News and information about verinice.

As of now verinice 1.9 is available for download. The update at a glance:

• VDA ISA Standard 2.0
  In verinice 1.9 the new IS-assessment Catalog of the Association of the Automotive Industry is implemented. The standard has been thoroughly revised and adjusted to the new requirements of the updated ISO 27001: 2013.
  Due to a special unify function existing levels of maturity can be transferred to the new chapter numbering. Existing assessment results can be reused, and users do not have to start completely from scratch. That should reduce the cost of the update and for the re-evaluation as much as possible.
  Any changes took place in close contact with the authors of the ISA catalog in the corresponding working group of the Association. Conformity to the questionnaire is 100% guaranteed.

• Account Management (verinice.PRO)
  A completely new user and group management facilitates the creation and maintenance of the authorization concept. This comes in handy especially for a large number of verinice users and groups.

• Report Repository (verinice.PRO)
  verinice 1.9 comes with a newly introduced central report repository. This makes reports generated with the vDesigner available for all users of verinice.PRO servers. The central report repository is synched by the client and cached locally so that all the reports are still available in offline mode. In addition, only local reports can be stored in the client - eg for testing or confidential evaluations. Here, local and server reports are designated and distinguished clearly in the list.
  For each report, the required and reasonable output formats can now also be programmed centrally (DOC, XLS, PDF...).
  The standard reports included with verinice can be managed in the same way. Thus, e.g. a standard report will be replaced by a custom template, for example if in all reports a company logo is to be used, etc.

• Easy changes in the permission dialog (verinice.PRO)
  The authorization dialog for assigning access rights to objects has also been revised. It is now easier and more comfortable to set, read and write permissions for individual objects or groups of objects.

verinice 1.8 has been released. The new version is ready to be downloaded here.

verinice 1.8 delivers a couple of new features to make the management of your ISMS even more friendly and efficient:

• Generic workflow
  When the deadline for a task has passed, the task stays with the person responsible. The initiator of the task receives a notification email. The asignee can request to postpone the deadline and the initiator can accept or deny this request.
• Deleting objects during import
  When repeatedly importing objects from the same data source, it is now possible to delete objects from a previous import that have also been removed in the source.
• Read permissions in task view
  The task view now regards read permissions of objects. A task is only displayed to the user when the user is also allowed to see the object for which the task has been created.
• Read permissions in file view
  Read permissions are now considered in the file view. Files are only displayed when the user also has permissions to read the object to which the file has been attached.
• Object path in the relation view
  The relation view now shows breadcrumbs for each displayed link target as a tooltip.
• Cc- and Bcc-Recipient for emails
  It is now possible to configure a Cc or Bcc address that is used in every email sent out by the email notification feature.
• Default directory for report templates
  The report dialog remembers the used template folder if the user selects this option.

Please regard the general notes for updating.

The new features in verinice 1.8 come from user requests. By close and frequent communication with the support and development team, users were able to communicate their experiences and to initiate improvements. We continue to promote this vibrant exchange. Please write us at verinice@remove-this.sernet.de - we will consider your concerns. 

verinice will be present at the IT-security expo it-sa from October 7th to 9th 2014 in Nuremberg. Meet up with the team in hall 12.0 / 12.0-339 and get all the news about verinice as well as the future roadmap. 

You're planning to attend? We'll hand out codes for etickets - just send uns an email to itsa@remove-this.sernet.de. It can be redeemed at www.it-sa.de/voucher from August 26th onwards.  

From now on verinice is available in version 1.7.0. Main changes are: 

ISO 27001:2013 / IT Baseline-Catalog, 13th Addition

The standards ISO / IEC 27001:2013 and the IT-Baseline Catalog with its 13th supplemental set are available in the most recent versions.

Direct import for file structures

verinice can now import entire subtrees from the file system into the database in a single action. Folder structures are also listed, files create appropriate objects and are imported simultaneously as attachments. Existing policies or audit evidence can be quickly and simply transferred into the database. The import can also create connections between objects, e.g. map the relationship between policies and the controls described therein.

Consolidate with links

A new consolidation function for IS Assessments makes it possible to transfere existing audit results to surveillance audits. Existing linkages such as to central directives and other objects are taken into acount. This feature facilitates the continuous checking of information security through the acquisition of past findings and the evidence as a starting point for a new audit .

Web service for Importing File Attachments

Other applications are now able to import attachments automatically using the web service. For example, reports from OpenVAS / Greenbone-GSM can be created automatically in the verinice database and the original reports are stated as well as reference.

Task overview

A new report for verinice.PRO users shows tasks in the system that are assigned using workflows. Thus, the processing status of each task, the person responsible and the time frames are visible and make it a lot easier to track tasks at hand.

