RiskWatch for Information Systems™ is the most accurate, comprehensive way to conduct governance, compliance and risk assessments based on international standards including ISO 17799, ISO 27001, COBIT 4.0 and Sarbanes Oxley (SOX). The RiskWatch for Information Systems™ software includes a simple web-based questionnaire application. This can also be used on an internal server, or hosted, to facilitate the gathering of responses from management and IT system users. Respondents simply answer the questions, and their answers are imported for analysis. Combined with a full threat assessment, control analysis and patented algorithms. RiskWatch automatically analyzes all data, and creates management reports detailing compliance vs. non-compliance, backed up with a complete set of working papers. Return on Investment is calculated for each safeguard and a Case Summary Report is generated to show Compliance vs. Non-Compliance, Protection Levels, Annual Loss Expectancy Data by Asset Category, Threat or Loss Impact Category. The report demonstrates which security measures are most effective for your organization, and which ones give you the most bang for your buck. It can be installed on your desktop PC or network server and it eliminates 50%-70% of the work of doing a manual risk analysis. It includes an Asset Configuration Tool, based on a standard capital expenditures allocation, so that you can instantly populate asset information fields. Default data on threat frequencies, and the cost of applicable safeguards (controls) is included. Here\'s What a Major Software Analyst Firm had to Say: "RiskWatch is set apart by its focus on risk analysis for security management, its extensive knowledge base for all areas of security, its ability to handle large volumes of information, and the volume and flexibility of its customizable features. RiskWatch not only calculates risks through standards and universally accepted methodologies and technologies, but it also builds and provisions intelligent structures of enterprise policies, and regulatory and industry compliance for ongoing assessments and audits."

1. Software for Enterprise Risk Assessment RiskWatch ® Annapolis, Maryland

10. RISKWATCH ® Risk Assessment Process Automated Survey Management Process Management Data Aggregation & Analysis Content (Rules & Data) Risk Analysis Customization Reporting Respondents Analyst

11. RiskWatch Clients

14. RiskWatch Adds Business Continuity & Disaster Recovery Planning Integrating Risk and Recovery

16. Progress at a Glance – Tracks the Case

17. ELEMENTS OF A METRICS-BASED RISK ASSESSMENT APPROACH ASSETS THREATS VULNERABILITIES LOSSES SAFEGUARDS

19. Use Inventory Information or Asset Configuration Tool based on Standard Capital Expenditures Allocation Tables

21. THREAT TABLE IS FULLY CUSTOMIZABLE BY THE USER BASED ON INCIDENT DATA OR PEN TEST DATA

22. INCLUDES ALL RELEVANT VULNERABILITY AREAS

24. YOU CAN SELECT QUESTIONS THAT MAP EXACTLY TO THE ISO-17799 STANDARD OR ANY OTHER STANDARD

25. Each question uses actual security regulations as control standards and is linked to appropriate Functional Areas

27. Respondents Can Answer Questions over the Web or from an Internal Server with full ASP functionality

28. Respondents answer questions based on their job categories -- most surveys have 50-100 questions

29. Blue shading shows which questions have already been answered.

32. INCLUDES ALL RELEVANT IT CONTROL CATEGORIES

33. EACH POTENTIAL SAFEGUARD INCLUDES DEFAULT VALUES FOR COST, MAINTENANCE AND LIFE CYCLE

34. Data Aggregation & Analysis Financial Data Software Automatically Analyses Over 3 Million Linking Relationships Risk = Asset  Loss  Threat  Vulnerability Loss Delays & Denials Fines Disclosure Modification Direct Loss Asset Applications Database Financial Data Hardware System Software Threat Disclosure Hackers Fraud Viruses Network Attack Loss of Data Embezzlement Vulnerability Acceptable Use Disaster Recovery Authentication Network Controls No Security Plan Accountability Privacy Access Control Fines Disclosure Modification Fraud Loss of Data Acceptable Use Authentication Privacy Access Control

36. The Case Summary Report is a Word Document and is Pre-Written as a Management Report

37. EASY TO UNDERSTAND GRAPHS ILLUSTRATE OVERALL COMPLIANCE VS. NON-COMPLIANCE AGAINST A PUBLISHED OR INTERNAL STANDARD

38. Vulnerability Distribution Report Shows Percentage of Compliance by Requirement

39. Accompanying Spreadsheet Gives Complete Information about Answer Details Lists actual number of answers who indicated compliance or non-compliance.

40. Track Compliance by Role or by Name

41. Graphs and Spreadsheets also Detail Compliance by Standard

42. Reports Detail Asset Values for the Information Systems

43. ALE (Annual Loss Expectancy) reports include complete audit trails and powerful analysis tools to automatically analyze potential losses. Annual Loss Expectancy by Type of Loss

44. SAFEGUARD REPORT -- LISTS TOP TEN RECOMMENDED CONTROLS BY RETURN ON INVESTMENT

45. Return On Investment Graphs Link to Detailed Spreadsheets

46. Justifies the Security Budget by Demonstrating Cumulative Loss Reduction by Combinations of Controls

48. RiskWatch, Inc. [email_address] Caroline Hamilton 410-224-4773 x105 www.riskwatch.com