IT Risk and Compliance Tool presentation

Introduction

As mentioned in my previous article, where I briefly outlined the requirements for a tool in the risk management field, I would like to present a tool called White Cyber Knight-Lancelot (WCK-L).

I first encountered WCK-L during the research phase of my master thesis, where it was one of three tools I took a closer look at.
The others were Agiliance's solution called IT-GRC, which made a very good impression as well, and the open source approach SOMAP.org, which targets small and medium companies.
By now I have spent quite a few hours with the tool, doing an early evaluation pilot.

The company

<Vendor submitted>
WCK is a solutions company focused on Security Risk Management and IT-GRC (IT Governance, Risk, and Compliance). WCK has developed "WCK-Lancelot", a strategic system to review and manage IT-GRC. WCK is a spinoff of iTcon Ltd. (1995), an information security consulting firm specializing in enterprise security architecture and security risk management. iTcon was sold in 2008.
Eyal Adar, the founder of WCK, is a leading expert in risk management, CIP (Critical Infrastructure Protection) and IT security. He joined the European research project that set the Risk Assessment research roadmap for Critical Infrastructures for 10 years, ACIP (2002-2003), and was the Chairman of the European Commission's "Security Risk Management Initiative".
"WCK-Lancelot" uses a (patent-pending) methodology known as EESA (End-to-End Security Assessment). EESA was the first IT risk assessment model that integrates a business process approach with technical IT assessment. EESA was presented in European Commission conferences and CIP workshops.
In 2009, WCK was selected as one of the top 10 most innovative companies at the RSA Innovation Sandbox contest.
<End vendor submitted>

The tool

In the next article I will cover whether, and how well, WCK-L fits the requirements I set out earlier.
Worth mentioning already is that the tool has been built in a very modular fashion, so that most customer change requests can be covered by content changes rather than application logic changes. This leads to quick reaction times on customer change requests.
Another highlight of the tool is the risk rating engine, which will also be covered in the next article.

This section outlines the basic functionality of WCK-L by walking through the structure of the tool. [Image: WCK-L Management Dashboard]
  • Asset Management, the base of risk management, substructured in
    • Organisational Units
    • Components, e.g. a specific server
    • Systems, usually a collection of components serving the same purpose
    • Business processes
  • Threat Management, introducing the threats to assets (threats are custom configurable), substructured in
    • Threats ("low level" threats, such as Cross-Site Scripting)
    • Business threats (e.g. theft)
  • Security Reviews, with a large pre-defined question base for security reviews (questions derive from several security standards/frameworks); additional "custom" questions can be introduced. Security Reviews is substructured in
    • Reviews in Process, to check the state and the completion level of reviews in progress
    • Approved Reviews, where already processed and approved reviews can be found
  • Mitigations Management. This section contains the items where the risk demands either mitigation actions or exception permissions. These items derive from the security reviews. Mitigations Management is structured in
    • Main, showing all items which require "mitigation action or exception permission"
    • Follow Up Mitigation, indicating to a specific user and/or role that an action is necessary
    • Advanced Filter, the ability to search for e.g. specific types of mitigations
    • View by Review, the possibility to check for mitigation items deriving from specific reviews
    • View by Project
    • Add new mitigation, for mitigation actions and/or exceptions not deriving from security reviews
  • Reports
    • Dashboard, offering a comprehensive overview of the risk state by default, based on the data you have fed the tool, of course
    • Review Reports, providing an overview of the state of the security reviews
    • Mitigation Reports, various possibilities to report on the state of mitigations, e.g. Overdue Open Risks, Accepted Risks, Open Risks by Assignee...
    • Asset Reports, the possibility to view the state of assets; asset types are those mentioned in the Asset Management section
    • Management Reports, easy generation of "high level" comprehensive reports
  • Administration
    • Users; it should be mentioned that user management is one of the big strengths of the product
    • User Profiles, the possibility to e.g. create roles
    • Configuration, e.g. mail server
    • Export Lists
    • Application Integration, e.g. import of vulnerability scanner information
    • Content Management, with the possibility to e.g. define custom security review questions, threats, security areas, asset types...
