User Guide - CIAMM v5.3
Contents
1. Score 3: All of the important evidence (e.g. labelled as High) and the majority of the medium importance (Medium) and low importance (Low) evidence is available and is satisfactory. G. Weightings. The tool allows for weighting values to be applied to specific questions where this is appropriate. However, the default set provided may have all weightings set to 100. The weighting value will influence the question's score value where these vary within the applicable question set. To view the weighting associated with a question, select the Question Information button from the Question Navigation panel. [Screenshot: Question Navigation panel.] This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or infoleg@gchq.gsi.gov.uk. UNCLASSIFIED. H. Importance Ratings. Importance ratings are entered via the Evidence screen (i.e. see section C above). Evidence items associated with a question are allocated an importance rating of High, Medium or Low in order to help assess a score decision; however, these do not affect the tool's calculated score result. The ratings are provided for guidance only, and users may choose to apply different importance ratings as their business demands and make appropriate notes on the justifi
2. C. Evidence. Selecting the evidence View button (i.e. located in the area with the border labelled Evidence) will reveal another window listing the evidence items related to this question, including an Importance indicator. The Comments areas in this window allow the user to enter details of the evidence collected to support the assessment of this element. The below screen is in compare mode. [Screenshot: Evidence window in compare mode for the question "Effective IRM disciplines are woven into the fabric of the organisation in such a way that they are an integral part of normal business", showing two evidence items rated HIGH, each with a Comments area.] D. Answers. It is possible at any stage to save the work done so far and then return to it later. The Save Answers button will allow work done so far to be saved, and the Open Answers button will
3. This will cause the tool to act as new (e.g. as if it was just out of the box) when it is next restarted. Where errors persist, or if errors are encountered when using the tool, then please contact CESG enquiries through the following email address: enquiries@cesg.gsi.gov.uk. VI. USING THE TOOL. The first time the tool loads you will be presented with the tool's license, which you must accept to use the tool. The first time the tool is loaded it shall automatically load the Questions file (e.g. the supplied CIAMM.xml file) as long as it is present within the same directory as the jar file. Where this is not the case, the tool shall prompt the user to request the question file's location. A. Protective Marking. You should consult the Security Policy Framework (SPF) to ensure that an appropriate protective marking is applied. The appropriate marking can be selected from the drop-down menu at any time during use of the tool. (Initial default set in Properties, but only for a blank set.) The tool is configured to accommodate up to RESTRICTED where the platform on which it is running is appropriately accredited (e.g. a RESTRICTED laptop). In the event that the results of an
4. does exist (due to the manual placement indicated above), so the program then looks in what the Java Runtime Environment recognises as the user home location (i.e. a location that may be specific for your corporate installation of Windows and Java, which the Java Runtime Environment picks up when it is first executed, through the Java System class user.home property) to use as a location for the user-specific ciammConfig.properties file. Note: In fact the location chosen is the ciamm subdirectory of the user home location. As this is a first run, it should not find a ciammConfig.properties in that location and so it tries to create one. If this fails then case B below applies. Alternatively (i.e. non-B), as a ciammConfig.properties has been created in a location specific to that user (i.e. if it is not specific to only that user then again case B below applies), the IAMM Tool uses that ciammConfig.properties in the same way as it would have done had the installation been on a laptop. For information, when you have successfully run the IAMM Tool, if you use the Properties button on the IAMM Tool it will state the location of the ciammConfig.properties that the program is using. B. For the second case, ignoring the user guide, the B type of corporate (i.e. non-laptop) release location would also have three files: CIAMM_v5_3.jar, CIAMM.xml, ciammConfig.properties (e.g. with the MS Windows Read-only prope
