SOMAP.org

Security Officers Management & Analysis Project

Open Risk Model Repository
Overview

A comprehensive repository of best practice rules and guidelines is very important for the assessment and management of information security. This is the reason why the SOMAP.org project builds and maintains an open database with such rules and guidelines. This database is called the Open Risk Model Repository (ORIMOR) and is made available under the ORIMOR Licence.

ORIMOR basically consists of template information like Assets, Threats, Vulnerabilities and Countermeasures which we call Entities:

  • The ORIMOR describes types of Assets and how these influence each other.
  • ORIMOR contains potential Vulnerabilities and describes what kind of Countermeasures and Safeguards can be used to protect from a Threat.
  • Checklists link assets with Vulnerabilities and Countermeasures and
  • Questionnaires help build and understand an infrastructure.

The entities are linked with each other and thereby form a logical construct which can be automatically interpreted (as is done with the SOBF Tool). Because of the modular architecture of the ORIMOR it is possible to add further entities later on.

The content of the ORIMOR is described by the SOMAP.org Handbook and Guide. Please see these documents for further details on a specific entity.

ORIMOR Snapshot

ORIMOR is only as good as its content and ease of use. Therefore ORIMOR supports the concept of Snapshots. A Snapshot is basically a file containing parts of the central ORIMOR database. A Snapshot file is typically generated on a regular basis by the maintainer of the Repository.

SOMAP.org plans to make available different versions of Snapshots for different usages. When following a specific standard like COP or ISO 17799, only Entities of that respective standard are put into the Snapshot file. It is our intention to work towards compatibility between the ORIMOR content and widely used standards like ISO 27001, ISO 27005, the German Grundschutz and others.

Such a Snapshot file can then be imported into an information security risk analysis and management tool like our SOBF Tool. The Snapshot file forms the basis - or meta data - for the SOBF Tool. Based on data from the ORIMOR, a security officer will analyse and manage his environment.

Please see the documentation of the SOBF Tool for further information about how the user of the SOBF Tool is able to link the theoretical information concerning best practices from the ORIMOR with his actual and concrete environment.

Technologies
Universally Unique Identifier (UUID)

Records saved within the Repository are not identified by a sequence number. Instead, every record has a DCE 1.1 and ISO/IEC 11578:1996 compliant Universally Unique Identifier (UUID). These UUIDs make updates easy to manage, avoid problems with multi-language support, and allow updates and installs of new releases without the hassle of record identifiers changing from installation to installation and from system to system.

Internationalisation (i18n)

Because this project is focused on international usage, the Repository is planned to be used in multiple languages right from the beginning. The Repository and all the descriptions and texts within are kept multilingual, which allows the translation to be done by different teams with different languages without interfering with each other.

The Repository is started with German and English as the two first languages. Volunteering translators are welcome to help translate the Repository to other languages as well.
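The following added example (not SOMAP.org or SOBF Tool code) sketches how a tool could import Snapshot records keyed by UUID, so that a later Snapshot updates the same records and a translation in one language does not overwrite another. The record layout (id, type, text, links), the function names and all sample values are assumptions made for illustration.

```python
import uuid

def is_dce_uuid(value):
    """True if value parses as a UUID of the DCE 1.1 (RFC 4122) variant."""
    try:
        return uuid.UUID(value).variant == uuid.RFC_4122
    except (ValueError, TypeError, AttributeError):
        return False

def import_snapshot(store, snapshot):
    """Upsert snapshot records into store, a dict keyed by canonical UUID.

    Texts are merged per language, so a snapshot carrying only a German
    text leaves the existing English text in place. Returns a report dict.
    """
    report = {"added": [], "updated": [], "rejected": [], "dangling": []}
    for rec in snapshot:
        if not is_dce_uuid(rec.get("id")):
            report["rejected"].append(rec.get("id"))  # e.g. a sequence number
            continue
        rid = str(uuid.UUID(rec["id"]))  # canonical lower-case form
        entry = store.get(rid)
        if entry is None:
            entry = store[rid] = {"type": rec["type"], "text": {}, "links": set()}
            report["added"].append(rid)
        else:
            report["updated"].append(rid)
        entry["text"].update(rec.get("text", {}))
        # A malformed link id raises ValueError instead of being stored.
        entry["links"].update(str(uuid.UUID(l)) for l in rec.get("links", []))
    # Every link must resolve to a record that is in the store after import.
    for rid, entry in store.items():
        report["dangling"] += [(rid, l) for l in sorted(entry["links"]) if l not in store]
    return report

# Constructed sample data: ids, types and texts are invented for illustration.
THREAT = "6f1c2b9e-3d4a-4c5b-8a7e-1b2c3d4e5f60"
MEASURE = "0a9b8c7d-6e5f-4a3b-9c2d-1e0f9a8b7c6d"
SNAPSHOT_1 = [
    {"id": THREAT, "type": "Threat", "text": {"en": "Theft of media"}, "links": [MEASURE]},
    {"id": "42", "type": "Threat", "text": {"en": "Sequence-numbered record"}},
]
SNAPSHOT_2 = [
    {"id": THREAT.upper(), "type": "Threat", "text": {"de": "Diebstahl von Datenträgern"}},
    {"id": MEASURE, "type": "Countermeasure", "text": {"en": "Locked cabinet"}},
]

if __name__ == "__main__":
    store = {}
    print(import_snapshot(store, SNAPSHOT_1))
    print(import_snapshot(store, SNAPSHOT_2))
```

The first import reports the Threat's link as dangling because the Countermeasure it points to has not arrived yet; the second import resolves it.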

Security within a changing system

The analysis of assets as isolated systems is dangerous because a combination of several assets can lead to different requirements when looked at in a connected scenario. The coherence of the different types of data and the relationship model used to design the Repository allows us to look at a security environment as a whole system.

This also means that the linking and referencing model of the Repository allows us to act on changing environments. To enable such features, the Repository uses ideas from the Topic Map technology to put the assets into context with each other. A changing context will therefore provoke a changing view of an asset (and indirectly of its needs and requirements).

Open Source Vulnerability DataBase (OSVDB)

It is our intention to use the OSVDB as a basis for risk and vulnerability factors. These factors are meant to be used as a guidance and the values can be personalised during an assessment.