TISLA manual

Although the TISLA tool is made as intuitive as possible, this is a short manual about how to use it.

First of all, TISLA is built in Excel and the main file, “00_Assessment__TISLA.xlsm”, contains VBA code, so you’ll have to allow macros when opening the file to make it work properly. You can however disable macros if you want to. The Excel file will still calculate all results correctly, but all automated functions like the assisted “Workflow” will no longer be available.


License and credits

The first tab of the Excel File contains the credits for people that contributed to the tool and a BSD license. Please read the license before using the tool. The use of the TISLA tool is free of charge, but you must meet the licensing terms.

  1. Credits for the creator and contributors to this tool
  2. The URL to this site
  3. The BSD license terms & conditions

About the tool

This section in the Excel file contains the same information as on this site under the “Introduction” menu.

Please note that there is a button there to load sample data into the import files. It is the same data that is in the tool when it is downloaded from the site. You can always recover and reload this sample data if you need to demonstrate the working of this app. The sample data is random and is not related to any real-life situation; it’s just for your convenience if you need some samples.


The main assessment results page

The “Scores” tab contains the central part of the tool. The results are presented here, together with several buttons that represent the workflow for using the tool. If you want the macros to be blocked for security reasons you can still use the tool. Calculation of the results does not depend on them, but you will lose all “automated” functionality.


The final result

Here you can find the final result and an interpretation of the residual risk in your technical security infrastructure. The risk is related to your company’s risk profile that you determined in the “Risk Profile” section.


The results section

This section is the part where all the results from all the main categories and technologies are summarised. You can see the assessment results as a starred rating for each technology, for each category and finally the overall result (previous paragraph).


Explanation of risk and associated colours

This section shows:

  • Your company’s Risk Profile as entered in the Risk tab.
  • Scored stars: these are actually the thresholds of the residual risk levels (in relation to your Risk Profile).
  • Residual Risk: indicator of risk as “low”, “moderate” or “high”.
  • Stoplight Indicator: the coloured circles presented at category and overall level.

The workflow buttons

If you follow these buttons top-down you’ll work through the entire file and towards the result.

  • The top button checks whether you have “real time collaboration” switched on in OneDrive. If so, Excel cannot resolve the local path and passes the paths to the files in a form that the Excel VBA code cannot handle. In that case you’ll have to specify the local path to the directory where your files reside in the red box with the “puzzle symbol” in order to have the tool work properly. The button will tell you whether this is necessary or not.
  • The next group of buttons enables you to reset (empty) all scores and all import files. Remember: you can always get the sample data back with the button in the “Introduction” tab. And, if you keep a backup of the import files, you can always reload your previous results.
  • At the start of the assessment you will always need to set / evaluate your company’s risk profile. This profile can be derived from formal risk assessments or you can use your own risk estimate.
  • After that you will be redirected to all the categories. You don’t have to fill them in in this file. You can distribute all the import files to the relevant subject matter experts, have them complete all the questions and then use the import button on the category pages to import these results.
  • Once you have completed all categories you will be able to see the overall result.
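The OneDrive check described in the first bullet, as an added VBA example that is not part of the TISLA workbook’s own code: when OneDrive real-time collaboration is on, Excel reports the workbook location as an https:// URL instead of a local folder, so the routine detects that case and falls back to the folder typed into the “puzzle symbol” box. The workbook name “LocalPath” for that box is an assumption.

```vba
' Added example, not TISLA's own code. Assumes the red "puzzle symbol" box
' is a cell with the workbook-level name "LocalPath" (hypothetical name).
Option Explicit

Public Function WorkbookIsCloudSynced() As Boolean
    ' With OneDrive/SharePoint real-time collaboration (AutoSave) enabled,
    ' ThisWorkbook.Path is a URL such as https://..., not a local folder.
    WorkbookIsCloudSynced = (LCase$(Left$(ThisWorkbook.Path, 8)) = "https://")
End Function

Public Function AssessmentFolder() As String
    ' Returns the local folder that holds the TISLA files.
    Dim userPath As String
    If Not WorkbookIsCloudSynced() Then
        AssessmentFolder = ThisWorkbook.Path
        Exit Function
    End If
    ' Cloud-synced: use the folder the user entered in the puzzle-symbol box.
    userPath = Trim$(CStr(ThisWorkbook.Names("LocalPath").RefersToRange.Value))
    If Len(userPath) = 0 Or Len(Dir$(userPath, vbDirectory)) = 0 Then
        Err.Raise vbObjectError + 513, "AssessmentFolder", _
            "OneDrive collaboration is on; enter the local folder of the TISLA files in the red box."
    End If
    AssessmentFolder = userPath
End Function

Public Function ImportFilePath(ByVal fileName As String) As String
    ' Full path of one import file, e.g. "01_Application_Security__TISLA.xlsx".
    Dim folder As String
    folder = AssessmentFolder()
    If Right$(folder, 1) <> Application.PathSeparator Then
        folder = folder & Application.PathSeparator
    End If
    ImportFilePath = folder & fileName
End Function
```

Calling `WorkbookIsCloudSynced` from the top button is enough to tell the user whether the local path must be entered; the import buttons can then open files via `ImportFilePath`.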

The information section

This part speaks for itself. We have built the tool in such a way that the results can be printed, exported to PDF or selected and copied into a presentation or other document. Please be aware that pasting the copy as a picture will give the best result in most cases.

This section is about the OneDrive real-time collaboration issue explained in the “Workflow buttons” section. Please enter the local path to the assessment files if clicking this button reports the OneDrive issue.


Risk Assessment

To get a risk indication related to your company’s risk profile, you’ll have to indicate your company’s risk profile here.

  1. Choose which risk model you want to use. It can be either ISO 2700X or the BIR/BIO, which applies only to the Dutch government.
  2. Section 1: ISO 2700X risk profile. If you chose ISO 2700X in the previous bullet you will have to set your risk profile here. (The BIR/BIO part will be disabled.)
  3. Section 2: BBN level (Dutch Government specific BIO framework). If you chose this in bullet 1 you will have to set your risk profile here. (The ISO 2700X part will be disabled.)

The categories tabs

Each of the six categories has its own tab. Each tab has several buttons, amongst which is the import button to import files completed by subject matter experts.

  1. Each category tab has multiple subcategories, one for each technology. In this case “1.1 Web Application Firewall (WAF)”.
  2. This is an example of the next subcategory: “1.2 Secure Software Development (SSD)”.
  3. Almost all questions are “Yes / No / Don’t know” questions. A very small part needs a percentage, like the top one in this example.
  4. At the bottom you will find all the main category tabs.
  5. At the top you’ll find several buttons to make life easier:
    1. “Go back to scores” will take you right back to the scores tab.
    2. “Reset answers” will reset all the answers on this tab to their defaults (i.e. “No” and/or “0%”).
    3. “Import Answers” will import answers from the import files that you had completed by your subject matter experts.
    4. “Reset Import file” will reset all the answers in the import file to their defaults (i.e. “No” and/or “0%”).

The relationship between all the files of this tool

The files of the TISLA tool are as follows.

The central TISLA file with all data, results and automation buttons is:

  • 00_Assessment__TISLA.xlsm

The following files are the questionnaires you can send to the subject matter experts:

  • 01_Application_Security__TISLA.xlsx
  • 02_Perimeter_Security__TISLA.xlsx
  • 03_Detection_Response__TISLA.xlsx
  • 04_Identity_Access_Privileges__TISLA.xlsx
  • 05_EndPoint_Protection__TISLA.xlsx
  • 06_Data_Security__TISLA.xlsx
  • 07_General_Technical_security__TISLA.xlsx

The above files can be imported by clicking the “Import Answers” button in the corresponding tab in the main file.