Tools For ISMS


MASARYKOVA UNIVERZITA

FAKULTA INFORMATIKY

Tools for information security management

Bachelor thesis

Pavol Sojčík

Advisor: Ing. Mgr. Zdeněk Říha, Ph.D.

Consultant: Ing. Martin Tobolka, CISA

Brno 2012
Declaration

I hereby declare that this bachelor thesis is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.

Signature: ………………………….
Acknowledgement

I would like to thank Ing. Mgr. Zdeněk Říha, Ph.D., the advisor of my thesis and Ing. Martin
Tobolka, CISA, the consultant of my thesis for their help, comments and time spent helping me
with this work.
Abstract

The aim of this thesis is to provide an overview of current software solutions for information security management. The process of successfully establishing an information security management system and its certification will be described in the theoretical part. In the practical part, compliance of the software solutions with ISO/IEC 27001 will be verified and the solutions will be compared and analyzed. One chosen solution from each area of focus will be tested against the ISO/IEC 27002 standard. Five areas of the standard were chosen to be addressed in this thesis, specifically:
a) management and monitoring of network services
b) server monitoring
c) identity management
d) vulnerability management
e) incident management
Keywords

ISO/IEC 27001, ISO/IEC 27002, Information security management, ISMS, ISO certification, management and monitoring of network services, server monitoring, identity management, vulnerability management, incident management.
Contents

1 Introduction
2 Information security management system
2.1 Critical success factors for ISMS
2.2 Business size factor
3 ISMS standards and certification
3.1 ISO/IEC 27001
3.2 Benefits of ISO/IEC 27001 certification
3.3 Process approach of building ISMS
3.4 ISO/IEC 27002
3.5 Certification process
4 Server monitoring
4.1 ISO/IEC 27001 requirements
4.2 Software comparison
4.3 ISO/IEC 27002 implementation guidance
5 Network service monitoring and management
5.1 ISO/IEC 27001 requirements
5.2 Software comparison
5.3 ISO/IEC 27002 implementation guidance
6 Incident management
6.1 ISO/IEC 27001 requirements
6.2 Software comparison
6.3 ISO/IEC 27002 implementation guidance
7 Vulnerability management
7.1 ISO/IEC 27001 requirements
7.2 Software comparison
7.3 ISO/IEC 27002 implementation guidance
8 Identity management
8.1 ISO/IEC 27001 requirements
8.2 Software comparison
8.3 ISO/IEC 27002 implementation guidance
9 Conclusion
Literature and references

1 Introduction

Nowadays, information security is one of the most discussed expressions, despite the fact that it is so hard to precisely define this seemingly simple term. It has been proven countless times that a state of perfect information security is impossible to reach, and the best that individuals or organizations can do is try to get as close to this state as possible. In today's world, where IT is utilized worldwide on a daily basis, information is becoming as valuable as ever. Even one e-mail ending up in the wrong hands could cause harm not only to an individual person but also to the organization which he or she is a part of. This is one of many reasons why organizations should have a sophisticated information security management system (ISMS).
Many organizations address information security, but their solutions are often unorganized and ineffective. As a result, the need for a formal document or a standard has emerged in order to help with the process of managing information security. To support this process in an organization, the international standard ISO/IEC 27001 [1] was published in 2005. The standard is used as the basis for a formal certification scheme, meaning that it is the document against which an ISMS will be assessed [4]. However, ISO/IEC 27001 does not provide guidance in terms of the actual implementation of the ISMS. To successfully implement an ISMS in an organization, the guidelines from ISO/IEC 27002 [13], also referred to as the Code of practice for information security management, should be followed.
The aim of this bachelor thesis is to perform an analysis of available information security management tools in accordance with ISO/IEC 27001. The thesis will focus on five areas considered in the standard, specifically: management and monitoring of network services, server monitoring, identity management, vulnerability management and incident management. These areas were chosen based on the agreement with my consultant Ing. Martin Tobolka, CISA, since covering all areas considered in the standard would be beyond the scope of a bachelor thesis.
The first chapter of this work focuses on the ISMS and the factors critical to its success, also addressing the significance of the business size factor. The second chapter describes the ISMS standards in detail together with the process approach of building an ISMS as described in ISO/IEC 27001. It also explains the benefits of being certified and the whole process of certification. Each of the following five chapters addresses one chosen area of focus. In each one of these chapters, two software solutions are analyzed. Firstly, the ability of those solutions to comply with ISO/IEC 27001 controls is verified. Afterwards, the tools are compared using a methodology specific for that area, and in the final part one of these solutions is chosen and its ability to follow ISO/IEC 27002 guidance is tested and demonstrated in practice.

2 Information security management system
An information security management system (ISMS) [1] based on ISO/IEC 27001 is a part of the overall management system of the organization. It is based on a business risk approach and its goal is to establish, implement, operate, monitor, review, maintain and improve the information security of the organization. It implements measures in order to eliminate or minimize the impact that various security threats and vulnerabilities might have on an organization, while taking into account the structure of the organization, its policies, planning activities and resources. This chapter focuses on providing an overview of what contributes to the success of an ISMS [2] and addresses different approaches towards the ISMS depending on the size of the organization, also described in [2].

2.1 Critical success factors for ISMS


Adopting an ISMS is a very complex process and there are several critical factors. For an ISMS to be effective in a specific organization, it must
• be managed centrally based on the organization's strategy and policy;
• be part of overall management, closely related to the organization's approach to risk management;
• have the continuous support of the organization's top management;
• have appropriate human and financial resources;
• have its security objectives and activities based on business objectives and requirements;
• undertake only necessary tasks and avoid waste of valuable resources;
• be a never-ending, constantly improving process;
• be based on continuous awareness and training of staff.
As unimportant as the last point may seem, it is a key part of a successful ISMS. Information security and its management is definitely not a technology-only issue to be dealt with by the IT department of the organization. The most important decisions regarding information security are the ones made by regular computer users (employees); therefore it is essential for every member of the organization's staff to be properly trained and to be aware of all the consequences that any of his/her actions will bring for the company.

2.2 Business size factor


Both large and small businesses have to undergo risk assessment to be able to identify the security risks. The difference is the number of assets that are part of the risk assessment process. Smaller organizations typically do not have a large amount of assets that need to be protected. Identified threats are similar, independent of the size of the organization, but the number of vulnerabilities is the key difference, as larger organizations are much more vulnerable because they work with larger amounts of information. However, that does not mean that smaller organizations do not need to have the ISMS properly implemented. It means that they need to fulfill only the basic ISMS scope. On the other hand, organizations such as banks, financial institutes, telecommunication operators, health institutes and public or governmental organizations need to fulfill many more legal and regulatory requirements concerning information security. The objective of those requirements is to protect sensitive or personal data as well as general public security requirements, which forces these organizations to devote much attention to information security risks. Along with the organizations' obligation to meet those requirements, the need for international standards guiding the development and implementation of an ISMS has emerged.

3 ISMS standards and certification
The first standard to support the ISMS, namely BS7799, was published in 1995 by the British Standards Institution (BSI) and was initially created as a technology- and vendor-neutral management system that, if properly implemented, would assure the organization's management of the effectiveness of its information security measures and arrangements. But as organizations began to realize the scale and severity of information security threats, along with the growing range of data protection and privacy-related laws and regulations, the demand for a certification option began to grow. However, BS7799 did not provide the specifications needed for an external verification and certification scheme, therefore the standard underwent a revision. After the review and the addition of a second part addressing the specifications, it became internationalized as a part of the ISO/IEC 27000 series of standards [3].
The goal of this chapter is to provide an overview of the ISO/IEC 27000 family of standards [5], define the process approach compliant with the standards [1], describe the certification process according to [6] and the benefits of being certified [14].

3.1 ISO/IEC 27001


This standard provides a common model for an ISMS, specifically for operating, monitoring and improving ISMS operation. ISO/IEC 27001 is designed to be compatible with other management system standards such as ISO/IEC 9001, which addresses quality management systems, and ISO/IEC 14001, which addresses environmental management systems. The aim of the ISO standards is to provide consistent, integrated implementation and operation of the ISMS with other management systems within the organization. The similarities among the standards imply similarities in the supporting tools and functions, meaning that if the organization has implemented other management standards, there may be one audit and one management system, where that management system applies to quality management, environmental management or security management.
The importance of ISO/IEC 27001 is in providing a formal certification scheme used to obtain a third-party international certificate that proves the existence and operation of security controls according to the requirements. The ISO/IEC 27001 standard describes the ISMS as an overall management system from a business risk approach. According to the standard, the ISMS should address all aspects of the organizational structure, policies, planning, activities, responsibilities, practices, procedures, processes and resources.
With an ISMS, the senior management of the organization has the means to monitor and control security while reducing residual business risk. After its implementation, the organization may formally secure information and continue to fulfill customer, legal, regulatory or stakeholder requirements. If certification is pursued by the organization, the analysis of Sections 4 to 8 is essential, as these clauses are mandatory for certification. They describe the implementation and construction of the specific organization's ISMS along with defining the general requirements, and are specified as follows:
• Information security management system
• Management responsibility
• Internal ISMS audits
• Management review of the ISMS
• ISMS improvement
Annex A in ISO/IEC 27001 [1] presents a list of controls corresponding with those listed in ISO/IEC 27002. The list is not exhaustive and an organization may decide that additional objectives and controls are necessary, but those from this list should be selected as part of the ISMS process if certification is the goal. Control objectives and controls are specified in clauses 5 to 15 of Annex A as follows:
5. Security policy
6. Organization of information security
7. Asset management
8. Human resources security
9. Physical and environmental security
10. Communications and operations management
11. Access control
12. Information systems acquisition, development and maintenance
13. Information security incident management
14. Business continuity management
15. Compliance
Annex B contains a table where the OECD principles and the corresponding ISMS procedures and phases show how the international information security standards fulfill the requirements of the OECD. If the organization has already implemented other management standards, such as ISO 9001 or ISO 14001, Annex C contains a table mapping to the respective standards.

3.2 Benefits of ISO/IEC 27001 certification


Certification of the ISMS is objective proof that the owners and management of an organization are aware of their responsibilities regarding information security. It also declares that the principles of behavior and the approach towards information security are a part of the organization's business. The most important benefits of ISO/IEC 27001 certification are:
• Information security is integrated in the organization's management.
• Certification is one of the main factors affecting business competition, because when certified, information and its security is in a managed mode.
• Employees are responsible for securing their workspace's information and their customers' data.
• The requirement of continuous improvement guarantees long-term effectiveness of resource management.
• Transparency of incident consequences and their avoidance; detection of risks, discrepancies and incidents with unwanted impact on the confidentiality, integrity and availability of information and subsequently on running the entire organization.
• Increase of business credibility for investors, banks and insurance companies.
• Savings on penalties and sanctions related to information leakage.

3.3 Process approach of building ISMS


Figure 1 demonstrates the ISO Plan-Do-Check-Act model used to implement the ISMS. It is often referred to as the ISMS cycle or Deming cycle¹. It is used to develop, maintain and continually improve the ISMS. The goal of this model is to have an overall management system, built in consideration of the business, to implement, operate, monitor, maintain and improve information security.

Figure 1 ([1], page 7): PDCA model

The PDCA model phases are described as follows:

a) Plan
Establishing the ISMS policy, objectives, processes and procedures relevant to risk management and information security improvement. Delivering results according to the organization's overall policies and objectives is critical in this phase.
b) Do
Implementation and operation of the ISMS policy, controls, processes and procedures.
c) Check
Monitoring and assessment of process performance against the ISMS policy and its objectives, reporting the results to management for further review.
d) Act
Taking corrective and preventive actions based on the results of the internal audit and management review. The aim of this phase is to maintain and continually improve the operation of the ISMS.

¹ Named after its creator, American professor and statistician, Walter E. Deming [30].

3.4 ISO/IEC 27002


This standard, referred to as the Code of Practice for Information security, provides guidelines for a consistent approach when implementing the ISMS. It addresses the selection of proper security controls, as well as establishing good practices when applying the selected controls. However, the procedures to actually implement the security controls are up to the organization. They often vary depending on the physical and technical environment the organization is in. Today, there are many means and methodologies that support the protection of information assets, but many organizations choose to use the ISO standard as a guideline.
ISO/IEC 27002 consists of 12 chapters covering approximately 39 key elements and 133 controls. The structure of every individual security control can be divided into the following parts:
Control
Provides the definition of the security control with a statement regarding the qualities needed to fulfill the requirements.
Implementation guidance
Includes information for the implementation of the control and guidance to fulfill the requirements.
Other information
Only present in some controls; contains references to information related to the specific control.
In the practical part of this thesis, ISO/IEC 27002 will be used to analyze the chosen software and test its capabilities to fulfill the requirements for the security controls.

3.5 Certification process


There are several steps required for the successful completion of certification, and they must be completed in the following order:
1. Use ISO/IEC 27001 to create a management framework for the ISMS. The framework is based on the scope that is defined by the Statement of Applicability². The Statement of Applicability or SOA has to include sections 4 to 8 from ISO/IEC 27001. Exclusion of any of the controls described in clauses 5 to 15 in Annex A has to be approved by the certification body. This step may take significant time and resources, depending on the scope of the ISMS and the skill set of the resources performing the implementation.
2. Contact a certification body to determine schedules, costs and planning for assessment, audit and registration activities.
3. Acquire the approval of senior management for the project. The organization's senior management should be aware of the costs, benefits, risks, mitigation strategies and the project plan that indicates all the aspects of the project related to a timeline for completion.
4. Before the certification, the whole first iteration of the PDCA cycle has to be completed, including complete guidelines, internal audits, control and monitoring logs, management review and staff training.
5. Schedule the assessment and audit activities with the certification body.
6. The certification itself is divided into 2 separate steps:
a) Study of the ISMS documentation, which will be requested by the certification body for a review prior to coming for the audit. The certification body is in a position to comment on any insufficiencies, for the corrections to be made prior to the audit.
b) The certification body conducts an on-site audit of the ISMS, whose length may vary depending on the certification body, the size of the organization or the scope of the ISMS. The aim of this audit is to assess the technical compliance of the ISMS implementation with the standard.
7. The organization is officially notified of the audit results and, in case of failure, deficiencies are communicated to the organization in order to be corrected prior to the new audit.
After successfully passing the audit, the certification body will transmit a formal certificate of registration to the organization. To indicate a successful registration of the ISMS, the organization is then allowed to use the watermark of the certification body on appropriate communications.

² A documented statement describing the control objectives and controls that are relevant and applicable to the ISMS of the specific organization [1].

4 Server monitoring

Every organization that pursues ISO/IEC 27001 certification is likely to have one or more computer networks, as today utilizing IT in business is one of the most critical success factors. Whether it is a network located in the same building or across a number of geographic locations, effective network management and monitoring is essential for the stability of its operations, meaning that controlling this area is crucial for the organization. This chapter focuses on the comparison, analysis and testing of the latest network and server monitoring software. I decided to choose the most widely used open-source solution, Nagios, and the Cisco-recommended commercial solution, Orion NPM. Firstly, ISO/IEC 27001 compliance will be verified on these software solutions. Afterwards, the solutions will be compared functionality-wise in what they bring to an organization. In the final part of this chapter one software solution will be chosen and its ability to fulfill the objectives of ISO/IEC 27002 will be tested in practice.

4.1 ISO/IEC 27001 requirements

In its control A.10.6.1, namely Network controls, the certification standard requires the following: "Network shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit" [1]. Nagios and Orion NPM comply with the requirement as they both provide monitoring based on the Simple Network Management Protocol (SNMP). SNMP is a standard protocol for managing devices on IP networks and is functional only on devices that support this protocol, like routers, switches, workstations, servers or printers. It can be used to automatically discover the network and acquire a vast amount of information about every single network element, for example the LAN or WAN interfaces on a switch or a router along with their traffic. SNMP also supports a limited number of configuration changes, like shutting down network interfaces or modifying the routing tables [7].

4.2 Software comparison

There are many criteria to be considered when choosing a network monitoring system, but the requirements differ with each organization. For example, a small company has a different network structure compared to a national bank; therefore, the most important thing is to choose the solution that is best for the organization's needs. I decided to make a complex comparison of the chosen solutions by providing an overview of the most important features in the server monitoring field as listed in [8] and [17]:
a) User interface
Everything being easily accessible is one of the key success factors of such a complex software solution. In practice, it means that the user should not be forced to navigate through a number of screens or pages to get the desired information. Both NPM and Nagios are Web-based applications, but as far as user experience goes, the consistency of NPM's interface design is much better and more intuitive.
b) Reporting
Generating reports regarding network traffic, interface availability and other device-specific reports, like wireless, is one of the essential parts of server monitoring and should be integrated in the solution. Both NPM and Nagios provide customizable reporting, but Nagios requires an add-on to be installed for this purpose, whereas NPM has an integrated tool called Orion Report Writer.
c) Automated network discovery and device mapping
The ability to scan the whole network, properly identify servers and poll their specific data. Again, Nagios supports this functionality only with a plug-in, but NPM has an integrated web page wizard. In both solutions, this is done by sending out SNMP packets with specific queries and, in case of a device's response, the data from the incoming SNMP trap are processed. If the specific data cannot be polled from a server, the server simply does not respond to the query.
d) Special monitoring capabilities
WMI
WMI is the Microsoft implementation of Web-Based Enterprise Management and allows monitoring of Windows-based servers and workstations. After providing appropriate Windows administrative credentials, it provides information like file system usage, memory usage, server and service state and event log data [9]. Both tested solutions have integrated WMI monitoring capability.
Fibre Channel (VSAN)
Fibre Channel is a technology defined by a set of related networking standards that allows computer devices to communicate at data rates of up to 10 Gbps. Fibre Channel is well suited for connecting computer servers to shared storage devices and for interconnecting storage controllers and drives. Due to its speed, it quickly began to replace the Small Computer System Interface (SCSI) as a transmission interface between servers and clustered storage devices [10]. NPM has the ability to monitor servers using Fibre Channel technology and the corresponding Storage Area Networks, whereas Nagios is able to monitor Fibre Channel devices only from one vendor, specifically Brocade, after installing the needed plug-in.
Virtualization
Server virtualization is widely used in the enterprise environment, mainly because of its flexibility and affordability. The most popular solution in virtual infrastructure is the ESX server from VMware. What the ESX server provides is a thin client with its own kernel running directly over the hardware layer. The ESX kernel deployed on a specific hardware configuration then works as a host operating system for layering other services. In practice, this means that numerous virtual operating systems can be installed on this host OS, all with predefined hardware resources like RAM, storage or CPU [11]. This often creates a very complex virtual server infrastructure, and its monitoring is as crucial as monitoring any other physical servers. Both of the tested server monitoring solutions are able to monitor VMware servers, datacenters, clusters and virtual machines hosted on ESX servers, providing details on performance, resource usage or availability. Nagios, however, needs a number of plug-ins to be installed to enable this functionality.
e) Alerting, notifications and syslog
Responding to various network scenarios, like device failures, in a timely fashion is the most important responsibility of the network administrator, but when having a large network infrastructure, it is impossible to periodically check hundreds of devices for failure manually. Both Nagios and NPM provide a built-in customizable alerting and notification service that enables the company's administrator to configure multiple condition checking and to send an e-mail or SMS, or execute a script afterwards. Both solutions also add the ability to generate syslog³ messages, but Nagios requires a change in a configuration file to do so, whereas NPM has this ability integrated within its alerting engine.
f) Distributed monitoring
When an organization has a large network infrastructure, scalability becomes a critical part of the server monitoring solution, because one monitoring server is not able to handle the amount of data that needs to be processed. Distributed monitoring is possible in both NPM and Nagios. NPM has its own special module, called Additional Poller, that is installed on a separate monitoring server. Nagios offers a choice of three possible solutions for distributed monitoring: DNX, Nagios Fusion and MNTOS, all having their specific advantages as described in [12].
g) Network change detection
The topology of large corporate networks changes on a daily basis, and network monitoring tools should have the ability to detect network changes as fast as possible in order to provide the administrator with up-to-date network data. NPM has its own topology algorithm that uses polling jobs assigned to each network node individually. It stores layer 2 and layer 3 data in the database and periodically calculates the topology, which is afterwards displayed on a map located on the web page. However, this only detects topology changes between already added nodes. To detect a newly added node, there is a possibility to run the network discovery periodically with a defined recurrence period, which will result in all new network devices being added to NPM and the administrator being notified via NPM events. Nagios has a similar feature but needs a plug-in to provide it. After defining a subnet, Nagios scans it for devices that are not currently monitored and sends a notification to the administrator when new devices are found.
Table 1 summarizes the comparison of NPM and Nagios. As the table shows, Nagios, being an open-source project, needs a number of plug-ins to be installed to provide the same functionality as NPM, which makes NPM easier to deploy in an organization.

3 Syslog is a standard for SIEM (Security information and event management) systems that allows separation of the software that generated the message from the system where the message is stored, guaranteeing simple integration of monitoring tools [29].

Feature                  | Orion NPM               | Nagios
Reporting                | Yes, customizable       | Yes, customizable
Network discovery        | Yes                     | Plug-in
WMI                      | Yes                     | Yes
FibreChannel             | Yes, multi-vendor       | Yes, only Brocade (plug-in)
Virtualization support   | Yes                     | Yes
Alerts                   | Built-in customizable   | Built-in customizable
Syslog messages          | Yes                     | Plug-in
Distributed monitoring   | Yes - Additional Poller | Yes - DNX, Nagios Fusion, MNTOS
Network change detection | Yes                     | Plug-in

Table 1: Comparison of Orion NPM and Nagios

4.3 ISO/IEC 27002 implementation guidance

After the analysis and comparison of the key features that Nagios and NPM provide, in my practical part for server monitoring I have chosen to test NPM, mainly due to its completeness and the practically non-existent need to install any additional modules or plug-ins. Since ISO/IEC 27002 is used for the actual implementation of the ISMS, I decided to use this standard to test the software and demonstrate its capability to fulfill the appropriate controls in practice. Testing was done in an actual corporate environment, with a network spanning America, Asia and Europe and with the latest network devices and servers.
In the implementation guidance of control 10.6.1 Network controls, the standard states that the following items should be considered:
a) „Operational responsibility for networks should be separated from computer operations
where appropriate“ [13].
Fulfillment of this control, referred to as Segregation of duties, is achieved by deploying the software separately from any administration tools not related to networking. NPM does not require any special hardware to run, so it can be deployed on any computer connected to the network that is to be monitored, or it can even run on a virtual machine with a bridged network adapter.
b) „Responsibilities and procedures for the management of remote equipment, including
equipment in user areas, should be established“ [13].
Procedures for the management of remote equipment are established in NPM right after the successful installation of the product, when the NPM administrator is offered the possibility to run the so-called Network Discovery. This process, as mentioned before, sends out ICMP and SNMP packets and is also able to discover Windows-based servers or workstations through WMI, and VMware ESX servers through their specific API. I tested the Network discovery in a middle-sized company located in Brno. The company network is defined as follows:
• 93 Windows 7 workstations
• 65 Windows-based server systems, running versions from 2003 to 2008 R2
• 1 Linux-based server
• 4 VMWare ESX Servers
• 1 Wireless Access Point
• 3 Cisco Fibre Channel Nodes
• 1 Cisco UCS node
In total, these network devices had 194 hard drives that needed to be monitored, and the network discovery successfully recognized them, along with RAM and virtual memory on specific computers. The discovery took exactly 10 minutes and 40 seconds, including the process of importing the results into the database.
c) „… to protect the connected systems and applications special controls may also be re-
quired to maintain the availability of the network services and computers connected“ [13].
With the aforementioned NPM module, Advanced alert manager, the organization's administrator is able to take a number of actions after a certain condition related to the availability of servers or their interfaces occurs. These actions include sending an e-mail, logging an alert, sending an SNMP trap or Syslog message, and executing an external program or Visual Basic script, which gives the network administrator the ability to apply a configuration change after, for example, a node becomes unavailable or one of a server's interfaces is overloaded with data. The availability data are then stored and displayed in Availability reports on the NPM webpage, where after a set amount of time they are aggregated and moved to historical availability reports for the last week, month and year.
d) „Management activities should be closely coordinated both to optimize the service to the
organization and to ensure that controls are consistently applied across the information
processing infrastructure“ [13].
Consistency of the applied controls is one of the most important requirements of the standard, and a software solution like NPM guarantees this consistency through its centralized principle, where one computer controls and monitors the whole network. Therefore, every change or inconsistency is seen immediately and appropriate actions can be taken by the company's administrator, either to fix the issue or to optimize the operation of the network, if needed.
e) „Appropriate logging and monitoring should be applied to enable recording of security
relevant actions“ [13].
There are several features in NPM that allow the administrator to monitor, log and record security-relevant data. First of all, there is the Reports page, which covers the most frequently needed reports about any network-related activity, like Volume usage and status or CPU and memory reports. Built-in reports are configured via the Orion Thresholds webpage, where the administrator defines the conditions that need to occur on a server for it to be displayed in a report (for instance, more than 85% of memory is used or the response time is higher than 1500 ms). Data from many default historical reports, for instance VMware ESX server or Historical traffic reports, are generated to reflect different time spans: day, week or month. The reporting functionality is then extended with the aforementioned Report writer, where customization or even the use of advanced SQL scripts is possible to generate the desired report. A useful addition for auditing is also a utility called Report scheduler, which builds tasks that will automatically run, print or e-mail an NPM report on a scheduled basis. Another utility used for logging is Log adjuster, which is able to configure any log that NPM creates and uses. It enables the NPM administrator to select the logging level for every particular log, depending on how detailed the information needs to be and how long the log should be kept, plus the size limit of the log file. The problem with large log files can be solved by forwarding the logs to a SIEM4.
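As an added example (not NPM's own code), the threshold-and-forwarding pattern just described, in Python: polled node metrics are evaluated against report thresholds such as the ones above (85% memory used, 1500 ms response time) and each breach is formatted as an RFC 5424 syslog message that a SIEM can ingest. The node names, polling values, CPU limit and collector address are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import socket

# Report thresholds as described in the text: more than 85 % memory used
# or a response time above 1500 ms. The CPU limit is an assumed value.
THRESHOLDS = {
    "memory_pct": 85.0,
    "response_ms": 1500.0,
    "cpu_pct": 90.0,      # assumption, not taken from the thesis
}


@dataclass
class Sample:
    """One polling result for a monitored node (values are constructed)."""
    node: str
    memory_pct: float
    response_ms: float
    cpu_pct: float


# Constructed polling data; node names are placeholders.
SAMPLES = [
    Sample("srv-01", 92.5, 120.0, 40.0),
    Sample("srv-02", 60.0, 2300.0, 95.0),
    Sample("srv-03", 50.0, 80.0, 30.0),
]

# Fixed timestamp so the output is reproducible.
FIXED_TS = datetime(2012, 3, 1, 8, 0, 0, tzinfo=timezone.utc)


def breaches(sample):
    """Return (metric, value, limit) for every threshold the sample exceeds."""
    return [(m, getattr(sample, m), limit)
            for m, limit in THRESHOLDS.items()
            if getattr(sample, m) > limit]


def threshold_report(samples):
    """Rows of a threshold report: only nodes with at least one breach,
    which is how threshold conditions select the nodes shown in a report."""
    report = {}
    for s in samples:
        hits = breaches(s)
        if hits:
            report[s.node] = hits
    return report


def syslog_line(node, metric, value, limit, ts=None, hostname="npm-server"):
    """Format one breach as an RFC 5424 syslog message.
    PRI = facility * 8 + severity; facility 1 (user-level), severity 4 (warning)."""
    ts = ts or datetime.now(timezone.utc)
    pri = 1 * 8 + 4
    timestamp = ts.isoformat().replace("+00:00", "Z")
    # Structured-data element; 32473 is the RFC 5424 example enterprise number.
    sd = (f'[threshold@32473 node="{node}" metric="{metric}" '
          f'value="{value}" limit="{limit}"]')
    return (f"<{pri}>1 {timestamp} {hostname} npm - THRESHOLD {sd} "
            f"{metric} on {node} is {value}, limit {limit}")


def messages_for_siem(samples, ts=None):
    """All breach messages from one polling cycle, ready to forward."""
    return [syslog_line(node, m, v, lim, ts)
            for node, hits in threshold_report(samples).items()
            for m, v, lim in hits]


def forward_udp(lines, host="127.0.0.1", port=514):
    """Send the lines to a syslog/SIEM collector over UDP (RFC 5426).
    The collector address is an assumption; nothing is sent by the tests."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for line in messages_for_siem(SAMPLES, FIXED_TS):
        print(line)
```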

4 A solution that combines security information management and security event management, providing real-time analysis of security alerts and allowing the organization of large amounts of log data [19].

5 Network service monitoring and management

For the proper functioning and maximal utilization of an organization's network, there are certain network services providing users with specific functionality or shared resources. These services can be either outsourced or in-house, depending on the budget or technical equipment of the company, but the process of network service monitoring needs to be established either way. This chapter will focus on comparing one open-source project and one commercial solution focused on network service monitoring. From commercial software I have chosen SAM, coming from the same product line as the earlier tested NPM. In many ways SAM is similar to NPM (for instance, it has an identical network monitoring core) but focuses on application and service monitoring. From open-source solutions I have chosen OpenNMS. Similarly to the previous chapter, I will verify their compliance with ISO/IEC 27001 and afterwards compare the two tools functionality-wise, according to the requirements described in [15]. Based on the results, I will choose the software that will be tested against the ISO/IEC 27002 standard in the following chapter.

5.1 ISO/IEC 27001 requirements

In ISO/IEC 27001, network service monitoring is considered in control A.10.6.2, called Security of network services, which requires the following from an organization: „Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced“ [1]. The software solutions tested in this chapter cannot guarantee fulfilling this control by themselves, as network service agreements are the responsibility of managers, as is the choice of whether a service is outsourced or not. However, once this is taken care of, software solutions help monitor these security features and service levels, and also monitor that all the management requirements are being continuously complied with.

5.2 Software comparison

Traditional IP networks have always been managed by measuring parameters like the link utilization or packet losses of routers, switches, servers and other network elements. However, this is sufficient only for best-effort services. Network services in use now have much more diverse requirements and require measurements of finer granularity. This chapter focuses on monitoring critical network services in real time, which allows the organization to ensure that the network and its services adequately satisfy the requirements of its network users. There are various methods to acquire data that can be analyzed in order to determine the performance of the network and the network services. Data acquisition methods include active and passive probes, software agents for mobile devices and flow information from routers or other network elements. The monitoring in this chapter focuses on three primary functions: service assurance, traffic profiling, and fault detection and diagnosis. The goal is to detect service quality degradations and identify the cause of the problems. Afterwards, this information can be used to take remedial actions, minimizing the impact of the quality degradation. The set of requirements of a monitoring platform for a network can be summarized as follows:
Extensibility
After new services are deployed on the network, the monitoring software should be able to deploy new monitoring mechanisms for these services easily and seamlessly. In this aspect, SAM provides an intuitive, web-based wizard immediately after the network discovery is completed, where the administrator is able to select every service that needs to be monitored. If a new network service is integrated into the network, the only change needed from the administrator is adding a new service monitor through the wizard, and SAM will detect the service and start polling the service-specific data. OpenNMS takes a similar approach, even though in earlier versions all configuration changes had to be done strictly by editing XML files. Since version 1.8.0, OpenNMS provides functionality called Provisioning, which enables the administrator to select from a number of predefined services that need to be monitored on a specific network element. However, if there are services that are not included in the default monitoring list of OpenNMS, there is still a need to create a configuration XML file, called a Foreign source detector, which is imported afterwards.
Scalability
Growing link speeds and the increasing amount of information that must be processed place an enormous stress on the management system, because the goal is to keep the performance of the network at as high a level as possible. Therefore, monitoring software should be able to handle increasing network speeds and a large number of network devices. There are many ways to achieve this effectively, for instance reducing the information collected from the network devices or using distributed monitoring. The network size is really where the difference lies between the commercial and the open-source solution, because in SAM the size of the network to be monitored is limited by the license. The smallest possible license starts at 50 monitors, selling at 2035€, and the unlimited license sells at 24440€ [27]. OpenNMS does not have these limitations, but it needs to be pointed out that both products have very high hardware requirements when monitoring a large network. As a solution, they both offer distributed monitoring, called Additional Poller in SAM and Remote monitor in OpenNMS, where discovery is performed by the main monitoring server but monitoring tasks are delegated to other polling servers.
Real time operation
Real-time reporting of network service performance is essential for an organization to allow timely remedial action to be taken. Monitoring software is required to support continuous, real-time mechanisms that detect problems in the network as they happen. This process is referred to as fault management, and both solutions support it in many aspects. Both software solutions are event-driven and it is possible to generate alerts (SAM) or alarms (OpenNMS) based on customized conditions, assign a severity to each of them and also take appropriate actions, by either notifying the affected group of people by SMS or e-mail, running a corrective script, sending out an SNMP trap or generating a Syslog message. The main difference is, again, in the ease of use, since OpenNMS requires configuration XML files to be edited in order to generate a custom alert, which in many cases is a time-consuming process if the alert has a complex trigger condition. SAM has an application that handles alerting, and everything alert-related is configured with that application in a much shorter timeframe. Creating customized reports is also possible in both software solutions. However, a feature that really sets SAM apart in real-time operation monitoring is called User experience monitors. This feature enables the network administrator to measure service performance from an end user's perspective, ensuring availability and, most of all, performance, which is critical especially for web services, as even a short performance degradation can be a costly issue for a business organization.
Granularity
Each service utilizes a number of network protocols; therefore, monitoring the performance of the services requires capturing the performance of a particular protocol. This allows the administrator to isolate the root cause of a performance degradation, and in a network with a large number of network services the administrator should be able to make that distinction as quickly as possible. Root cause analysis is one of the most critical features contributing to the success of any network monitoring solution, and both tested products provide this functionality to the network administrator. In SAM this is provided by Dynamic service groups. This feature enables the administrator to organize servers, services and applications into groups and provides a service-level status across the organization. It is also possible to group objects according to the logical connection between them or their geographic location, so that after a failure, determining the root cause is very quick. A similar approach can be seen in OpenNMS, with its Drools business logic engine, which is used for rule-based event correlation. The administrator is able to configure priority-based alarms and notifications that are defined by business rules. This gives the administrator the ability to perform a quick root cause analysis, if the rules are appropriately configured to support the organization's needs.
Diversity
A network in an organization usually consists of network elements from multiple vendors, protocols and applications pieced together to provide a complete package of services. Any monitoring solution should be able to handle this diversity. A comparison of the default service monitoring capabilities of both tested solutions is displayed in Table 2. This includes only out-of-the-box functionality, and it needs to be pointed out that both products support configuring additional monitoring capabilities. These configuration templates are created by community members and are publicly shared on the products' forums. As seen in the table, the most significant difference is that SAM is able to monitor Microsoft services that are highly utilized in enterprise environments, specifically Active Directory, SharePoint, IIS and remote desktop services.

SAM     | Cisco Call Manager, Citrix services, DHCP, DNS, FTP, HTTP, ICMP, IMAP,
        | Informix, Microsoft Active Directory, Microsoft Exchange, Microsoft
        | Internet Information Services (IIS), MTP, NNTP, Oracle DB, MySQL DB,
        | POP3, Postgres, SNMP, Sybase, TCP, Windows Print services, Windows
        | remote desktop services, Windows OS services, Windows Share Point services
OpenNMS | Citrix services, DHCP, DNS, FTP, HTTP, ICMP, IMAP, Informix, Microsoft
        | Exchange, MySQL DB, Notes IIOP, Oracle DB, Microsoft DB, POP3, Postgres,
        | SMTP, SNMP, SSH, Sybase, TCP

Table 2: Supported network services in SAM and OpenNMS

Low cost
The cost of deploying and operating the monitoring solution must be low, implying that the system must use the least amount of computing, storage and communication resources. In this aspect both solutions are very similar, as neither requires any special hardware and both can run on any desktop PC, even though the requirements of SAM are higher in CPU power, RAM and HDD space. Both solutions are able to monitor hundreds of devices with just one monitoring server, but when managing a network with thousands of network elements and services, the aforementioned distributed monitoring is needed to handle the amount of data.

5.3 ISO/IEC 27002 implementation guidance

After the comparison of SAM and OpenNMS, I have decided to test SAM in my practical part, mainly due to its broader monitoring functionality. As I stated earlier, OpenNMS lacks monitoring capabilities for services like Active Directory or Microsoft Share Point, which are widely used in enterprise environments; therefore, their monitoring is essential for an organization. As in the previous chapter, I will use the implementation guidance from ISO/IEC 27002 to test the product and analyze its capability to follow this guidance. However, since the standard does not provide requirements as thorough as needed in this chapter, I have decided to utilize [4], as it offers a more exhaustive explanation of the controls and guidance in both standards. In the implementation guidance of control 10.6.2 Security of network services, the standard states the following:
„The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed“ [13]. The organization is required to provide a clear description of the security attributes, expected service levels and management requirements of all network services that it utilizes, referring to outsourced as well as internal network services. A clear description of these characteristics should be provided so that the appropriate risk assessments can be carried out and so that, when incidents involving these services take place, appropriate information is available to take remedial actions. The testing was done in the same environment as in the previous chapter, and it needs to be pointed out that no outsourced network services were used, so this chapter will focus mainly on internal network services, their security and the ability to monitor them regularly.
As was demonstrated during the comparison of the solutions, SAM is strongly oriented towards Microsoft and Windows-based services and provides corresponding security features. By default, it has a monitoring template that allows the administrator to monitor a Windows Server-based Domain controller and the security of its services. This monitor includes checking for events from the Windows security log, and monitoring for replay attacks, Domain and Kerberos policy changes and Windows firewall setting changes. Another security monitor is based on a Windows script that searches the Event log for specific events that occurred during a specified timeframe and also reports the number of occurrences to the SAM statistics. The next Event log monitor scans for recent events matching user-defined criteria. After a matching event is found, the component monitor goes to Down status and after a defined time returns to Up status, so that alert creation is possible in case of an incident. SAM also has a template for Microsoft Network Policy Server, which uses the Windows System and Security Event Logs to assess the status and overall performance of the NPS. The last security-related monitor that is part of SAM by default is for Cisco Secure Access Control Server5, which monitors its key services like Authentication, TACACS (Terminal Access Controller Access-Control System) and RADIUS (Remote Authentication Dial-in User Service), and also logs via SNMP. As stated earlier, many monitoring templates are created by the community, and the possibility to download them is integrated on the SAM website.
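As an added example that is not SAM's own script, the Event log monitors described above modelled in Python: the count of matching Security log events within a timeframe, and the component status that goes Down when a matching event is seen and returns to Up after a defined hold time, with the Up-to-Down transitions as the points at which an alert would be raised. The event records, users and times are constructed; the event IDs are standard Windows Security log IDs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One Windows event log record (constructed for this example)."""
    time: datetime
    event_id: int
    source: str
    message: str


T0 = datetime(2012, 3, 1, 8, 0, 0)


def at(minutes):
    """Helper: a timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


# Windows Security log event IDs used below:
#   4625 = an account failed to log on
#   4713 = Kerberos policy was changed
#   4739 = domain policy was changed
FAILED_LOGON = {4625}
POLICY_CHANGE = {4713, 4739}

# Constructed event log records (user names and messages are placeholders).
EVENTS = [
    Event(at(1), 4625, "Security", "failed logon, user=alice"),
    Event(at(2), 4625, "Security", "failed logon, user=alice"),
    Event(at(3), 4625, "Security", "failed logon, user=alice"),
    Event(at(20), 4739, "Security", "domain policy changed by admin"),
    Event(at(45), 4625, "Security", "failed logon, user=bob"),
]


def count_matching(events, event_ids, start, end):
    """Number of events with an ID in `event_ids` logged in [start, end).
    This is the occurrence count the script-based monitor reports as a statistic."""
    return sum(1 for e in events
               if e.event_id in event_ids and start <= e.time < end)


def component_status(events, event_ids, now, hold):
    """Status of the Event log component monitor at time `now`: Down if the
    most recent matching event is less than `hold` old, otherwise Up."""
    matches = [e.time for e in events
               if e.event_id in event_ids and e.time <= now]
    if matches and now - max(matches) < hold:
        return "Down"
    return "Up"


def poll(events, event_ids, start, end, interval, hold):
    """Evaluate the monitor at every polling time from start to end (inclusive)."""
    result = []
    now = start
    while now <= end:
        result.append((now, component_status(events, event_ids, now, hold)))
        now += interval
    return result


def alert_times(polls):
    """Polling times at which the monitor went from Up to Down; these are the
    transitions an alert rule on the component status would fire on."""
    alerts, previous = [], "Up"
    for when, status in polls:
        if status == "Down" and previous == "Up":
            alerts.append(when)
        previous = status
    return alerts


if __name__ == "__main__":
    five_min = timedelta(minutes=5)
    print("failed logons in first 10 min:",
          count_matching(EVENTS, FAILED_LOGON, at(0), at(10)))
    for when, status in poll(EVENTS, POLICY_CHANGE, at(0), at(30), five_min, five_min):
        print(when.time(), status)
```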
One of the best rated security monitors created by community members is Linux Active Directory User Authentication Check, which verifies whether user authentication against AD ran correctly. This is a valuable addition to such a Microsoft-oriented product.
After defining the expected service levels and management requirements for all network services, as stated in ISO/IEC 27002, a regular monitoring process needs to be started. Figure 2 depicts the ease of root cause analysis if a service stops responding or is in a critical state. Besides the real-time monitoring features and the event and alert generation analyzed in the previous chapter, SAM also provides advanced reporting functions, the most critical being availability, response time and service status reports. By default, CPU and memory usage reports are also available on the website.

Figure 2: Root cause analysis in SAM
The paragraph Other information in ISO/IEC 27002 also recommends that the organization monitor the technical parameters of the network connection in accordance with the defined network connection rules. The networking core of SAM is identical to that of NPM, analyzed in the previous chapter; therefore the network administrator is aware of everything that happens on the organization's network and is notified about any network-related incident. What organizations may consider a useful advantage is the ability of SAM to integrate with NPM (due to the same core module), providing a complete solution for server and network service monitoring. Table 3 displays statistics about the deployment of NPM integrated with SAM on a VMware virtual machine running Windows Server 2008 R2 with a preinstalled MSSQL Server 2008. The software was used to discover and monitor the same network that was defined in chapter 4.3; specifically, the services from Figure 3 were chosen to be discovered. SAM successfully discovered 84 services that matched the predefined criteria and started monitoring immediately.

5 Provides an identity-based access policy system for information networks and is the integration and control platform for managing access policy for network resources [16].

The standard also states that procedures for network service usage should be implemented to restrict access to network services where necessary. In SAM, this is possible with the Advanced alert manager and its ability to execute configuration scripts or external programs after a certain user-defined condition occurs during service usage. Utilizing it, the administrator can, for instance, block access to a specific service when the CPU or memory usage of the server is at a high level.

Task              | Time
Installation      | 5m:8s
Configuration     | 5m:41s
Network discovery | 12m:19s
Service discovery | 54m:23s

Table 3: Integration of SAM and NPM

Figure 3: Selected services to discover in SAM

6 Incident management

During the course of administering an organization's information system and its IT equipment, a lot of security events and incidents need to be handled. It is important to point out that a security incident and a security event are two different things. According to [28], a security event is an occurrence in the system relevant to the security of the system. On the other hand, a security incident is defined as any adverse event that might threaten some aspect of computer security (specifically confidentiality, integrity and availability). The process of incident management focuses on gathering information about these issues and reestablishing the original, properly working state of the system without affecting the organization's productivity. Tools for incident management support this process by providing means for every member of the organization to notify their IT department, or any responsible person, using an organization-wide accessible system, usually a webpage. In this chapter, I have decided to analyze and test two incident management tools, specifically Dell KACE Service Desk and Hesk. First, their compliance with ISO/IEC 27001 [1] will be verified. Afterwards, both tools will be compared according to the critical success factors of incident management as described in ITIL (Information Technology Infrastructure Library) [18], and in the final part of this chapter one chosen solution will be tested using the implementation guidance from ISO/IEC 27002 [13].

6.1 ISO/IEC 27001 requirements

To be able to analyze incident management, a definition of the term incident needs to be established first. According to ISO/IEC 27001, an information security incident is: „A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security“ [1]. The standard considers incident management in part A.13.2 Management of information security incidents and improvements, whose objective is to ensure that a consistent and effective approach is applied to the management of information security incidents. Control A.13.2.1 Responsibilities and procedures requires the following: „Management, responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incident“ [1]. Both tools are compliant with this control, as they offer web-based incident reporting where, after proper deployment, the webpage is accessible from every computer in the organization and every employee has the right to report an incident, which will then be resolved by the IT department. After resolving the issue, the user that submitted the incident is notified about its status, or a workaround is suggested by the person responsible for handling the incident.

6.2 Software comparison

When an organization aims to have a successful incident management system, the process of incident management needs to be divided into a number of key activities. I have decided to analyze the ability of both software solutions to perform these key activities as specified in [18]:
• Incident identification and registration
After an incident is detected, it should be reported and a corresponding record needs to be created in the incident management system. As I stated earlier, both tools support this activity with their organization-wide accessible web pages, where all incidents are submitted by users and resolved by the organization's IT team. These records are stored in the databases of the respective products for the purpose of generating historical reports and creating knowledgebase pages as a response to past incidents.
• Categorization and prioritization
Tools should provide the possibility to distinguish incidents by various types of attributes, for instance the type of incident or its current status. Every incident also needs its own prioritization code that determines how it is handled by the responsible personnel. Both of these requirements are fulfilled in KACE and Hesk, where besides the above-mentioned basic priority selection and categories, it is possible to create custom categories according to the structure of the organization and its general needs. However, KACE was ready out of the box with more options to select when reporting an incident, specifically location, department and, most importantly, a default option to state the number of people impacted by the incident.
• Diagnosis
Diagnosis of the incident is carried out in order to discover its full symptoms. The user should be able to notify administrators about everything relevant that may help with solving the issue. This is one of the most basic requirements, and both tools have the means to make the diagnosis easier for the people responsible for resolving the incident. They provide options for describing the problem, along with attaching the relevant files. Limitations can be applied so that only specified file formats can be attached to the incident record, and the file size can also be limited by the system's administrator.
• Escalation
If the incident is critical, there needs to be an option to escalate it for further support, and the appropriate managers of the organization should be notified about the issue. This feature is available in both KACE and Hesk. The administrator is able to create users and user groups according to the structure of the organization, and if a support engineer is unable to resolve an incident within a given time frame, it can be referred to next-level support. The corresponding group of users will be notified, together with the user who submitted the issue.

• Resolution and recovery
After the solution has been found, affected users should be notified, and solutions and issue workarounds need to be archived for future reference. This is also one of the basic requirements of any incident management software and is supported in both tested solutions. After an incident is resolved, the user that submitted it is notified about it by the responsible staff, or a workaround is proposed and the response contains the steps the user needs to take in order to fix the incident. As I already mentioned, there is also the possibility to add resolved cases to Knowledgebase pages, allowing users to search already resolved issues, which gives a quicker response time when the incident is similar or identical to one that already occurred in the past.
• Incident closure
After the resolution, confirmation from the user who submitted the issue needs to be received in order to successfully close the incident. This is the last step in the process of incident management and it is also supported in both tested tools. KACE adds the ability to submit feedback about the resolution of the incident, which can afterwards be utilized by the management of the organization to assess the effectiveness and reliability of the personnel responsible for incident management.
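As an added example (not the code of KACE or Hesk), a minimal model in Python of the key activities compared above: registration, diagnosis, time-frame-based escalation to the next support level, resolution, closure only after the submitter confirms (with optional feedback), and a status report of the kind the reporting module produces. Priorities, time frames, support group names and ticket data are assumed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2012, 3, 1, 9, 0, 0)


def at(minutes):
    """Helper: a timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


# Assumed time frame a support level has to resolve an incident of the given
# priority before it is referred to the next level.
ESCALATION_AFTER = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}
# Assumed support groups, in escalation order.
SUPPORT_LEVELS = ["helpdesk", "second-level", "management"]


@dataclass
class Incident:
    ticket_id: int
    submitter: str
    description: str
    category: str
    priority: str
    opened: datetime
    status: str = "open"            # open -> resolved -> (stalled) -> closed
    level: int = 0                  # index into SUPPORT_LEVELS
    level_since: Optional[datetime] = None
    resolution: Optional[str] = None
    feedback: Optional[str] = None
    log: list = field(default_factory=list)   # (time, recipient, text)


def register(ticket_id, submitter, description, category, priority, now):
    """Identification and registration: create the record, notify first-level support."""
    if priority not in ESCALATION_AFTER:
        raise ValueError(f"unknown priority {priority!r}")
    inc = Incident(ticket_id, submitter, description, category, priority,
                   opened=now, level_since=now)
    inc.log.append((now, SUPPORT_LEVELS[0], f"registered: {description}"))
    return inc


def diagnose(inc, note, now):
    """Diagnosis: the engineer records findings; the submitter sees the update."""
    if inc.status in ("resolved", "stalled", "closed"):
        raise ValueError("incident is already resolved")
    inc.log.append((now, inc.submitter, f"diagnosis: {note}"))


def check_escalation(inc, now):
    """Escalation: when the current level has exceeded the priority's time
    frame, refer the ticket to the next level and notify that group and the
    submitter. Returns True if an escalation happened."""
    if inc.status in ("resolved", "stalled", "closed"):
        return False
    if inc.level >= len(SUPPORT_LEVELS) - 1:
        return False
    if now - inc.level_since > ESCALATION_AFTER[inc.priority]:
        inc.level += 1
        inc.level_since = now
        group = SUPPORT_LEVELS[inc.level]
        inc.log.append((now, group, f"escalated ticket {inc.ticket_id}"))
        inc.log.append((now, inc.submitter, f"referred to {group}"))
        return True
    return False


def resolve(inc, resolution, now):
    """Resolution and recovery: record the fix or workaround, notify the user."""
    if inc.status in ("resolved", "stalled", "closed"):
        raise ValueError("incident is already resolved")
    inc.status = "resolved"
    inc.resolution = resolution
    inc.log.append((now, inc.submitter, f"resolved: {resolution}"))


def close(inc, confirmed, feedback, now):
    """Closure: only after the submitter confirms; without confirmation the
    ticket is marked stalled. Feedback is kept for management reporting."""
    if inc.status not in ("resolved", "stalled"):
        raise ValueError("only a resolved incident can be closed")
    if not confirmed:
        inc.status = "stalled"
        inc.log.append((now, SUPPORT_LEVELS[inc.level], "closure not confirmed"))
        return inc.status
    inc.status = "closed"
    inc.feedback = feedback
    inc.log.append((now, SUPPORT_LEVELS[inc.level], "closed"))
    return inc.status


def status_report(incidents):
    """Ticket IDs grouped by status, as a status-sorted report lists them."""
    rows = {}
    for inc in incidents:
        rows.setdefault(inc.status, []).append(inc.ticket_id)
    return rows
```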

6.3 ISO/IEC 27002 implementation guidance

Comparison of Hesk and KACE has shown that both software solutions are ITIL-ready and are
able to perform the critical activities needed for successful incident management. In this part, I
have decided to test Dell KACE Service Desk, as it is integrated with other Dell Management ap-
plications, for instance Asset management, Patch management or Software distribution, providing
the organization with a centralized way of managing certain aspects of information security. There
are several steps recommended by ISO/IEC 27002 in its implementation guidance, however, I have
decided to test software's compliancy only with points directly concerning incident management
since for instance vulnerability management that is also mentioned in the guidance, will be consid-
ered independently in the following chapter and service monitoring and management was already
analyzed in the previous chapter. Guidelines recommended to be considered are defined as follows:
• „Audit trails and similar evidence should be collected and secured...“ [13].
The integrated Reporting module can be utilized to follow this guideline. By providing a number of options to generate various reports, it gives the organization's management the needed historical evidence about any incidents that occurred in the past. Customization of reports is possible as well and is based on executing user-defined SQL queries. A useful feature of the reporting module is also the ability to save files in .csv, .html or .txt format, which can be utilized for archiving purposes. However, the most critical feature of reporting is that it provides data about current or historic incidents sorted into reports according to their status (resolved, stalled, opened etc.), responsible person, priority and other attributes that are assigned to the incident. Besides historical evidence about incidents, reports enable management to keep track of the work effectiveness of the personnel responsible for handling incidents using built-in Work Reports.
• „Action to recover from security breaches and correct system failures should be carefully and formally controlled“ [13].
Every action that is taken during the process of resolving an incident is documented on the page of the incident ticket on the KACE webpage. The user who submitted the incident is notified about the progress of the resolution or any update to his ticket. There is also a possibility to send all the ticket details in an e-mail to higher management if needed, so that proper controlling procedures can be established.
• Incident management procedures according to [13] should cover:
1) analysis and identification of the cause of the incident
2) containment
3) planning and implementation of corrective action
4) communication with those affected by or involved with recovery from the incident
5) reporting the action to the appropriate authority
6) problem management
The majority of these guidance steps have already been considered in the previous part of this chapter, during the comparison of the tools with ITIL requirements, and it was proven that KACE is able to follow this guidance. It allows the user to work closely on helping with the incident resolution by providing the data needed for analysis and identification of the incident's cause. The KACE webpage works as a communication channel between the user, the person responsible for the incident and all users affected by the recovery process, as well as management.

Figure 4: Incident ticket page in KACE
Figure 4 displays KACE's incident webpage, where the basic options can be seen. KACE provides a centralized database that stores all the critical data of the whole containment process. As stated earlier, any documentation about the implementation of a corrective action is stored on the knowledgebase page for future reference, providing a quicker incident recovery if a similar incident occurs in the future. By creating a group of users with a defined role in the KACE system, the management of the organization is able to generate customizable reports about incident management, schedule their creation and also set appropriate e-mail or webpage alerts if an incident occurs (sending SMS alerts is not supported). This functionality gives the appropriate authorities in the organization control of the whole incident management process. KACE also supports problem management⁶, as the reports provided give the administrator statistical data about frequent, high-severity incidents, and he is able to resolve them permanently instead of suggesting a temporary workaround.

⁶ The process of resolving frequently occurring incidents, with focus on eliminating the root cause rather than suggesting a quick but temporary solution [31].

7 Vulnerability management

Vulnerability in general has many definitions; however, in the field of information security the definition is much more specific. According to [13], a vulnerability is: „a weakness of an asset or group of assets that can be exploited by a threat.“ In specific cases, the weakness can also be a property of an asset. The objective of vulnerability management is to reduce the risks resulting from the exploitation of technical vulnerabilities. It should be implemented in an effective, systematic and repeatable way, with measurements taken to confirm its effectiveness. Implementation of vulnerability management in any organization should consider operating systems as well as any other applications being used [13]. The goal of this chapter is to compare and analyze available vulnerability management tools. I have decided to choose Tenable Nessus and Security Manager Plus, both being commercial solutions. Firstly, compliance with [1] will be verified. In the following chapter, both solutions will be compared according to the methodology defined in [20]. In the last part of this chapter, one chosen solution will be tested and its ability to follow the guidance in [13] will be demonstrated.

7.1 ISO/IEC 27001 requirements


ISO/IEC 27001 considers vulnerability management in 12.6 Technical Vulnerability Management, specifically in A.12.6.1 Control of technical vulnerabilities. The control requires the following from an organization: „Timely information about technical vulnerabilities of information systems being used should be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk“ [1]. Nessus and Security Manager Plus comply with this requirement, as they provide means for centralized vulnerability management via their web pages, both having specific vulnerability scanning algorithms that obtain information about the technical vulnerabilities that need to be handled. Both tools also provide exhaustive reports about all the vulnerabilities, and every vulnerability found has an assigned solution in order to help the organization's administrator take the necessary steps to address the risk.

7.2 Software comparison


Vulnerability management is a very complex process, particularly in large organizations that utilize IT as much as possible, where the number of vulnerabilities rises at an exponential pace on a daily basis. According to Gartner's analysis [20], there are six steps needed for the implementation of a successful vulnerability management system. I will use this analysis to compare Tenable Nessus and Security Manager Plus. The steps are defined as follows:

1. Policy definition
The first step is based on defining the desired state for device configurations, user identity and resource access. This is supported in Tenable Nessus before the start of vulnerability scanning, where the administrator can define a custom scanning policy based on the organization's requirements and its software and hardware equipment. For instance, it is possible to define scanning only for Windows vulnerabilities or Cisco device vulnerabilities if the organization does not own devices or software from any other vendor. Another way of utilizing it is creating a large number of different policies and running only certain scans when needed, in order to save time and resources. The level of granularity when defining a policy is high, since you can select even specific vulnerabilities from a vendor or a service. In Security Manager Plus, policy definition is supported using so-called Vulnerability groups, where it is possible to define your own parameters of the scan based on specific requirements.
2. Create a baseline of the environment
After creating the corresponding policies or vulnerability groups in the previous step, scanning can be initiated. In order to scan for specific operating system vulnerabilities, both tools need to be provided with credentials for every operating system used in the network. When scanning with SNMP, SNMP community strings are also required. Afterwards the desired IP range is entered and the administrator is able to define other scanning parameters, for instance the ports or protocols to be scanned. When the scan completes, Tenable Nessus generates a report verifying compliance with the predefined policy. The report is editable, allowing the removal of false positives, and is also exportable to .html. In Security Manager Plus, after the scan completes, the most critical data are displayed on the homepage of the product, specifically tables with the most vulnerable assets and asset groups, the prevalent vulnerabilities in the network and the latest found vulnerabilities. Both solutions provide a feature for comparing scan results in order to make the investigation process easier for the administrator.
3. Prioritization of mitigation activities
Both solutions assign a severity to particular vulnerabilities, so the organization's IT personnel are able to deal with the most critical risks sooner. In addition to sorting vulnerabilities, Security Manager Plus adds the ability to classify assets according to the organization's policy and create asset groups. It is possible to model the whole structure of the organization using assets and asset groups. For instance, routers are part of a separate group and Windows workstations belong to another asset group. This way, the administrator is able to distinguish in which asset group the most critical vulnerabilities occur and tend to them in as short a timeframe as possible.
4. Shielding the environment
Prior to eliminating the vulnerability, shielding the environment should be completed. This can only be achieved with external desktop or network security tools. However, both products integrate with the National Vulnerability Database⁷ (Tenable Nessus requires a plug-in to be installed) and each found vulnerability is linked with NVD using a unique ID. On each vulnerability page of NVD there are references to advisories, technical details, solutions and tools needed to successfully eliminate the vulnerability. Information about the procedures required to shield the environment can be found here or derived from the information present in NVD and the referred websites.

⁷ U.S. government repository of standards-based vulnerability management data. NVD enables automation of vulnerability management, security measurement, and compliance and includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics [21].
5. Mitigation of vulnerabilities
The goal of this step is to eliminate the root cause of the discovered vulnerability. As stated earlier, every vulnerability in both solutions has an assigned solution that needs to be followed in order to mitigate or eliminate the vulnerability. In addition to that, both solutions have integrated patch management systems that are able to verify whether or not specific patches are installed on managed hosts. Nessus is able to notify and generate compliance reports about Windows, Unix or third-party patches, but is not able to automatically deploy them to managed hosts using the website. On the other hand, Security Manager Plus does not support third-party application patches, but is able to deploy supported Microsoft and Linux patches centrally to defined hosts using its website. It is also possible to configure attributes such as when to schedule the updates, restarting or shutting down a host after patch deployment, displaying a message after a patch has been installed on a system, or sending an e-mail notification. Integration with the aforementioned NVD can also be utilized in this step, since the database provides exhaustive descriptions and many external references.
6. Maintaining and monitoring the environment
This last step refers to monitoring the environment for new vulnerabilities and deviations from previously defined policies. This is the basic and most critical functionality of vulnerability management systems and is supported in both solutions. Scheduling previously defined scanning jobs with a defined recurrence is possible, and the administrator is notified about completion and results. Figure 5 demonstrates scan scheduling in Security Manager Plus. As can be seen in the scheduling dialog, there are various reports that can be attached to the e-mail that will be sent to the system administrator.

Figure 5: Scan scheduling in Security Manager Plus

7.3 ISO/IEC 27002 implementation guidance

After the analysis of Security Manager Plus (henceforth referred to as SMP) and Tenable Nessus, I have decided to choose the former to demonstrate its compliance with ISO/IEC 27002. The reason is its ability to deploy patches in a centralized manner, since in large organizations having this functionality is crucial and saves a lot of time compared to manual deployment. There is a large number of points to be considered in the standard's guidance, many of them requiring actions from the organization's management. I will focus mainly on the guidance that concerns software tools and their ability to comply with it. As stated in the standard, specific information is needed as a prerequisite for effective vulnerability management. Most importantly, a complete inventory of assets is needed; this is provided on the Inventory page of SMP, which shows the installed software and operating systems throughout the organization and also adds information about the most changed assets and entities. Other required information is the software vendor, version numbers, current state of deployment, and the person within the organization responsible for the software. These prerequisites are provided by SMP on the detail page of every asset. There is a number of steps that need to be considered by the management before seeking compliance with a specific software tool. The guidance states that the organization should define and establish roles and responsibilities associated with vulnerability management. After successfully completing this step, the information resources that will be used to identify vulnerabilities and to maintain awareness about them should be identified, together with a timeline defining the required reactions to vulnerability discoveries. The subsequent guidance that is relevant to software tool compliance is defined as follows:
a) „Once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems and/or applying other controls“ [13].
SMP is able to fulfill this by providing the needed information about a successful solution, an exhaustive description that identifies the risks associated with the vulnerability, and also a detailed explanation of how the specific vulnerability is exploited. If a patch, service pack or needed package is available, the administrator is notified and given the possibility to deploy it to all affected hosts. Table 4 displays SMP's vulnerability scanning results on a Cisco router using SNMP. As can be seen from the table, the majority of the identified vulnerabilities are labeled with high severity, since the router is one of the most critical elements of the organization's network and any exploitable vulnerability indicates a costly threat for the organization.

Severity  Port  Description
High      161   Cisco IOS IPv4 input queue blocking denial-of-service.
High      161   Cisco TFTP Long Filename Vulnerability.
High      161   Cisco IOS Software TCP Initial Sequence Number Randomization Improvements.
High      161   Cisco IOS ICMP Redirect Routing Table Modification Vulnerability.
High      161   Ntpd Remote Buffer Overflow Vulnerability.
Other           Echo service is running.

Table 4: Results of vulnerability scanning in Security Manager Plus (Cisco router)

b) „Depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management or by following information security incident response procedures“ [13].
As stated earlier, SMP is able to model the organization's structure using Assets and Asset Groups, and it displays the most critical vulnerabilities and the most vulnerable assets on its home page. Utilizing these statistics, the responsible personnel are able to take appropriate remedial actions according to the data provided by SMP or by following information security incident response procedures. The statistics provided by SMP also enable administrators to follow the guidance mentioned further in the standard about the need to address systems at high risk first.
c) „If a patch is available, the risks associated with installing the patch should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch)“ [13].
SMP's patch management module is closely connected to Microsoft's Knowledgebase pages and TechNet, where the consequences of installing the patch are described in detail and any related caveats are mentioned. In addition to that, SMP is able to list all the relevant file and registry changes the patch makes in the system. This detailed information about patches is periodically downloaded from the Central Repository Server, which is hosted by the company responsible for SMP. If the vulnerability has not occurred on the Windows platform, the integration with the aforementioned NVD can be utilized to follow this guidance, as a vendor statement or external references provide the needed information about the risks associated with installing the patch. ISO/IEC 27002 also recommends testing and evaluating patches before installing them, which is simple to accomplish using the integrated deployment mechanisms and install scripts if there is a reference machine available for this purpose.
d) „An audit log should be kept for all procedures undertaken“ [13].
There is a number of built-in audit reports, and SMP also has the ability to generate custom reports to fit the organization's needs. Table 5 provides an overview of all the built-in audit reports that are available in SMP.

NAME                             DESCRIPTION
Executive report                 Summary report of vulnerability scanning, used mostly by management
Remediation report               In-depth report of selected assets and their vulnerabilities including solutions and links to references
Vulnerability report             Lists security vulnerabilities for the selected assets
Differential report              Report comparing results of two scans
Service pack and patches report  Report listing missing service packs and patches for the chosen assets
File and registry change report  Displays files, folders and registry changes made on the selected assets

Table 5: Built-in audit reports in Security Manager Plus

e) „The technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency“ [13].
Reporting in SMP can be utilized in this step as well, especially the Executive report, Vulnerability report and Differential report. The Differential report provides details about the level of success of vulnerability management by comparing two independently launched scans and gives the management statistics about the efficiency of the personnel responsible for vulnerability management.
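The Differential report described in point e), and the scan comparison mentioned in step 2 of section 7.2, can be illustrated with the following added example, which is not code from Security Manager Plus or Tenable Nessus: two constructed scan results (the router findings are those of Table 4; the workstation findings, asset names and asset groups are invented) are matched per asset and port to list fixed, new and persisting vulnerabilities, flag high-severity findings that survived between scans, and compute a remediation rate.

```python
"""Differential scan report: compare two vulnerability scans of the same assets.

Added example, not code from Security Manager Plus or Tenable Nessus. It
imitates what the thesis calls a Differential report: findings from a baseline
scan and a later scan are matched per asset, so that fixed, new and persisting
vulnerabilities can be listed, the most vulnerable asset groups ranked and a
remediation rate derived as a measure of how effective the process was.
All scan data below are constructed; the Cisco router findings are taken from
Table 4 of the thesis, the other host and the asset names are invented.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Other": 0}


@dataclass(frozen=True)
class Finding:
    asset: str        # host name or IP as reported by the scanner
    group: str        # asset group, e.g. "Routers" or "Windows workstations"
    severity: str     # scanner severity label
    port: int         # 0 when the scanner reports no port
    description: str  # scanner's vulnerability title

    def key(self) -> Tuple[str, int, str]:
        # A finding is "the same" across scans when it hits the same asset,
        # port and vulnerability; severity may be re-rated between scans.
        return (self.asset, self.port, self.description)


@dataclass
class DiffReport:
    fixed: List[Finding]
    new: List[Finding]
    persisting: List[Finding]

    def remediation_rate(self) -> float:
        """Share of baseline findings no longer present in the later scan."""
        baseline = len(self.fixed) + len(self.persisting)
        return len(self.fixed) / baseline if baseline else 1.0

    def overdue(self, min_severity: str = "High") -> List[Finding]:
        """Persisting findings at or above a severity: these were not handled
        within the reaction timeline the guidance asks the organization to set."""
        threshold = SEVERITY_RANK[min_severity]
        return [f for f in self.persisting if SEVERITY_RANK[f.severity] >= threshold]


def _rank(f: Finding) -> Tuple[int, str, int]:
    # Most severe first, then by asset and port for a stable listing.
    return (-SEVERITY_RANK[f.severity], f.asset, f.port)


def diff_scans(baseline: Iterable[Finding], current: Iterable[Finding]) -> DiffReport:
    """Match findings of two scans by (asset, port, description)."""
    before = {f.key(): f for f in baseline}
    after = {f.key(): f for f in current}
    fixed = [f for k, f in before.items() if k not in after]
    new = [f for k, f in after.items() if k not in before]
    # Report the current record for persisting findings so a re-rated severity is visible.
    persisting = [f for k, f in after.items() if k in before]
    return DiffReport(sorted(fixed, key=_rank), sorted(new, key=_rank), sorted(persisting, key=_rank))


def most_vulnerable_groups(findings: Iterable[Finding]) -> List[Tuple[str, int]]:
    """Rank asset groups by number of High findings, like SMP's home page table."""
    counts = Counter(f.group for f in findings if f.severity == "High")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample data: router findings from Table 4, workstation invented.
ROUTER = "rtr-core-01"
BASELINE = [
    Finding(ROUTER, "Routers", "High", 161, "Cisco IOS IPv4 input queue blocking denial-of-service."),
    Finding(ROUTER, "Routers", "High", 161, "Cisco TFTP Long Filename Vulnerability."),
    Finding(ROUTER, "Routers", "High", 161, "Cisco IOS Software TCP Initial Sequence Number Randomization Improvements."),
    Finding(ROUTER, "Routers", "High", 161, "Cisco IOS ICMP Redirect Routing Table Modification Vulnerability."),
    Finding(ROUTER, "Routers", "High", 161, "Ntpd Remote Buffer Overflow Vulnerability."),
    Finding(ROUTER, "Routers", "Other", 0, "Echo service is running."),
    Finding("ws-acct-07", "Windows workstations", "High", 445, "Constructed: missing Microsoft security update."),
    Finding("ws-acct-07", "Windows workstations", "Low", 135, "Constructed: low-severity finding."),
]
CURRENT = [
    # Router: IOS and ntpd were updated, so four findings are gone; TFTP and echo remain.
    Finding(ROUTER, "Routers", "High", 161, "Cisco TFTP Long Filename Vulnerability."),
    Finding(ROUTER, "Routers", "Other", 0, "Echo service is running."),
    # Workstation: patch deployed, but a new finding appeared after a software install.
    Finding("ws-acct-07", "Windows workstations", "Low", 135, "Constructed: low-severity finding."),
    Finding("ws-acct-07", "Windows workstations", "Medium", 80, "Constructed: outdated third-party web component."),
]


def build_report() -> DiffReport:
    return diff_scans(BASELINE, CURRENT)


if __name__ == "__main__":
    report = build_report()
    print(f"fixed={len(report.fixed)} new={len(report.new)} persisting={len(report.persisting)}")
    print(f"remediation rate: {report.remediation_rate():.1%}")
    for f in report.overdue():
        print(f"STILL OPEN [{f.severity}] {f.asset}:{f.port} {f.description}")
    for group, n in most_vulnerable_groups(CURRENT):
        print(f"{group}: {n} high-severity finding(s)")
```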

8 Identity management

With the utilization of information technology in modern business organizations at such a high level, the need for identity management has emerged, since the digital identity of a user is as important as the physical identity. Identity management is a complex process that consists of many key elements, and the definition of the term itself is very difficult. From the information security standpoint, identity management is defined as a combination of business processes and technology used to manage user objects, identity attributes, authentication factors and security entitlements by providing automated and self-service processes for on-boarding, termination and every change that impacts a user between these events [22][23]. This chapter will focus on comparing two identity management solutions, namely Adaxes and Novell Identity Manager (henceforth referred to as Novell IdM). Firstly, compliance with ISO/IEC 27001 requirements will be verified. Afterwards both products will be compared according to the functional areas of identity management as described in [24]. In the final part of this chapter, one chosen solution's capability to follow ISO/IEC 27002 guidance will be tested.

8.1 ISO/IEC 27001 requirements


Identity management is a very complicated process and is divided into several key elements. ISO/IEC 27001 considers identity management in part A.11.2 User access management, consisting of four controls. These controls require the organization to have
• a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services;
• restricted and controlled allocation of privileges;
• a controlled password allocation process;
• regular formal reviews of users' access rights.
Both solutions are able to fulfill the requirements set by the standard, as they provide centralized user management procedures (provisioning, de-provisioning) controlled on the product's webpage, with the ability to integrate closely with HR or other departments of the organization. Both solutions also provide centralized organization-wide management of passwords, having control over users' access rights and privileges with regard to the organization's resources using, for instance, Active Directory services. However, there are different supported ways in which password, privilege and access management can be achieved using the solutions, depending on the technical equipment of the company. This will be described in detail in the next chapter.

8.2 Software comparison

There are a number of ways of assessing an identity management system, but to provide a comparison of functionality, I have decided to utilize the functional viewpoint described in [24]. Its main elements are defined as follows:
• User provisioning
Creation, maintenance and retirement of user identities for access to IT systems and services is the most essential requirement of an identity management system. Novell and Adaxes both provide means to automate user provisioning and its integration throughout the organization. Both solutions are able to work in an Active Directory environment and support SPML-based⁸ applications. Novell continually extends its integration capabilities using so-called Drivers, which then add support for SOAP, DSML, various user databases etc. User de-provisioning is also supported and can be customized based on specified conditions; for instance, an organization wants to de-provision a user after 6 months of inactivity. Both solutions are able to trigger specific actions after a condition occurs, for instance the creation of a home folder or a mailbox after creating a user. In Novell IdM this functionality is called Jobs and in Adaxes Business rules.
• Modeling and mapping
Using a management model to map users to resources is critical and saves a lot of time compared to manually assigning or revoking privileges. Both solutions support role-based modeling, where roles are defined based on the organization's structure. Afterwards, users are assigned those roles and are or are not able to perform specific tasks depending on their role. Rule-based resource mapping can also be used in both solutions, utilizing the aforementioned Business rules and Jobs.
• Delegated administration
Delivering means to distributed administrators for defining a hierarchy of roles to manage access to IT systems and services. In both Adaxes and Novell IdM delegation is possible and is based on the RBAC (Role-based access control) model, allowing the administrator to delegate certain permissions. For instance, in Adaxes the management of the organization can utilize a permission called Read Logging Information, which will allow managers to view user activity history. To make delegating activities more secure, the solutions use approval-based delegation, meaning that certain administrative activities can only be carried out after an authorized person gives approval.
• Self-registration or self-service
Self-service means delegation delivered down to individual users. In both solutions there are certain administrative tasks that individual users are able to perform by themselves. For instance, both support password self-service, allowing users to reset their passwords without the intervention of the IT department. Changing the user's personal profile without the need to contact the responsible department is also possible. In both solutions the self-service page is also used for controlling requests for resources and approving those requests by users authorized to do so.

⁸ Service Provisioning Markup Language is an XML-based framework for exchanging user, resource and service provisioning information between applications [25].
• Workflow
Workflow refers to the management of identity change, specifically request approval processes. In both solutions this is supported, and a request can be gradually escalated through different levels of users that are responsible for a specific resource's management. Using Jobs and Business rules, workflow-based provisioning can also be triggered without user interaction, based on a specific event occurring.
• Auditing, logging, and reporting
This point requires tracking the history of the identity life-cycle and reporting that information accurately. Both solutions provide extensive reporting and logging features. Adaxes logs are accessible through the Administration console, where logging can also be configured to only consider chosen objects or operations. The reports available by default on the Adaxes webpage show statistics about users, account status, password status, user groups, computers, organizational units, domain controllers and Microsoft Exchange. In Novell IdM, reporting is achieved using the Identity Reporting Module, which also has the capability to create custom reports. Predefined reports show data about access requests, account IDs, resource assignments, role assignments, user password and status changes, managed systems and identity vault related statistics. Secure, customizable logging and auditing of identity management activities is also supported in Novell IdM.
• Password management
The solution should provide an administrative interface for password policies, synchronization, and enforcement. Both solutions provide password synchronization with external applications and services, allowing users to need only one password for all the systems used. Enforcing a password according to a password policy is also supported, along with alerting specific users about upcoming password expiration.
• Integration
The ability to link multiple identity sources together is what separates the identity manager tools, because, as can be seen, the most important functional areas are well covered in both tested solutions. As stated in the first point of this comparison, Adaxes integrates with SPML-enabled provisioning systems. In addition to that, Adaxes is able to import and export Active Directory data in these formats: .ldif, .dsml, .xls, .csv, .txt, .html. This can be done either by using the administration console or by executing a PowerShell script. Integration in Novell IdM is achieved using Drivers that are constantly being created based on users' needs and feedback. The complete list of Drivers in the latest version of Novell IdM can be found in [26].

8.3 ISO/IEC 27002 implementation guidance

As stated before, identity management is divided into 4 controls in ISO/IEC 27001 (11.2.1 - 11.2.4), meaning that the implementation guidance in ISO/IEC 27002 covers several areas. However, most of the guidance refers to management decisions and duties, for instance giving users a written statement of their access rights or changing default vendor passwords after software installation. In this practical part I will consider only the guidance relevant in terms of identity management software and will test Adaxes and its ability to follow the guidance. ISO/IEC 27002 recommends that the organization consider the following:
• „The access control procedure for user registration and de-registration should include using unique user IDs to enable users to be linked to and held responsible for their actions“ [13].
Following this guidance is implied by Adaxes being used in an Active Directory environment, where every user has his own unique user ID, but this is only an internal implementation and is not seen on the outside. For instance, when importing users from a .csv file it is possible that two employees have the same first and last name. This can be handled by Business rules and their ability to execute PowerShell scripts: if this condition occurs, the script is able to append a specific character or a set of characters to the ID, providing the user with a unique identity in the system.
• „Maintaining a formal record of all persons registered to use the service“ [13].
The records of all users connected to Active Directory and managed via Adaxes are visible after running the Adaxes Administration Console, where by using so-called Business units the structure of the organization is modeled and users are assigned to certain business units. Records about disabled users, who are no longer able to use the service, are accessible as well.
• „Immediately removing or blocking access rights of users who have changed roles or jobs or left the organization“ [13].
There are many cases where user de-provisioning should be carried out, but there is no general definition of what should be performed, since there are many specific situations. Adaxes handles all these specific situations using Custom commands, where the administrator is able to specify a complex condition of when the de-provisioning should be carried out as well as what specific tasks should be performed in the system afterwards. To avoid mistakes in de-provisioning, approvals can be utilized. Custom commands can also be utilized in case of moving an employee within the organization when his access rights have to be re-allocated, as stated further in the ISO/IEC 27002 guidance.
• „Periodically checking for, and removing or blocking, redundant user IDs and accounts“ [13].
This task is performed by the built-in scheduled task called Inactive User Deleter, where the administrator is able to define the conditions after which an account needs to be deleted. Adaxes periodically checks the statuses of accounts and if the condition (for instance 6 weeks of user inactivity) occurs, the account is deleted.
• „An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete“ [13].
Using workflow-based provisioning in Adaxes, a user is granted privileges only if all responsible authorities approve. A record of all privileges is maintained and can be accessed using the Administration console. An administrator with sufficient rights is able to see the history of all requests and approvals granted in the system.
• „Establish procedures to verify the identity of a user prior to providing a new, replacement or temporary password“ [13].
The aforementioned password self-service can be utilized to follow this guidance. In case of a forgotten password, the user is able to reset it by himself only if he is able to answer the security questions defined earlier in his user profile or if he enters the correct verification code sent to him by SMS. There is also a possibility to combine these two methods for better security.
• „Changes to privileged accounts should be logged for periodic review“ [13].
It was mentioned in the previous chapter that Adaxes provides configurable logging, and using the Administration console the administrator is able to filter all events by the operation performed, initiator, target and host. Basic information about recent account modifications is also visible on the Reports webpage. Figure 6 displays logging in the Administration Console, specifically filtering all user account modifications.

Figure 6: Logging user account modifications in Adaxes
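The first guidance point of this section notes that a Business rule script can append characters to the ID when two imported employees share a first and last name. The following is an added example, not Adaxes code (Adaxes would run the equivalent as a PowerShell script from a Business rule), showing the generation algorithm in Python; the naming convention (first initial plus surname), the 20-character limit and the directory contents represented by an in-memory set are assumptions.

```python
"""Unique user ID generation for bulk import, added example (not Adaxes code).

Two employees imported from a .csv file may share a first and last name, so a
candidate ID derived from the name must be made unique before the account is
created. This version derives the ID from the name, strips diacritics and
characters that are not valid in a logon name, enforces the 20-character
sAMAccountName limit assumed here, and appends a numeric suffix on collision
with IDs that already exist in the directory or earlier in the same import.
The "directory" is an in-memory set and the CSV content is constructed.
"""
import csv
import io
import re
import unicodedata
from typing import Dict, Set

MAX_LEN = 20  # sAMAccountName length limit assumed for this example


def normalize(text: str) -> str:
    """Lower-case ASCII letters only: 'Sojčík' -> 'sojcik', "O'Brien" -> 'obrien'."""
    decomposed = unicodedata.normalize("NFKD", text)
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def base_id(first: str, last: str) -> str:
    """Naming convention assumed for the example: first initial + surname."""
    first_n, last_n = normalize(first), normalize(last)
    if not last_n:
        raise ValueError(f"cannot derive an ID from {first!r} {last!r}")
    return (first_n[:1] + last_n)[:MAX_LEN]


def unique_id(candidate: str, taken: Set[str]) -> str:
    """Append 2, 3, ... until the ID is unused; trim so the suffix still fits."""
    if candidate not in taken:
        return candidate
    n = 2
    while True:
        suffix = str(n)
        trial = candidate[: MAX_LEN - len(suffix)] + suffix
        if trial not in taken:
            return trial
        n += 1


def import_users(csv_text: str, existing_ids: Set[str]) -> Dict[str, str]:
    """Map each CSV row (keyed by employee number) to a unique logon ID.

    IDs are compared case-insensitively, as Active Directory does; an ID
    assigned earlier in the same import counts as taken for later rows.
    """
    taken = {i.lower() for i in existing_ids}
    result: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = unique_id(base_id(row["first_name"], row["last_name"]), taken)
        taken.add(uid)
        result[row["employee_no"]] = uid
    return result


# Constructed sample import: two Jan Nováks, names with diacritics and an
# apostrophe, and a surname long enough to hit the 20-character limit.
SAMPLE_CSV = """employee_no,first_name,last_name
1001,Jan,Novák
1002,Jan,Novák
1003,Pavol,Sojčík
1004,Mary,O'Brien
1005,Anna,Vondráčková-Hrdličková
"""
EXISTING_IDS = {"JNovak", "psojcik"}  # accounts already in the directory (constructed)


def run_sample() -> Dict[str, str]:
    return import_users(SAMPLE_CSV, EXISTING_IDS)


if __name__ == "__main__":
    for emp, uid in run_sample().items():
        print(emp, uid)
```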

9 Conclusion

The aim of this work was to analyze available software solutions for information security management, with a primary focus on compliance with ISO/IEC 27001. The work provided an overview of the latest commercial and open-source tools for ISMS, comparing two solutions for each area of focus in terms of functionality and the requirements specific to that area.
For server monitoring, Orion NPM and Nagios were chosen, as NPM is a Cisco-recommended network monitoring system and Nagios is the most widely used open-source project in the network monitoring field. Nagios is also available as a commercial solution called Nagios XI; however, this thesis focused only on the open-source alternative, Nagios Core. For network service monitoring, one open-source and one commercial solution were likewise chosen, namely OpenNMS and SAM; SAM uses the same network monitoring core as NPM, as both come from the same product line of network monitoring systems from Solarwinds. The chapter on incident management compared Hesk and Dell KACE Service Desk, the former being an open-source project and the latter a commercial solution from Dell's suite of system management appliances. In the chapter addressing vulnerability management, two commercial solutions were analyzed, specifically Tenable Nessus and Security Manager Plus. Tenable Nessus was recommended for comparison by the thesis consultant, since AEC is currently implementing it as a vulnerability management solution for their customers. The last chapter of the thesis focused on identity management and compared Novell Identity Manager and Adaxes, both solutions able to work in an Active Directory environment, performing the most critical user-related tasks in a centralized manner and also integrating with other systems used by an organization.
The comparison of open-source and commercial solutions pointed out that the difference was generally not in functionality but in the commercial solutions' completeness and better out-of-the-box readiness, as well as in the ability to perform specific tasks in a much shorter timeframe, which is critical when addressing information security in an organization.
Furthermore, significant differences were discovered in the ability of the tools to integrate and cooperate with other systems and solutions addressing different areas of information security. This was noticeable in the network service and server monitoring areas, as NPM and SAM were able to integrate into one centralized solution covering both areas. The identity management chapter also showed that the ability to cooperate with as many systems as possible was the most critical factor in the software comparison. Integration and cooperation capabilities are often the most crucial for organizations, as the interconnectedness of those systems improves both the productivity and the information security of the organization.
To thoroughly test one chosen software solution from each area, guidance from ISO/IEC 27002 was used, as that standard is the basis for the actual implementation of an ISMS. Each solution's ability to follow this guidance was analyzed and tested in order to assess the suitability of deploying it in an organization aiming for ISO/IEC 27001 certification. It was proven that all five tested solutions are able to successfully follow the guidance. However, as was emphasized in the thesis, the ability to follow ISO/IEC 27002 and consequently to achieve ISO/IEC 27001 compliance is not accomplished by the software itself. The whole management of the organization needs to be committed to continuously supporting the ISMS, since there are numerous duties that need to be carried out by the organization's managers.
This work may be followed by implementing a tool for managing a specific area of information security while taking advantage of the detailed analysis and comparisons this thesis provides.
The thesis will be utilized by AEC, spol. s.r.o., as the company will be able to offer and successfully implement the tested software tools in organizations pursuing ISO/IEC 27001 certification. The thesis can also be presented to customers of the company to provide them with an overview of the latest ISMS solutions, allowing them to choose the one that best addresses their needs.

Literature and references

[1] ISO/IEC 27001 Informační technologie – Bezpečnostní techniky – Systém managementu bezpečnosti informací – Požadavky [available internally]. Český normalizační institut, 2006–. Praha: XEROX ČR, s.r.o.
[2] Risk Management Implementation principles and Inventories For Risk Management/Risk Assessment methods and tools [online]. European Network and Information Security Agency, 2006 [quot. 7. 2. 2012]. Available at: <http://www.enisa.europa.eu/act/rm/cr/risk-management-inventory/files/deliverables/risk-management-principles-and-inventories-for-risk-management-risk-assessment-methods-and-tools/at_download/fullReport>.
[3] Information Security and ISO27001 – an Introduction [online]. IT Governance Ltd., 2006 [quot. 8. 2. 2012]. Available at: <http://www.itgovernance.co.uk/files/Infosec_101v1.1.pdf>.
[4] CALDER, A., WATKINS, S. A Manager's Guide to Data Security and ISO27001/ISO27002. London: Kogan Page Limited, 2008.
[5] ARNASON, S. T., WILLET, K. D. How to Achieve 27001 Certification. New York: Auerbach Publications, 2008.
[6] TIPTON, H. F., KRAUSE, M. Information Security Management Handbook, Sixth Edition. New York: Auerbach Publications, 2007.
[7] MAURO, D. R., SCHMIDT, K. J. Essential SNMP. Sebastopol: O'Reilly Media, 2001.
[8] ORLOFF, Jeffrey. How to choose a network management system. Computerworld [online]. 31. 5. 2009 [quot. 11. 3. 2012]. Available at: <http://www.computerworld.com/s/article/9000849/How_to_choose_a_network_management_system?taxonomyId=16&pageNumber=1>.
[9] About WMI [online]. Microsoft, 2012 [quot. 24. 3. 2012]. Available at: <http://msdn.microsoft.com/en-us/library/windows/desktop/aa384642(v=vs.85).aspx>.
[10] HILLERSON, Tony. Fibre Channel [online]. 1. 9. 2008 [quot. 24. 3. 2012]. Available at: <http://searchstorage.techtarget.com/definition/Fibre-Channel>.
[11] SEDLÁK, Jan. VMware ESX Server: Virtualizace bez limitů. Živě.cz [online]. 12. 5. 2009 [quot. 25. 3. 2012]. Available at: <http://www.zive.cz/clanky/vmware-esx-server--virtualizace-bez-limitu/sc-3-a-146985/default.aspx>.
[12] Nagios – Distributed Monitoring Solutions [online]. Nagios Enterprises, LLC, 2011 [quot. 25. 3. 2012]. Available at: <http://assets.nagios.com/downloads/general/docs/Distributed_Monitoring_Solutions.pdf>.
[13] ISO/IEC 27002 Information technology – Security techniques – Code of practice for information security management [available internally]. ISO/IEC, 2007–. Geneva: International Organization for Standardization.
[14] TOBOLKA, Martin. Kdy se zabývat certifikací organizace v oblasti bezpečnosti IT. IT Systems [online]. 3/2012. Brno: CCB spol. s.r.o., 2012 [quot. 14. 5. 2012]. Available at: <http://www.aec.cz/download.php?f=ecd0c0b2d4b599fe68282087685f20f3>.
[15] Monitoring infrastructure for converged networks and services [online]. Wiley Periodicals Inc, 2007 [quot. 16. 4. 2012]. Available at: <http://research.satkin.com/papers/bltj.pdf>.
[16] Cisco Secure Access Control Server 4.2 [online]. Cisco Systems, Inc., 2009 [quot. 24. 4. 2012]. Available at: <http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps2086/data_sheet_c78-453387.pdf>.
[17] LESKIW, Aaron. Network management software autumn smackdown. Victoria: Network management software, 2011 [quot. 18. 5. 2012]. Available at: <http://www.networkmanagementsoftware.com/network-management-software-autumn-smackdown>.
[18] DE JONG, A., et al. ITIL V3 Foundation Exam: The Study Guide. Zaltbommel: Van Haren Publishing, 2008.
[19] SIEM: A Market Snapshot [online]. CRN, 2007 [quot. 13. 5. 2012]. Available at: <http://www.crn.com/news/security/197002909/siem-a-market-snapshot.htm>.
[20] Improve IT Security With Vulnerability Management [online]. Gartner, Inc., 2005 [quot. 1. 5. 2012]. Available at: <http://www.gartner.com/resources/127400/127481/improve_it_security_with_vul_127481.pdf>.
[21] National Vulnerability Database Version 2.2 [online]. NIST, 2011 [quot. 1. 5. 2012]. Available at: <http://nvd.nist.gov/home.cfm>.
[22] Identity Management Terminology [online]. Hitachi ID Systems, Inc., 2012 [quot. 5. 5. 2012]. Available at: <http://hitachi-id.com/access-certifier/docs/identity-management-terminology.html>.
[23] Defining Enterprise Identity Management [online]. Hitachi ID Systems, Inc., 2012 [quot. 5. 5. 2012]. Available at: <http://hitachi-id.com/password-manager/docs/defining-enterprise-identity-management.html>.
[24] KING, Chris, PERKINS, Earl. The Role of Identity Management in Information Security: Part 1 - The Planning View. ZDNet [online]. 14. 10. 2003 [quot. 5. 5. 2012]. Available at: <http://www.zdnet.com/news/the-role-of-identity-management-in-information-security-part-1-the-planning-view/299247>.
[25] Glossary [online]. Softerra, Ltd., 2012 [quot. 6. 5. 2012]. Available at: <http://adaxes.com/help/Glossary.html#Glossary.SPML>.
[26] Identity Manager 4.0.1 Drivers [online]. Novell, 2012 [quot. 7. 5. 2012]. Available at: <http://www.novell.com/documentation/idm401drivers/>.
[27] Application Performance Monitoring [online]. Solarwinds, 2012 [quot. 7. 5. 2012]. Available at: <http://www.solarwinds.com/products/orion/application_monitor/application-performance-monitoring.aspx>.
[28] Taxonomy of the Computer Security Incident related terminology [online]. TERENA, 2010 [quot. 13. 5. 2012]. Available at: <http://www.docstoc.com/docs/22190596/Taxonomy-of-the-Computer-Security-Incident-related-terminology>.
[29] Syslog [online]. Wikipedia, updated 5. 5. 2012 [quot. 16. 5. 2012]. Available at: <http://en.wikipedia.org/wiki/Syslog>.
[30] W. Edwards Deming [online]. Wikipedia, updated 17. 5. 2012 [quot. 18. 5. 2012]. Available at: <http://en.wikipedia.org/wiki/W._Edwards_Deming>.
[31] Problem Management [online]. Service Definition Software Ltd., 2010 [quot. 18. 5. 2012]. Available at: <http://demotrackit.servicedefinition.com/node/65>.