SecureIS provides both detailed operational reports and summary management charts to support the information system security process. This document contains a small subset of the reports available in the system. The following shows how SecureIS reports meet the information needs of security personnel and their managers.
Security personnel must determine which security solutions are needed to satisfy each security requirement. This decision requires an explanation (rationale). The security officer must explain why the security solution does or does not satisfy the requirement. This process is repeated for every security requirement attached to every information system component that has a security concern. An information system is secure when all information system components have been secured. The audit trail of security decisions provides the accountability and assigns the responsibility required by DCID 6/3. SecureIS produces reports that show the status of the security project, along with many others that can be used to manage the security effort.
How secure is your information system? The answer to that question is based on how well security solutions meet security requirements. This information is maintained in the SecureIS database. Graphically it would appear as follows.
Audit lists that show all the security requirements, their applicability and rationale, and the security solutions that satisfy the security requirements and their associated rationales will substantiate the information displayed above.
SecureIS provides a standard set of reports plus a facility for ad hoc report generation. It supplies a generalized report editor and print facility. All standard reports are placed into this facility, where they can be modified (by changing colors and fonts and by inserting images). The report editor and print facility also provides the capability to preview the report, add page breaks, and add report headers and footers. The reports can be printed or saved into the local file system. The ad hoc reporting system can also send its reports to this facility. The above display shows a report in the report editor and print facility window.
SecureIS organizes information relevant to the security process by a number of artifacts that stand for information system components and security solutions. The following user interface window shows the organizational structure used by the SecureIS system.
The tree structure on the left-hand side of the window grows as information is input into the system. The major tree nodes (Item Templates, Projects, Users, Grouped Items, Identical Items, Connections, Compliance Items, and Requirements) show how SecureIS compartmentalizes information into various artifacts. The forms at the bottom of the window allow for data entry and data display. The right-hand portion of the window displays tutorial information and various lists. Online help is available to describe system capabilities and how to perform the tasks required to implement security processes.
SecureIS provides facilities to import data into and export data from the SecureIS database. The import capability will minimize data entry requirements if the information system inventory is already defined in another database. Similarly, export of data from the SecureIS database can feed information to other applications.
A demonstration of the SecureIS system can be arranged by contacting George White via e-mail at