5. ignoring the user guide, there would be two files placed in the same directory, possibly write-enabled (e.g. not made Read-only). The files in that directory would be: CIAMM_v5_3.jar, CIAMM.xml. On the first run of the CIAMM_v5_3.jar file two further files would be created, and these would be located in the same directory. These four files in the initial directory would then be: CIAMM_v5_3.jar, CIAMM.xml, ciammConfig.properties, application.log. The application.log file is used by the IAMM Tool's logging facility (i.e. mentioned in the main text). The ciammConfig.properties file stores program and user-specific information. Hence, in a corporate environment, if each user doesn't effectively have their own personal write-enabled directory to use, then the parameters that a user saves will either be lost (e.g. where the ciammConfig.properties file is Read-only) or overwritten (e.g. where other users can save their changes to the same ciammConfig.properties file). To signal to the IAMM Tool that you wish it to deal with the ciammConfig.properties file differently (i.e. your corporate environment needs the installation to do this to make the IAMM Tool save user configuration information appropriately), you make the ciammConfig.properties file Read-only (i.e. in MS Windows you use the file properties to set the MS Windows Read-only property). Having the ciammConfig.properties file as Read
6. [Screenshot: CIAMM Application v5.2 main screen, showing the Overall Classification and Question Classification (both UNCLASSIFIED), the Category and Section selections (Leadership & Governance; Board Responsibilities, Governance Structure and IA Strategy and Programme), the question "The Main Board recognises the need to put in place effective IA measures throughout the organisation and its delivery chains to ensure the availability, integrity and confidentiality of the organisation's information", the Organisation, Delivery Partners and Third Parties scoring panels, the Evidence and Comments areas, Associated MetaTags, and the Question Navigation, Change Questions, Open Answers, Save Answers, Manage Answers, Review, Score, Properties and Quit buttons.] The navigation tree offers a dynamic interface to select which question is displayed, as can be seen below. [Screenshot: Navigation Tree window.]
7. [Screenshot: CIAMM Application v5.2 main screen in compare mode, for the question "Effective IRM disciplines are woven into the fabric of the organisation in such a way that they are an integral part of normal business". The Comments area of the screenshot reads as follows.] This example shows the various colours when three files are compared. To the left, the Organisation panel is shown in green, as the assessments from all three files were the same. To the left, the Delivery Partners panel is shown in amber, as only some assessments were the same. In this case the second file had the same assessment of 2, whilst the third file had a different assessment of 3. To the left, the Third Parties panel is shown in red, as no assessments from the three files were the same. Q. Hyperlinks in Comments. In certain Comments areas (e.g. on the main application screen and the Evidence s
8. allow previously saved answers to be loaded. The Manage Answers button allows you to export selected answers, import selected answers, compare the results from different answer files, and also to reset the answer scores (e.g. all achievement measures set to 0). It is possible to use this functionality to allocate different people to the completion of different sections/categories, and then for a central authority to import each of these completed sections in turn into an organisational-level version of the Tool. The Review button allows data to be exported to Excel. If possible, use the Excel 97-07 (.xls) format, as some systems may need to try to repair records when using the Excel 07 (.xlsx) format. E. Target Profile. The business will need to determine to what extent it intends to use the IAMM and this assessment tool to improve its IA profile. This is entirely a business decision on the part of the organisation, which can be guided by GPG28 (i.e. Improving Information Assurance at the Enterprise Level). To set the required target profile for achievement of IA Maturity levels, select the Properties button in the tool and locate the Target Profile box. In this are
9. assessment would exceed the RESTRICTED level, then this tool is not designed to record the higher classified elements. Please also note that, when planning a CESG Supported Self Assessment, any CESG laptop is likely to be accredited to carry information up to RESTRICTED only. If there is an expectation that the protective marking of the completed Work Book will exceed RESTRICTED, then this should be notified to CESG at the planning meeting so that appropriate discussions and arrangements can take place in advance of the workshop assessment. The tool displays two classification values: the question classification and the overall classification. The question classification pertains to the classification of the answer that is specifically being viewed at that time. The overall classification pertains to the aggregation of the classification of all of the answers together. This overall classification value will be at the highest answer classification held in the tool, and it will also include a listing of descriptors for all of the answers, e.g. Overall Classification: PROTECT PERSONAL; Question Classification: UNCLASSIFIED. B. Navigating through the Tool. The tool allows question navigation through three mechanisms. These are through the drop-down lists at the top of the display, or through the arrows at the bottom of the display, or through the navigation tree available via the icon below the left arrow navigation icon.
