IT Infrastructure X-Ray

For ISO27001 you will need to set a scope, meaning you have to decide what is and is not your responsibility from an ISMS (security) perspective.

There are 2 scope definitions:

  1. Scope as defined for external audit = mandatory documentation for certification. Simply explained: 1 or 2 lines that describe what you do and that will be published on your certificate document. Read more: https://compleye.wiki/compleyeonline/mandatory-documentation/

  2. More important scope definition: the understanding of where your responsibility lies with respect to security (ISO 27001), but also what might be important for the future (privacy and quality requirements). That is why at Compleye we use the X-ray – splitting your IT infrastructure up into X-ray components. In blue are the ones that are in scope for ISO 27001 and in red are the ones that you can use for other frameworks or requirements.

During your onboarding X-ray session, we designed and uploaded your first X-ray on your dashboard and we have uploaded all individual components in this section.

You can upload new versions – if your IT infrastructure changes or new components are added. When you upload a new X-ray version, make sure you also make the changes in the individual components.

There are 2 views of X-ray components:

1. Overview of all X-ray components (below)

Per component, you have 3 options in this view (view details, edit details or delete the component).

You can add new components if needed, by making use of the yellow button ADD NEW in the top left corner.

TIP: Only create a new component if it is ‘in business’, not a pilot or BusDev project, because once you have added it, it becomes part of your ISMS, and that comes with responsibilities to assess, implement and maintain.

Mandatory fields are: X-ray component (give it a name), Owner, and Type.

Choose the type of component you want to add from the dropdown list. Below is the list of types of components:

  • App – add the name of the app
  • Web Portal – meaning a web application for your customer or end-user, or for your own team – name that product/portal
  • Server Environment – your cloud environment (AWS, Google, Azure, local, own server, etc.); add the name of the supplier. If you have multiple server environments, add more. You will also have to choose whether this is outsourced (AWS, Google, etc.) or whether you have your own server on-site. This will create a different template.
  • Office Network – this is your office; even if you have an online office and only work remotely, you will need to add this component.
  • API/SDK Environment – not every API needs to become a separate component, only if it is a specific part of your product/service
  • Other – we are in the process of defining more types of components; in the meantime, you can use this general component template for e.g. a BlockChain environment or other technologies.

If you can’t choose, always pick ‘Other’.

Once you have chosen a type, a form is created that you will need to fill in.

  • There are helper buttons to support you with context on how to address and document each field.
  • Keep the info high level – you are writing this for 2 reasons:
    • External audits and vendor assessments: inform external stakeholders what the purpose of the component is, and what security measures you have in place. External auditors can be invited to view this information in an observer role to prepare themselves for audits. You can download a PDF and use it during vendor assessments for external communication.
    • Internal stakeholders: inform (new) team members about the IT infrastructure.
  • Do not share your most confidential information.
  • You can add documents and graphics for better understanding.
  • Keep the language understandable for every stakeholder (including those without tech knowledge).

⇒ Once you’ve added and SAVED the X-ray component, you’ve already created and documented the first of 3 Tabs of the X-ray Component.


2. Every X-ray component is divided into 3 different tabs:

General Info – Interactions – Change and Impact

Per tab, we dive into the purpose and usability.

TAB 1 : General Info

See above content: Add a new X-ray Component.

TAB 2 : Interactions

Purpose: By connecting compliance documentation and activities to specific X-ray components, you will be better informed about the impact of changes through risk and opportunity assessments.

You’ll perform an ISRA annually – https://compleye.wiki/compleyeonline/isra/ . However, on a more regular basis (think of security meeting topics – https://compleye.wiki/compleyeonline/security-meetings/ ) you’ll make changes, and before you can make a decision you’ll need to have all relevant information available to make a proper impact analysis.

That’s why you can connect the following compliance activities and documentation to a component:

  • OPCs – recurring compliance activities
  • Improvements – one-time activities to mature your compliance framework
  • Policies & Procedures – documentation that needs to be reviewed on a yearly basis
  • Suppliers – organizations that deliver products or services

You can link them (OPC, Improvement, P&P, Supplier) to the X-ray component, or you can create a new one from this view. You can click on a card to be redirected to the specific item.

TAB 3: Change & Impact

Purpose: It’s mandatory to document changes, not only what you have changed, but also why, the impact, and implementation evidence.

Aside from that, you can use this tab to prepare for 2nd and 3rd audit visits by summarising for auditors what has been changed over the last year. Even better – if the auditor has access to Compleye Online as an observer user, they can read it and better prepare for the audit.

A standard topic during security meetings is checking whether changes have been made. Per X-ray component, you can use the information in the first 2 tabs (General Info and Interactions) to inform yourself what further impact the change will have on OPCs, Improvements, Policies & Procedures, and Suppliers.

In the Change Management Policy template (see the ‘Templates’ section for the document) you have documented how to implement a change, and we advise that you use a checklist for this by making use of the Checklists section: https://compleye.wiki/compleyeonline/checklists/ . You can already create a template for Change Management there.

Use the yellow top-right button ‘CREATE NEW CHANGE’ to add a change; a form will appear.

Steps to follow:

  1. Give the change a title.

  2. Determine the impact. You can make use of the General and Interactions tab to determine the impact on other compliance elements.

  3. Notes: add additional content if needed.

  4. Add a link to a checklist in Compleye Online or to any other environment (e.g., your own GitHub environment).

  5. Save the change.

After the change is saved, the owner of the X-ray component can review and approve the change at any time.

Field name | Description | Example
--- | --- | ---
Details | |
X-Ray Component | Free text for the name of the component | Customer Dashboard
Component image | Upload the image |
Owner | Responsible for the component | [Name from drop-down list]
Type of component | Select from drop-down menu: App / Web Portal / Server Environment / Office Network / API/SDK Environment / Other | App
General | Free text field – describe at a high level the application purpose, functions and/or intended use | [Describe purpose of the app]
Access management | Free text field – describe how the access management rights are organised and managed | All access management is documented on Confluence
Links to more information | Free text field – name of the source/link + upload a document – for any other relevant product description content or diagrams |
Security | Free text field – what are the security measures implemented? | Data encryption
Monitoring | Free text field – how do you monitor this component for quality, security and availability? Is there a standard report or dashboard in place? How do you monitor incidents? | Monitoring is performed by a collection of managed services by Amazon working in union (CloudWatch, CloudTrail, GuardDuty…). The following items are also monitored: RDS database critical metrics (CPU and storage)…
Configuration management | Free text field – describe and document how you manage the whole cycle of the security configuration for your technology to ensure a proper level of security and privacy. This includes the measures to prevent unauthorised access, configuration definition, implementation, monitoring, and review, taking into consideration technology, operational, and business processes. |
Information deletion | Free text field – describe the processes you have implemented for deleting data that is no longer required. Data deletion processes are required to avoid leakage of sensitive information and to enable compliance with privacy and other requirements. Information deletion covers deletion in your IT systems, on removable media and devices such as laptops and mobiles, and in cloud services. |
Data masking | Free text field – describe how data masking is implemented to protect sensitive data, especially personal data, where it is being used for testing, development, or other purposes where the original data is not needed. |
Data leakage prevention | Free text field – describe what measures or solutions you have in place to prevent and detect unauthorised disclosure of data from within your organisation to an external entity (for example, access controls, encryption, monitoring and detection tools, awareness training, etc.). |
Web filtering | Free text field – describe the filtering measures implemented to prevent access to websites that may pose a security risk. |
