the information is insufficient for your purposes, please contact firstname.lastname@example.org.
The highest level of organization in the application is the Region. A Region is an organizationally independent set of infrastructure. Different regions may have servers with the same IP address. Scans may only target a single region.
The Manage Regions table is a display and navigation interface for data at the Region level. Clicking a row makes that row the currently-selected region for operations which require a region selection. The New and Delete buttons above the table create a new Region and delete the selected Region, respectively. The Report button produces a downloadable report document containing the table and age distribution plots for each region.
The Overdue column in the table counts the number of vulnerabilities which are overdue according to their severity-determined SLA. The SLA for each severity is defined on a per-asset-group basis on the Asset Groups tab. The On Time column shows the percent of vulnerabilities which were either closed on time or are currently open but not yet overdue. The Total column shows the total number of open and closed vulnerabilities.
Note: closed vulnerabilities more than 180 days old are removed when new scan data is uploaded.
Age Distribution Plot
The Age Distribution Plot shows the age of each open vulnerability in the selected region. Ages of open vulnerabilities are computed from the first time a vulnerability was detected until the current time.
The Region Editor interface allows the user to edit the title and notes for the selected region. If remote sync is enabled, the region titles will be used to identify which scans are for which regions, so they should be changed carefully.
Asset Groups are a level of organization within Regions. Each Asset Group has an owner who is responsible for technical work. Each Asset Group has its own SLA for each vulnerability severity, allowing for fine-grained control. Additionally, the severity levels may be re-titled or hidden completely using the "Customize" button in the Group Editor interface. Note these customization settings are global and apply to all Asset Groups, even though the SLAs themselves are defined on a per-asset-group basis.
Asset Groups Table
The table is a display and navigation component. Clicking a row selects that Asset Group. The Overdue column counts how many vulns are overdue according to the SLA. The Due Soon column counts how many are due within 14 days. The Open column counts the total number of open vulns. The Overdue, Due Soon, and Open columns contain links in each row. Clicking one of the links opens an overlay showing detailed information about those vulnerabilities.
The Report button produces a downloadable report showing the table and age distribution plots for each Asset Group.
Age Distribution Plot
The Age Distribution Plot shows the age of each open vulnerability in the selected group. Ages of open vulnerabilities are computed from the first time a vulnerability was detected until the current time.
The Group Editor interface is for editing the attributes of the selected host group. Each group may be assigned an owner in order to record who is responsible for it, and an SLA for each severity level. For purposes of measuring compliance to the SLA, the clock starts when a vulnerability is first found on a given host, and runs until the current time.
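The SLA arithmetic behind the Regions and Asset Groups tables (Overdue, Due Soon, Open, Total, On Time %, and the 180-day removal of closed vulnerabilities), as an added example that is not Vuln Tracker's own code. The clock starts at first detection, as the Group Editor text above states. Assumptions, labelled in the code: the per-severity SLA days, the findings, and the "today" date are constructed; "180 days old" for a closed vulnerability is measured from its close date; On Time % is computed over the retained findings.

```python
from collections import Counter
from datetime import date, timedelta

DUE_SOON_WINDOW = timedelta(days=14)    # "Due Soon" column: due within 14 days
CLOSED_RETENTION = timedelta(days=180)  # closed vulns older than 180 days are dropped

# Constructed sample SLA for one asset group: days allowed to fix, by severity 1..5
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 90, 1: 180}

# Constructed "current time" for the example
TODAY = date(2012, 6, 30)

# Constructed sample findings: (host, severity, first_seen, closed_on or None)
FINDINGS = [
    ("10.0.0.5", 5, date(2012, 6, 10), None),                    # 7-day SLA blown
    ("10.0.0.5", 4, date(2012, 6, 20), None),                    # due 2012-07-04
    ("10.0.0.6", 3, date(2012, 6, 25), None),                    # due 2012-07-25
    ("10.0.0.6", 2, date(2012, 6, 1), date(2012, 6, 20)),        # closed on time
    ("10.0.0.7", 5, date(2012, 5, 1), date(2012, 5, 20)),        # closed late
    ("10.0.0.7", 1, date(2011, 12, 1), date(2011, 12, 20)),      # closed 193 days ago
]


def due_date(finding, sla_days):
    """SLA deadline: first detection plus the allowed days for that severity."""
    _host, severity, first_seen, _closed = finding
    return first_seen + timedelta(days=sla_days[severity])


def classify(finding, sla_days, today):
    """One of: overdue, due_soon, open, closed_on_time, closed_late."""
    closed_on = finding[3]
    due = due_date(finding, sla_days)
    if closed_on is not None:
        return "closed_on_time" if closed_on <= due else "closed_late"
    if today > due:
        return "overdue"
    if due - today <= DUE_SOON_WINDOW:
        return "due_soon"
    return "open"


def retained(findings, today):
    """Drop closed findings more than CLOSED_RETENTION past their close date
    (assumption about how the 180-day age is measured)."""
    return [f for f in findings if f[3] is None or today - f[3] <= CLOSED_RETENTION]


def group_summary(findings, sla_days, today):
    """The table columns for one asset group (or region) at `today`."""
    kept = retained(findings, today)
    counts = Counter(classify(f, sla_days, today) for f in kept)
    open_count = counts["overdue"] + counts["due_soon"] + counts["open"]
    on_time = counts["closed_on_time"] + counts["due_soon"] + counts["open"]
    total = len(kept)
    return {
        "overdue": counts["overdue"],
        "due_soon": counts["due_soon"],
        "open": open_count,
        "total": total,
        "on_time_pct": round(100.0 * on_time / total, 1) if total else None,
    }


def overdue_list(findings, sla_days, today):
    """What the Overdue link's overlay lists: host, severity, days past the SLA."""
    return [(f[0], f[1], (today - due_date(f, sla_days)).days)
            for f in retained(findings, today)
            if classify(f, sla_days, today) == "overdue"]


def open_ages(findings, today):
    """Ages for the Age Distribution Plot: first detection until now, open findings only."""
    return [(today - f[2]).days for f in findings if f[3] is None]


if __name__ == "__main__":
    print(group_summary(FINDINGS, SLA_DAYS, TODAY))
    print(overdue_list(FINDINGS, SLA_DAYS, TODAY))
```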
The large text field for defining the hosts which comprise the host group accepts a list of entries, one on each line. Each entry must be of one of the following two types. All IP addresses are IPv4, as IPv6 is not supported at this time.
- IP Range: Two IP addresses, separated by spaces and a single "-" character. For example the line "10.0.0.1 - 10.0.0.10" indicates the range of addresses starting at the first IP address and ending at the second. The range is inclusive, so that the starting and ending addresses are included in the range. You can span an entire class A or class B network using this notation. For example the line "10.0.0.0 - 10.255.255.255" spans the entire "10." private network.
- Single Host: A single IP address. For convenience, a single address may appear on a line instead of defining a trivial range consisting of one address.
Note: The lines in the host list field are validated to ensure that they are in the correct form, but they are not checked for overlap. It is possible to put the same host in two different groups, and the software will not display a warning if you do this. Overlapping host groups may interfere with reporting, so please define host groups as non-overlapping.
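A parser for the two entry types above, plus the overlap check the note says the application does not perform, as an added example (not Vuln Tracker's own code). It accepts the documented "start - end" range form and single addresses, rejects IPv6 and malformed lines with the offending line number, and reports every pair of groups whose ranges share addresses. The two sample groups are constructed and overlap on purpose.

```python
import ipaddress
import re

# Documented range form: two IPv4 addresses separated by spaces and a single "-"
RANGE_RE = re.compile(r"^\s*(\S+)\s+-\s+(\S+)\s*$")

# Constructed sample host lists for two asset groups (they overlap on purpose)
GROUPS_TEXT = {
    "Web Servers": "10.0.0.1 - 10.0.0.10\n10.0.0.50\n",
    "Database": "10.0.0.8 - 10.0.0.20\n",
}


def parse_entry(line):
    """One host-list line -> (start, end) as integer IPv4 addresses, inclusive.
    IPv6 or malformed addresses raise ValueError (IPv4Address rejects them)."""
    m = RANGE_RE.match(line)
    if m:
        start, end = (int(ipaddress.IPv4Address(p)) for p in m.groups())
    else:
        start = end = int(ipaddress.IPv4Address(line.strip()))
    if start > end:
        raise ValueError(f"range start is after its end: {line.strip()!r}")
    return start, end


def parse_host_list(text):
    """All entries of one group's host field, validated line by line."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            ranges.append(parse_entry(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return ranges


def host_list_error(text):
    """The validation message for a bad host list, or None if it is well-formed."""
    try:
        parse_host_list(text)
    except ValueError as exc:
        return str(exc)
    return None


def host_count(ranges):
    """Number of addresses covered, counting both ends of each range."""
    return sum(end - start + 1 for start, end in ranges)


def parse_groups(groups_text):
    return {name: parse_host_list(text) for name, text in groups_text.items()}


def overlapping_groups(groups):
    """Every pair of groups whose ranges share addresses, with the shared span.
    This is the check the note above asks administrators to do by hand."""
    found = []
    names = sorted(groups)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for s1, e1 in groups[a]:
                for s2, e2 in groups[b]:
                    lo, hi = max(s1, s2), min(e1, e2)
                    if lo <= hi:
                        found.append((a, b, str(ipaddress.IPv4Address(lo)),
                                      str(ipaddress.IPv4Address(hi))))
    return found


if __name__ == "__main__":
    for a, b, lo, hi in overlapping_groups(parse_groups(GROUPS_TEXT)):
        print(f"{a} and {b} both contain {lo} - {hi}")
```

Run this over the host fields before saving them and the reporting interference the note warns about never gets a chance to occur.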
Customizing Severity Levels
You can use the editor overlay to customize the label associated with each severity level, and you can also choose to hide certain severity levels that you don't want to use. When a severity level is hidden, the interface will hide all vulnerabilities with that severity level. No vulnerability data will be deleted, and you can show the hidden vulnerabilities again by re-checking the relevant box.
Note: The settings apply to all Asset Groups in all Regions.
Note for OpenVAS: The OpenVAS scanner uses severity ratings in the range 0.0 - 10.0. These ratings are mapped into the range 1-5 as indicated below.
| OpenVAS severity | Vuln Tracker Severity |
|---|---|
| 0.0 - 0.0 | 1 |
| 0.1 - 3.9 | 2 |
| 4.0 - 6.9 | 3 |
| 7.0 - 8.9 | 4 |
| 9.0 - 10.0 | 5 |
The Hosts tab is for identifying particular servers/workstations in need of special attention.
The table is a display and navigation component. Clicking a row selects that host for display in the plot. The Open column counts the total number of open vulnerabilities. The entries in the Open column are clickable, and when clicked open an overlay panel showing detailed information about those vulnerabilities.
The Severity Plot shows a summary of the severity of vulnerabilities on the selected host. Note that severities may be hidden using the Customize button on the lower right of the Asset Groups tab.
The Vulns tab is for identifying particular vulnerability types in need of special attention.
The table is a display and navigation component. Clicking a row selects that vuln for display in the plot. The Hosts column counts the total number of hosts which have that particular vulnerability. The entries in the Hosts column are clickable, and when clicked open an overlay panel showing detailed information about which hosts have that vulnerability. Clicking the vulnerability title shows more information about the vulnerability, including CVEs. For some scan vendors, fewer details are available. Please contact email@example.com if the details are insufficient for your needs.
Age Distribution Plot
The Age Distribution Plot shows the age distribution of all instances of the given vulnerability.
The scans tab is where the collection of scans may be viewed, and new scans may be uploaded. Limited editing of scans is supported as well, including editing scan notes.
The Upload Scan interface is for choosing a scan file and uploading it. The Browse button opens a file selection window, and the Upload button uploads it. The upload may take 30 seconds or so, depending on available network bandwidth and the scan size. The scan must be uploaded inside a zip archive, but you can put multiple scan files in the same zip archive.
On Microsoft Windows, zip archives are called "compressed folders." You can easily create a zip archive by selecting one or more scan files with the mouse and selecting "Send To" from the menu opened by right mouse button. One of the options in the "Send To" menu should be "Compressed Folder." If you are having trouble creating a zip archive, please contact firstname.lastname@example.org. Should the software shipped with your operating system prove insufficient, there are open-source programs to create zip archives available on all computing platforms.
At present the maximum allowable upload size is 100MB. Note that this is the size of the zip archive, not the size of the scan files themselves. Scans generally compress well, often to a tenth of their original size. If this limit is too restrictive, please let us know at email@example.com. The limit is meant mostly to prevent abuse, and we will raise it if it is blocking legitimate uploads.
Note: Scans must be uploaded in chronological order according to the date the scan was run, with the earliest scan first. If you have several scans to upload, upload them all in the same ZIP archive and the software will automatically process them in the correct order.
The software also supports pulling scan data directly from scanning infrastructure. This feature requires configuration by Caliber. For more information, please contact firstname.lastname@example.org. After it is configured, clicking the Sync button begins the sync process.
The Upload Progress panel shows a summary of the scan results for each scan processed. Scans skipped because they have already been processed are marked "skip."
The Active Scans interface is for viewing and selecting scans. You can select a scan by clicking its row. The New column counts the number of open vulnerabilities which were newly discovered during that scan. Vulnerabilities which were found in previous scans are not counted. The entries in the New column are clickable links which open an overlay with detailed information about the vulnerabilities.
Note: During an upload, old scans are deleted if they have no open vulnerabilities remaining and are at least 180 days old. Vulnerabilities are deleted after they have been closed for 180 days and no longer count toward the statistics on the Regions tab.
The Severity Plot shows a summary of the severity of open vulnerabilities newly discovered in the selected scan. Note that vulnerabilities of certain severities may be hidden using the Customize button on the lower right of the Asset Groups tab.
The Scan Details interface is for editing attributes of the selected scan.
The Notes field is for capturing information about the scan that you might want to refer to later. For example, if the scan was done after a major initiative to ensure that Adobe software is up-to-date, you may want to make a note of that in the scan notes. Some summary statistics are stored when you upload a scan, and they are shown next to the notes. Those statistics are a snapshot of the scan taken at the time the scan was uploaded, and do not reflect changes that happened after that time.
The Compliance Communicator application provides a simple way to respond to the technical requirements of multiple compliance standards in a single pass. The software groups together related line items from various standards so that a single affirmation or piece of evidence may be applied to all of them at once. In this way, effort and time spent on the compliance process is reduced, and the results of a quick work effort may be used to produce reports which address multiple compliance standards.
Data for the application is contained in surveys. A survey is a collection of responses (with any evidence supplied) to the grouped control questions from the chosen standard(s).
The user interface is divided into three tabs:
- Home -- Contains the interface for creating new surveys, opening existing surveys, and uploading custom control standards.
- Survey -- Contains the interface for responding to the control questions and attaching evidence.
- Report -- Contains the interface for viewing a summary of the survey results and reporting against the chosen standard(s) individually.
The table in the Manage Surveys area is a list of all surveys you have created, together with any example surveys (called "Templates") created by Caliber. The list may be filtered using the Show Templates and Show Archived checkboxes, or the filter selector and buttons, which filter by the tags you have used for each survey.
The table may be sorted by Title or Final status by clicking the column header above the desired column. The Final status indicates that the survey is completed and may no longer be edited. This indicator may not be cleared once set. However, the survey may be opened, and a copy may be saved (as explained in the Editing Survey Properties section), and then that copy may be edited.
To create a new survey, click the New button above the table. To open or delete an existing survey, click the survey's row in the table and then click the Open or Delete button. To refresh the table, perhaps because you think the collection of surveys has been changed by another user since you loaded the page, click the Refresh button.
Editing Survey Properties
The Open Survey area shows an interface for editing the survey title and filter tags. Formatted content from other sources may be pasted into the Notes area, after the editor pane is unlocked using the button. At the moment only textual formatting will be preserved (font sizes, bold, etc.), and images will be stripped out.
The Assets selection box shows a list of information security assets, which may be managed using the Manage Assets link. Assets may be selected by mouse click, and multiple assets may be selected by holding the Ctrl key. The selected assets are associated with the survey, so that the survey results are shown for the asset on the Compliance tab of the Performance Dashboard.
Also note the Save as New button. This button saves the open survey as a separate copy. When this is done, the responses are copied but the attachments are not. This feature may be useful if you want to start your survey with the results of a prior survey already filled in, so you can make edits instead of redoing the whole thing. In that case you would open the prior survey, give it a new title, and then click the Save as New button. A new survey will be created and show up in the survey table to the left. You can then continue to make edits without affecting the prior survey in any way.
The Custom Standards panel contains an interface for uploading custom standards and deleting existing custom standards that you have already uploaded. Custom standards must be uploaded in CSV format, and the first row must contain the specific column headers described below, in the order they appear below. The rest of the rows should contain the data for the standard, with one section per row.
- Group -- Contains a name for the control question's group to be used in the interface. The group names are the top level of the navigation tree on the Survey tab.
- Control -- Contains a short name for the control question to be used in the interface. The control names are the second level of the navigation tree on the Survey tab.
- Section -- Contains a unique identifier for a section of the standard. This may be numeric, such as 1.2, or semi-numeric, such as A.1, or it may be in some other format. But it must be unique among other sections in the standard.
- Text -- Contains the text describing the control requirements for this section of the standard.
- Instructions -- Contains any additional instructions necessary for understanding how to validate that the requirements for the section are in place, or details about what kind of validation is required.
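The custom-standard CSV format described above, as an added example that is not Compliance Communicator's own code: a loader that checks the five header cells are present in the documented order, rejects a section identifier that is not unique, and builds the two-level Group to Control tree the Survey tab navigates, with each control's sections collected for the Control Details area. The sample standard is constructed and is not the text of any real standard; requiring Group, Control and Section to be non-blank is an assumption, since those three cells drive the tree.

```python
import csv
import io
from collections import OrderedDict

# The five header cells the upload panel requires, in this order
REQUIRED_COLUMNS = ["Group", "Control", "Section", "Text", "Instructions"]

# Constructed sample standard (not a real standard's text)
SAMPLE_STANDARD = """Group,Control,Section,Text,Instructions
Users,Password Policy,8.1,Passwords must be at least 12 characters long.,Attach the written password policy.
Users,Password Policy,8.2,Passwords must expire within 90 days.,Show the directory password settings.
Network,Firewall Rules,A.1,Inbound traffic is denied by default.,Attach a firewall rule export.
"""


def load_standard(csv_text):
    """Validate a custom-standard CSV and build the Survey-tab navigation tree:
    group -> control -> list of sections. Raises ValueError on the first problem."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows or [h.strip() for h in rows[0]] != REQUIRED_COLUMNS:
        raise ValueError("header row must be exactly: " + ",".join(REQUIRED_COLUMNS))
    tree = OrderedDict()
    seen_sections = set()
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue                                  # skip blank lines
        if len(row) != len(REQUIRED_COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(REQUIRED_COLUMNS)} cells, found {len(row)}")
        group, control, section, text, instructions = (cell.strip() for cell in row)
        if not (group and control and section):
            raise ValueError(f"line {lineno}: Group, Control and Section must not be blank")
        if section in seen_sections:
            raise ValueError(f"line {lineno}: section {section!r} is not unique")
        seen_sections.add(section)
        tree.setdefault(group, OrderedDict()).setdefault(control, []).append(
            {"section": section, "text": text, "instructions": instructions})
    return tree


def standard_error(csv_text):
    """The validation message for a rejected file, or None if it loads cleanly."""
    try:
        load_standard(csv_text)
    except ValueError as exc:
        return str(exc)
    return None


def control_details(tree, group, control):
    """Lines shown in the Control Details area for one question: each section's text."""
    return [f"{s['section']}: {s['text']}" for s in tree[group][control]]


if __name__ == "__main__":
    tree = load_standard(SAMPLE_STANDARD)
    for group, controls in tree.items():
        print(group)
        for control in controls:
            print("  " + control)
            for line in control_details(tree, group, control):
                print("    " + line)
```

The sample shows why the grouping matters: two password sections land under one "Password Policy" control, so a single piece of evidence answers both, which is the point of the Control Details area described further on.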
The Control Areas interface contains a tree for navigating through the control questions. The top level of the tree contains control groups that group together related control questions under high-level headings such as Administration, Network, Users, etc. The second level gives a short name for each control question and shows the response status for that question. Clicking on the + icon next to a group name expands that group, and clicking on a control question name makes that the currently-selected question in the Control Details area and Control Response area.
The Control Details area shows the text of each requirement for the control question. Note that text from multiple standards may be included, and there is a scroll bar at the right to allow scrolling through long content. Even though there may be multiple sections from multiple standards associated with the question, generally a single piece of evidence is sufficient to respond appropriately.
For example, if the question is about user passwords, there may be separate requirements related to password length, complexity, maximum age, etc. But it does not make sense to respond to those items individually. Instead, a single piece of evidence showing the password policy in place should be sufficient. If you are having trouble with your survey because control requirements have been grouped together too coarsely, please contact email@example.com and we will provide assistance.
The Control Response interface shows a list of responses you can choose from by clicking the adjacent circle. There is also a large text area for entering a rationale for your response, and some buttons for choosing and uploading evidence to attach to your response. Only one attachment per question is allowed, so if you need to upload multiple files, put them inside a file archive (such as a Windows compressed folder or Zip archive) and upload the file archive.
If the assessment requires other people to contribute responses and/or evidence, those people can be included in the assessment using the "Delegate This" button and menu. The menu shows a list of all users with sufficient access privileges to contribute to assessments. If a desired person does not have an account and you have User Administrator permissions, you can create an account for that person on the User Manager tab of the portal home page. Be sure to grant at least partial access to Compliance Communicator after creating the account.
After delegating a control item to another person, a separate text box and attachment area will be added to the interface. Once you have completed a first pass through the entire assessment, you can send an email to all delegates through the Delegation tab.
There is also a "Delegate All" button which delegates all control items in all control groups to the given user.
The Ticket button creates a new ticket associated with the control item. The ticket fields may be edited, and they are saved automatically. Using the Ticket feature requires user permission for that specific feature. Tickets may be viewed on the Tickets tab of the Performance Dashboard application.
The Delegation Table shows all control items delegated to specific users together with the status of the user's response. After the delegation strategy is initially created, all delegates may be emailed using the Mail All Delegates link above the table. The email contains a link to a special page containing only the delegated items for each contributor.
Additionally, the Delegation Table may be used to check the status of the delegated responses. If a contributor is late with required information, they may be emailed by clicking their user name in the table.
Response Summary Table
The Response Summary Table is a filterable table showing the response to each control question. The table may be sorted by any of its columns by clicking the desired column header. The checkboxes above the table filter the results, so that if for example you only want to see unanswered questions, you can uncheck all the boxes except "Unanswered."
Response Summary Chart
The Response Summary Chart counts how many questions received each type of response. It respects the filter selections above the summary table, so that if for example you filter out "In Place" questions from the table, those will not be counted in the chart.
The Standards Compliance area has a selector for choosing which standard to show. When a standard is selected, its sections are listed, and your response to each section is shown in bold below the section text. In particular, the control group and control question associated with that section of the standard is printed, together with the response you selected and any text you typed in the text box. Frequently the same control question covers several sections of the standard, so it will be listed each time it applies.
The Manage Assessments table is an interface for choosing which assessment to open, as well as performing other operations on assessments. To open an assessment, click its row in the table and then click the Open button.
Edit Assessment Properties
The Open Assessment interface shows properties associated with the currently-opened assessment. HTML may be pasted into the Notes area once unlocked. Pasted links will become clickable when the editor is re-locked.
The Asset Table interface is a navigation interface for assets. An asset may be selected by clicking a row in the table. If the asset is in scope for the current assessment, it will become the currently-selected asset and its title and other properties may be edited in the Asset Editor to the right. If it is not in scope, clicking the checkbox in its row will cause it to be marked as in scope and the assessment will be reloaded.
The properties of the currently-selected asset may be viewed in the Asset Details section. If you have the necessary permissions, these properties may be edited using the Asset Manager application. After editing the properties in Asset Manager, it is necessary to click the Refresh button above the Asset Table so that your changes are visible in Test Manager.
The Asset Components interface is for navigating the tree of assets and their pages. Assets may be expanded to list their components by clicking the '+' buttons. Each asset and component entry is decorated with a completion count showing the number of complete and total tests for that asset or component. Clicking a component selects it, and the Test Editor area changes to show the tests for that component.
Create Component Panel
The Create Component panel provides a multi-select list for selecting collections of tests to apply to the new page. These collections are called "templates" in the interface. As an alternative to using templates, tests may be created manually in the Test Editor interface.
Manage Templates Panel
Templates may be edited or created using the Manage Templates panel. To create a new template, select the option <New Template> from the menu, and give the new template a title.
There are two ways to edit template data. The first way is to use the text box in the interface. The text box accepts data in pipe-separated (the "|" character) format. The pipe character may not appear anywhere in the data itself, and no form of character escaping is recognized.
The second way to enter data is via CSV upload using the button next to the Import Data label. The input file should be comma-separated, and cells containing commas should be wrapped in double-quotes. Double-quotes occurring in quoted cells must be escaped by preceding them with an additional double-quote. No other escaping conventions are recognized. The file should be encoded in UTF-8, with or without a BOM. The file should not contain column headers.
If the file contains pipe characters, the import will succeed, but subsequent edits using the pipe-separated editor in the interface will produce incorrect results. It is advised not to use pipe characters in templates, even if it is not expected the pipe-separated editor will ever be used.
With either upload method, the format of the content is the same. The column definitions are below.
- Test Group -- a string containing the name of the test group
- Test Name -- a string containing the name of the test
- Tags -- a string containing a list of name-value pairs for tags. Each name-value pair is joined with a colon, and the list items are joined with a comma, e.g. "name1:value1,name2:value2". Extra spaces should not be added.
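The following is an added example, not code from the GRC Select product, showing how a client-side tool could parse template data in both formats described above before uploading it. It implements exactly the rules stated on this page: no escaping at all for the pipe-separated editor text; comma separation, double-quoted cells and doubled double-quotes for the CSV upload; UTF-8 with or without a BOM; no header row; and the three columns Test Group, Test Name and Tags with "name:value" tag pairs. It also refuses any cell containing a pipe character, since the page warns that such an import succeeds but later breaks the pipe-separated editor. The function names, the TemplateRow record and the sample rows are assumptions made for illustration.

```python
"""Parser for Test Manager template rows (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Column order from the template format description on this page.
COLUMNS = ("Test Group", "Test Name", "Tags")


@dataclass
class TemplateRow:
    """One template row after validation. The type itself is an assumption."""
    test_group: str
    test_name: str
    tags: Dict[str, str] = field(default_factory=dict)


def parse_pipe_text(text: str) -> List[List[str]]:
    """Split editor text into rows of cells on '|'.

    No escaping is recognized, so a '|' inside a value cannot be told
    apart from a delimiter; that is why rows_to_templates rejects it.
    """
    return [line.split("|") for line in text.splitlines() if line.strip()]


def parse_csv_text(data: bytes) -> List[List[str]]:
    """Parse CSV bytes using only the rules the page gives.

    UTF-8 with an optional BOM (stripped by the utf-8-sig codec); cells with
    commas are wrapped in double quotes; a double quote inside a quoted cell
    is written as two double quotes; nothing else is treated as an escape.
    """
    text = data.decode("utf-8-sig")
    rows: List[List[str]] = []
    row: List[str] = []
    cell: List[str] = []
    in_quotes = False
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if in_quotes:
            if ch == '"':
                if i + 1 < n and text[i + 1] == '"':
                    cell.append('"')        # doubled quote -> literal quote
                    i += 2
                    continue
                in_quotes = False           # closing quote of the cell
            else:
                cell.append(ch)
        elif ch == '"' and not cell:
            in_quotes = True                # opening quote at start of a cell
        elif ch == ",":
            row.append("".join(cell))
            cell = []
        elif ch in "\r\n":
            if ch == "\r" and i + 1 < n and text[i + 1] == "\n":
                i += 1                      # treat CRLF as one line break
            if row or cell:                 # skip completely empty lines
                row.append("".join(cell))
                rows.append(row)
            row, cell = [], []
        else:
            cell.append(ch)                 # a bare quote mid-cell is literal
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted cell")
    if row or cell:                         # last line without a newline
        row.append("".join(cell))
        rows.append(row)
    return rows


def parse_tags(spec: str) -> Dict[str, str]:
    """Parse "name1:value1,name2:value2" into a dict (no extra spaces)."""
    tags: Dict[str, str] = {}
    if not spec:
        return tags
    for item in spec.split(","):
        name, sep, value = item.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed tag {item!r}")
        tags[name] = value
    return tags


def rows_to_templates(rows: List[List[str]]) -> List[TemplateRow]:
    """Validate raw rows against the three columns and build TemplateRow records."""
    out: List[TemplateRow] = []
    for lineno, cells in enumerate(rows, start=1):
        if len(cells) != len(COLUMNS):
            raise ValueError(f"row {lineno}: expected {len(COLUMNS)} columns, got {len(cells)}")
        for col, value in zip(COLUMNS, cells):
            if "|" in value:
                raise ValueError(f"row {lineno}: '|' in {col} would corrupt the pipe-separated editor")
        group, name, tag_spec = cells
        out.append(TemplateRow(group, name, parse_tags(tag_spec)))
    return out


# Constructed sample input (not from the product): the same two rows in both formats.
SAMPLE_PIPE = (
    "Authentication|Password brute force|phase:auth,priority:high\n"
    "Session|Cookie flags (Secure, HttpOnly)|phase:session\n"
)
SAMPLE_CSV = (
    b"\xef\xbb\xbf"                                                    # UTF-8 BOM
    b'Authentication,Password brute force,"phase:auth,priority:high"\r\n'
    b'Session,"Cookie flags (""Secure"", HttpOnly)",phase:session\r\n'
)

if __name__ == "__main__":
    for row in rows_to_templates(parse_csv_text(SAMPLE_CSV)):
        print(row)
```

The CSV walk is written by hand rather than with a library so that the only escaping it accepts is the doubled double-quote the page describes; anything else arrives in the cell as literal text, which matches what the upload will do with it.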
The Test Editor area is for viewing and editing the list of tests for a given component. To delete a test, click the "X" button in the upper right of the editing area for the test. To add a new name/value tag, click the "+" button near the tags area. To delete a name/value tag, click the "-" button next to the tag.
The filter panel is an interface for filtering the set of tests shown in the test editor area. The filter also applies to the data set generated by the Download button.
Table of Findings
The Table of Findings is a navigation component for findings. A finding may be selected by clicking a row in the table, and its details will be shown in the Finding Editor.
Note: Findings which have been closed are not shown in the table. To reopen a finding which has been closed, select the finding using the table on the Report tab, which shows open and closed findings, then return to the Finding Editor and update the status.
Import Findings from Scan
The import panel presents an interface for importing findings from a scan output file. At present only the Burp scanner is supported. To import findings, choose a file using the file input, wait for parsing to finish, then review the results in the table. For each finding, choose an appropriate template using the menu in each row. A row may be excluded from the import by clicking the button in the Delete column. When finished editing, click the Done button at the top to finish the import.
Note: It is always necessary to review all imported findings to finish the writeup. The import process is intended to save some time, but it is not intended to be used without manual review.
Finding Import Data
The Scanner Data overlay shows information about the finding that may not easily fit in the table. All such data is included in the imported finding, and it will need to be reviewed and edited.
The Finding Editor is where a detailed writeup of a finding may be created. To ensure consistency, guidance is provided for making selections for each field.
Choosing a Finding Template
When creating a new finding, a menu is shown with some prewritten templates. The prewritten templates have risk scores assigned, attack and test group fields already filled out, and part of the writeup written. These templates may be useful when reporting common types of findings. It is still of course necessary to complete the writeup and ensure that the prewritten content is still true and applicable for the situation. To select one of the prewritten templates, click one of the items in the list with the mouse. To begin with a new finding without prewritten content, select New Finding, which is the first item in the menu.
Note that when a finding is created from the Tests tab, the test group will be determined by the test group of the test which generated the finding. If there are no prewritten templates which match that test group, the menu will not be shown, and the default template without prewritten content will be chosen automatically.
The finding title should be short and based on the attack type and the page, possibly including information about the parameters involved if necessary for disambiguation. The title should be written using title case, and should use industry-standard terminology. For example, a finding could be titled 'XSS on page1' if there is only one such finding, or if there are multiple such findings, they could be called 'XSS Using param1 on page1', 'XSS Using param2 on page1', etc.
The menu shows a list of in-scope assets for the assessment. Only one selection may be made. If the finding affects more than one asset, then a new asset should be created to encompass general issues affecting multiple assets, and then the finding may be associated with that asset.
The status field is a clickable link which opens an overlay for making status updates. The meanings of the status choices are described below.
- Open -- the default state.
- Fixed -- the vulnerability has been fixed.
- Accepted -- risk associated with the vulnerability has been accepted, and the vulnerability will not be fixed.
The Attack field should be the name of an attack, i.e. something an attacker can do that is of concern. The menu shows a list of standardized attack names which should be used if possible. If not, a custom entry may be created by selecting <Add Attack>. If it is desired to remove a custom entry and switch to using the menu, delete the contents of the text field and press enter.
It is possible that a finding will have no direct attack scenario, yet there is still a reportable software defect that should be included as a finding. For example, in some cases weaknesses in syntactic or semantic validation may not be exploitable, but are of concern regardless. In such a case, a generic attack name such as "Parameter Tampering" or "Filter Bypass" may be used. But more specific attack names should always be used when possible.
Finding Test Group
The Test Group field should correspond to the test group of the test which generated the finding.
The user interface for writing findings consists of an editing pane containing content blocks. New content blocks can be created using the buttons above the editing pane. The block types are explained below.
- H -- The content will be rendered as a section heading.
- P -- The content will be rendered as paragraphs. Content will be split at newlines to form multiple paragraphs. Blank lines will be omitted.
- IMG -- An image may be uploaded and will be bundled with the report. The Caption field contains a caption for the image. Images in PNG format will be analyzed for size and automatically rescaled if necessary.
- CODE -- The content will be rendered as a preformatted code section using a monospace font. Newlines will be preserved. A caption may be specified.
- TABLE -- The content will be interpreted as pipe-separated rows of data and rendered as a table, with the first row rendered as column headings.
- LIST -- The content will be interpreted as items in a list, one on each line.
- HTML -- Raw HTML may be entered and this HTML will be inserted into the document.
Content blocks may be moved using the up and down arrows at the left of each block. They may be deleted using the X button at the upper right of each block.
The editing pane has several sections in it by default. They are all generally useful, but on a case-by-case basis may be modified or removed if needed.
The URL section should contain the full URL of the vulnerable page. If the finding applies to more than one page, the section can be omitted or contain multiple URLs, depending on which would be clearer.
User Interface Section
Since pages may have complex designs, it is generally useful to present a description and screenshot of the part of the page in question for purposes of clarity. This helps identify what part of the application workflow is affected.
The vulnerability section is for describing what the software weakness is. In other words, it is for describing what specific feature has been implemented incorrectly.
Code Listing Section
The code listing section is for listing the affected code, if possible. This helps identify what needs to be fixed.
The attack section is for describing what actions an attacker can carry out to exploit the vulnerability, and what the impact of those actions is.
The recommendation section is for writing a detailed technical recommendation for fixing the vulnerability.
The Executive Summary editor is an optional feature for writing an executive summary for the assessment. The tools available are the same as for finding writeups.
The Finding Report section shows a table of findings, and allows the user to include or exclude findings from the report using the checkboxes in the Report column. Many of the columns are sortable by clicking on the column header.
The Performance Dashboard application provides an executive-level summary of certain aspects of the security program's performance. It is in the early stages of development.
The Tests tab shows performance statistics for assets whose security tests have been documented using the Test Manager. Only the most recent assessment for each asset is included. The first column shows the name of the asset, and the remaining columns, one per test group used in the assessments, show an increasingly filled-in circle to indicate the approximate fraction of the tests in that group which have been completed. The top number in these columns shows the number of completed tests, and the bottom number shows the total number of tests.
For purposes of this table, a test status of "N/A" is counted neither as complete nor toward the total; the statuses "Incomplete" and "Not Performed" count toward the total but not as complete; and any other status (such as Pass or Fail) counts both as complete and toward the total.
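The following is an added example, not product code, that reproduces the two rules just described for the Tests tab: keep only the most recent assessment per asset, then count each test status as (complete, total) with "N/A" excluded from both numbers and "Incomplete" / "Not Performed" counted toward the total only. The status names are the ones named on this page; the record layout (asset, ISO assessment date, test group, status), the function names and the sample records are assumptions made for illustration.

```python
"""Completion counts for the Performance Dashboard Tests tab (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (asset, assessment_date as ISO "YYYY-MM-DD", test_group, status) -- assumed layout
TestRecord = Tuple[str, str, str, str]
Count = Tuple[int, int]  # (complete, total)

NOT_COUNTED = {"N/A"}                                   # excluded from both numbers
COUNTED_NOT_COMPLETE = {"Incomplete", "Not Performed"}  # total only


def classify(status: str) -> Count:
    """Contribution of one test status to (complete, total), per the page's rules."""
    if status in NOT_COUNTED:
        return (0, 0)
    if status in COUNTED_NOT_COMPLETE:
        return (0, 1)
    return (1, 1)  # Pass, Fail, or any other recorded outcome


def latest_assessment_only(tests: Iterable[TestRecord]) -> List[TestRecord]:
    """Keep only records from the most recent assessment date of each asset.

    ISO dates compare correctly as strings, which is why the date is kept as text.
    """
    tests = list(tests)
    latest: Dict[str, str] = {}
    for asset, date, _, _ in tests:
        if asset not in latest or date > latest[asset]:
            latest[asset] = date
    return [t for t in tests if t[1] == latest[t[0]]]


def completion_table(tests: Iterable[TestRecord]) -> Dict[str, Dict[str, Count]]:
    """Build {asset: {test_group: (complete, total)}} as shown in the Tests tab."""
    table: Dict[str, Dict[str, Count]] = defaultdict(lambda: defaultdict(lambda: (0, 0)))
    for asset, _, group, status in latest_assessment_only(tests):
        c, t = classify(status)
        oc, ot = table[asset][group]
        table[asset][group] = (oc + c, ot + t)
    return {asset: dict(groups) for asset, groups in table.items()}


def asset_totals(table: Dict[str, Dict[str, Count]], asset: str) -> Count:
    """Sum the per-group counts of one asset (the figure behind its filled circle)."""
    complete = sum(c for c, _ in table.get(asset, {}).values())
    total = sum(t for _, t in table.get(asset, {}).values())
    return (complete, total)


def fraction_complete(count: Count) -> float:
    """Fraction used to pick how filled-in the circle is; 0.0 when nothing counts."""
    complete, total = count
    return 0.0 if total == 0 else complete / total


# Constructed sample records (not real assessment data).
SAMPLE_TESTS: List[TestRecord] = [
    ("Portal", "2015-03-01", "Authentication", "Pass"),          # older assessment,
    ("Portal", "2015-03-01", "Session", "Incomplete"),           # ignored entirely
    ("Portal", "2015-04-10", "Authentication", "Pass"),
    ("Portal", "2015-04-10", "Authentication", "Fail"),
    ("Portal", "2015-04-10", "Authentication", "N/A"),           # counted nowhere
    ("Portal", "2015-04-10", "Authentication", "Incomplete"),    # total only
    ("Portal", "2015-04-10", "Session", "Not Performed"),        # total only
    ("Portal", "2015-04-10", "Session", "Pass"),
    ("Billing", "2015-02-20", "Authentication", "N/A"),
    ("Billing", "2015-02-20", "Authentication", "Pass"),
]

if __name__ == "__main__":
    table = completion_table(SAMPLE_TESTS)
    for asset, groups in table.items():
        print(asset, groups, asset_totals(table, asset))
```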
Detailed information about the tests which were performed for each asset may be seen by clicking the Details button at the top right of the table. When a cell in the first column is selected, the table in the overlay panel will show all tests for the asset. When one of the subsequent cells is selected, only tests from that test group will be shown.
The filter overlay allows the collection of tests to be filtered by tag. The filter affects both the table shown in the interface and the report and export output.
The Findings tab shows information about findings created in the Test Manager. Only findings which have the status "open" are shown.
Table of Open Findings
The Open Findings table shows a list of all open findings. The table may be sorted by any column by clicking the column headers. The selector above the table controls which plot is shown at the right. Clicking a row in the table selects that finding for viewing in the Selected Finding area.
Severity By Age Plot
The Severity by Age plot shows how many findings of each risk level are within each age group. The age is computed as the number of whole 24-hour periods since the finding was originally created.
Age By Asset Plot
The Age by Asset plot shows how many findings in each age group are associated with each asset. The age is computed as the number of whole 24-hour periods since the finding was originally created.
Details of Selected Finding
The Selected Finding area shows detailed information about the finding selected in the Open Findings table.
The Analysis of Findings table shows the risk associated with each vuln category for each asset. The risk is represented graphically according to the highest risk of any finding for that asset and vuln category. The total number of findings is represented numerically to the left of each graphic. Clicking the Details button shows the list of findings whose information is represented in a given cell. Clicking on one of the cells not corresponding to a vuln category shows all findings associated with the asset.
The vuln category columns are taken from the standard list of vuln categories in the menu in Test Manager. Custom or blank vuln categories are represented in the Other column.
The Asset Compliance table shows the number of times each response was given on the most recent assessment for each asset. The level of concern associated with the response is shown graphically via the color of the circle in each cell. Clicking the Details button shows the list of control items whose information is represented in a given cell.
The Asset Manager application is for defining information security assets against which assessments are performed.
The Asset Table interface is a navigation interface for assets. An asset may be selected by clicking a row in the table. Once selected, the asset properties may be edited in the Asset Editor interface to the right.
The properties of the currently-selected asset may be edited in the Asset Editor. Note that deleting or renaming an asset may cause problems in other applications such as Test Manager if the asset is referenced there. You will be warned about this only the first time per session you attempt such an operation. For assistance reorganizing your asset collection, please contact firstname.lastname@example.org
last update: Apr 2015
Information We Gather
The following information is gathered from our website visitors:
- IP address
- email or login name
- login date/time
- application accessed
How We Use It
Information is used for logging site activity only. We will not sell or disclose any information collected.
Who Can Access It
Your information is accessible by a limited number of employees only.
How It Is Protected
To safeguard your information, we maintain an information security program based on ISO 27001-2 and are audited annually by an independent third party.
Our website requires cookies that enable us to maintain session state and support device authentication. We do not track behavior.
In addition to code written by Caliber, this software contains code derived from the Yahoo User Interface library (YUI). The YUI code used here was modified both manually and via script, and the resulting code is not the preferred form for editing. Therefore we understand the code included here to be in "binary form", and in accordance with the license under which YUI is distributed, we reprint the below copyright notice, list of conditions, and disclaimer. Note that the GRC Select Suite is not distributed under the same license, nor should any of the below provisions be construed to apply to the GRC Select Suite code written by Caliber. Use of the GRC Select Suite is governed by the Caliber Master Subscription Agreement.
-- Begin YUI Copyright Notice --
Copyright (c) 2009, Yahoo! Inc. All rights reserved.
Redistribution and use of this software in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Yahoo! Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission of Yahoo! Inc.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-- End YUI Copyright Notice --