English Manuals

Manuals are available in English now. These include: 

• verinice.PRO installation under CentOS and RHEL
• Installation of the verinice.PRO Appliance
• Quick reference for the verinice. Report Designer (vDesigner)

The new verinice Risk Catalog is available as of now. ISO released the updated version of ISO/IEC 27001:2013 in October 2013 with numerous changes - all of which are incorporated in this new catalog. Whether verinice novice or expert: The up-to-date Risk Catalog will turn out to be a real time saver. 

The new version of this verinice risk cataloge contains all 14 control clauses, 35 security categories and 114 controls of the standard. Furthermore it contains 109 generic risk scenarios, 47 threats, 90 vulnerabilities and more than 1,100 Relations between them to combine all objects into a meaningful context.

All controls are supplied with short and concise descriptions as implementation guidance. Also, the objective for each security category is summarized briefly in comprehensive form.

The list of mandatory documents was adapted and shortened conforming to the new standard. However, all other documents that are recommended for successful operation of an ISMS are still there in the category "Recommended Documented Information".

All controls are linked accurately to fitting risk scenarios to speed up the process of risk assessment, risk treatment and risk-based selection of the standard Annex A controls.

Active risk reduction and time savings

The verinice risk catalog combines two time-intensive activities of ISMS implementation: the creation of the "Statement of Applicability" (SoA) and the risk analysis. The results of the SoA are taken into account directly in the risk analysis in verinice. This will save you a lot of time in the risk treatment. And the controls of ISO 27001 turn out to be more than just a compliance checklist: they reduce IT risks immediately. This renders formulating own controls for risk treatment redundant.

The cost of risk assessment and risk reduction is thus significantly reduced, allowing more time to be spend for the identification and treatment of organization-specific risks.

Get the new version of the risk catalog

verinice.PRO subscribers will find the new version of the risk catalog in the repository. The verinice risk catalog is available to them free of charge.
For users of the free verinice version the catalog is available in our web shop. 

The download code is valid for one year. So if you have purchased the 2005 version of the risk catalog within the last 12 months, the update is now free for you to download. 

Please note: The updated catalog for ISO 27001:2013 is currently only available in English. A German version will be released as soon as DIN finalizes the German translation of ISO 27001:2013. 

Import-Instructions:

As a new user please simply import the catalog

    "verinice_Risk_Catalogue_EN_-ISO_27001_2013",

to start with a new database based on the current standard.

If you are already a user of the risk catalog based on ISO 27001:2005,

please use the catalog

    "verinice_Risk_Catalogue_EN_-ISO_27001_2013-UPDATE"

The update catalog is imported over an existing risk catalog that was

imported in the past. Before you do that, you should save your database using the export-feature.

After the import, all omitted controls and documents are marked with "OMITTED" and should be deleted by you after manual verification.

Changed controls are marked with "REMOVE". These can also be deleted after manual verification.

In both cases you should verify that you have made all necessary changes to documents and other attachments that you may have added to objects that are no longer needed. You should also check for any relations that you have created since the original import of the old catalog before deleting anything. 

"Heartbleed" - a severe vulnerability in the OpenSSL encryption software - currently worries the IT scene. At SerNet and in the verinice team we looked into the matter intensively and found corresponding solutions. We will keep you updated about all possible developments. 

Information for verinice customers:

• The verinice client is not affected.
• Users of the appliances should draw or update the OpenSSL package , the update is already available.
• Heartbleed has also affected the verinice repository. We have already taken all the necessary measures , the server is no longer vulnerable.

UPDATE for SerNet customers with firewall systems:

All measures to be taken have been completed. Affected customers were informed and the vulnerability is closed. If necessary, the SSL certificates were exchanged.

If you have specific questions about your systems and Heartbleed, please call us at +49 551 37 0000 0 or send an e-mail to heartbleed@remove-this.sernet.de or contact the verinice support directly.

A case study from Greenbone Networks GmbH shows how to make automated vulnerability management possible in combination with verinice: LEONI AG, automotive supplier headquartered in Nuremberg, relies on a combination of Greenbone Security Manager (GSM) and verinice.PRO 

The case study "Vulnerability Management" is available as PDF at Greenbone.

As it stands out, LEONI was able to increase the elimination of vulnerabilities significantly as well as raise the efficiency of globally distributed IT teams. Success factor is the close integration of the two components - made possible by Greenbone Networks and SerNet working together closely. As a result LEONI achieved time savings and reduced the number of vulnerabilities to one tenth of the previous value.

You want to know more about GSM and verinice? Please feel free to send us a mail to verinice@remove-this.sernet.de.
 

From March 10th - 14th, our verinice-Team and SerNet relocate to Hannover to take part in the CeBIT 2014. You'll find us ins hall 6, stand G10 – visit us there and get to know all the developments regarding our ISMS-Tool.

Exchange your ideas and your future requiremets for verinice with us, learn more about the verinice roadmap and have a look at verinice.PRO. Or just enjoy a cup of coffee with us.

You need an eTicket? We've got one for you! Just contact us at cebit@sernet.de

We're looking forward to meet you in Hannover!