10. maturity levels cannot be greater than that already achieved at a lower level. Therefore you will find higher scores at higher maturity levels greyed out and unavailable as appropriate. If a justifiable risk-based decision has been made that a particular requirement is not applicable, then N/A can be selected where appropriate. The organisation must then record the justification for this selection in the Comment box. When N/A is selected, higher maturity level scores for that particular requirement will not be available. Changes to the scoring can be made later (e.g. during a CESG supported Assessment Workshop, if applicable). A brief outline of each achievement measure score's applicable conditions is given in the following table:
    N/A: A formal decision has been taken by the organisation that the required measure is not applicable in the context of managing information risk.
    0: Hardly any of the important (e.g. labelled as High), medium importance (Medium) or low importance (Low) evidence is available, and that which is provided is not satisfactory.
    1: Only some of the important evidence (e.g. labelled as High) and hardly any of the medium importance (Medium) evidence and low importance (Low) evidence is available and is satisfactory.
    2: The majority of the important evidence (e.g. labelled as High) and some of the medium importance (Medium) and low importance (Low) evidence is available and is satisfactory.
11. only allows the IAMM Tool to behave in the following ways, depending on which is appropriate for your corporate environment. These are defined as A and B below, with B being a subsequent option where A is unsuitable. Installation type A applies if you must install on the corporate environment in a way that is write-protected or in a way that does not isolate each user's utilisation of their IAMM Tool directory (i.e. type A does not cover the case where multiple users would overwrite the same ciammConfig.properties file). A. For the first case, ignoring the user guide, a corporate (i.e. non-laptop) release location would have three files: CIAMM_v5_3.jar, CIAMM.xml, ciammConfig.properties (e.g. with the MS Windows Read-only property set). Note: In this case the ciammConfig.properties file would have previously been created by running the CIAMM_v5_3.jar program on a suitable environment (e.g. a laptop), and then this ciammConfig.properties file would be transferred to the corporate environment prior to it being made Read-only. On the first run of the CIAMM_v5_3.jar the program would see that a Read-only version of the ciammConfig.properties
12. that for the tool to use this default once this value is changed, you would have to Quit and restart the tool or use the Work with Blank AnswerSet button (available via the Manage Answers button). It should be noted that if an answer already exists in the answer set then the value of the default has no impact, i.e. it will not change an existing answer set's classification. This tool does not currently support the new classification policy, as it was created before this was finalised. However, on the Properties screen there is the facility to choose the new classification policy caveats, but these were the draft list before final approval and so may not be consistent with the final approved classification caveats. M. Save Confirmation. For those advanced users who do not like seeing the Save file location choice screen when pressing the Save button, there is an option to bypass this safety feature. From the Properties screen (accessible via the Properties button), to turn off this safety feature enter a tick mark against the Save confirmation section. Only use this feature if you are sure you will not overwrite a wanted file. Save confirmation: Ch
13. 11 April 2013. CESG IA MATURITY MODEL (CIAMM) ASSESSMENT TOOL V5 INSTRUCTIONS. Version 1.2. © CESG Crown Copyright 2013. All Rights Reserved. CONTENTS: I. GUIDANCE; II. DOWNLOADING THE TOOL; III. SETTING UP THE TOOL; IV. RUNNING THE TOOL; V. DEALING WITH ERRORS; VI. USING THE TOOL: A. Protective Marking; B. Navigating through the Tool; C. Evidence; D. Answers; E. Target Profile; F. Scoring; G. Weightings; H. Importan
14. a values may be entered for the current year's target scores and a future score (by default this is 5 years ahead). These values will then be displayed when the score graph is generated. [Screenshot: Target Profile box on the Properties screen, with the instruction "Enter a value of 1 to 5 against each IAMM category" and 2013 and 2018 target columns for Leadership & Governance; Training, Education & Awareness; Information Risk Management; Through Life IA Measures; Assured Information Sharing; Compliance.] F. Scoring. Working through the tool, the Team should assess which of the four scoring descriptions (i.e. the achievement measures) best describes how far the organisation has progressed in meeting the requirement. Record your score (e.g. 0 to 3) by selecting the appropriate radio button. Please note that, because the IA Maturity Model is designed to be cumulative, the assessment at higher
15. [Screenshot: Navigation Tree window listing the questions under Leadership & Governance, in the sections "Board Responsibilities, Governance Structure and IA Strategy and Programme" and "Gaining the Public's Trust", with one question selected.]
