
Cherwell Service Management

Information Security Management System mApp
Release: 1.1
5 June 2017

Cherwell Software

www.cherwell.com
© 2017 Cherwell Software, LLC. All Rights Reserved.
CHERWELL SERVICE MANAGEMENT

Copyright
Cherwell and the Cherwell logo are trademarks owned by Cherwell Software, LLC and are registered
and/or used in the United States and other countries. ITIL® is a registered trademark of AXELOS Limited.
All other product or company names referenced herein are used for identification purposes only and are
or may be trademarks or registered trademarks of their respective owners.
The information contained in this documentation is proprietary and confidential. Your use of this
information and Cherwell Software products is subject to the terms and conditions of the applicable End-
User License Agreement and/or Nondisclosure Agreement and the proprietary and restricted rights
notices included therein.
You may print, copy, and use the information contained in this documentation for the internal needs of
your user base only. Unless otherwise agreed to by Cherwell and you in writing, you may not otherwise
distribute this documentation or the information contained here outside of your organization without
obtaining Cherwell’s prior written consent for each such distribution.
© 2017 Cherwell Software, LLC. All Rights Reserved.

Cherwell Software, LLC


www.cherwell.com
info@cherwell.com
+1.719.386.7000
10125 Federal Drive, Suite 100
Colorado Springs, CO 80908
USA


Contents
Information Security Management System mApp
  Overview
    How the mApp Works
    Related Reading
    Steps to Apply the mApp
    How to Use the mApp
Configuring the Information Security Management System mApp
  Configuring the Information Security Management System mApp
  Create a Security Analyst and Security Manager Role
    Security Analyst Role
    Security Manager Role
  Create Security Groups
    Security Administrator Security Group
    Security Analyst Security Group
    Recommendations for Additional Security Groups
  Provide Object Data in Table Management for Information Security Management System mApp
    ISMS Specification Object
    ISMS Control Group Object
    ISMS Control Source Object
    ISMS Risk Mitigation Questions Object
  Portal Event Configuration
    Update the Portal Customer Security Group
    Update the Portal Dashboard with Security Event Link
    Create Recurring Audit Scheduler
Using the Information Security Management mApp
  ISMS Dashboards
  Create a Security Event
    Create a Security Event via the Portal
    Create a Security Event via an IT Incident
    Create a Security Event via an Integration
    Manually Create a Security Event
    Close Security Event
  Create a Security Incident
  Working a Security Incident
  Create a Risk Assessment
  Apply a Standardized Control Using the Specifications application
  Create/Update a Compliance Policy
  Conduct an Audit
  Audit Calendar
  Create Compliance Records for the Information Management System mApp
    Create a Corrective Action
    Work a Corrective Action
    Create a Preventative Action
    Work a Preventative Action
    Network Event
    Cherwell Mobile
Information Security Management System mApp Workflow Diagrams
  ISMS Audit
  Security Event
  Security Incident
  Compliance Policy
  Specification
  Compliance Corrective Action
  Compliance Preventative Action
  ISMS Risk Assessment
About Cherwell Software
  Contact Information


Revisions in Version 1.1

Modified Object: Specification
  Revision: Modified Compliance Policy tab to display the correct summary form
  User Experience: Compliance Policy tab shows summary form with greater detail

Modified Object: Audit
  Revision: Updated the Participant tab to include ‘New’.
  User Experience: Can create a new Participant from the form attachments tab

Modified Object: Compliance
  Revision: Updated the Participant tab to include ‘New’.
  User Experience: Can create a new Participant from the form attachments tab

Modified Object: Compliance
  Revision: Modified the Business Owner One-Step to filter based on team.
  User Experience: Business Owner is now filling correctly

Modified Object: Risk Assessment
  Revision: Asset Owner field validation auto-populate properties
  User Experience: Asset Owner will only be populated, if empty, by the Asset Owner from the Configuration Item

Modified Object: Risk Assessment
  Revision: Modified visibility expression on embedded form
  User Experience: No longer shows “No Current Form”

Modified Object: Security Event
  Revision: Added visibility expressions to tabs on form arrangement
  User Experience: Only shows tabs with linked records for specific linked objects (e.g. Change Request, Incident, etc.)


Information Security Management System mApp


Platform Version Requirements: 8.2.1
Out-of-the-Box Content Version Requirements: 8.2.1
Prerequisites: None

Overview
Cherwell Software’s Information Security Management System (ISMS) mergeable application (mApp) provides a
comprehensive solution for managing Risk, Compliance, and Security Operations. By leveraging Cherwell’s
Configuration Management Database (CMDB), Information Technology Service Management (ITSM) framework,
and lifecycle processes, the system marries the capabilities of typical Governance, Risk, Compliance (GRC) tools
with real-time operational benefits for Security Incident handling. Cherwell’s ISMS mApp can align security controls
and policies across multiple industry standards such as International Organization for Standardization (ISO)
27001:2013, Health Insurance Portability and Accountability Act of 1996 (HIPAA), Payment Card Industry (PCI), and
more. Downloading the mApp is not a requirement for security industry standards and does not automatically make
an organization compliant with security standards.
The mApp provides multiple tools and processes, including:
• Security Event: A dedicated Business Object record used to track and manage security-specific events using an independent process and lifecycle. Security Event is directly associated with Configuration Items, Supporting Services, Risk Assessments, and Similar Events to provide a comprehensive view of the event. Links to IT Incident, Task, and Change Management are also included when additional work is required from IT teams to manage the Security Event. Security Event provides the means for analysts to quickly analyze possible security threats and take necessary action.
• Security Incident: If a Security Event results in a breach or loss of any type, the event can be escalated to a Security Incident. ISMS Security Incidents are specific to security breaches, and differ from the CSM Incident Business Object. Security Incidents follow the NIST guidelines for Security Incident handling and allow strict privacy throughout the process to recovery.
• Risk Assessment: Allows users to weight and score predefined security posture questions to calculate mitigated risk score, unmitigated risk score, business impact, threat likelihood, and security classification of a CI or Supporting Service. Risk Assessment questions are loaded in Table Management, allowing the system to maintain previous Risk Assessment questions and answers as an organization evolves its assessments over time.
• Specification: A tool that allows you to navigate, view, select, and define a set of Controls (individual requirements for specific areas of security) that align to industry standards, such as ISO 27001:2013. From the Specification, you can quickly navigate between and define related Controls and associated Policies. Controls can be linked directly to Policies, and Policies can govern similar Controls across multiple Specifications.
• Compliance: A Business Object record used to manage compliance policies and activities needed to maintain compliance. Compliance records can be created from most areas within ISMS, such as Security Events, Audits, and Risk Assessments. There are three types of Compliance records:
  • Policy: Used to create policy documents (recorded on the form or attached to the form) and track related Controls.
  • Preventative Action: Used to record and track proactive actions taken to ensure compliance with a Policy or Control. You can create a Preventative Action directly from a Security Event, Audit, or Risk Assessment.
  • Corrective Action: Used to record and track reactive actions taken to ensure compliance with a Policy or Control. You can create a Corrective Action directly from a Security Event, Audit, or Risk Assessment.
• Audit: A scheduled review of compliance related to an industry standard, such as ISO 27001:2013, or to key Configuration Items (infrastructure, supporting services, and/or collateral). Audits can be scheduled on a recurring basis, and actions such as Preventative and Corrective Actions can be associated with audit activities.
The following graphic shows the key elements of the ISMS mApp.


How the mApp Works


CSM provides Information Security Management System as a mergeable application (mApp) so that Customers can
effectively manage their security processes. Download the mApp from the Cherwell mApp Exchange. Use the Apply
mApp wizard to apply the mApp to your CSM system, where the mApp can be viewed and published. After
evaluating and testing the mApp against the development system, apply it to your production environment.
The mApp includes the following items:

Item Category | Item | Typical Merge Action
Business Object | ISMS Audit, ISMS Business Impact Classes, ISMS Category, ISMS Compliance, ISMS Control, ISMS Control Group, ISMS Specification, ISMS Controls, ISMS Groups, ISMS Information Asset Format, ISMS Information Asset Type, ISMS Participant, ISMS Pending or Withdraw Cause, ISMS Priority Matrix, ISMS RACI Definition, ISMS Risk Assessment, ISMS Risk Mitigation, ISMS Risk Mitigation Questions, ISMS Risk Response, ISMS Roles, ISMS Root Cause Codes, ISMS Root Cause Deficiency Changes, ISMS Root Cause Factors, ISMS Root Cause Types, ISMS Security Classes, ISMS Security Classification, ISMS Security Incident, ISMS Security Incident Resolution, ISMS Security Questions, ISMS Source, ISMS Status, ISMS Status Phase, ISMS Threat Analysis, ISMS Threat Analysis Classes, ISMS Threat Analysis Questions, ISMS Threat Analysis Type, ISMS Threat Likelihood Classes, ISMS Type, ISMS AdutLinksToCI, ISMS ComplianceLinkestoCI, ISMS RiskAssessmentLInksCI, ISMS RiskEventLInksCI, Journal Security Event, ISMS Security Event ID, ISMS Risk Assessment, ISMS Compliance ID, ISMS CAPA ID, ISMS Policy ID, ISMS Audit ID, Event Operations, Security Event, Network Event, Supporting Service | Import
Business Object | Customer, Customer - Internal, Journal, Knowledge Article | Don't Change
Counter | ISMS Security Incidents, ISMS Risk Assessments, ISMS Main, ISMS Audits, Network Events, Security Events | Import
Dashboard | Posture, Operations, Compliance, Statement of Applicability | Import
Image Definitions | Global > mApp Factory: Multiple Image Definitions | Import
Metric | Security Events Older than 30 Days, Risk Assessments Owned by Me, Print Boundary Def, Overdue Audits, My Active Audits, In Progress Risk Assessments, Audits Ending in the Next Week, Audit Preventative Actions, All Security Events, All Risk Assessments, All Preventative Actions, All Participants, All Corrective Actions, All Controls, All Control Register, All Compliance Records, All Boundary Definition Documents, All Audits with Major Non-Compliances, All Audits, Active Security Events, Active Boundary Definitions, Active Audits Starting in the Next Week, Active Audits | Import
Stored Value | Secondary Control Value, Primary Control Value, Market Cost Medium Total, Market Cost Low Total, Market Cost High Total, Market Cost, Legal and Regulatory High Total, Legal and Regulatory Medium Total, Legal and Regulatory Low Total, Legal and Regulatory, ISMS Compliance RecID, Financial Medium Total, Financial Low Total, Financial High Total, Financial Cost | Import
Team | Security, Security Incident | Import
Theme | Professional Grey | Don't Change
Widget | Numerous | Varies
One-Step | Numerous | Import
Expression | Numerous | Import
Queries | Numerous | Import

• Import: Add new item.
• Overwrite: Replace target item.
• Merge: Merge differences.
• Don't Change: Referenced by the mApp, but not altered in any way. The mApp includes the definition for informational purposes only (the definition is not imported into the target system).

For detailed information on merge actions, refer to the Apply a mApp documentation.


Related Reading
• About Dashboards
• About the Configuration Management Database (CMDB)
• About mApps
• About Security Groups
• Assign Roles to a Security Group
• About Table Management
• Information Security Management System mApp Workflow Diagrams

Steps to Apply the mApp


To apply the mApp, perform the following high-level steps:
1. Download the mApp.
2. Apply the mApp using the Apply mApp Wizard in CSM Administrator.

How to Use the mApp


There are multiple ways to use the mApp functionality, including:
• Create a Security Event
• Create a Risk Assessment
• Apply a Standardized Control Using the Specification
• Conduct an Audit
• Create a Corrective Action
• Create a Preventative Action
• Create a Boundary Definition


Configuring the Information Security Management System mApp

Configuring the Information Security Management System mApp


Complete the following procedures to configure the ISMS mApp. Configuration procedures are completed in the CSM
Desktop Client and the CSM Administrator Client.
1. Create a Security Analyst and Security Manager Role
2. Create Security Groups for Security Administrator and Security Analyst
3. Provide Object Data in Table Management
4. Set up New Event in Portal (Optional)
5. Set up Recurring Audit Scheduling

Create a Security Analyst and Security Manager Role


The ISMS mApp and its workflows are based on the Security Analyst and Security Manager Roles. Depending on the size and
security needs of your company, additional Roles may be required.

Security Analyst Role


To create a Security Analyst Role:
1. In the CSM Administrator, click the Security category.
2. Click Edit roles.
3. Click the Create New button to create a new Role.
4. Provide the name Security Analyst.
5. (Optional) Click the default image to open the Image Manager and upload an image to represent the Role.
6. Select Security Event as Primary Object.
7. In the Dashboard section, select the Dashboard radio button.
8. Click the Dashboard Manager button.
9. Locate the ISMS Dashboards folder under Global>mApp Factory.
10. Select Operations.
11. Click OK.


12. Click the Save button to save the Security Role.

Security Manager Role


To create a Security Manager Role:
1. In the CSM Administrator, click the Security category.
2. Click Edit roles.
3. Click the Create New button to create a new Role.
4. Provide the name Security Manager.
5. (Optional) Click the default image to open the Image Manager and upload an image to represent the Role.
6. In the Dashboard section, select the Dashboard radio button.

7. Click the Dashboard Manager button.


8. Locate the ISMS Dashboards folder under Global>mApp Factory.
9. Select Posture.
10. Click OK.
11. Click the Save button to save the Role.


12. Configure Security Groups.

Create Security Groups


ISMS requires two Security Groups: Security Analyst and Security Manager. Use the Security Group Manager in the
CSM Administrator to create two new Security Groups. When creating a Security Group, define the following properties:
• Info: Name and description.
• Rights: Security rights to access CSM functionality.
• Business Object: Security rights to access CSM data (Business Objects/Fields).
• File Attachments: Attachment security rights (example: Import/link and global overrides).
• Roles: Roles assigned to the Security Group. You can also designate a default Role for the Security Group.
• Users: Users assigned to the Security Group.

Security Administrator Security Group


Users in this Security Group have open rights to edit, view, and create ISMS Business Objects.
To create the Security Administrator Group:
1. In the CSM Administrator Client, click the Security category.
2. Click Edit Security Groups.
3. Click the drop-down arrow on the Create New button and select New Cherwell User Security Group.
4. In the Info tab, provide the name “Security Administrator” and a description.
5. In the Rights tab, provide desired CSM data rights by clicking the Category drop-down.
6. In the Business Object tab, select ISMS Audit from the drop-down.
7. Under the General section, select all options except Limit Records Based on Criteria.
8. Under the File Attachment section, select all options.
9. (Optional) Under the Encrypted Fields section, select all options.

Note: Encrypted Fields require additional System Requirements outside of the mApp. Ensure your organization
has the required software to support and create encryption before implementing Encrypted Fields.
10. Repeat Steps 6–8 for all 47 ISMS and Event Operations Business Objects.

Note: Radio buttons in the General section differ for each ISMS Business Object. Continue to select all radio
buttons except Limit Records Based on Criteria. This will ensure open access for the Security Administrator Group.
11. Edit the File Attachment rights if desired (default selections are recommended).
12. In the Roles tab, select Add.
13. Select Security Manager and click OK.
14. In the Users tab, select Add.
15. Choose desired Users from the list and click OK.
16. Click the Save button.

Security Analyst Security Group


Users in this Security Group have limited rights to the ISMS Security Incident Business Object.
To create the Security Analyst Group:
1. Click the drop-down arrow on the Create New button and select New Cherwell User Security Group.
2. In the Info tab, provide the name “Security Analyst” and a description.
3. In the Rights tab, click the Category drop-down to provide desired CSM data rights.

4. In the Business Object tab, select ISMS Audit from the drop-down.
5. Under the General section, select the View, Add, and Edit options.
6. Select New Field and check View and Edit.
7. Repeat Steps 4–5 for 47 ISMS and Event Operations Business Objects.
8. Edit the File Attachment rights if desired (default selections are recommended).
9. In the Business Object tab, select ISMS Security Incident from the drop-down.
10. Select Limit Records Based on Criteria, and click Browse…
11. For the Custom Query, use (ISMS Security Incident.User Access List Like Current User RecID), where:
    ISMS Security Incident.User Access List = Field, selected from the drop-down menu
    Current User RecID = Stored Expression
12. Click OK.


13. In the Roles tab, select Add.
14. Select Security Analyst and click OK.
15. In the Users tab, select Add.
16. Choose desired Users from the list and click OK.
17. Click the Save button.
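As an added illustration (not Cherwell code and not its query engine), the following Python models the difference between the Security Administrator group, which has no record criteria, and the Security Analyst group, which is limited by the custom query above. The record fields, the sample RecIDs, the comma-separated format of the User Access List, and the substring reading of Like are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityIncident:
    """Minimal stand-in for an ISMS Security Incident record (constructed)."""
    rec_id: str
    title: str
    # Assumption: the User Access List field stores user RecIDs as a
    # comma-separated string; the real field format is not given in the guide.
    user_access_list: str = ""

    def access_ids(self) -> set[str]:
        """Split the access list into individual user RecIDs."""
        return {t.strip() for t in self.user_access_list.split(",") if t.strip()}


# Constructed sample records; RecIDs are placeholders, not real Cherwell ids.
SAMPLE_INCIDENTS = [
    SecurityIncident("SI-1", "Lost laptop", "USR-100,USR-200"),
    SecurityIncident("SI-2", "Phishing report", "USR-200"),
    SecurityIncident("SI-3", "Privileged account misuse", "USR-300"),
    SecurityIncident("SI-4", "Unassigned triage", ""),
]


def visible_incidents(incidents: list[SecurityIncident], group: str,
                      current_user_rec_id: str) -> list[SecurityIncident]:
    """Return the records a member of `group` may open.

    Security Administrator: every General option except 'Limit Records Based
    on Criteria' is selected, so no record filter applies.
    Security Analyst: 'Limit Records Based on Criteria' applies the custom
    query, so only records whose User Access List contains the Current User
    RecID are returned. Any other group gets nothing in this model, because
    no ISMS Security Incident rights were configured for it above.
    """
    if group == "Security Administrator":
        return list(incidents)
    if group == "Security Analyst":
        return [i for i in incidents if current_user_rec_id in i.access_ids()]
    return []


def over_granted(incidents: list[SecurityIncident],
                 current_user_rec_id: str) -> list[SecurityIncident]:
    """Records a plain substring 'Like' would expose beyond exact-ID matching.

    Assumption: 'Like' is treated here as a substring test. If the query
    engine behaves that way, a RecID that is a prefix of another (USR-10 vs
    USR-100) would match records the user is not listed on. Run a check like
    this against the real field values before relying on the restriction.
    """
    exact = {i.rec_id for i in
             visible_incidents(incidents, "Security Analyst", current_user_rec_id)}
    return [i for i in incidents
            if current_user_rec_id in i.user_access_list and i.rec_id not in exact]


if __name__ == "__main__":
    for rec in visible_incidents(SAMPLE_INCIDENTS, "Security Analyst", "USR-200"):
        print(rec.rec_id, rec.title)
    print("over-granted for USR-10:",
          [i.rec_id for i in over_granted(SAMPLE_INCIDENTS, "USR-10")])
```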


Recommendations for Additional Security Groups


Based on your organization's needs, additional Security Groups may be required. For each additional Role created, assign
Security Groups to ensure the appropriate View or Edit rights are applied. Where needed, repeat Steps 9–12 of the
Security Analyst Security Group procedure to apply the limitation that only users who have been granted access may view
ISMS Security Incidents.

Provide Object Data in Table Management for Information Security Management System mApp
Limited sample data is included with the ISMS mApp as an example only. Users must provide their own values to existing
Lookup Tables. Data can be added, edited, and customized through Table Management. Additionally, .csv files can be
used to upload data to the tables.
New Business Object values display in the Table Management interface. Use the Type drop-down to switch between
ISMS Lookup Objects. Complete the procedures in the following sections to add Object data to Table Management:

ISMS Specification Object


Specification assessments are based on security specifications, which are used in the Specification form. We
recommend that ISMS Specifications align with current industry standards such as FedRAMP:2014, ISO 27001:2013,
and ISO 9001:2015. However, Specifications may vary based on the size and security needs of your organization.
To provide Object data for the ISMS Specification Lookup Object:
1. On the CSM Desktop Client toolbar, click Tools>Table Management.
2. In the Type drop-down, select ISMS Specification Lookup.
3. Right-click and select New. A blank ISMS Specification Object form opens.
4. Provide a name for the Specification (example: ISO 27001:2013).
5. Provide a description for the Specification.
6. Select the Active radio button.
7. Click the Save button to save the new ISMS Specification Object.
8. Repeat Steps 1–7 for all desired Specifications.

ISMS Control Group Object


Create Control Groups that align with current industry standards such as FedRAMP:2014, ISO 27001:2013, and ISO
9001:2015. Specified Controls are later added to each Control Group.
To provide Object data for the ISMS Control Group Object:
1. On the CSM Desktop Client toolbar, click Tools>Table Management.
2. In the Type drop-down, select ISMS Control Group.
3. Create a new Control Group:


a. Right-click and select New.
b. Select from the Specification drop-down (example: ISO 27001:2013).
c. Provide a number for the Control Group based on industry standards or provide a custom number (this is used in
the Specification Form for the order in which they appear).
d. Provide a name for the Control Group (example: Human Resources Security).
e. Click the Save button to save the new ISMS Control Group.
4. Edit an example Control Group:
a. Double-click an example Control.
b. Edit desired fields and click the Save button.

ISMS Control Source Object


Control data is required to use the Specification form. It is recommended that Controls align with current industry
standards such as FedRAMP:2014, ISO 27001:2013, and ISO 9001:2015.
To provide Object data for the ISMS Control Source Object:
1. On the CSM Desktop Client toolbar, click Tools>Table Management.
2. In the Type drop-down, select ISMS Controls.
3. Create a new Control:
a. Right-click and select New.
b. Select a Specification from the drop-down (example: ISO 27001:2013).
c. Select a Control Group from the drop-down (example: Human Resources Security).
d. Provide a Control Number, Control ID, and Description.
e. Select the Required radio button to make the control required during Specification Assessments.
f. Click the Save button to save the new ISMS Control Object.
g. Repeat Steps a–f for all desired Controls.
4. Edit an example Control:
a. Double-click an example Control.
b. Edit desired fields and click the Save button.

ISMS Risk Mitigation Questions Object


You must create Questions and assign Risk Values, Question Weight, and Question Sequence to use the Risk
Assessment Form. ISMS Risk Mitigation Questions, Security Questions, and Threat Analysis Questions populate the
Risk Assessment. It is recommended to align Risk Assessment Questions with current industry standards such as
FedRAMP:2014, ISO 27001:2013, or ISO 9001:2015.


To provide Object data for the ISMS Questions Object:
1. On the CSM Desktop Client toolbar, click Tools>Table Management.
2. In the Type drop-down, select ISMS Risk Mitigation Questions.
3. Create a new Risk Mitigation Question:
a. Right-click and select New.
b. Provide an industry standard Question title (example: Protection of data during movement).
c. Provide the Question Details (example: Are there any controls in place that secure the data during movement?)
d. Specify the Question Type from the drop-down.

   • High/Med/Low questions generate a percentage and contribute to the Risk Assessment score for that category.
   • Yes/No specifies the question as one that can only be answered with Yes or No.
e. Provide a numeric Risk Value and Sequence number based on industry standards.
4. Edit an example Question:
a. Double-click an example Risk Mitigation question.
b. Edit desired fields and click the Save button.
5. Repeat ISMS Question Steps 1–4 for ISMS Security Questions and ISMS Threat Analysis Questions.

Portal Event Configuration


The ISMS mApp allows Security Events to be submitted via the Portal form. Follow the steps below to enable this feature.

Update the Portal Customer Security Group


1. In CSM Administrator, click the Security category.
2. Select Edit security groups.
3. Select Portal Customer from the Group drop-down.
4. In the Business Objects tab, select Security Event from the Business Object drop-down.
5. Select View, Add, and Edit radio buttons in the General section.
6. Select New Field Rights in the New Business Object Rights pane and check View and Edit.
7. Save and close the Security Groups Manager.

Update the Portal Dashboard with Security Event Link


1. In CSM Administrator, click the Browser and Mobile category.
2. Select Site Manager, right-click the portal site, and select Edit.


3. In the Display page, click the dashboard link in the Show on Login field.
4. In the Dashboard editor, drag a link action onto the Dashboard.
5. Update the Link Label and font.
6. Right-click the link and select Widget properties...
7. In the Choose Action dialog, click the ellipses button to access the Action Manager.
8. In the Action Pane, choose the Commands category.
9. In the Action Tree, choose System>Other, then choose Create Business Object.

10. Edit the fields in the Create Business Object Options dialog.
 Enter “Create Security Event” in the Display Text field.

 Select Security Event in the Business Object drop-down.


 Select Use One-Step for Creation.

 Search for Create Security Event from Portal


11. Select OK and close the Dashboard Editor.

Create Recurring Audit Scheduler


1. In CSM Administrator, click the Scheduling category.
2. Select Edit Schedule.
3. Select the Add button.
4. In the General page, give the Scheduled Item a name.
5. In the Schedule page, select Recurring.
6. Set a Start time, Recurrence, and Range of Recurrences. Recommended settings:
• Start Time: 12:00 AM
• Recurrence: Daily
• Range of Recurrences: No End Date
7. In the Action page, select One-Step from the Action drop-down.
8. Click the Ellipses button. In the One-Step Action Manager, choose ISMS Audit from the Association drop-down.
9. Under the Blueprint folder, select Create a new Audit.
10. Select OK, OK again, and Exit.


Using the Information Security Management mApp


When using the Information Security Management System mApp, Users can:

• Create a Security Event
• Escalate a Security Event to a Security Incident
• Create a Risk Assessment
• Set up a Specification
• Create and manage Controls
• Create and attach Policies to Controls
• Conduct an Audit
• Create a Corrective Action
• Create a Preventative Action

ISMS Dashboards
The ISMS mApp provides three Out-of-the-Box security-oriented Dashboards.
The Governance, Risk & Compliance (GRC) Dashboard is focused on providing information dealing with an
organization’s overall compliance and risk posture as well as ongoing audit activities. Compliance Managers or
Governance department members would be interested in the types of information reflected in this Dashboard.


The Security Posture Dashboard aims to provide a Security Manager or Chief Information Security Officer (CISO) with
an overall view of the organization’s current security status. The Dashboard delivers real-time information on Security
Incidents and Events by Risk, as well as a Really Simple Syndication (RSS) feed of all recently posted cyber threats from
the United States Computer Emergency Readiness Team (US-CERT) website.


The Security Operations Dashboard is intended to be an aggregator of key operational security information and allow
Security Analysts to quickly analyze potential security threats. Events of interest from security information and event
management (SIEM), point security solutions, and network monitoring solutions are presented on the Security
Operations dashboard. Security analysts can quickly review these events in one place, compare them to active security
feeds from outside sources, and manage Security Event and Security Incident handling processes.


Create a Security Event


Security Events are generated from multiple sources:

• User Portal (reporting anonymously is optional)
• IT Incident
• Integration with a Security Information and Event Management (SIEM) and/or network monitoring systems
• Manually

Create a Security Event via the Portal


The ISMS mApp contains the following items related to the Portal ‘Create ISMS Security Event’ capability. Incorporate
these into your Portal as appropriate.
• One-Step to open a Security Event form, allow anonymous reporting, and create a Security Event ticket.
• Security Event portal form

Create a Security Event via an IT Incident


The ISMS mApp contains the following items related to the ‘Create ISMS Security Event’ capability.
• One-Step to open a Security Event
• Relationship between Incident and Security Event
• Summary forms for Security Event



To configure the Incident form:


1. Add a link to your Incident form to initiate this One-Step.
2. Add the Security Event tab to your Incident form.


Create a Security Event via an Integration


The ISMS mApp does not contain any integration automation. Below is an example of the email monitor set up for
Splunk in the Cherwell Demo environment.

Manually Create a Security Event


1. On the CSM Desktop or Browser Client toolbar, click New > New Security Event.
A new Security Event record is created with a unique ID and a status of New. The Security Event automatically
enters the New phase.

2. Record the required details:


a. Reported By (in the Quick Info Tile): Provide the name of the Customer who initiated the contact, and then press
Enter or Tab to search for the Customer Record.


b. Description: Provide a description of the event (example: Laptop stolen from rental car).
c. Event Source: Select a source for the initiation of the event (example: Phone).
d. Event Date Time: Click the Date Selector button to access the Calendar.
e. Type: Select a category for the event (example: Loss or Theft of Equipment). The Type displays at the top of the
ticket.
f. A Runbook is populated if there is one associated with the selected Type.
g. Enter a Config Item if it is not automatically populated from an integration source.


If there is an active Risk Assessment associated with the Config Item, the Mitigated CI Risk field will also be
populated.

h. Enter a Supporting Service if known. The Mitigated Service Risk will be populated if there is an active Risk
Assessment for the Supporting Service.
i. Priority: Select from the priority matrix (example: Low).
j. Hostname and Source IP Address will either be populated from an integration (e.g., from a Splunk alert) or
from a Config Item. If Hostname is populated first, the Config Item field will be populated with that value.


3. Assign an Owner and Reviewer.


When an Owner is selected, the Security Event automatically enters the In Progress phase.

4. Event Analysis and Actions:


a. Populate the Analysis and Event Actions areas with details. These fields are audited; Journal entries will track
modifications made.

b. (Optional) Initiate other Actions as appropriate in response to a new Security Event:

Tabs provide additional details for supporting tickets and information.

Close Security Event:


1. Click Close Security Event in the Actions area. The Discovery field must be completed before closing the event.
2. Select a Cause Summary from the drop-down list. The Status then changes to Closed.


Create a Security Incident


A Security Incident is defined as a violation or imminent threat of violation of computer security policies, acceptable use
policies, or standard security practices. Security Incidents can only be opened through a Security Event.

Note: Security Incidents have specific security rules applied to them.

• The Default Owner Team is Security Incident.
• Team members will be notified that a new Security Incident has been created.
• The user who opened the Security Incident is added to the Granted Users list (and associated tab). Only users that
are in the Security Manager Security Group and/or are on the Granted Users list can view/modify a Security Incident.

To create a Security Incident:
1. Open the Security Incident:
a. Select Yes in the Does this event meet the requirements for a Security Incident? prompt.
b. Enter key details in the Security Incident Description field.

c. Detection and Analysis fields are populated from the Security Incident. Fill out any additional information in this
area as appropriate.


Working a Security Incident

Note: The Status values are New, In Progress, Pending, and Closed. When a ticket is opened, the Status is New
and the Assigned to Group is Security Incident. The Security Incident team is notified that a new ticket has been opened
and requires ownership. The Status will be set to In Progress once an Owner is assigned.

Note: The Security Incident Stage starts at Containment. Detection and Analysis are completed in the Security
Event but the Stage bar represents the NIST-recognized lifecycle of a Security Event through the Post Review and
Close stage of a Security Incident.

1. Complete Containment information.

2. Click Next Stage to move to the Eradication Stage.


3. The Stage will change once you start to type in the Eradication field. Enter Eradication details.

4. (Optional) Create supporting tickets from the Actions panel or initiate supporting actions. These can be initiated at
any status prior to Resolved. A few are highlighted below.

a. Security Incident Notification provides an email template that can be modified to send out notifications as
needed to interested parties such as Legal, HR, etc.

b. Grant Access to Users allows you to add users who will then have rights to view and edit this Security Incident.


5. Enter details in the Recovery Actions section to move to the Recovery stage. The record automatically moves to this
stage when the Recovery Actions field is updated.

Note: Click Previous Stage in the Next Stage box to go back to the other panels and enter additional data for
Containment, Eradication, and Recovery. The blue indicator color remains on the most recently reached Stage.

6. Update the Security Incident Timeline: include entries for the critical activities along with dates/times and the people
involved. These entries also appear on the Journals tab.

In the main Menu bar, click File > Print to print or save a report listing these entries.


7. Click the Next Stage arrow to move to the Post Review stage and complete the relevant Post Review fields.

Note: The Security Incident can be Resolved prior to Post Review being completed.


8. Click the Next Status arrow to change the Status to Resolved. There is no Closed status.

Note: Security Incident tickets can be Resolved if there are open Compliance Records. This can be modified by
the customer based on business requirements.

Create a Risk Assessment


Information security risk assessment is an on-going process of discovering, correcting and preventing security problems.
To create a Risk Assessment:
1. On the toolbar, click New>New ISMS Risk Assessment.
A new Risk Assessment record is created with a unique ID and a status of New.
2. Record the assessment information and Owner:
a. Assign an Owner to the assessment by clicking one of the ownership links in the Quick Info Tile
b. When an Owner is selected, the assessment automatically enters the Assigned phase.
c. Description: Provide a description of the assessment (example: Quarterly assessment of the Sales Team
Laptops).
d. Details: Provide a detailed description for the assessment (example: Evaluate laptops for potential security risks).
e. Click Save to move to the Select Asset activities.


3. Select Asset: Click the Attachment icon and select an Asset for the Risk Assessment.

Note: There can only be one Active Risk Assessment for each Configuration Item/Asset. You will receive this
message if you try to open a duplicate Risk Assessment:

4. Assign an Asset Custodian and Risk Owner:


a. Assign an Asset Custodian by clicking one of the ownership links in the Quick Info Tile (Asset Custodian section).
The Asset Custodian is the stakeholder that owns the related Business Service or Configuration Item (example:
Desktop Management). The Asset Custodian also approves the Risk Assessment during the Approving phase.
b. If the selected Asset has an Owner, the Asset Owner fields are populated automatically.
c. Assign a Risk Owner by clicking one of the ownership links in the Quick Info Tile (Risk Owner section). The Risk
Owner is the stakeholder that is responsible for any risks identified as part of the Risk Assessment.
5. Complete the Security Classification assessment:
a. Click the Begin Assessment link to start the Risk Assessment activities.

b. Select the appropriate Data Classification. This will be used in the calculations for the Risk classifications.


% Complete will be indicated in the panel and can be updated as you move through the activities.

c. Answer the questions for Data Classification, Threat Analysis, and Risk Mitigation. Click the arrow button to
move through the questions.

Note: The Browser client presents a different view when clicking through the records. After an answer
is populated, the view changes to a record view (not the listing). Use the arrow buttons to navigate through
the records. You may also change the view to horizontal.


d. Click Update Percentage Complete. You cannot move forward to the Findings activities until all three areas are
100%.

e. Click Calculate Risk when all three areas are at 100%. The top left panels show the Classification, Unmitigated
Risk Score, and Mitigated Risk Score.


f. (Optional) Create Corrective Actions or Preventative Actions from the Action areas.

6. Activate the Risk Assessment:


a. Complete the Findings area of the Risk Assessment. These fields are not visible until all questions are
completed.
• Accept the Risk: No additional activities are required.
• Avoid the Risk: No additional activities are required.
• Transfer the Risk: No additional activities are required.
• Mitigate the Risk: Click Attach Controls and add Controls that will help further mitigate the risk.

b. Click the Submit button to Activate the Risk Assessment. The status of the Risk Assessment will be Active and
all fields are locked.

7. Update Assessment: if modifications are needed to the Risk Assessment answers and associated calculated Risk
values, enter them here. The fields in the record can now be modified.
Click Calculate Risk and then Submit to return the record to Active with the new values.

8. Retire a Risk Assessment: click this action to retire the Risk Assessment.


Apply a Standardized Control Using the Specifications application


Use the Specifications area to apply a standardized control (example: ISO 27001:2013) and then define related policy
information using Policy Compliance records. The Specification is a tool to align company security programs with industry
standards. Prior to using Specification, ensure that Object Data has been configured through Table Management.
1. On the CSM Desktop Client toolbar, click New>New ISMS Specification.
A new Specification record is created with a unique ID and a status of Assessment.

2. Assign an Owner and Executive Sponsor:


a. Assign an Owner to the Specification by clicking one of the ownership links in the Quick Info Tile (Owner and I
Want To sections).
b. Assign an Executive Sponsor by clicking one of the links in the Quick Info Tile (Executive Sponsor section). The
Executive Sponsor is the stakeholder that ensures that the Owner is effectively completing the Specification
process.
3. Select a Specification:
a. There are several tables that are used to define the Specifications. This can be modified and other
Specifications can be imported or added manually.
b. Specification: Select an industry-standard specification from the drop-down. The ISMS mApp provides
examples for ISO 27001:2013 by default. The industry standard displays in the Specification bar in the Quick Info
Tile.

4. Add Controls to the Specification:


a. Select one of the options with a Blue arrow to determine how Controls are added.
i. Step Through Control Groups: This provides the user with the opportunity to individually review each
control and determine Inclusion or Exclusion. In the following example, the Control with the checkmark is
given a status of Inclusion. The Control without the checkmark has a status of Exclusion. Each Control
Group is worked by clicking on the arrows to go to the next panel of Controls.


ii. Load All Control Groups as Inclusion: Automatically loads all the Specification Controls in and creates
Control records with a status of Inclusion.
b. Select one of the options with the radio buttons to determine if Policy records will automatically be created for
each Control Group, or if these will be manually created and linked.
• Automatically create Compliance Policies for each Control Group.
• Manually link new Controls to existing Compliance Policies.


Once the Controls have been added, the Assessment Phase is Complete. Instructions on next steps are
outlined.


If you selected to Automatically create Compliance Policies, they are viewable in the Compliance Policy tab.
These are now linked automatically to the Controls based on the Control Group.

5. Complete the Justification area of each of the Controls. Included Controls require more fields to be captured and be
linked to a Policy. Excluded Controls only require an Exclusion Justification.


Completed Controls will be GREEN in the grid. Controls that are RED are incomplete either due to missing justification
information or missing a link to a Compliance Policy.

Create/Update a Compliance Policy


There are three types of Compliance records in the ISMS mApp: Policy, Preventative Action, and Corrective Action. Policy
records are related to Controls.
Policy records can be created automatically during the creation of a Specification and Controls, or they can be created
manually (File>New) and linked to Controls. Policy documents can be attached to the record or they can be created as
part of the record.
1. On the CSM Desktop Client toolbar, click New>New ISMS Compliance, or search Compliance records for Policies
created by the Specification activities.
2. A new Compliance record is created with a unique ID and a status of New. The example below was created from
the ISO Specification activities.
a. Complete the Owned By and Business Owner fields.
b. Complete the Description, Details, Type, and Priority if not filled in from the auto-create process.


c. Click Next Status: Assigned to change the Status.

d. Complete the Projected Start Date and Projected End Date to proceed through the workflow.

e. Click Next Active Status: In Progress. The record Details fields are now read-only.

3. Complete the In Progress Compliance Policy activities:

a. Initiate Actions as appropriate.

b. (Optional) Assign Responsible/Accountable/Consulted/Informed (RACI) roles and responsibilities. Enter an
Activity in the Activity field; the same Activity can then be selected again to assign a different role to another
Accountable Staff member.


c. Add Participants. Participants are defined in Table Management.

d. Controls are listed on the Controls tab. Policies can be linked to Controls directly in the Control record, or in the
Control record view in the Specification. You cannot link a Control record to a Policy record from the Policy
record.


e. Complete the Compliance Type and Policy Details fields. These are all required to move the status to Active.

f. Record additional information about the Policy in the Document Details tab (optional).

g. Click Next Status to put the ticket into an Active status.


4. Keep the Policy current.

a. Option 1: Review – No Action Needed. Notice that the Review date is 5/2/17 in the example below.
i. Click the Reviewed – No Action Needed button in the Compliance Type area.
ii. The Review Date changes to the date that maps to the Review Frequency, and a Journal entry is added
identifying the date/time and the user who did the review.

b. Option 2: Revise this Policy.
i. Click Review this Policy under the Actions area.
ii. Use this option when a Policy needs to be modified. A new Compliance Policy record is created and the
current Policy is referenced in a tab called Parent Compliance.


Conduct an Audit
To conduct an Audit:
1. On the CSM Desktop Client toolbar, click New>New ISMS Audit.
2. A new Audit record is created with a unique ID and a status of New.

3. Record the details:


a. Description: Provide a description of the Audit (example: Internal Audit on Access Controls).
b. Details: Provide a detailed description for the Audit (example: Ensure that all company laptops are security
compliant).
c. Source: Select a category for the action that initiated the Audit (example: Penetration Test).
d. Type: Select the type of audit being performed (example: Internal Audit).
e. Priority: Click a priority number (example: Medium). The priority is displayed in the Priority alert bar of the Quick
Info Tile.
f. Level of Effort: Select the level of effort required for the Audit (example: Medium).
4. Assign a Lead Auditor and participants:
a. Assign a Lead Auditor to the Audit by selecting a Team and an Owner.


b. In the Status bar, click Next Status: Assigned. The Audit automatically enters the Assigned phase.

c. In the Audit Participants tab of the Form Arrangement, define stakeholders for the Audit. Use Table Management
to populate this table, or click New ISMS Participant.

Note: You need to have at least one participant with a role of Approver to proceed through the Audit process.
You will receive the following message when you try to go to the Approving phase.

5. Define the scope and schedule:


a. Audit Scope: Provide information related to the extent and boundaries of the Audit (example: Audit affects all
laptops, but focuses on remote employee laptops).
b. Audit Criteria: Provide the criteria necessary for the Audit (example: Policies, procedures, and requirements). The
Audit criteria are used as a reference when analyzing evidence found during the Audit.
c. Proposed Start Date and Proposed End Date are populated and represented on the Audit Calendar.
d. Click Recurring Audit if appropriate. A new Audit record will be created 2 weeks prior to the future Start Date
and the Lead Auditor will be notified.


6. Submit the Audit for approval:

a. In the Status bar, click Next Status: Approving. The Audit automatically enters the Approving phase. An
Approval record displays in the Approvals tab of the Form Arrangement. The Approver reviews the Audit record
details and validates the dates, scope, and criteria.

b. After the Audit is approved, the status changes to Active. During this phase, the Audit Description and Audit
Scope and Schedule fields are locked.
7. (Optional) Link related Security Incidents to the Audit:
a. Click the Security Incident tab in the Form Arrangement.
b. Click the Link button.
c. Select one or more Security Events from the list in the ISMS Security Event Selector and click OK.
8. (Optional) Link related Risk Assessments to the Audit:
a. Click the Risk Assessments tab in the Form Arrangement.
b. Click the Link button.
c. Select one or more Risk Assessments from the list in the ISMS Risk Assessment Selector and click OK.
9. (Optional) Link related Controls to the Audit:
a. Click the Controls tab in the Form Arrangement.
b. Click the Link button.
c. Select one or more Controls from the list in the ISMS Control Selector and then click OK.
10. (Optional) Create a Corrective Action or Preventative Action:
a. Create a Preventative Action: Click the link in the Quick Info Tile to create a Preventative Action Compliance
record (example: Include download procedures in employee security training).


b. Create a Corrective Action: Click the link in the Quick Info Tile to create a Corrective Action Compliance record
(example: Provide Melanie and Andrew with additional security training).

11. Record the findings:


a. Objective Evidence: Provide information related to evidence found during the course of the Audit (example:
Discovered that two employees downloaded unauthorized programs on their computers.)
b. Audit Response: Select the type of response used to resolve the Audit (example: Corrective Actions Created).
c. Overall Conclusion: Provide information related to the conclusion of the Audit (example: Provided two
employees with additional security training).

12. Complete the Audit:


a. In the Status bar, click Next Status: Complete. The status changes to Completed. This indicates that the core
auditor activities have been completed. There may still be active Compliance activities occurring.


b. Click Next Status: Closed to close the Audit once all activities are completed. The following error will occur if
there are still open actions.

Audit Calendar
An Audit Calendar is included in the ISMS mApp. This provides a calendar view of Proposed Start/End Dates and Actual
Start/End Dates.
1. From the Portal: Click Audit Calendar on the Governance, Risk and Compliance Dashboard.

Entries in BLUE are planned audits. Entries in GREEN are completed audits.

2. From the CSM Desktop Client: Click Tools>Calendars>Audit Calendar.


Create Compliance Records for the Information Management System mApp


Use Compliance Records in conjunction with other ISMS Business Objects to create policy documents, track proactive
actions, or ensure compliance with security policies and Controls. Compliance Records are tools to align company
security programs with industry standards. Downloading the mApp is not a requirement for security industry standards
and does not automatically make an organization compliant with security standards.
Users can:
• Create a Corrective Action
• Create a Preventative Action
• Create/Update a Compliance Policy

Create a Corrective Action


Create a Corrective Action manually or directly from a Security Event, Security Incident, Audit, or Risk Assessment.
To create a Corrective Action:
1. Click Create a Corrective Action from the Actions area of an Active Security Event, Audit, or Risk Assessment. A
Corrective Action can also be created from the File/New area.
2. A new Corrective Action record is created with a unique ID and a status of New.
3. Record the details:

a. Description: Provide a description of the Corrective Action (example: A noncompliance was discovered while
conducting a Risk Assessment on the Sales Team's Laptops).
b. Details: Provide details of the Corrective Action and why it is needed (example: Additional security training
should be provided to the Sales Team and the noncompliance should be removed from all laptops).
c. Source: The source field automatically populates based on the record the Corrective Action is created from
(example: Risk Assessment).
d. Asset: The Configuration Item that is the focus of the action (optional).


e. Projected Start Date: Click the Date Selector to choose a projected start date.
f. Projected End Date: Click the Date Selector to choose a projected end date.
4. Assign an Owner and Business Owner:
a. Assign an Owner to the Corrective Action
b. Assign a Business Owner
After Owners have been assigned, click Next: Assigned in the status bar to move the Corrective Action to the Assigned
phase.

Work a Corrective Action

1. In the status bar, click Next: In Progress to move the Corrective Action to the In Progress status.
2. Record Root Cause notes.
3. Complete Actions Taken/Action Plan.
4. Choose a Completion Date.
5. In the status bar, click Next Status: Complete to close the Corrective Action record.
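The Corrective Action procedure above is a phase sequence (New, Assigned, In Progress, Complete) in which each "Next" link only makes sense once certain fields are filled in. The following Python model, added here as an example and not Cherwell code, shows how an integration or automation script could enforce that gating before pushing a record forward. Field and phase names follow the steps above; the CorrectiveAction class, the REQUIRED_FOR table and the sample values are this example's own assumptions, and Cherwell may enforce additional rules.

```python
"""Illustrative lifecycle model for an ISMS Corrective Action record.

Added example (not Cherwell code): models the phase gating described in the
procedure (New -> Assigned -> In Progress -> Complete) so that a transition
whose required fields are missing is rejected with a clear message.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

PHASES = ("New", "Assigned", "In Progress", "Complete")

# Fields that must be populated before a record may enter each phase.
# Assumption drawn from the steps in the procedure; not a Cherwell rule set.
REQUIRED_FOR = {
    "Assigned": ("description", "details", "owner", "business_owner"),
    "In Progress": (),
    "Complete": ("root_cause", "actions_taken", "completion_date"),
}


class TransitionError(ValueError):
    """Raised when a record cannot move to the requested phase."""


@dataclass
class CorrectiveAction:
    record_id: str
    source: str                        # populated from the originating record, e.g. "Risk Assessment"
    description: str = ""
    details: str = ""
    asset: Optional[str] = None        # Configuration Item that is the focus of the action (optional)
    owner: Optional[str] = None
    business_owner: Optional[str] = None
    projected_start: Optional[date] = None
    projected_end: Optional[date] = None
    root_cause: str = ""
    actions_taken: str = ""
    completion_date: Optional[date] = None
    status: str = "New"
    journal: list = field(default_factory=list)   # transition history, like a journal entry

    def missing_for(self, target: str) -> list:
        """Return the names of required fields that are still empty for `target`."""
        return [f for f in REQUIRED_FOR.get(target, ()) if not getattr(self, f)]

    def advance(self, target: str) -> str:
        """Move to the next phase, mirroring the 'Next: <phase>' link in the status bar."""
        current = PHASES.index(self.status)
        if target not in PHASES or PHASES.index(target) != current + 1:
            raise TransitionError(f"{self.status} -> {target} is not the next phase")
        missing = self.missing_for(target)
        if missing:
            raise TransitionError(f"cannot enter {target}: missing {', '.join(missing)}")
        # Sanity check on the projected window when both dates are present.
        if self.projected_start and self.projected_end and self.projected_end < self.projected_start:
            raise TransitionError("projected end date precedes projected start date")
        self.journal.append(f"{self.status} -> {target}")
        self.status = target
        return self.status


def demo() -> dict:
    """Walk one Corrective Action through its lifecycle on constructed sample data."""
    ca = CorrectiveAction(
        record_id="CA-EXAMPLE-1",                     # constructed placeholder ID
        source="Risk Assessment",
        description="Noncompliance found on the Sales Team's laptops",
        details="Provide additional security training; remove the noncompliance from all laptops",
    )
    rejected = None
    try:
        ca.advance("Assigned")                        # no owners yet: rejected
    except TransitionError as exc:
        rejected = str(exc)
    ca.owner, ca.business_owner = "security.analyst", "sales.manager"
    ca.projected_start, ca.projected_end = date(2017, 6, 5), date(2017, 6, 30)
    ca.advance("Assigned")
    ca.advance("In Progress")
    ca.root_cause = "Users with local admin rights installed unapproved software"
    ca.actions_taken = "Training delivered; software removed; admin rights reviewed"
    ca.completion_date = date(2017, 6, 20)
    ca.advance("Complete")
    return {"status": ca.status, "rejected": rejected, "journal": ca.journal}


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to the Preventative Action lifecycle described below, with the Deliverable area replacing Root Cause/Actions Taken as the field that gates completion.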


Create a Preventative Action


Create a Preventative Action manually or from a Security Event, Security Incident, Audit, or Risk Assessment.
To create a Preventative Action:
1. Click Create a Preventative Action from the Actions area of an Active Security Event, Audit, or Risk
Assessment. A Preventative Action can also be created from the File/New area.
A new Preventative Action record is created with a unique ID and a status of New.
2. Record the details:

a. Description: Provide a description of the Preventative Action.
b. Details: Provide details of the Preventative Action and why it is needed.
c. Source: The source field automatically populates based on the record the Preventative Action is created
from (example: Risk Assessment).
d. Asset: The Configuration Item that is the focus of the action (optional)
e. Priority: Select a priority for the Preventative Action
f. Projected Start Date: Click the Date Selector to choose a projected start date.
g. Projected End Date: Click the Date Selector to choose a projected end date.
3. Assign an Owner and Business Owner:
After Owners have been assigned, in the Status bar, click the Next: Assigned link to move the Preventative Action to
the Assigned phase.


Work a Preventative Action


1. In the Status bar, click Next: In Progress to move the Preventative Action to the In Progress status.
2. Record Root Cause notes.
3. Complete Actions Taken/Action Plan.
4. Populate the Completion Date.
5. Click Next Status: Complete to close the Preventative Action record.

Network Event
The Network Event is part of the Operational Event group object. The workflow and fields are similar to the Security
Event (also part of the Operational Event group object).
Network Events are generally opened via automation but can also be opened manually (New > New Security
Network Event).
1. Working a Network Event:
a. Generally, the Details, Event Source, Last Event Date Time, Type, Event Count and, at times, the
Configuration item are populated from the monitoring system. Populate these fields if you are creating the
ticket manually.


2. Assign an Owner and Reviewer:
a. Assign an Owner to the event by clicking one of the ownership links in the Quick Info Tile. When an Owner is
selected, the Network Event automatically enters the In Progress phase.

3. Event Analysis and Actions:
a. Populate the Analysis and Event Actions areas with details. These fields are audited and Journal entries will
track modifications made.


b. Initiate other Actions as appropriate in response to a new Security Event (optional).

4. Close Network Event:
a. Click on Close Event in the Actions area. The Discovery field must be filled out to close the event. The
Status will then be Closed.

Cherwell Mobile
Instructions are included in the mApp installation activities. Security Events can be viewed and updated in the
Cherwell Mobile client.


Information Security Management System mApp Workflow Diagrams

ISMS Audit
An Audit is a scheduled review of compliance related to an industry standard, such as ISO 27001:2013, or to key
Configuration Items (infrastructure, supporting services, and/or collateral). Audits can be scheduled on a recurring
basis, and Preventative and Corrective Actions can be associated with audit activities.


Security Event
Security Events are used to track and manage security-specific events using an independent process and lifecycle.
Security Events provide the means for analysts to quickly analyze possible security threats and take necessary
action. The following graphic shows a Security Event workflow.

Security Event Workflow Diagram
[Diagram: Status New > In Progress > Closed (with a Pending status). Steps: Assign Owner; Complete required fields
in the Detection area (these fields may be auto-populated by integration or when opened from Incidents or Network
Events); Analyze the Event, populating the Analysis and Event Actions information throughout the analysis
activities; Actions Needed? Yes > Take Action(s): Create Task, Create Corrective Action, Create Change Request,
Create IT Incident, Create Preventative Action, Add Affected Users, Link Related Security Events, Link Related
Network Events, Link Related CIs, View Similar Security Events; Additional Security Incident? Yes > Create Security
Incident; No > Closed. A Security Event can be closed or remain open independent of the state of the Security
Incident.]


Security Incident
If a Security Event results in a breach or loss of any type, the event can be escalated to a Security Incident. ISMS
Security Incidents are specific to security breaches, and differ from the CSM Incident Business Object. Security
Incidents follow the NIST guidelines for Security Incident handling and allow strict privacy throughout the process to
recovery. The following graphic shows a Security Incident workflow.

Security Incident Workflow Diagram
[Diagram: Status New > In Progress > Resolved; Stage Containment > Eradication > Recovery > Post Review. A Security
Incident must always be opened through a Security Event. Steps: Assign Owner; Enter Containment activities; Next
stage; Enter Eradication activities; Enter Recovery actions; Enter Post Review information; Resolve (manual).
Available actions: Create Task, Create Corrective Action, Create Change Request, Security Incident Notification,
Create IT Incident, Create Preventative Action, Add Affected Users, Grant Access to Users, Link Related Security
Events, Link Related Network Events, Link Related CIs, View Similar Security Events, Review Runbook if any, Add
Timeline Entries. The Security Incident Stage starts at Containment because Detection and Analysis were completed
in the Security Event; the Detection and Analysis fields carry over from the Security Event. Security Incidents can
be Resolved without the Post Review completed.]


Compliance Policy
Compliance Policies are used to create policy documents (recorded on the Compliance form or attached to the
Compliance form) and track related Controls. The following graphic shows a Policy workflow.

Compliance Policy Workflow Diagram
[Diagram: Status New > Assigned > In Progress > Active > Retired. Origination from an ISMS Specification or from
Create New Compliance. Steps: Add Document Details, Complete Policy Details and Complete Type information; Assign
Owner; Complete Participants area and Add Responsible parties; Complete/Update Details; Active; Retired. When the
Review Date field is modified, the policy is either reviewed with no modifications needed or revised via the Revise
this Policy Action, which copies the current information over to a new Compliance Policy record. Actions: Create
Corrective Action, Create Preventative Action.]


Specification
Use a Specification to define a set of Controls (individual requirements for specific areas of security) that align to
industry standards, such as ISO 27001:2013. The following graphic shows a Specification workflow.

[Specification workflow diagram: Stage Assessment > Definition > Active. Assessment: Select the Specification;
Assign Owner and Assign Sponsor; Select Automatically create or Manually link Policies; Select Control Group Action
(Step through or Load all) and Automatically create or Manually link Control Policies. Definition: All Controls are
created with 'Inclusion' status; Select controls to be included in each Control Group; Update Status for those to
be Excluded; Compliance Policies Created? No > New Compliance Policy Record(s); Yes > Update each Control with
Justification and Compliance Policy link as appropriate based on Status; All Controls completed? (Green) > Active:
Activate Specification.]


Compliance Corrective Action


A Compliance Corrective Action is used to record and track reactive actions taken to ensure compliance of a policy or
Control. You can create a Corrective Action directly from a Security Event or Audit. The following graphic shows a
Corrective Action workflow.

Corrective Action Diagram
[Diagram: Status New > Assigned > In Progress > Complete. Origination from: Security Event, Risk Assessment, Audit,
Security Incident. Steps: Complete Details area (Description, Type, Priority, Details); Add Controls (optional);
Assign Owner; Add Participants (optional); enter Projected Start/End Date; Complete Root Cause and Actions Taken
areas; Complete.]


Compliance Preventative Action


A Compliance Preventative Action is used to record and track proactive actions taken to ensure compliance of a policy
or Control. You can create a Preventative Action directly from a Security Event or Audit. The following graphic shows
a Preventative Action record workflow:

Preventative Action Diagram
[Diagram: Status New > Assigned > In Progress > Complete. Origination from: Security Event, Risk Assessment, Audit,
Security Incident. Steps: Complete Details area (Description, Type, Priority, Details); Add Controls (optional);
Assign Owner; Add Participants (optional); enter Projected Start/End Date; Complete Deliverable area; Complete.]


ISMS Risk Assessment


A Risk Assessment is a tool that uses several questionnaires to determine the mitigated risk score, unmitigated risk
score, business impact, threat likelihood, and security classification of a Security Event. A Risk Assessment is
completed by answering a set of questions that are weighted using a classification scale driven by Table
Management. The following graphic shows a Risk Assessment record workflow:

[Risk Assessment workflow diagram: Status New > Assigned > In Progress > Active > Retired, or Withdrawn. New: Create
a New Risk Assessment (required fields: Description and Owned By); Take Ownership; Fill out Assessment Information.
Assigned: Select an Asset (if there is already a Risk Assessment against the selected asset, a notice is provided and
the new risk assessment cannot proceed until the other risk assessment is retired); Assign Owners: Assign Risk
Owner, Assign Asset Custodian; Begin Risk Assessment Process, or Withdraw Assessment. In Progress: Select Data
Classification; Complete Data Classification; Complete Threat Analysis; Complete Risk Assessment; Update Percent
Complete; 100% Complete? No > Update Assessment; Yes > Calculate Risk; Complete Findings; Mitigate Risk Finding?
Yes > Attach Controls, Create Corrective Action, Create Preventative Action; Submit Assessment > Active; Retired;
Withdrawn.]


About Cherwell Software


Cherwell Software is the developer of Cherwell Service Management® (CSM), an award-winning
business technology and IT service management (ITSM) platform recognized by leading industry analysts
worldwide. Cherwell customers are part of a fast-growing, caring community using Cherwell Service
Management to implement both ITSM solutions and business technology that goes beyond ITSM.
Cherwell Software has the deepest expertise in the service management industry, including a global
network of expert partners currently serving customers in more than 40 countries. Corporate
headquarters are in Colorado, United States, with EMEA headquarters in the United Kingdom.

Contact Information

Support Website: www.cherwellsupport.com

Sales Website: www.cherwell.com

Support E-mail: support@cherwell.com

Sales E-mail: sales@cherwell.com

Corporate Headquarters — North America

Support Phone: +1.719.434.5819

Sales Phone: +1.719.386.7000 ext.1

Address: 10125 Federal Drive, Suite 100
Colorado Springs, CO 80908, USA

Europe, the Middle East, and Africa

Support Phone: +44 (0)1793 544899

Sales Phone: +44 (0)1793 544885

Fax: +44 (0)1793 544889

Address: Delta 1200, Delta Office Park
Swindon, Wiltshire, SN5 7XZ
