IT Risk and Compliance Tool Requirements vs. WCK-L
As mentioned in the preface, this is a continuation of the previous requirements-match article on WCK-L. Let's get straight to the first part.
Risk calculation engine
WCK-L's risk calculation engine provides a business approach and automation of the risk management lifecycle, to the extent possible, in real time.
Business process approach
WCK-L prioritizes and assesses how certain IT risks may affect the business's goals through its ability to select business processes and match them to their underlying IT assets.
By determining the business impact of an IT asset, WCK-L can provide you with an aggregated risk map. You can also map IT risks to business risks, e.g. XSS attacks (IT risk) to fraud (business risk).
Automation
WCK-L automatically assesses and quantifies risk; the user can overrule the result if necessary.
The following items have an impact on the quantification (simplified):
- Asset weight (provided by the user; simplified, the weight in this context stands for how much the asset is worth)
- Question weight (the out-of-the-box questions are already weighted; the weight in this context means the impact on e.g. Confidentiality, Integrity and Availability)
- Answer weight
- Mitigation weight (a mitigation is introduced automatically if the answer provided exceeds a certain risk level)
The important factor here is that the resulting risk ratings are free of human bias.
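To make the two mechanisms described above concrete (assets matched to business processes and IT risks mapped to business risks, and a quantification driven by asset, question, answer and mitigation weights), here is an added toy risk engine. It is example code written for this article, not WCK-L's own algorithm: the scoring formula (asset weight × question weight × answer weight), the use of the strongest CIA impact as the question weight, the mitigation threshold of 3.0, the default mitigation effectiveness of 0.7, the IT-to-business risk mapping and all assets, questions and answers are constructed assumptions.

```python
"""Hypothetical weighted risk engine modelled on the four weight factors
the article lists (asset, question, answer, mitigation). The formula,
thresholds and all sample data are constructed for illustration; this is
not WCK-L's actual algorithm."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_process: str   # business process the asset underpins
    weight: float           # user-supplied worth of the asset, 1 (low) .. 5 (high)


@dataclass(frozen=True)
class Question:
    text: str
    it_risk: str            # IT risk the question probes, e.g. "XSS"
    cia: tuple              # (confidentiality, integrity, availability) impact, each 0..1

    @property
    def weight(self) -> float:
        # assumption: a question's weight is its strongest CIA impact
        return max(self.cia)


@dataclass(frozen=True)
class Finding:
    asset: Asset
    question: Question
    answer_weight: float            # 0 = control fully in place .. 1 = control absent
    mitigation_weight: float = 0.0  # share of the raw risk a mitigation removes


MITIGATION_THRESHOLD = 3.0   # assumed raw risk above which a mitigation is auto-introduced
DEFAULT_MITIGATION = 0.7     # assumed effectiveness of the auto-introduced mitigation

# constructed mapping of IT risks to business risks (the article's XSS -> fraud example)
IT_TO_BUSINESS_RISK = {"XSS": "Fraud", "Data loss": "Business interruption"}


def raw_risk(f: Finding) -> float:
    """Unmitigated risk: asset weight x question weight x answer weight."""
    return f.asset.weight * f.question.weight * f.answer_weight


def auto_mitigate(findings):
    """Attach a mitigation to every finding whose raw risk exceeds the threshold."""
    out = []
    for f in findings:
        if raw_risk(f) > MITIGATION_THRESHOLD and f.mitigation_weight == 0.0:
            f = Finding(f.asset, f.question, f.answer_weight, DEFAULT_MITIGATION)
        out.append(f)
    return out


def residual_risk(f: Finding) -> float:
    """Risk left after the attached mitigation (rounded to keep float noise out)."""
    return round(raw_risk(f) * (1.0 - f.mitigation_weight), 4)


def risk_map(findings, key):
    """Aggregate residual risk under key(finding), e.g. per process or per business risk."""
    totals = defaultdict(float)
    for f in findings:
        totals[key(f)] += residual_risk(f)
    return {k: round(v, 4) for k, v in totals.items()}


# constructed sample data: two assets, two review questions, four answers
FRONTEND = Asset("webshop-frontend", "Online sales", 5.0)
WIKI = Asset("intranet-wiki", "Internal comms", 2.0)
Q_XSS = Question("Is user input encoded before rendering?", "XSS", (0.6, 0.8, 0.1))
Q_BACKUP = Question("Are backups restored and tested quarterly?", "Data loss", (0.0, 0.3, 0.9))

SAMPLE_FINDINGS = auto_mitigate([
    Finding(FRONTEND, Q_XSS, 1.0),     # raw 4.0 -> exceeds threshold, mitigation added
    Finding(FRONTEND, Q_BACKUP, 0.5),  # raw 2.25
    Finding(WIKI, Q_XSS, 1.0),         # raw 1.6
    Finding(WIKI, Q_BACKUP, 0.0),      # raw 0.0
])


def by_business_process(findings=SAMPLE_FINDINGS):
    """Aggregated risk map per business process."""
    return risk_map(findings, lambda f: f.asset.business_process)


def by_business_risk(findings=SAMPLE_FINDINGS):
    """Aggregated risk map per business risk, via the IT-to-business mapping."""
    return risk_map(findings, lambda f: IT_TO_BUSINESS_RISK[f.question.it_risk])


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.asset.name:18} {f.question.it_risk:10} raw={raw_risk(f):.2f} "
              f"mitigation={f.mitigation_weight:.1f} residual={residual_risk(f):.2f}")
    print("per business process:", by_business_process())
    print("per business risk:   ", by_business_risk())
```

The point of the example is the separation of inputs: the asset weight comes from the user, the question and answer weights come with the review template, and the mitigation weight is attached automatically once a raw score crosses the threshold, so the same answers always produce the same rating regardless of who entered them. The residual scores are then rolled up twice, once per business process and once per business risk, which is the aggregated risk map the article refers to.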
Reporting
Reporting is one of the big strengths of WCK-L. With the risk calculation engine described above as a base, it provides comprehensive reports for various stakeholders, from system administrators all the way up to executives. You can choose what to report on (e.g. an organisational unit) and how to make the report available (e.g. PDF export, direct access for stakeholders). Each generated report can be commented on, and the comment is shown in the introduction of the automatically generated report.
A wealth of more or less pre-configured reports is generated in a "fool-proof" manner within seconds. Of course you can also choose to create very specific reports in an advanced way; this will take a bit more than a few seconds, but you might have a specific need.
The two pictures to the right show a risk manager's dashboard reporting view (customizable) and parts of a management report. Please understand that the pictures are not very representative, since the reports were made against a test installation with little data.
Interfaces
Currently the following types of interfaces or imports are supported by WCK-L:
- Assets from external asset repository systems and configuration management databases
- Events from an external event management system
- Mitigations
- Vulnerability scanner information
- Review templates
You can also export risks to an external operational risk management system.
I truly like the wealth of information that can be aggregated here to show an in-depth risk picture.
The only wish I'd have is that the imports and exports could also be done in an automated fashion, e.g. through web services.
Conclusion
In my opinion WCK-L is a very promising tool in the IT-GRC and IT risk management software field. The usability, in combination with the wealth of possibilities without many dependencies, is a great achievement by WCK!
Thanks
My thanks go to Eyal Adar and Alon Yavin from WCK, who provided me with in-depth information on their company and WCK-L.
My thanks also go to all the readers who have provided me with their good feedback through mails and words!