16. cation for the change in the evidence box. As can be seen above (i.e. see section F above), a score is designed to reflect the amount of satisfactory evidence that is available at each of the High, Medium or Low importance ratings. In some cases, for example, there may not be any High importance evidence requirements listed in the IAMM Tool, and a common-sense approach to interpreting a score is required. For example, assume all evidence is listed as Medium, as there are no High or Low importance items against a particular question. Where 4 out of 5 pieces of evidence are available and satisfactory, a score of 3 would be appropriate. Had only 3 out of the 5 pieces of evidence been available and satisfactory, a score of 2 would be appropriate. Alternatively, had only 2 of the pieces of evidence been available and satisfactory, a score of 1 would be appropriate. There are no hard and fast rules here, but a pragmatic approach is recommended. I. MetaTags. Version 5.2 and previous 5-series versions of the tool include a MetaTag association with each question. A MetaTag represents an association for a question, e.g. a question that is associated with Cyber may hold the MetaTag "Cyber Business Critical". All of the MetaTags associated with a particular question are displayed within the main screen section labelled Associated MetaTags. [Screenshot: Associated MetaTags section showing "Cyber Business Critical".]
17. cation not normally used by the tool (e.g. if you wish to retain any specific logging information). [Screenshot: Log section of the Properties screen, with the text and options that follow.] Please choose the level at which the tool should log to. The higher the logging level, the more that will be logged. Please note that the tool will run more slowly the higher the logging level. Any changes made will come into effect the next time the tool loads. Levels: 1 ERROR: Only log errors; 2 WARN: Log errors and warnings; 3 INFO: Log errors, warnings and informative remarks; 4 DEBUG: Log debug information; 5 TRACE: Log very detailed debug information (SLOW). O. Maturity Model Measurement (MMM) Threshold. This threshold governs when a maturity model level is reached. The default is 95% of the questions are completed in a level and each of these questions was rated at either an assessment level of 2 or 3. [Screenshot: MMM Threshold setting on the Properties screen: "Please choose a value for the MMM threshold; by default this should be 95%."] When using the Score button, if you wish to see what your score is related to incomplete levels (e.g. to monitor progress), then set the MMM Threshold to 0 in the Properties screen. You will then see all
18. ce Ratings; I. MetaTags; J. Filter; K. Assessment Results; L. Classification Settings; M. Save Confirmation; N. Logging Mode; O. Maturity Model Measurement (MMM) Threshold; P. Manage Answers; Q. Hyperlinks in Comments; R. Advanced Features; VII. FURTHER HELP; VIII. ANNEX A. I. GUIDANCE. The assessment team charged with completing a Cabinet Office Sec
19. creen) it can be possible to link to other files, e.g. local or networked or intranet locations (i.e. should an intranet location be served from where the IAMM Tool is executing). However, if the below doesn't work then your installation environment may not support these file or intranet options. Where your installation environment does support this option, you need to write some meaningful text for the link in the Comments area, e.g. TestLink. Then highlight this text and use the button labelled "Ab" either above or to the right of the Comments area. You will be shown an input screen which prompts you to "Enter a URL". Valid URLs for files could be of the following type (Note: within the IAMM Tool the link is accessed by using the Ctrl key and a left mouse click simultaneously): file:///H:/TestLink.txt, where H is the drive location and the file is called TestLink.txt; file:///H:/subdirectory/TestLink.txt, as above but with the file in a subdirectory. Those without similar access to your local or externally accessible web server won't be able to find the information via the following type of link (e.g. if you pass the answer file to another IAMM Tool installation). However, where you have a link to a web server (e.g. via your intranet), a valid URL could be of the following http type: http://www.yourdomain/yourpage.html
