INFORMATION SECURITY MANAGEMENT
“THE COBRA METHOD”
Managing Information Security Policies, Risk Analysis, ISO17799, BS7799, Security Audit, Business Continuity, Etc
It is used by governments and major corporations across the globe, and is the chosen product for countless security managers and security auditors.
But how can one product possibly perform this diverse range of security disciplines?
Consider the issues individually:
COBRA was first released in 1991, exclusively as a security risk analysis product. It changed the way risk was viewed and introduced a radical new approach. For the first time all elements of risk were dynamically linked: threats, vulnerabilities, controls, business impact, etc.
Since then, COBRA’s risk analysis component has evolved and advanced further still. It now embraces a selection of knowledge bases and is equipped for all risk assessment needs. It offers a fully comprehensive solution, but with a number of essential advantages: ease of use, business formatted output, flexibility, full knowledge base control, and many others. Little wonder it is viewed as the world’s leading method and product for risk analysis.
As COBRA matured as a security management product, it became obvious that its flexibility and sophistication allowed it to fulfil even more security related functions. Indeed, its portable knowledge base design ensured that it was capable of integrating almost any rationally linked knowledge elements.
Various other security audit type knowledge bases emerged. However, the most important was undoubtedly BS7799 (or ISO17799).
COBRA for BS7799 was released in 1995 following agreement with BSI. It is a comprehensive compliance product, capable of checking the degree of non-conformance with each section of the standard and making specific recommendations on the steps necessary to achieve full compliance.
In 1999 it was upgraded to reflect changes to the BS7799 standard, which is to form the basis of the new ISO17799.
COBRA has become the ideal aid for any organization seeking to achieve compliance with BS7799 / ISO17799 or simply wishing to check its position. It is also, obviously, ideally placed to meet the risk analysis demands of the BS7799 / ISO17799 standard (see above!).
The use of COBRA for compliance with an organization’s own information security policies is becoming more and more popular. The basis of this is simple: because of COBRA’s flexibility, it is a straightforward task to replace the knowledge base shipped with one built in-house, based upon existing policy.
Many organizations take this opportunity to refresh their information security policies, perhaps aligning them with BS7799 / ISO17799, but of course many do not. It is completely down to choice.
The point of this is simple: having integrated the security policies into COBRA, the COBRA package can then be devolved and delegated throughout the organization, as an automated ‘compliance checker’! The intuitive, ease-of-use philosophy of COBRA enables devolved personnel to use the product to check their position against the integrated information security policies.
Not only will COBRA report the position against each security policy, it will also explain what steps are required to improve the position, via detailed recommendations!
This process is equally valid in a heavily delegated environment, or in a situation of tighter central group control, where compliance reports must be sent (e.g. electronically) to a central security or audit team.
Compliance with information security policies is core to the security management function. COBRA enables this to be performed on a rational and consistent basis.
Security risk analysis and business impact analysis are precursors to sensible business continuity planning. COBRA, of course, is renowned for its risk functionality. However, it goes much further than this.
As with the component used for information security policies, the organization has full control over the COBRA knowledge bases. Consequently, these can be adjusted to support many other business continuity tasks.
Common uses include the auditing of a business continuity plan, resource dependency analysis, etc.
From the above information, it is clear that COBRA is also of substantial use for security audit… to drive audit plans and the audit process, to measure compliance with audit requirements, to record information and responses to issues, etc.
Many security audit programmes are now risk based – another ideal scenario for COBRA!
Yet another critical feature for security audit is the ‘tailorability’ of the product… the ability to customize the knowledge bases to meet specific demands.
COBRA’s flexibility and multi-functionality make it an extremely valuable addition to the auditor’s toolkit.
DOWNLOAD THE EVALUATION COPY
A fully functional evaluation copy of COBRA, with a number of the above components active, is available from our download site.