Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks <ul><li>Michael Smith ...
Laws, Sausages, and Frameworks? <ul><li>Top-down: regulation->policy->procedures ->technical </li></ul><ul><li>Organic gro...
The Part Where Mike Gets Meta <ul><li>“ The nature of all security frameworks is to devolve into a checklist” --Rybolov </...
Framework Scorecard $$$$$ Small, Medium, Large Organizations
Framework Scorecard $$$$$ Small, Medium, Large Organizations Efficacy Tactical/Technical Patch and Vulnerability
Framework Scorecard $$$$$ Small, Medium, Large Organizations Efficacy Tactical/Technical Patch and Vulnerability Completen...
Framework Scorecard $$$$$ Small, Medium, Large Organizations Efficacy Tactical/Technical Patch and Vulnerability Completen...
SWAG Reactions: ISO 27002 $$ Reasonably large  Some Guidelines Reasonably Complete OK Robust, some audit burden and rework
SWAG Reactions: PCI-DSS Relatively Small Mostly Tactical Bollocks for Sustainable Has “Policy” Robustness as a function of...
SWAG Reactions: NIST RMF Much Cost Prescribed but not the focus due to abstraction The Whole Hawg of Completeness Horribly...
Uses <ul><li>Conscious design of security, compliance, regulation, risk, etc frameworks </li></ul><ul><li>Prioritization o...
OMG What Have I done? <ul><li>Have I built a better GRC and should I be hanged from the neck until I am dead? </li></ul><u...
<ul><li>Questions, Comments, or War Stories? </li></ul><ul><li>http://www.guerilla-ciso.com/   </li></ul><ul><li>rybolov(a...
Upcoming SlideShare
Loading in …5
×

Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

2,054 views

Published on

A presentation I did for Metricon 5, trying to build a bridge between public policy and security metrics.

Published in: Technology
  • Be the first to comment

Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

  1. 1. Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks <ul><li>Michael Smith </li></ul><ul><li>Metricon 5.0 08/10/2010 </li></ul>Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks
  2. 2. Laws, Sausages, and Frameworks? <ul><li>Top-down: regulation->policy->procedures ->technical </li></ul><ul><li>Organic growth: tech->architecture->policy </li></ul><ul><li>Throw in the kitchen sink, built a checklist, rinse, repeat </li></ul><ul><li>Lessons learned: Company X got pwned so you have to pay for their crimes </li></ul><ul><li>Years of analysis: extended PhD thesis </li></ul><ul><li>The Gray-Hair approach, I know better than you </li></ul>
  3. 3. The Part Where Mike Gets Meta <ul><li>“ The nature of all security frameworks is to devolve into a checklist” --Rybolov </li></ul><ul><li>All frameworks suck, the one you’re using sucks the worst </li></ul><ul><li>Management by inclusion v/s exclusion </li></ul><ul><li>Build a rational way to judge frameworks </li></ul>
  4. 4. Framework Scorecard $$$$$ Small, Medium, Large Organizations
  5. 5. Framework Scorecard $$$$$ Small, Medium, Large Organizations Efficacy Tactical/Technical Patch and Vulnerability
  6. 6. Framework Scorecard $$$$$ Small, Medium, Large Organizations Efficacy Tactical/Technical Patch and Vulnerability Completeness Sustainable Program
  7. 7. Framework Scorecard $$$$$ Small, Medium, Large Organizations Efficacy Tactical/Technical Patch and Vulnerability Completeness Sustainable Program ?Robustness? Shelfware-Resistance Low-Maintenance Atomicity v/s Dependence
  8. 8. SWAG Reactions: ISO 27002 $$ Reasonably large Some Guidelines Reasonably Complete OK Robust, some audit burden and rework
  9. 9. SWAG Reactions: PCI-DSS Relatively Small Mostly Tactical Bollocks for Sustainable Has “Policy” Robustness as a function of small size
  10. 10. SWAG Reactions: NIST RMF Much Cost Prescribed but not the focus due to abstraction The Whole Hawg of Completeness Horribly fragile, this adds significantly to the cost
  11. 11. Uses <ul><li>Conscious design of security, compliance, regulation, risk, etc frameworks </li></ul><ul><li>Prioritization of effort </li></ul><ul><li>Split-horizon assessment/audit </li></ul><ul><li>Maturity models </li></ul><ul><li>Ending “Legislation Amateur Hour” </li></ul>
  12. 12. OMG What Have I done? <ul><li>Have I built a better GRC and should I be hanged from the neck until I am dead? </li></ul><ul><li>Is an abstract of an abstract leading to a divide-by-zero error that will end the world? </li></ul><ul><li>Have I lost my bloody mind? </li></ul>
  13. 13. <ul><li>Questions, Comments, or War Stories? </li></ul><ul><li>http://www.guerilla-ciso.com/ </li></ul><ul><li>rybolov(a)ryzhe.ath.cx </li></ul>16

×