20. directory (i.e. create this sub-directory if it doesn't exist) of the user home directory. ciammConfig.properties (e.g. with the MS Windows Read-only property set). Thus the IAMM Tool notices the Read-only file and so the program asks for a new location, possibly starting the search for a suitable location by opening at the known Java user home directory. The user then manually directs the file search to the location that the user wishes to use. Note: The user may have to prepare a suitable location in advance, and hence the local user instructions may give guidance on this (i.e. if the local area has produced these). In this manually entered location a writable ciammConfig.properties is searched for. If the writable ciammConfig.properties file exists in this chosen location then it is used. If an application.log file exists in that chosen location then it is also used. However, if neither exists, the following two files are created in the chosen location: ciammConfig.properties, application.log. If they can't be created then the program should go back to the window that allows the choice of an alternate file location. As a ciammConfig.properties has been found or created in a location specified by that user, the IAMM Tool uses that ciammConfig.properties in the same way as it would have done had the installation been on a laptop. However, in relation to type B, there is no way fo
21. ecking this option will stop all save confirmation boxes from appearing, thus immediately overwriting a pre-existing file. This is not recommended. It is good practice to keep copies of the answer set file in a suitably backed-up location that is not usually accessed by the normal use of the tool. Thus, if a working answer set file gets accidentally damaged, the amount of lost work could be minimised. N. Logging Mode. The tool is provided with a logging facility. This may help to identify problems with the tool should these occur. To understand the log file is quite an advanced feature, and using the logging is thus unlikely during normal use of the tool. However, CESG may request a copy of the log file if this could aid the resolution of a reported problem (e.g. you don't need to send the log file when you experience a problem unless CESG requests it). The default logging mode is 3 (INFO), but you can set it to a level appropriate for your activities. For example, when trying to identify a specific issue the tool may be set to mode 4 or mode 5. Do not set these modes unless there is good cause, as the tool will probably be slow and the logging file (i.e. file application.log) will fill up. The logging utility will continue to use the logging file even if it has been filled up (e.g. by overwriting earlier entries). Thus leaving logging on at a higher numbered mode may need the storing away of copies of the application.log file in a lo
22. (i.e. available through the tabs labelled as Table and Graph). First, in the Graph tab view, they are presented in graphical form against the organisation's target profile (i.e. those values that were provided at the start of the assessment process). Second, in the Table tab view, they are presented in full detail on an additional table. On this screen you can select whether the Maturity Model Measurement (MMM) level, the current target level (e.g. shown as 2013 below) and the future target level (e.g. shown as 2018 below) are displayed. The MMM level is also set via the Properties button; see section O below, which describes how to use the MMM threshold to allow you to see the score in incomplete levels (e.g. to aid progress monitoring). [Screenshot: "IA Maturity Model Self Assessment Summary" graph: Maturity Index (Level 1 to Level 5) plotted against the IA Maturity Model Domains (Leadership & Governance; Training, Education & Awareness; Information Risk Management; Through Life IA Measures; Assured Information Sharing; Compliance), with the year 2013 and year 2018 target levels and the MMM Threshold, and the options Show Target Levels For 2013, Show Target Levels For 2018, Show MMM Threshold, Save Graph to File and Close.]
