The integration effort debate!

Summary

For those of you that cant read the entire post, the question here is how much time it will take you to produce, upload and update the information asociated with ISO 27001 Risk Management or PCI-DSS.

In every case, the time you spent uploading or updating data to eramba is a small fraction in comparison to the time it actually takes produce the data in the first place. You could spend 1 hour identifying, validating, recording a risk while only 15 minutes documenting it in eramba. Once the risk is recorded keeping it updated (reviewed, re-validated) could take 1 hour of which 5 minutes would be used to update its records in eramba.

Identifying, validating and recording 50 Risk from scratch might take a seasoned practitioner some 9-10 days of which only 3 days are actually spent uploading data to eramba. If you would have all this risks in spreadsheet, you could upload all in some 2 days of work. Maintaining (keeping updated) all these risks, assets, controls, internal audits, etc would take a practitioner some 38 days of work of which again, only a couple of days (%5) would be used to upload the data in eramba. Is a lot more time consuming to maintain (38 days) a risk program than to start it (10 days).

We did the same analysis for PCI-DSS where a seasoned practitioner would require 3 days of work to assess and upload all controls, policies and compliance requirements and having them uploaded in eramba. Keeping that data relevant by doing internal control audits, policy reviews, would take some 32 days – of which only %3 would be spent in uploading data to eramba. Is a lot more time consuming to maintain (32 days) a compliance program than to start it (3 days).

The question

Today we got an interesting question that we think is of interest for the community and we will try to reply using our experience as Security Practitioners. Once I download and install eramba – how much effort will it take to integrate it and having running?

eramba is just a tool that is mostly useful to keep “things” (Risks, Controls, Audits, Compliance Requirements, Policies, Etc) organised, relevant and connected one with another. Once “things” are in place, most users get a higher degree of confidence about their security program because it becomes easy to see if things are going well or not (missing or failed audits, compliance gaps, too much risk, etc).

The ISO 27001 scenario

eramba does many things and is very unlikely you will use all this features at once. For example, if you aim to comply with ISO using eramba then you will need to decide what to “migrate” first – will that be Risk? SOA? Internal Audits Let’s say you start with Risk.

Imagine you document 60 assets, 20 third parties, 10 business units and their core processes and out of that you identify 50 risks (asset, third party and business risks) and their are treated with 50 controls, 10 policies and 5 risk exceptions. Producing and uploading all that data in the system will take you:

  • Business Units:  think of 20 minutes per BU and their processes.
  • Assets: 15 minutes per asset
  • Third Parties: 4 minutes.
  • Internal control: 15 minutes (assuming it exist and you dont have to produce it)
  • Every policy: 15 minutes (assuming it exist and you dont have to produce it)
  • Every risk Exception: some 15 minutes
  • Risks: 20 minutes each

All in all, if you do the math you end up with some 10days of work (approximately 1 hour per Risk – the norm if all the information is at hand). Remember, this means from nothing to having 50 risks identified, validated and recorded.

If you have all this data prepared and stored in spreadsheets (because you did Risk in spreadsheets before), you will need to simply upload it to eramba. If you are an enterprise customer we can provide you mass uploads CSV files for Assets, Controls and Policies. Estimate the following assuming you can normalise the data in your spreadsheets against eramba:

  • Business Units:  think of 4 minutes per BU and their processes.
  • Assets: 2 hours for all 60 if you use the CSV, otherwise 5-10 minutes if doing every click.
  • Third Parties: 4 minutes.
  • Every internal control: 15 minutes if you do it manually, some 2 hours if you mass upload all 50 controls with the CSV.
  • Every policy: 15 minutes if you do it manually, some 60 minutes for all 10 if you do it with the CSV.
  • Every risk Exception: some 5-10 minutes each.
  • Risks: 10 minutes each if you have uploaded all previous objects.

All this sums up to some 2 days of work, bare in mind, this assumes you use CSV to upload and you have all the data in a spreadsheet.

NOTE: By August 2016 eramba will have APIs which allow you to import data from CSV, JSON, Etc with a REST call. If you have all this data in a spreadsheet, you could reduce all that effort by at least half (you will be able to import many things, but still you will need to link objects, adjust missing fields, Etc).

Now all is up and clearly visible is quite simple to calculate how much effort it will take you maintain it. Let’s assume you will:

  • Perform one internal audit per control per year, and each audit takes 3hs in average.
  • You’ll review all exceptions, assets, risks and policies (120 objects) once a year and in average it takes you 60 minutes to get each one of them done.

You will be looking at some 38 days of work (assuming you do 7 hours a day). The actual update of the objects in eramba takes a small fraction of time, perhaps 2 days, the real work is what takes time. Once you do things this way, information will be visible, clear, structured so reports and status will be quite simply to obtain.

The PCI-DSS scenario

If you have in mind looking after PCI-DSS, then you will need to define your internal controls (firewalls, account reviews, Etc), their individual audit schedule, upload your policies and then link those to PCI-DSS requirements until no gap exist.

Assuming you are starting from zero, meaning you are new to an organisation and you need to assess what controls and policies exist then a seasoned practitioner could spend the following amount of time producing and uploading the data to eramba:

  • PCI-DSS compliance requirements (10 minutes)
  • Every internal control: 15 minutes (assuming it exist and you dont have to produce it)
  • Every policy: 15 minutes (assuming it exist and you dont have to produce it)

Since you will leverage your internal controls and policies, you should expect to have some 50 controls and 10 policies to cover all 250 or so PCI requirements. In time then this would mean the entire exercise would take some 3 days.

Once all is up – you will need to keep the system updated by updating the controls audits and by reviewing policies whenever they need to. If you have 50 controls and 10 policies linked to PCI’s 250 or so requirements then just do the math:

  • Each control takes a yearly audit that in average takes you 4hs of time (including failing audits, their incidents, etc), of which 10 minutes is what it takes to upload the audit result in eramba.
  • Each policy needs a review will take you in average 3hs to review, update and get stakeholders approval. Of that it will take you 10 minutes to upload it to eramba.

Then you should foresee approximately 32 days of work a year to keep your PCI-DSS compliance well tracked and monitored. Having that will greatly simplify the audit process and take from you some unnecessary stress

In any way, the time it will take you to upload data to eramba is marginal compared to the time it takes you to do the “actual job”.