itrust consulting published a set of tools for risk assessment and management, audit reporting, key performance indicator monitoring, and policy and procedure management specific to cloud services to implement and assess the security requirements and risks for cloud infrastructures and services on GitHub and all publication are also added to the list of publications. CS-GRAM, short for “Cloud Services-Governance, Risk management, Audit, and Monitoring”, a toolset providing cloud security governance features such as policies, risk assessment models, audit templates, and KPI, is a sub-project of the CyFORT project, which in turn stands for “Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience”. Open source tools available: ARIANA (on GitHub), short for “Assistance for Reporting on Information system Audits with Normative Assessment”, is designed as an add-on to Microsoft Word and Excel applications and provides a simple and reliable process for creating policies, creating or updating audit reports, managing Excel and Word-based records of processing activities compliant with GDPR, and providing additional Word and Excel utilities useful to consultants in their day-to-day work, published on itrust consulting website. OpenARIANA (on GitHub), has been developed to address the repetitive task of creating policies, particularly Information Security Management System (ISMS) policies, published on itrust consulting website. DRAW (on GitHub), is used to graphically represent assets and their corresponding dependencies as well as to synchronize with TRICK Service, published on itrust consulting website. Trick2MonarcApi (on GitHub), a Java API for MONARC, which allows risk information from other sophisticated risk management tools such as TRICK Service to be imported by facilitating changes to the MONARC JSON data file, published on itrust consulting website.

The suite of tools for computer-aided design and development was recently published by itrust Abstractions Lab on GitHub. C5-DEC, short for “Common Criteria for Cybersecurity, Cryptography, Clouds – Design, Evaluation and Certification”, is a sub-project of the CyFORT project, which in turn stands for “Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience”.

As part of the research project CyFORT1, today itrust consulting published OpenARIANA2, developed as a successor of the in-house built ARIANA software, a Microsoft Word Add-in supporting the user, among other things, in generating policies and audit reports. Further details: OpenARIANA was developed to address the repetitive task of creating policies, particularly Information Security policies. These documents often consist of standardized text that needs to be tailored and extended to individual customers’ requirements. By integrating closely with Microsoft Word, OpenARIANA streamlines the process of document creation and customization in professional settings. It offers a user-friendly interface that enhances productivity and reduces manual effort, making the adaptation of standardized policies to specific client needs both efficient and reliable. The tool sequentially reads text from each row of an Excel table—constructed from a regulation or standard—and applies the style defined in the column headings. The tool can handle tags to create enumerations and bullets or some customized styles. The tool also allows replacing other tags by customer specific data, e.g. ‘#Organization’ by the name of the organization creating the document. itrust maintains a repository of ISMS standards like ISO 2700x in a structured format compatible with OpenARIANA. Users who wish to access these standards can contact us at openariana@itrust.lu. Please include proof of eligibility for the standard, such as a payment invoice. Upon verification, we will provide the structured standard free of charge. Standards currently available: ISO/IEC 27001:2022, 27002:2022, 27005:2022, 27701:2019, 22301:2019. As a CyFORT sub-project, CS-GRAM3 delivers a toolset comprising OpenARIANA, providing cloud security governance features such as policies, risk assessment models, audit templates, and KPI. It aims to incorporate the use of the Open Security Controls Assessment Language (OSCAL), developed by NIST. OSCAL is a standardized, data-centric framework for documenting and assessing security controls. This will bring us a step closer to achieving our goal of automating security assessment, auditing, and continuous monitoring. Finally, ISO content, typically expressed in natural language, will be converted into a machine-readable format, leveraging structured data to enable easier integration with existing tools. ____________ 1 Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience. 2 Open Assistance for Reporting on Information system Audits with Normative Assessment. 3 Cloud Services-Governance, Risk management, Audit, and Monitoring.