23. it is necessary to first install and configure the latest Java Runtime Environment (JRE). Instructions for doing this are available from www.java.com. CESG do not provide advice or guidance on this process. For those who have not moved to the latest version of Java (e.g. for commercial and risk-assessed purposes), the IAMM Tool should run on Java version 1.5 and later. If Java is set up in your environment correctly, you should be able to find the installed version by typing the following at a command prompt: java -version. IV. RUNNING THE TOOL. To run the tool, double-click on the jar file, or alternatively the tool can be started from the command prompt by navigating to the directory where the jar is located and entering (e.g. for CIAMM_v5_3.jar): java -jar CIAMM_v5_3.jar. Note: Running the tool from the command line in DEBUG or TRACE mode will also allow the provision of a command line feed of information. V. DEALING WITH ERRORS. Should the tool fail to launch for any reason, then please first ensure that the JRE is configured correctly. If the tool can launch but it fails on loading, then try removing any previously generated properties file (ciammConfig.properties).
24. R. Advanced Features. Some features are usually hidden and are only to be used by those who know how to operate the tool in an advanced mode. For example, the advanced mode allows you to edit the question file (i.e. not just the answer file). However, unless you have studied this as a separate exercise (i.e. this is not currently part of the normal use of the IAMM Tool within government bodies), you may have to request consultancy to use these features correctly. Without such consultancy you may damage your CIAMM.xml file, and you may then need to reinstall the IAMM Tool (e.g. restoring the release version of the CIAMM.xml file). To be able to see the advanced options, you need to manually edit the ciammConfig.properties file and set the ciamm.advanced property to true. When the IAMM Tool is next run, the ciammConfig.properties file would be read and it would then show the "Advanced >>" button when on the Properties screen, as this ciammConfig.properties file would then contain the line: ciamm.advanced=true. The extra options displayed when using the Properties screen "Advanced >>" button allow various parameters to be changed (e.g. the classification label text) and to switch the tool back a
25. nd forth from the answerer and editor mode indicated above. VII FURTHER HELP. For Technical Help on any aspect of the IA Maturity Model itself, the IAMM assessment Tool, the Supported Self Assessment service or any other CESG assessment service, then please contact CESG enquiries in the first instance: enquiries@cesg.gsi.gov.uk. For Advice on any aspect of the SRMO requirement, then please contact GSS in the first instance: annualreport@cabinet-office.x.gsi.gov.uk. VIII ANNEX A. The IAMM Tool is only supported for use on a laptop. However, some government bodies deploy the IAMM Tool onto their corporate environment after appropriate risk assessment by that body. This annex describes some features in the IAMM Tool that may assist deployment. This is an advanced feature and, considering that the government body has made the decision to install the IAMM Tool on their corporate environment, it is assumed that they will apply the appropriate skilled IT resources to understand and hence to try the aspects described here. However, there is no guarantee that in a specific corporate environment the following will necessarily work. As background, when distributed on a laptop
26. J Filter. Turning on the filter allows you to choose to display only selected questions and hide the rest. To enable the filter, select the filter icon from the Question Navigation Panel. [Screenshot: Question Navigation panel] The filter display allows questions to be filtered by their level, score or associated MetaTags. [Screenshot: Filter dialog. When activated, the filter will hide questions, showing only those that meet the specified criteria. Options: Filter by Question's Level (Level 1 to Level 5), Filter by Question's Scores, Filter by Question's MetaTags (Cyber Supporting, Modified In GPG40 v2, Cyber Peripheral, New In GPG40 V2, Cyber Business Critical). Buttons: Select All, Select None, OK, Cancel.] K Assessment Results. The results derived from the completion of the IAMM Tool can be viewed by hitting the Score button, and the results are presented in two forms
27. r the IAMM Tool program to know about this location from an accessible ciammConfig.properties file, due to the Read-only properties set on the corporate environment distribution. Hence every time the user runs the IAMM Tool, the user may need to remember where the ciammConfig.properties and the application log file were stored. However, if your local environment allows, you may be able to manually set the user home when starting the IAMM Tool, e.g. from the command line. Unfortunately you must first go to the appropriate drive (e.g. D:) and then the appropriate directory (e.g. Writable location) before invoking the following type of command. Note: this assumes that the path has been set up to find the javaw program. javaw -Duser.home=D:\Writable location -jar D:\IAMM Tool Location\CIAMM v5.3.jar. Note: In this case the ciammConfig.properties file would then be located in D:\Writable location\ciamm (sub-directory of D:\Writable location). Obviously you would change the drive and the writable location to those that would be specific for your local user's use.
