Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

A presentation I did for Metricon 5, trying to build a bridge between public policy and security metrics.

If you would like us to speak for your event or group, please ask. If you would like to learn more and to keep up-to-date on groundbreaking Government security news, subscribe to the guerilla-ciso blog feed. Presentation released under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License. More information available at http://creativecommons.org/licenses/by-nc-sa/3.0/

Slide 1: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks
  • Michael Smith
  • Metricon 5.0, 08/10/2010
Slide 2: Laws, Sausages, and Frameworks?
  • Top-down: regulation -> policy -> procedures -> technical
  • Organic growth: tech -> architecture -> policy
  • Throw in the kitchen sink, build a checklist, rinse, repeat
  • Lessons learned: Company X got pwned, so you have to pay for their crimes
  • Years of analysis: extended PhD thesis
  • The Gray-Hair approach: I know better than you
Slide 3: The Part Where Mike Gets Meta
  • “The nature of all security frameworks is to devolve into a checklist” -- Rybolov
  • All frameworks suck, the one you’re using sucks the worst
  • Management by inclusion vs. exclusion
  • Build a rational way to judge frameworks
Slides 4-7: Framework Scorecard (the criteria are revealed one column per slide; slide 7 shows the complete scorecard)
  • Cost ($ to $$$$$), considered for Small, Medium, and Large Organizations
  • Efficacy: Tactical/Technical, Patch and Vulnerability
  • Completeness: Sustainable Program
  • ?Robustness?: Shelfware-Resistance, Low-Maintenance, Atomicity vs. Dependence
Slides 8-10: SWAG Reactions (the scorecard applied to three frameworks)

ISO 27002
  • Cost: $$, reasonably large organizations
  • Efficacy: Some guidelines
  • Completeness: Reasonably complete
  • Robustness: OK robust, some audit burden and rework

PCI-DSS
  • Cost: Relatively small
  • Efficacy: Mostly tactical
  • Completeness: Bollocks for sustainable; has “Policy”
  • Robustness: As a function of small size

NIST RMF
  • Cost: Much cost
  • Efficacy: Prescribed but not the focus, due to abstraction
  • Completeness: The Whole Hawg of Completeness
  • Robustness: Horribly fragile; this adds significantly to the cost
Slide 11: Uses
  • Conscious design of security, compliance, regulation, risk, etc. frameworks
  • Prioritization of effort
  • Split-horizon assessment/audit
  • Maturity models
  • Ending “Legislation Amateur Hour”
Slide 12: OMG What Have I Done?
  • Have I built a better GRC, and should I be hanged from the neck until I am dead?
  • Is an abstract of an abstract leading to a divide-by-zero error that will end the world?
  • Have I lost my bloody mind?
Slide 13:
  • Questions, Comments, or War Stories?
  • http://www.guerilla-ciso.com/
  • rybolov(a)ryzhe.ath.cx