SOMAP.org

Security Officers Management & Analysis Project

ORICO Framework & Tool

image
The ORICO Framework is the foundation for the ORICO Tool. Both build an Information Security Governance, Risk and Compliance application which can be used for Gap Analysis, Risk Analysis and as a general IT Security Risk Management tool.

The ORICO Tool is the reference implementation of our OGRCM3 methodology and follows the risk assessment and analysis workflow as described in our Guide.

Tool set

It is our goal to build the ORICO Tool like an extendable toolset. While all the needed functionality is built into the ORICO Tool, it is possible to extend and personalise that standard feature set with your own changes, scripts and extensions.

Data Abstraction / Personalisation

To abstract the database and to access the data more easily the ORICO tool makes use of the Cayenne Framework. The configuration information is published with the ORICO Tool and it is therefor possible to enhance the default configuration with your own data views and tables. Such personalised data views and tables can be used from within your own extensions to enhance the standard feature set of the ORICO tool.

The ORICO tool makes heavy use of the structures and references from the Repository and features a layer with personalised data ontop the theoretical layer provided by the Repository. The ORICO tool links theoretical information with a concrete inventory to help the security officer in analysing and managing his or her assets.

With the data and calculations from the ORICO Tool a security officer can generate reports about situations, gaps, protection profiles and the state of an environment.

Since the ORICO tool uses the Cayenne Framework to abstract the database layer it is no problem to exchange the default Derby database system with any other database system like PostgreSQL or DB2 in future releases. It is also possible for a security officer to switch from the internal database to a database server of his or her own choice. This is an important feature for the ORICO tool should help a security officer with his work and not stand in his way.

Synchronisation

We are working on a synchronisation function for road warriors so that different users can work asynchronously on the same data and resynch their different state when coming back to the office.

Extensions / Scripting

The ORICO tool has a built in extension engine. Extensions are small pieces of application logic which together define the whole application. The navbar as example is completely built from extensions. Extensions consist of a data file describing the extension and some kind of logic (and possibly data). The logic is typically written in form of a script.

The ORICO tool makes use of the Bean Shell scripting engine. With the help of that engine you can change and personalise many aspects of the ORICO tool. Please consult the integrated help system for further details.

Status / Downloads

In the "Current Releases" section on the left you can find further information about the latest release of the ORICO tool and all our other projects.

If you find an error or bug in the ORICO tool then please make sure that you are testing with the latest version before sending us a bug report.