28. rty set. Note: Also in this case the ciammConfig.properties file would have previously been created by running the CIAMM v5.3.jar program on a suitable environment (e.g. a laptop), and then this ciammConfig.properties file would be transferred to the corporate environment prior to it being made Read-only. The difference from case A above is that the Java Runtime Environment location known as the user home directory (i.e. a location that may be specific for your corporate installation of Windows and Java, which the Java Runtime Environment picks up when it is first executed, through the Java System class user.home property) is not suitable to be used by each individual user for some local corporate deployment reason. The reason could be that this location has been made Read-only in your corporate environment, or that every user is directed to use the same location and hence multiple users would overwrite the same ciammConfig.properties file in that location. To signal to the IAMM tool that it should not use the Java Runtime Environment location known as the user home directory, the following Read-only file must be placed in the ciamm sub
29. [Screenshot: results table with rows for Dev Partners, Organisation and Third Parties. Buttons: Save Table as Image, Save Table to Excel, Close.] L Classification Settings. To aid the entry of the bulk of the Classification defaults, you can set the default classification to be used on items that have not yet been answered. To access this feature, press the Properties button and use the dropdown choices as appropriate. [Screenshot: Classification Settings dialog] Please select the default Classification for answers. This will apply to all newly created questions and will not affect those that already exist. [dropdown: UNCLASSIFIED] Please select whether you wish to use the new classification scheme: Use new scheme. Please note
30. urity Risk Management Overview (SRMO), potentially as the means to form part of the annual Governance Statement, must read the appropriate guidance available from the Government Security Secretariat, e.g. annualreport@cabinet-office.x.gsi.gov.uk. When using the IAMM as a basis for the SRMO return, this can be assisted by a previously produced supported self-assessment guide which was available as a download from the CESG Internet website www.cesg.gov.uk. The SPF states the mandatory aspects for Departments and Agencies and, where appropriate, the extension of these aspects to organisations working on behalf of HMG Government. The SRMO applies to various organisations, and the Government Security Secretariat guidance on the SRMO provides more details. III DOWNLOADING THE TOOL. The tool can be downloaded from the CESG Internet website www.cesg.gov.uk. It comes in the form of a zip file that comprises two sub-files: a java executable jar file and the question set xml file. It is assumed that assessment teams or their Software Asset Management (SMA) team will download the Tool and load it to a standalone (e.g. not connected to a network) laptop for use. III SETTING UP THE TOOL. To avoid confusion it is advised to keep the tool in a directory of its own, for example C:\CIAMM. Both files should be kept within the same directory, i.e. the executable jar and the question set XML file. In order to run a jar file
31. your scores in the Graph tab view. Once complete, reset the MMM Threshold to 95. P Manage Answers. You can compare up to 4 other answer sets with the currently loaded answer set, and the tool is in compare mode when this occurs. This is done via the Manage Answers button. For example, when 2 other answer sets are loaded the Answer Manager screen can look like the below. [Screenshot: Answer Manager. Loaded Answer Set ID: ASET11550266290. Buttons: Export Selected Answers, Import and Compare AnswerSet.] Please note that the colours for the additional answer sets (e.g. comments, evidence and even the comparative score pointers) can be set using the Pallet button to the right of the Remove button, i.e. can be set for each answer set. In summary, in the button options against each answer set you can then Merge, Remove or change the colour of the icons representing that answer set in the main IAMM Tool screen, e.g. a small triangle indicating the score against that question for the comparative answer set. In the above Answer Manager screen the colour of the first comparative set was set to blue and the second was set to pink. The overlay colours on the scores indicate all (GREEN), some (AMBER) or none (RED) matching