Project Description

KRM developed the ENTISAS© (Enterprise Information Security Assessment System) program for the DoD (Department of Defense) TMA (TRICARE Management Activity). The program was delivered on May 31, 2007. ENTISAS© is an enterprise-wide information security repository for analyzing security risks, threats and vulnerabilities, as well as mitigation plans, protection profiles and other information security elements, across multiple organizations and organizational elements.

Based on the Risk Database system originally developed for the OCTAVE℠ (Operationally Critical Threat, Asset, and Vulnerability Evaluation℠) method, which originated at Carnegie Mellon University, KRM has also developed a web-enabled front end and enhanced security for the ENTISAS© repository. Additionally, KRM has modified the product to accept data feeds from various vulnerability scanning systems.

ENTISAS diagram 2

Built on Oracle, and using ColdFusion for data analysis, graphing and reporting, ENTISAS© combines inputs from multiple risk assessments, which can be performed with various collection tools or entered directly into ENTISAS©.

  • Common threat and vulnerability analysis and reduction in duplication.
  • Common asset identification and reduction in inconsistent risk mitigation plans.
  • Establishing a baseline for current security practices.
  • Analysis of mitigation plans and protection strategies across organizations.
  • Comparison of action items and the possibility of sharing lessons learned among facilities.
  • Central location for tracking risk assessment performance across the organization, encouraging completion and providing guidance and support.
  • Data analysis can lead to improvements in the catalog of good practices.
  • Possibility of tailoring the catalog of good practices for specific applications based on comprehensive data (e.g. HIPAA).
  • A central risk database can improve data analysis by supplementing the data collection tool with additional tables for analysis (e.g. asset class).
  • Standardization of fields and concepts within the data repository will lead to more consistent security practices.
  • The data repository will encourage assessment completion by the various facilities as a requisite for sharing data.
  • Historical storage of risk assessment data can streamline the performance of future risk assessments.


The ENTISAS©-Tailored option streamlines the risk assessment process for smaller organizations and shorter timelines. ENTISAS©-Tailored is an OCTAVE℠-consistent approach tailored specifically to address the unique needs of information security teams conducting risk assessments at healthcare facilities.


  • A step-by-step input process
      ◦ Some data elements are pre-populated for convenience
      ◦ All fields may be customized
  • Flexible input options
      ◦ Accepts existing data from a variety of sources
  • Modular design
      ◦ Only do what you need to do
  • Dynamic interface
      ◦ Responds to previous inputs when offering path options
      ◦ Doesn’t allow you to overlook critical issues
  • Integral review/release cycle
      ◦ Inputs validated for completeness and accuracy prior to being added to the database
  • Web-enabled architecture
      ◦ Minimal footprint on the local system
      ◦ Secure server storage of collected data


  • Self-directed by the organizational team members.
  • Multiple levels of ownership – senior managers, operational managers and IT team members.
  • Builds a community of long-term, on-site expertise.
  • Builds consensus, even across different organizational and disciplinary perspectives.
  • Focuses attention on risk resulting from current business processes.
  • The application serves as the baseline for comparison in business process change management.
  • Re-usable, repeatable process backed by a secure database.
  • Provides the organizational risk assessment that is part of compliance with many legislative mandates.

DITSCAP (DoD Information Technology Security Certification and Accreditation Process) certified