ICAS User Guide

1. Overview

Caveris Information & Cyber Assurance Suite (ICAS)® gives business leaders, CISOs and security teams the real-time, in-depth information and tools they need to maintain effective cyber and information security across the entire enterprise. ICAS integrates and correlates infrastructure, events and analysis from multiple sources – technological and those requiring human attestation – to provide a real-time, enterprise-wide perspective on your organisation’s information and cyber security posture, automating and tracking security controls and remediation activities.


2. Introduction

This section introduces various fundamental concepts found within the ICAS® application. 

2.1. Hierarchical Treeview Model

Caveris ICAS models and tracks Information Security Controls across a business. To facilitate this, Caveris ICAS uses the following hierarchy, described from the lowest level (Controls) up to the top-level Organisation in the subsections below:

Figure: Hierarchical Treeview Model

2.1.1. Controls

A Caveris ICAS Control is the underlying mechanism by which an Activity is enforced. A Control is the object within Caveris ICAS that is tracked (and often executed).

2.1.2. Activities

A Caveris ICAS Activity is the actual activity carried out to deliver a specific function – Adding a User and Removing a Firewall Rule are examples of activities.

2.1.3. Disciplines

A Caveris ICAS Discipline is a set of activities grouped into a specific subject area – e.g. the Firewall Management Discipline would comprise all the activities required to manage Firewalls.

2.1.4. Infrastructures

An Infrastructure (or Service) is a grouping of discrete technology environments within the Technology Domain. Within the Corporate Domain there is a Corporate DAC (Disciplines, Activities & Controls) Infrastructure where all non-technology related Information Security Controls are grouped. Additionally, if the ISO 27001 Regulatory Standard module is licensed, a further ISMS Infrastructure is used to group all non-Annex A Information Security Controls together.

2.1.5. Domains

Domains are the second-level grouping beneath the Organisation; Caveris ICAS comprises two Domains – Corporate and Technology. The Corporate Domain groups all non-technology related objects, and the Technology Domain groups all technology related objects.

2.1.6. Organisation

The top-level object; this is typically the Business Name (e.g. ACME Bank).

2.2. Scoring

The ICAS® scoring system is central to the ICAS® application and provides a succinct overview of data compiled from the Control level all the way up to the Organisational level. The Assurance page is a clear example of how the scoring can be presented at a high level, giving a concise view of how the Organisation is performing and of any areas of security-related weakness it might display.

The terminology related to scoring within the ICAS® application is detailed in the sections below.
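The following is an added illustration, not code from the ICAS user guide or the Caveris product: it models the six-level hierarchy above (Organisation, Domain, Infrastructure, Discipline, Activity, Control) as a tree and rolls a score up from the Control level. The roll-up rule (share of descendant Controls in a passing state) is an assumption made for the example, since the guide's own scoring terminology is defined elsewhere; the Infrastructure, Discipline and Control names not mentioned in the guide are constructed.

```python
# Added example, not part of the ICAS user guide: a minimal tree model of the
# Organisation > Domain > Infrastructure > Discipline > Activity > Control
# hierarchy, with a score rolled up from the Control level. The roll-up rule
# (fraction of descendant Controls that are passing) is an ASSUMPTION for
# illustration only; names not taken from the guide are constructed.
from dataclasses import dataclass, field
from typing import Iterator, List, Optional


@dataclass
class Node:
    name: str
    level: str                      # Organisation, Domain, Infrastructure, Discipline, Activity or Control
    passing: Optional[bool] = None  # only meaningful for Controls
    children: List["Node"] = field(default_factory=list)

    def add(self, child: "Node") -> "Node":
        self.children.append(child)
        return child

    def controls(self) -> Iterator["Node"]:
        """Yield every Control beneath this node (a Control yields itself)."""
        if self.level == "Control":
            yield self
        for child in self.children:
            yield from child.controls()

    def score(self) -> float:
        """Assumed roll-up: share of descendant Controls currently passing."""
        ctrls = list(self.controls())
        if not ctrls:
            return 0.0
        return sum(1 for c in ctrls if c.passing) / len(ctrls)


def build_sample() -> Node:
    """Constructed sample tree using names the guide mentions where it can."""
    org = Node("ACME Bank", "Organisation")
    tech = org.add(Node("Technology", "Domain"))
    corp = org.add(Node("Corporate", "Domain"))
    fw = tech.add(Node("Perimeter", "Infrastructure")).add(Node("Firewall Management", "Discipline"))
    rule = fw.add(Node("Removing a Firewall Rule", "Activity"))
    rule.add(Node("Change ticket approved", "Control", passing=True))
    rule.add(Node("Rule removal verified", "Control", passing=False))
    dac = corp.add(Node("Corporate DAC", "Infrastructure")).add(Node("Joiners and Leavers", "Discipline"))
    user = dac.add(Node("Adding a User", "Activity"))
    user.add(Node("Manager approval recorded", "Control", passing=True))
    return org


if __name__ == "__main__":
    org = build_sample()
    for node in (org, *org.children):
        print(f"{node.level:<13}{node.name:<12}{node.score():.2f}")
```

Each level's score is derived solely from the Controls beneath it, so a failing Control lowers the Activity, Discipline, Infrastructure, Domain and Organisation scores above it in turn.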
