What is SeCube?
SeCube GRC is a security, risk, compliance, audit, and business continuity management software that can be modularly integrated in a single framework. Its purpose is to provide the integrated support of the security-related analysis, design, and maintenance processes in the company’s various divisions, thus creating a solution for the transparent and reportable management of security in the organization.
The SeCube GRC system, developed by Kürt Zrt., expressly supports the development and operation of the following activities:
- The development and maintenance of the company asset component and dependency operation model.
- Resources, services, data assets, and business processes needed for organizational operation, and a comprehensible structure defining their relation.
- Information security and business risk analysis and management with comprehensive business impact analysis (with confidentiality, integrity, and availability as separate factors for examination).
- Support for Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) and testing
- Assessment and monitoring of compliance with international standards and Hungarian legislation, and the cost-effective maintenance of compliance. Express use cases:
  - Laws on information security and vital systems and facilities
  - ISO standards (e.g. ISO27001)
- Risk-analysis and risk management, BCP and DRP planning as well as audit & compliance in one single system, thus providing real potential for the development and maintenance of risk-proportionate security.
- Support of investment decisions, resource and cost optimization.
- Contribution to the cooperation of several groups, making use of each other’s output in a unified and transparent way.
- Provision of up-to-date reports and plans
SeCube’s target users include IT operations, the parties responsible for security and business processes, and the experts and managers in the fields of internal control and compliance. SeCube is safely able to manage the security-related activities involving the entirety of users in various professional fields.
Structure of the SeCube framework
The software supports multitenant control:
- SeCube is a service provider framework. It allows the management of user access rights and supports the development of custom eligibility roles and the launching of projects as independent tenants and copies. Each project/tenant can handle one company (live, ad hoc, sandbox, training, subsidiary, etc.).
- Enabled modules provide functionality in the projects/tenants. Modules can be combined to cover the desired number of business use cases within a tenant, and the modules cooperate with each other.
- The third level can be used to perform work in functions within the individual modules.
- Validation testing between and among the functions (business logic checks) helps ensure the integrity and consistency of results, that data are correct, and that results remain consistent and current.
- Certain functions are in execution dependencies (workflow). The effects of data changes in other functions are reported, and functions can even be locked to ensure that data are intact and results can be traced back.
SeCube framework special capabilities
- Numerous tenants/projects can be launched in the SeCube framework as independent companies (e.g. subsidiaries or member companies).
- Functional modules can be launched in the tenants, in line with user requirements.
- Thanks to the multitenant environment, the software functionality can be used on more than one occasion in line with business goals. Privilege management naturally determines the possible means of access to a SeCube project.
- Possible use purposes:
  - Live, test, archive company tenants
  - Mapping parent company – subsidiary models
  - Two or more different organizational units want to use the software’s functionality with different purposes, independently of each other.
  - Ad-hoc one-off or project-type analyses (e.g. one-off risk analysis)
  - Training projects and sandboxes
Modular function structure
- Modules may even operate individually, yet at the same time they use each other’s output in a controlled and transparent way. The self-contained modular structure enables the use of a partial license configuration containing only the selected modules needed to meet current business needs, according to the current objectives of the client.
Controlled and consistent results
- Expansive validation and consistency testing based on business logic to ensure data are correct and up to date.
- Creation of a common language for business areas and internal service providers (e.g. IT). Reducing key-person dependency, common knowledge base.
Developed analytical abilities
- Risk analysis reports, BCP and DRP plans or compliance or audit reports are no longer one-off results. Instead, they should rather be considered as up-to-date reports ready to be generated with the press of a button, offering a streamlined maintenance solution.
- Visual incident simulation abilities, the mapping of sensitive and single points of failure (SPoF), analysis of the spread of threats between system components and their consequences and effects on business.
- Continuously updated know-how based on international recommendations (threats, protective measures, vulnerabilities, etc.)
Real customizability, adaptability
- Records customizable down to the field level as well as flexibly customizable methodological settings support adaptation to existing company practices and requirements.
- The flexible, even field-level configurability decreases dependency on the supplier.
- Currently supported languages: English and Hungarian
Logging and restoring
- Transaction-level logging capabilities
- Full restoration function support for all logged events.
- Security log in RFC Syslog and Windows Event log formats
Authentication, user, and permission management
- Possibility for Active Directory integration (authentication, user management, authorization)
- Two-factor authentication
- Customizable roles. Role, task, and responsibility-based privilege management. Assignable assessment and result maintenance tasks with email notifications.
- The software license does not limit the number of user accounts! It limits only the number of permitted concurrent users.
Extensive data import and/or export capabilities
- MS Excel interface, CMDB APIs, MS AD interface, Web API
- ETL: Extract – Transfer – Load module. Configurable and schedulable connection of data sources.
- Both Hungarian and English
- Online multitenant framework, supporting multiple subsidiaries and member companies
- MS IIS + SQL
- Multi-node load balancing online architecture
- Role and responsibility-based permission management
- Transaction-level application logging
- Security logs in Windows Event log format
- Active Directory integration
- E-mail integration
- Two-factor authentication
- CMDB integration
- MS Excel add-in interface (import/export)
Short version history of SeCube
- The first main version (~2011) was created by Kürt to support its own information security projects (Risk and BCM), which is why the software can be so highly customized.
- The purpose of the second main version (~2013) was to create a Risk and BCM dedicated software that can be delivered to customers.
- However, the objective with the third main version (~2015) was to develop an IT GRC software complete in terms of its functionality, concentrated on the continuous control of information security instead of one-off results.
- The aim of the fourth version (~2021) was to develop a complete, transparent, and reporting GRC software for company security with delegated tasks and responsibilities.