Cherwell Software
www.cherwell.com
© 2017 Cherwell Software, LLC. All Rights Reserved.
CHERWELL SERVICE MANAGEMENT
Copyright
Cherwell and the Cherwell logo are trademarks owned by Cherwell Software, LLC and are registered
and/or used in the United States and other countries. ITIL® is a registered trademark of AXELOS Limited.
All other product or company names referenced herein are used for identification purposes only and are
or may be trademarks or registered trademarks of their respective owners.
The information contained in this documentation is proprietary and confidential. Your use of this
information and Cherwell Software products is subject to the terms and conditions of the applicable End-
User License Agreement and/or Nondisclosure Agreement and the proprietary and restricted rights
notices included therein.
You may print, copy, and use the information contained in this documentation for the internal needs of
your user base only. Unless otherwise agreed to by Cherwell and you in writing, you may not otherwise
distribute this documentation or the information contained here outside of your organization without
obtaining Cherwell’s prior written consent for each such distribution.
Contents
Information Security Management System mApp
  Overview
  How the mApp Works
  Related Reading
  Steps to Apply the mApp
  How to Use the mApp
Configuring the Information Security Management System mApp
  Create a Security Analyst and Security Manager Role
    Security Analyst Role
    Security Manager Role
  Create Security Groups
    Security Administrator Security Group
    Security Analyst Security Group
    Recommendations for Additional Security Groups
  Provide Object Data in Table Management for Information Security Management System mApp
    ISMS Specification Object
    ISMS Control Group Object
    ISMS Control Source Object
    ISMS Risk Mitigation Questions Object
  Portal Event Configuration
    Update the Portal Customer Security Group
    Update the Portal Dashboard with Security Event Link
    Create Recurring Audit Scheduler
Using the Information Security Management mApp
  ISMS Dashboards
  Create a Security Event
    Create a Security Event via the Portal
    Create a Security Event via an IT Incident
    Create a Security Event via an Integration
    Manually Create a Security Event
    Close Security Event
Object | Change | Result
Specification | Modified Compliance Policy tab to display the correct summary form | Compliance Policy tab shows summary form with greater detail
Audit | Updated the Participant tab to include 'New'. | Can create a new Participant from the form attachments tab
Compliance | Updated the Participant tab to include 'New'. | Can create a new Participant from the form attachments tab
Compliance | Modified the Business Owner One-Step; updated to filter based on team. | Business Owner is now filling correctly
Risk Assessment | Asset Owner field validation auto-populate properties | Asset Owner is only populated from the Configuration Item's Asset Owner if the field is empty
Risk Assessment | Modified visibility expression on embedded form | No longer shows "No Current Form"
Security Event | Added visibility expressions to tabs on form arrangement | Only shows tabs with linked records for specific linked objects (e.g. Change Request, Incident, etc.)
Overview
Cherwell Software’s Information Security Management System (ISMS) mergeable application (mApp) provides a
comprehensive solution for managing Risk, Compliance, and Security Operations. By leveraging Cherwell’s
Configuration Management Database (CMDB), Information Technology Service Management (ITSM) framework,
and lifecycle processes, the system marries the capabilities of typical Governance, Risk, Compliance (GRC) tools
with real-time operational benefits for Security Incident handling. Cherwell’s ISMS mApp can align security controls
and policies across multiple industry standards such as International Organization for Standardization (ISO)
27001:2013, Health Insurance Portability and Accountability Act of 1996 (HIPAA), Payment Card Industry (PCI), and
more. Installing the mApp is not required by any security industry standard, and it does not by itself make an
organization compliant with any security standard.
The mApp provides multiple tools and processes, including:
Security Event: A dedicated Business Object record used to track and manage security-specific events using
an independent process and lifecycle. Security Event is directly associated with Configuration Items, Supporting
Services, Risk Assessments, and Similar Events to provide a comprehensive view of the event. Links to IT
Incident, Task, and Change Management are also included when additional work is required from IT teams to
manage the Security Event. Security Event provides the means for analysts to quickly analyze possible security
threats and take necessary action.
Security Incident: If a Security Event results in a breach or loss of any type, the event can be escalated to a
Security Incident. ISMS Security Incidents are specific to security breaches and differ from the CSM Incident
Business Object. Security Incidents follow the NIST guidelines for security incident handling, and the record can be
kept restricted to explicitly granted users throughout the process to recovery.
Risk Assessment: Allows users to weight and score predefined security posture questions to calculate the mitigated
risk score, unmitigated risk score, business impact, threat likelihood, and security classification of a CI or
Supporting Service. Risk Assessment questions are loaded in Table Management, which lets the system retain
previous Risk Assessment questions and answers as an organization evolves its assessments over time.
Specification: A tool that allows you to navigate, view, select, and define a set of Controls (individual
requirements for specific areas of security) that align to industry standards, such as ISO 27001:2013. From the
Specification, you can quickly navigate between and define related Controls and associated Policies. Controls
can be linked directly to Policies, and Policies can govern similar Controls across multiple Specifications.
Compliance: A Business Object record used to manage compliance policies and activities needed to maintain
compliance. Compliance records can be created from most areas within ISMS such as Security Events, Audits,
and Risk Assessments. There are three types of Compliance records, including:
Policy: Used to create policy documents (recorded on the form or attached to the form) and track related
Controls.
Preventative Action: Used to record and track proactive actions taken to ensure compliance of a policy or
Control. You can create a Preventative Action directly from a Security Event, Audit, or Risk Assessment.
Corrective Action: Used to record and track reactive actions taken to ensure compliance of a policy or
Control. You can create a Corrective Action directly from a Security Event, Audit, or Risk Assessment.
Audit: A scheduled review of compliance related to an industry standard, such as ISO 27001:2013, or to key
Configuration Items (infrastructure, supporting services and/or collateral). Audits can be scheduled on a
recurring basis, and Preventative and Corrective Actions can be associated with audit activities.
The following graphic shows the key elements of the ISMS mApp.
For detailed information on merge actions, refer to the Apply a mApp documentation.
Related Reading
About Dashboards
About the Configuration Management Database (CMDB)
About mApps
About Security Groups
Assign Roles to a Security Group
About Table Management
File Attachments: Attachment security rights (example: Import/link and global overrides).
Roles: Roles assigned to the Security Group. You can also designate a default Role for the Security Group.
Note: Encrypted Fields require additional System Requirements outside of the mApp. Ensure your organization
has the required software to support and create encryption before implementing Encrypted Fields.
10. Repeat Steps 6–8 for all 47 ISMS and Event Operations Business Objects.
Note: Radio buttons in the General section differ for each ISMS Business Object. Continue to select all radio
buttons except Limit Records Based on Criteria. This will ensure open access for the Security Administrator Group.
11. Edit the File Attachment rights if desired (default selections are recommended).
12. In the Roles tab, select Add.
13. Select Security Manager and click OK.
14. In the Users tab, select Add.
15. Choose desired Users from the list and click OK.
16. Click the Save button.
4. In the Business Object tab, select ISMS Audit from the drop-down.
5. Under the General section, select the View, Add, and Edit options.
6. Select New Field and check View and Edit.
7. Repeat Steps 4–5 for 47 ISMS and Event Operations Business Objects.
8. Edit the File Attachment rights if desired (default selections are recommended).
9. In the Business Object tab, select ISMS Security Incident from the drop-down.
10. Select Limit records based on Criteria, and click Browse…
11. For the Custom Query, use: ISMS Security Incident.User Access List Like Current User RecID
where ISMS Security Incident.User Access List is the Field chosen from the drop-down menu and
Current User RecID is a Stored Expression. This restricts Security Analysts to the Security Incidents they have
explicitly been granted access to; the Security Administrator group, which has no criteria, still sees every record.
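The effect of the criteria in step 11, emulated in Python as an added example (this is not Cherwell code, and the comma-separated storage of the User Access List, the GUID-style RecIDs and the sample records are assumptions made for the illustration):

```python
"""Emulation of the record-level restriction on ISMS Security Incident.

Added example, not Cherwell code. The Security Analyst group's Custom Query
    ISMS Security Incident.User Access List Like Current User RecID
shows a Security Incident only to users whose RecID appears in the record's
User Access List; the Security Administrator group has no such criteria and
sees every record. Assumptions: the list is stored as comma-separated text
and RecIDs are 32-character GUID-style strings."""

from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class SecurityIncident:
    incident_id: str
    description: str
    user_access_list: List[str] = field(default_factory=list)  # RecIDs with view/edit rights


def like_match(stored_text: str, needle: str) -> bool:
    """'Like' is a pattern match over the stored text, i.e. a substring test."""
    return needle in stored_text


def exact_member(entries: Iterable[str], needle: str) -> bool:
    """Tokenised check: the RecID must equal one list entry, not merely occur inside one."""
    return any(entry == needle for entry in entries)


def visible_incidents(records, current_user_recid, unrestricted=False, strict=False):
    """Return the records the current user may open.

    unrestricted=True models the Security Administrator group (no
    'Limit records based on criteria'); strict=True swaps the substring
    'Like' test for exact entry matching."""
    if unrestricted:
        return list(records)
    visible = []
    for record in records:
        if strict:
            allowed = exact_member(record.user_access_list, current_user_recid)
        else:
            allowed = like_match(",".join(record.user_access_list), current_user_recid)
        if allowed:
            visible.append(record)
    return visible


def grant_access(record: SecurityIncident, recid: str) -> SecurityIncident:
    """Model of the 'Grant Access to Users' action on a Security Incident."""
    if recid not in record.user_access_list:
        record.user_access_list.append(recid)
    return record


# Constructed sample data (not from the doc). RecIDs are assumed GUID-style.
ANALYST_A = "93f2b1c0d4e94f0e8a6d1f2c3b4a5e60"
ANALYST_B = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
INCIDENTS = [
    SecurityIncident("SI-1001", "Laptop stolen from rental car", [ANALYST_A]),
    SecurityIncident("SI-1002", "Credential stuffing against the portal", [ANALYST_B]),
    SecurityIncident("SI-1003", "Phishing email with malicious attachment", []),
]

if __name__ == "__main__":
    print([r.incident_id for r in visible_incidents(INCIDENTS, ANALYST_A)])
```

With fixed-length RecIDs the substring "Like" test and the exact-entry test agree, so the query is safe as written. The strict variant only matters if the same criteria pattern is reused on a field whose values can be prefixes of one another (for example short team or user codes), where "Like" would over-match and expose records to the wrong users.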
High/Med/Low questions generate a percentage and contribute to the Risk Assessment score for that
category.
Yes/No specifies the question as one that can only be answered with Yes or No.
e. Provide a numeric Risk Value and Sequence number based on industry standards.
4. Edit an example Question:
a. Double-click an example Risk Mitigation question.
b. Edit desired fields and click the Save button.
5. Repeat ISMS Question Steps 1–4 for ISMS Security Questions and ISMS Threat Analysis Questions.
3. In the Display page, click the dashboard link in the Show on Login field.
4. In the Dashboard editor, drag a link action onto the Dashboard.
5. Update the Link Label and font.
6. Right-click the link and select Widget properties...
7. In the Choose Action dialog, click the ellipses button to access the Action Manager.
8. In the Action Pane, choose the Commands category.
9. In the Action Tree, choose System>Other, then choose Create Business Object.
10. Edit the fields in the Create Business Object Options dialog.
Enter “Create Security Event” in the Display Text field.
Recurrence: Daily
Range of Recurrences: No end Date
7. In the Action page, select One-Step from the Action drop-down.
8. Click the Ellipses button. In the One-Step Action Manager, choose ISMS Audit from the Association drop-down.
9. Under the Blueprint folder, select Create a new Audit.
10. Select OK, OK again, and Exit.
ISMS Dashboards
The ISMS mApp provides three Out-of-the-Box security-oriented Dashboards.
The Governance, Risk & Compliance (GRC) Dashboard is focused on providing information dealing with an
organization’s overall compliance and risk posture as well as ongoing audit activities. Compliance Managers or
Governance department members would be interested in the types of information reflected in this Dashboard.
The Security Posture Dashboard aims to provide a Security Manager or Chief Information Security Officer (CISO) with
an overall view of the organization’s current security status. The Dashboard delivers real-time information on Security
Incidents and Events by Risk, as well as a Really Simple Syndication (RSS) feed of recently posted cyber threats from
the United States Computer Emergency Readiness Team (US-CERT) website.
The Security Operations Dashboard is intended to be an aggregator of key operational security information and allow
Security Analysts to quickly analyze potential security threats. Events of interest from security information and event
management (SIEM), point security solutions, and network monitoring solutions are presented on the Security
Operations dashboard. Security analysts can quickly review these events in one place, compare them to active security
feeds from outside sources, and manage Security Event and Security Incident handling processes.
b. Description: Provide a description of the event (example: Laptop stolen from rental car).
c. Event Source: Select a source for the initiation of the event (example: Phone).
d. Event Date Time: Click the Date Selector button to access the Calendar.
e. Type: Select a category for the event (example: Loss or Theft of Equipment). The Type displays at the top of the
ticket.
f. A Runbook will be populated if there is one associated with the selected Type.
h. Enter a Supporting Service if known. The Mitigated Service Risk will be populated if there is an active Risk
Assessment for the Supporting Service.
i. Priority: Select from the priority matrix (example: Low).
j. Hostname and Source IP Address will either be populated from an integration (e.g., from a Splunk alert) or
from a Config Item. If Hostname is populated first, the Config Item field will be populated with that value.
c. Detection and Analysis fields are populated from the Security Event. Fill out any additional information in this
area as appropriate.
Note: The Status values are New, In Progress, Pending, and Closed. When a ticket is opened, the Status is New
and the Assigned to Group is Security Incident. The Security Incident team is notified that a new ticket has been opened
and requires ownership. The Status will be set to In Progress once an Owner is assigned.
Note: The Security Incident Stage starts at Containment. Detection and Analysis are completed in the Security
Event but the Stage bar represents the NIST-recognized lifecycle of a Security Event through the Post Review and
Close stage of a Security Incident.
3. The Stage will change once you start to type in the Eradication field. Enter Eradication details.
4. (Optional) Create supporting tickets from the Actions panel or initiate supporting actions. These can be initiated at
any status prior to Resolved. A few are highlighted below.
a. Security Incident Notification provides an email template that can be modified to send out notifications as
needed to interested parties such as Legal, HR, etc.
b. Grant Access to Users allows you to add users who will then have rights to view and edit this Security Incident.
5. Enter Recovery Actions. The Security Incident automatically moves to the Recovery stage when the Recovery
Actions field is updated.
Note: Click Previous Stage in the Next Stage box to go back to earlier panels and enter additional data for
Containment, Eradication, and Recovery. The blue indicator color remains on the most recently reached Stage.
6. Update the Security Incident Timeline: include entries for the critical activities along with date/times and the people
involved. These entries also appear in the Journals tab.
In the main Menu bar, click File/Print to Print or save a report format listing these entries.
7. Click the Next Stage arrow to move to the Post Review stage and complete the relevant Post Review fields.
Note: The Security Incident can be Resolved prior to Post Review being completed.
8. Click the Next Status arrow to change the Status to Resolved. There is no Closed status.
Note: Security Incident tickets can be Resolved even if there are open Compliance records. This behavior can be
modified by the customer based on business requirements.
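The stage and status rules in the steps above, written out as a small Python model. This is an added example, not Cherwell code: the stage names, the status values and the triggers (Owner assignment, the Eradication and Recovery Actions fields, Next/Previous Stage, Resolved with no Closed status) are taken from the steps; the class, its method names and the "Post Review" field key are this example's own assumptions.

```python
"""Model of the ISMS Security Incident stage/status rules.

Added example, not Cherwell code. Encodes what the procedure describes:
Status goes from New to In Progress once an Owner is assigned; the Stage
starts at Containment, moves to Eradication when the Eradication field is
filled, to Recovery when Recovery Actions is filled, and to Post Review via
Next Stage; Previous Stage reopens an earlier panel without moving the stage
indicator; supporting actions are only allowed before Resolved; Resolved can
be reached before Post Review is complete and is terminal (no Closed)."""

STAGES = ("Containment", "Eradication", "Recovery", "Post Review")


class SecurityIncident:
    """Stage/status bookkeeping for one ISMS Security Incident."""

    def __init__(self, description: str):
        self.description = description
        self.status = "New"
        self.assigned_to_group = "Security Incident"   # team notified on creation
        self.owner = None
        self.stage = "Containment"       # furthest stage reached (blue indicator)
        self.panel = "Containment"       # panel currently open for editing
        # "Post Review" as a field key is an assumption of this example.
        self.fields = {"Containment": "", "Eradication": "", "Recovery Actions": "", "Post Review": ""}
        self.timeline = []               # (who, what) entries, also journaled
        self.supporting_tickets = []     # (kind, summary), e.g. IT Incident, Task

    def _journal(self, who: str, what: str) -> None:
        self.timeline.append((who, what))

    def assign_owner(self, owner: str) -> str:
        self.owner = owner
        if self.status == "New":
            self.status = "In Progress"
        self._journal(owner, "took ownership")
        return self.status

    def _reach(self, stage: str) -> None:
        """Move the indicator forward only; going back is an explicit Previous Stage."""
        if STAGES.index(stage) > STAGES.index(self.stage):
            self.stage = stage
        self.panel = stage

    def set_field(self, name: str, text: str, who: str) -> str:
        if self.status == "Resolved":
            raise RuntimeError("Resolved Security Incidents are read-only")
        self.fields[name] = text
        self._journal(who, f"updated {name}")
        if name == "Eradication" and text.strip():
            self._reach("Eradication")
        elif name == "Recovery Actions" and text.strip():
            self._reach("Recovery")
        return self.stage

    def next_stage(self) -> str:
        i = STAGES.index(self.panel)
        if i + 1 < len(STAGES):
            self._reach(STAGES[i + 1])
        return self.panel

    def previous_stage(self) -> str:
        """Open an earlier panel to add data; the stage indicator stays where it is."""
        i = STAGES.index(self.panel)
        if i > 0:
            self.panel = STAGES[i - 1]
        return self.panel

    def create_supporting_ticket(self, kind: str, summary: str) -> None:
        if self.status == "Resolved":
            raise RuntimeError("supporting actions must be created before Resolved")
        self.supporting_tickets.append((kind, summary))

    def resolve(self) -> str:
        if self.owner is None:
            raise RuntimeError("assign an Owner before resolving")
        self.status = "Resolved"       # terminal; Post Review may still be incomplete
        return self.status


if __name__ == "__main__":
    si = SecurityIncident("Laptop stolen from rental car")   # constructed sample
    si.assign_owner("analyst.a")
    si.set_field("Eradication", "Remote wipe issued via MDM", "analyst.a")
    print(si.status, si.stage, si.timeline)
```

Encoding the rules this way makes the two easy-to-miss points explicit: Previous Stage changes only the panel you are editing, not the indicator, and nothing prevents Resolved before Post Review, so a review gate has to be added deliberately if the organization wants one.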
2. Record the assessment information and Owner:
a. Assign an Owner to the assessment by clicking one of the ownership links in the Quick Info Tile
b. When an Owner is selected, the assessment automatically enters the Assigned phase.
c. Description: Provide a description of the assessment (example: Quarterly assessment of the Sales Team
Laptops).
d. Details: Provide a detailed description for the assessment (example: Evaluate laptops for potential security risks).
e. Click Save to move to the Select Asset activities.
3. Select Asset: Click the Attachment icon and select an Asset for the Risk Assessment.
Note: There can only be one Active Risk Assessment for each Configuration Item/Asset. You will receive this
message if you try to open a duplicate Risk Assessment:
b. Select the appropriate Data Classification. This will be used in the calculations for the Risk classifications.
% Complete will be indicated in the panel and can be updated as you move through the activities.
c. Answer the questions for Data Classification, Threat Analysis, and Risk Mitigation. Click the arrow button to
move through the questions.
Note: The Browser client presents a different view when clicking through the records. After an answer
is populated, the view changes to a record view (not the listing). Use the arrow buttons to navigate through
the records. You may also change the view to horizontal.
d. Click Update Percentage Complete. You cannot move forward to the Findings activities until all three areas are
100%.
e. Click Calculate Risk when all areas are at 100%. The top-left panels will show the Classification, Unmitigated
Risk Score, and Mitigated Risk Score.
f. Create Corrective Actions or Preventative Actions from the Action areas (optional):
b. Click the Submit button to Activate the Risk Assessment. The status of the Risk Assessment will be Active and
all fields are locked.
7. Update Assessment: If the Risk Assessment answers and the associated calculated Risk values need to be modified,
click Update Assessment. The fields in the record become editable again. When done, click Calculate Risk and then
Submit to return the record to Active with the new values.
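A worked model of the scoring flow described in the Risk Mitigation Questions section (High/Med/Low questions yield a percentage, Yes/No questions are binary, each question carries a Risk Value and Sequence) and in the assessment steps above (Calculate Risk is blocked until all three areas are 100% complete, then yields a Classification, an Unmitigated Risk Score and a Mitigated Risk Score). This is an added example, not Cherwell code: the page does not publish Cherwell's formulas, so the answer scales, the classification thresholds and multipliers, the weighted-average scoring and the sample questions are all assumptions chosen to make the flow concrete.

```python
"""Worked model of the ISMS Risk Assessment scoring flow.

Added example, not Cherwell code. Inputs follow the doc (three question
areas, HML and Yes/No question types, Risk Value and Sequence per question,
100% completion gate, Classification plus Unmitigated/Mitigated scores).
The formulas below are assumptions: weighted averages per area, thresholds
on the Data Classification score, a multiplier per classification, and a
mitigation discount on the unmitigated score."""

from dataclasses import dataclass
from typing import Dict, List, Optional

CATEGORIES = ("Data Classification", "Threat Analysis", "Risk Mitigation")
HML = {"High": 1.0, "Med": 0.5, "Low": 0.0}       # assumed scale
YESNO = {"Yes": 1.0, "No": 0.0}                   # assumed scale
CLASSIFICATION_FACTOR = {"Public": 0.25, "Internal": 0.5,
                         "Confidential": 0.75, "Restricted": 1.0}  # assumed


@dataclass
class Question:
    category: str
    text: str
    kind: str           # "HML" or "YesNo", the two question types from Table Management
    risk_value: float   # Risk Value (weight) from Table Management
    sequence: int       # Sequence number from Table Management
    answer: Optional[str] = None

    def score(self) -> float:
        return (HML if self.kind == "HML" else YESNO)[self.answer]


class RiskAssessment:
    def __init__(self, asset: str, questions: List[Question]):
        self.asset = asset
        self.status = "In Progress"
        self.questions = sorted(questions, key=lambda q: (q.category, q.sequence))

    def answer(self, text: str, value: str) -> None:
        q = next(q for q in self.questions if q.text == text)
        if value not in (HML if q.kind == "HML" else YESNO):
            raise ValueError(f"{value!r} is not a valid {q.kind} answer")
        q.answer = value

    def percent_complete(self, category: str) -> float:
        qs = [q for q in self.questions if q.category == category]
        return 100.0 * sum(q.answer is not None for q in qs) / len(qs)

    def category_score(self, category: str) -> float:
        """Risk-Value-weighted percentage (0..100) for one area."""
        qs = [q for q in self.questions if q.category == category]
        return 100.0 * sum(q.risk_value * q.score() for q in qs) / sum(q.risk_value for q in qs)

    def classification(self) -> str:
        s = self.category_score("Data Classification")   # thresholds are assumed
        return "Restricted" if s >= 75 else "Confidential" if s >= 50 else "Internal" if s >= 25 else "Public"

    def calculate_risk(self) -> Dict[str, object]:
        incomplete = [c for c in CATEGORIES if self.percent_complete(c) < 100]
        if incomplete:
            raise RuntimeError(f"Calculate Risk blocked, incomplete areas: {incomplete}")
        cls = self.classification()
        threat_likelihood = self.category_score("Threat Analysis")
        mitigation = self.category_score("Risk Mitigation")
        unmitigated = CLASSIFICATION_FACTOR[cls] * threat_likelihood
        mitigated = unmitigated * (1.0 - mitigation / 100.0)
        return {"classification": cls,
                "unmitigated_risk_score": round(unmitigated, 1),
                "mitigated_risk_score": round(mitigated, 1)}

    def submit(self) -> Dict[str, object]:
        result = self.calculate_risk()
        self.status = "Active"          # fields are locked once Active
        return result


def sample_assessment() -> RiskAssessment:
    """Constructed questions and answers for a Sales Team laptop (sample data, not from the doc)."""
    qs = [
        Question("Data Classification", "Stores personal data?", "YesNo", 3, 1),
        Question("Data Classification", "Volume of records held", "HML", 2, 2),
        Question("Data Classification", "Subject to PCI/HIPAA?", "YesNo", 3, 3),
        Question("Threat Analysis", "Exposure to untrusted networks", "HML", 4, 1),
        Question("Threat Analysis", "Known platform vulnerabilities", "HML", 3, 2),
        Question("Threat Analysis", "Likelihood of physical theft", "HML", 2, 3),
        Question("Risk Mitigation", "Full-disk encryption enabled?", "YesNo", 5, 1),
        Question("Risk Mitigation", "Endpoint protection deployed?", "YesNo", 3, 2),
        Question("Risk Mitigation", "MFA required for remote access?", "YesNo", 4, 3),
    ]
    ra = RiskAssessment("Sales laptop LT-0042", qs)
    for text, value in [("Stores personal data?", "Yes"), ("Volume of records held", "High"),
                        ("Subject to PCI/HIPAA?", "No"), ("Exposure to untrusted networks", "High"),
                        ("Known platform vulnerabilities", "Med"), ("Likelihood of physical theft", "High"),
                        ("Full-disk encryption enabled?", "Yes"), ("Endpoint protection deployed?", "Yes"),
                        ("MFA required for remote access?", "No")]:
        ra.answer(text, value)
    return ra


if __name__ == "__main__":
    print(sample_assessment().submit())
```

For the constructed laptop the Data Classification area scores 62.5% (Confidential), Threat Analysis 83.3% and Risk Mitigation 66.7%, giving an unmitigated score of 62.5 and a mitigated score of 20.8. The point to carry over to the real mApp is the gate: no score exists, and nothing is locked, until every area reports 100%, which is why Update Percentage Complete has to be run before Calculate Risk.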
Specification: Select an industry-standard specification from the drop-down. The ISMS mApp provides
examples for ISO 27001:2013 by default. The industry standard displays in the Specification bar in the Quick Info
Tile.
ii. Load All Control Groups as Inclusion: Automatically loads all the Specification Controls in and creates
Control records with a status of Inclusion.
b. Select one of the options with the radio buttons to determine if Policy records will automatically be created for
each Control Group, or if these will be manually created and linked.
Automatically create Compliance Policies for each Control Group.
If you selected to Automatically create Compliance Policies, they are viewable in the Compliance Policy tab.
These are now linked automatically to the Controls based on the Control Group.
5. Complete the Justification area of each of the Controls. Included Controls require more fields to be captured and be
linked to a Policy. Excluded Controls only require an Exclusion Justification.
Completed Controls are shown GREEN in the grid. Controls shown RED are incomplete, either because justification
information is missing or because the Control is not linked to a Compliance Policy.
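The Green/Red completeness rule above, together with the "Load All Control Groups as Inclusion" and "Automatically create Compliance Policies for each Control Group" options, as an added Python example (not Cherwell code). The Control statuses Inclusion and Exclusion are the doc's; the field names, the group-to-policy mapping and the sample Annex A control identifiers are this example's assumptions.

```python
"""Completeness check for Specification Controls (GREEN/RED in the grid).

Added example, not Cherwell code. An Included Control must have its
justification captured and be linked to a Compliance Policy; an Excluded
Control needs only an Exclusion Justification; a Specification can only be
activated once every Control is GREEN. Field names are assumptions."""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Control:
    control_id: str
    control_group: str
    status: str                          # "Inclusion" or "Exclusion"
    justification: str = ""              # inclusion justification (assumed field name)
    exclusion_justification: str = ""    # Exclusion Justification
    policy_id: Optional[str] = None      # linked Compliance Policy record


def missing_items(c: Control) -> List[str]:
    """What still blocks this Control from turning GREEN (empty list means GREEN)."""
    missing = []
    if c.status == "Inclusion":
        if not c.justification.strip():
            missing.append("justification")
        if c.policy_id is None:
            missing.append("Compliance Policy link")
    elif c.status == "Exclusion":
        if not c.exclusion_justification.strip():
            missing.append("Exclusion Justification")
    else:
        missing.append(f"unknown status {c.status!r}")
    return missing


def colour(c: Control) -> str:
    return "GREEN" if not missing_items(c) else "RED"


def load_all_as_inclusion(spec_controls: Iterable[Tuple[str, str]]) -> List[Control]:
    """Models 'Load All Control Groups as Inclusion': every Control in the
    Specification is created with status Inclusion."""
    return [Control(cid, group, "Inclusion") for cid, group in spec_controls]


def auto_link_policies(controls: List[Control], policy_for_group: Dict[str, str]) -> List[Control]:
    """Models 'Automatically create Compliance Policies for each Control Group':
    each Included Control is linked to the Policy created for its group."""
    for c in controls:
        if c.status == "Inclusion" and c.policy_id is None:
            c.policy_id = policy_for_group.get(c.control_group)
    return controls


def can_activate(controls: Iterable[Control]) -> bool:
    """The Specification workflow's 'All Controls completed? (Green)' gate."""
    return all(colour(c) == "GREEN" for c in controls)


def activation_report(controls: Iterable[Control]) -> Dict[str, List[str]]:
    """RED Controls and what each still needs, for the person working the Specification."""
    return {c.control_id: missing_items(c) for c in controls if colour(c) == "RED"}


# Constructed sample: three ISO 27001:2013 Annex A controls in two Control Groups.
SAMPLE_SPEC = [("A.9.4.2", "A.9 Access control"),
               ("A.9.4.3", "A.9 Access control"),
               ("A.12.6.1", "A.12 Operations security")]
SAMPLE_POLICIES = {"A.9 Access control": "CP-1", "A.12 Operations security": "CP-2"}

if __name__ == "__main__":
    controls = auto_link_policies(load_all_as_inclusion(SAMPLE_SPEC), SAMPLE_POLICIES)
    print(activation_report(controls))
```

Automatically creating Policies per Control Group clears the "link" half of the rule for every Included Control at once, but the justification half still has to be written per Control, so a freshly loaded Specification stays RED until that text exists; an excluded Control is not a shortcut either, since it turns GREEN only with an Exclusion Justification.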
d. Complete the Projected Start Date and Projected End Date to proceed through the workflow.
e. Click Next Active Status: In Progress. The record Details fields are now read-only.
d. Controls are listed on the Controls tab. Policies can be linked to Controls directly in the Control record, or in the
Control record view in the Specification. You cannot link a Control record to a Policy record from the Policy
record.
e. Complete the Compliance Type and Policy Details fields. These are all required to move the status to Active.
f. Record additional information about the Policy in the Document Details tab (optional).
ii. The Review Date changes to the date that maps to the Review Frequency and a Journal entry is added
identifying the date/time and user who did the review.
ii. Use this option when a Policy needs to be modified. A new Compliance Policy record is created and the
current Policy is referenced in a tab called Parent Compliance.
Conduct an Audit
To conduct an Audit:
1. On the CSM Desktop Client toolbar, click New>New ISMS Audit.
2. A new Audit record is created with a unique ID and a status of New.
b. In the Status bar, click Next Status: Assigned. The Audit automatically enters the Assigned phase.
c. In the Audit Participants tab of the Form Arrangement, define stakeholders for the Audit. Use Table Management
to populate this table or Click New ISMS Participant.
Note: You need to have at least one participant with a role of Approver to proceed through the Audit process.
You will receive the following message when you try to go to the Approving phase.
f. After the Audit is approved, the status changes to Active. During this phase, the Audit Description and Audit
Scope and Schedule fields are locked.
7. (Optional) Link related Security Incidents to the Audit:
a. Click the Security Incident tab in the Form Arrangement.
b. Click the Link button.
c. Select one or more Security Events from the list in the ISMS Security Event Selector and click OK.
8. (Optional) Link related Risk Assessments to the Audit:
a. Click the Risk Assessments tab in the Form Arrangement.
b. Click the Link button.
c. Select one or more Risk Assessments from the list in the ISMS Risk Assessment Selector and click OK.
9. (Optional) Link related Controls to the Audit:
a. Click the Controls tab in the Form Arrangement.
b. Click the Link button.
c. Select one or more Controls from the list in the ISMS Control Selector and then click OK.
10. (Optional) Create a Corrective Action or Preventative Action:
a. Create a Preventative Action: Click the link in the Quick Info Tile to create a Preventative Action Compliance
record (example: Include download procedures in employee security training).
b. Create a Corrective Action: Click the link in the Quick Info Tile to create a Corrective Action Compliance record
(example: Provide Melanie and Andrew with additional security training).
b. Click Next Status: Closed to close the Audit once all activities are completed. The following error will occur if
there are still open actions.
Audit Calendar
An Audit Calendar is included in the ISMS mApp. This provides a calendar view of Proposed Start/End Dates and Actual
Start/End Dates.
1. From the Portal: Click on the Audit Calendar from the Governance, Risk and Compliance Dashboard.
Entries in BLUE are planned audits. Entries in GREEN are completed audits.
a. Description: Provide a description of the Corrective Action (example: A noncompliance was discovered while
conducting a Risk Assessment on the Sales Team's Laptops).
b. Details: Provide details of the Corrective Action and why it is needed (example: Additional security training
should be provided to the Sales Team and the noncompliance should be removed from all laptops).
c. Source: The source field automatically populates based on the record the Corrective Action is created from
(example: Risk Assessment).
d. Asset: The Configuration Item that is the focus of the action (optional).
e. Projected Start Date: Click the Date Selector to choose a projected start date.
f. Projected End Date: Click the Date Selector to choose a projected end date.
4. Assign an Owner and Business Owner:
a. Assign an Owner to the Corrective Action
b. Assign a Business Owner
After Owners have been assigned, click Next: Assigned in the status bar to move the Corrective Action to the Assigned
phase.
1. In the status bar, click Next: In Progress to move the Corrective Action to the In Progress status.
2. Record Root Cause notes.
3. Complete Actions Taken/Action Plan.
4. Choose a Completion Date.
5. In the status bar, click Next Status: Complete to close the Corrective Action record.
Network Event
The Network Event is part of the Operational Event group object. The workflow and fields are similar to the Security
Event (also part of the Operational Event group object).
Network Events will generally be opened via automation but could also be opened manually (New > New Security
Network Event)
1. Working a Network Event:
a. Generally, the Details, Event Source, Last Event Date Time, Type, Event Count and, at times, the
Configuration Item are populated from the monitoring system. Populate these fields yourself if you are creating the
ticket manually.
Cherwell Mobile
Instructions are included in the mApp installation activities. Security Events can be viewed and updated in the Cherwell
Mobile client.
ISMS Audit
An Audit is a scheduled review of compliance related to an industry standard, such as ISO 27001:2013, or to key
Configuration Items (infrastructure, supporting services, and/or collateral). Audits can be scheduled on a recurring
basis, and Preventative and Corrective Actions can be associated with audit activities.
Security Event
Security Events are used to track and manage security-specific events using an independent process and lifecycle.
Security Events provide the means for analysts to quickly analyze possible security threats and take necessary
action. The following graphic shows a Security Event workflow.
Security Event workflow (diagram; recoverable content):
Status values shown: Pending, Closed. A Security Event can be closed or remain open independent of the state of the
Security Incident.
Steps: Assign Owner; Complete required fields in the Detection area (these fields may be auto-populated by an
integration, or when opened from Incidents or Network Events); Analyze the Event; Additional Actions Needed? (Yes:
Take Action(s)); Create Security Incident? (Yes: Create Security Incident; No: Closed).
Event Actions (populate the Analysis and Event Actions information throughout the analysis activities): Create Task,
Create Corrective Action, Create Preventative Action, Create Change Request, Create IT Incident, Add Affected Users,
Link Related CIs, Link Related Security Incidents, Link Related Security Events, Link Related Network Events, View
Similar Security Events.
Security Incident
If a Security Event results in a breach or loss of any type, the event can be escalated to a Security Incident. ISMS
Security Incidents are specific to security breaches, and differ from the CSM Incident Business Object. Security
Incidents follow the NIST guidelines for Security Incident handling and allow strict privacy throughout the process to
recovery. The following graphic shows a Security Incident workflow.
Security Incident workflow (diagram; recoverable content):
Status and Stage lanes. Stages: Containment, Eradication, Recovery, Post Review.
Compliance Policy
Compliance Policies are used to create policy documents (recorded on the Compliance form or attached to the
Compliance form) and track related Controls. The following graphic shows a Policy workflow.
Compliance Policy workflow (diagram; recoverable content):
Origination from: ISMS Specification, or Create New.
Steps: Add/Update Details; Complete Policy Details; Complete Compliance Type information; Add Document Details;
Assign Owner; Complete Participants area; Add Responsible parties; Active; Retired.
Review loop: Review – No Modifications Needed. Revise this Policy action: current information is copied over to a
new Compliance Policy record that is created.
Actions: Create Corrective Action, Create Preventative Action.
Specification
Use a Specification to define a set of Controls (individual requirements for specific areas of security) that align to
industry standards, such as ISO 27001:2013. The following graphic shows a Specification workflow.
Specification workflow (diagram; recoverable content):
Origination from: Risk Assessment (Add Controls, optional).
Status lane: New, Assigned, In Progress, Complete; then Active.
Steps: Select the Specification; Assign Owner; Assign Sponsor; Select controls to be included in each Control Group
(all Controls are created with 'Inclusion' status); Control Definition; All Controls completed? (Green) (Yes: Activate
Specification); Active.
Risk Assessment workflow (diagram; recoverable content):
Steps: Create a New Risk Assessment (1); Take Ownership; Fill out Assessment Information; Assigned; Begin Risk
Assessment Process; In Progress; Select Data Classification; Complete Data Classification, Threat Analysis and Risk
Assessment questions; Update Percent Complete; 100% Complete? (No: continue answering; Yes: Calculate Risk);
Complete Findings; Mitigate Risk Finding? (Yes: Create Corrective Action, Create Preventative Action); Attach Controls;
Submit Assessment; Active.
Other transitions: Update Assessment (from Active); Withdraw Assessment (to Withdrawn); Active to Retired.
(1) Required fields include Description and Owned By.
Contact Information