Information Security Governance: Government Considerations for the Cloud Comp...Booz Allen Hamilton
How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws through systems and applications to a risk-driven and business outcome-focused methodology of enabling a business strategy.
Following this trend, we defined fundamental characteristics of effective security architecture. 1) Capabilities are primary assets at risk, while information systems and technology components are secondary assets at risk supporting the primary assets. 2) Security requirements include the business aspects and not only the technology aspects of confidentiality, integrity and availability. 3) IT risk management is business-opportunity-driven. It requires understanding of risk appetite across business, information systems and technology architecture to manage security risks of vulnerabilities and compliance issues, which may arise at any layer of enterprise architecture in a business-outcome-focused way. 4) Security services are aligned to business drivers, goals and objectives, and managed in a risk-driven way.
Yet, there is no single security architecture development methodology to deliver these characteristics. We believe that existing information security standards and frameworks in a combination with the TOGAF are sufficient to meet the aforementioned fundamental characteristics of effective security architecture. However the challenge is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITILv3 Security Service Management, ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Meta-model as the key integrators. It is a pragmatic security architecture framework which establishes a common language between IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of long-term security needs of both business and IT, with a risk-driven enterprise as a final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
Key takeaways:
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with the TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations
-> Business-opportunity driven management of security risk of threats, vulnerabilities and compliance issues across business, information systems and technology architecture
Information Security Governance: Government Considerations for the Cloud Comp...Booz Allen Hamilton
How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws through systems and applications to a risk-driven and business outcome-focused methodology of enabling a business strategy.
Following this trend, we defined fundamental characteristics of effective security architecture. 1) Capabilities are primary assets at risk, while information systems and technology components are secondary assets at risk supporting the primary assets. 2) Security requirements include the business aspects and not only the technology aspects of confidentiality, integrity and availability. 3) IT risk management is business-opportunity-driven. It requires understanding of risk appetite across business, information systems and technology architecture to manage security risks of vulnerabilities and compliance issues, which may arise at any layer of enterprise architecture in a business-outcome-focused way. 4) Security services are aligned to business drivers, goals and objectives, and managed in a risk-driven way.
Yet, there is no single security architecture development methodology to deliver these characteristics. We believe that existing information security standards and frameworks in a combination with the TOGAF are sufficient to meet the aforementioned fundamental characteristics of effective security architecture. However the challenge is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITILv3 Security Service Management, ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Meta-model as the key integrators. It is a pragmatic security architecture framework which establishes a common language between IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of long-term security needs of both business and IT, with a risk-driven enterprise as a final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
Key takeaways:
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with the TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations
-> Business-opportunity driven management of security risk of threats, vulnerabilities and compliance issues across business, information systems and technology architecture
Enterprise Security Architecture: From access to auditBob Rhubart
Paul Andres' presentation from OTN Architect Day in Pasadena, July 9, 2009.
Find an OTN Architect Day event near you: http://www.oracle.com/technology/architect/archday.html
Interact with Architect Day presenters and participants on Oracle Mix: https://mix.oracle.com/groups/15511
Does Anyone Remember Enterprise Security Architecture?rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
The importance of role management in information security. In today's world, information security and management of information security is an important aspect. Therefore, it is very important to understand the importance of role assignment and role management while considering the implementation of security policies and standards.
This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312
This Word Document provides a template for an IT Security & Governance Policy and is easily customisable. Areas cover are: Security, Data Back-Up, Virus Protection, Internet & Email usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning
Solutions.Information Security During Mergers & Acquisitions:
Issues, Safety Measures, and Need-to-Know Solutions.
Information security risks and threats connected with mergers and acquisitions, which can include months of often precarious IT migrations and legacy services left exposed; how Cloud computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities that they can offer; why Information Security should be involved in the early phases of due diligence, including the phases during which the deal is structured and the acquisition model is defined; a simple framework and actionable material.
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating 2007, proprietary solutions and sparse articles is all we have. In 2007 there was no Cloud yet - and that can be both a big help or a major issue in the process. Mergers & Acquisition is a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisition is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework and you will walk away with an actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during a merger and acquisition activities, as well as the positive opportunities they can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material they can start using the day after.
Achieving Effective IT Security with Continuous ISO 27001 ComplianceTripwire
The Tripwire Enterprise solution provides organizations with powerful configuration control through its configuration assessment and change auditing capabilities. In this white paper, learn how with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This provides immediate visibility into the state of their systems, and through automating the process, saves time and effort over a manual efforts.
White Paper here: http://www.tripwire.com/register/effective-security-with-a-continuous-approach-to-iso-27001-compliance/
Security architecture analyses brief 21 april 2015Bill Ross
This brief defines problems with security architecture development, security architecture methodologies, and how to implement a security architecture briefing. This brief was created to define the themes stated in the INFOSECFORCE llc paper called the "Inviible Person ... the Security Architect"
IT Security and Management - Prelim Lessons by Mark John LadoMark John Lado, MIT
Learning topics:
1. ACCESS CONTROL
2. ASSET MANAGEMENT
3. BUSINESS CONTINUITY
--------------------------------------------------
By the end of this chapter, learners will be able to;
Know about access control.
Differentiate the physical and logical access control.
Engage with different examples of access control.
Apply the role of access control in their future projects.
Recognize about asset management.
Distinguish the three goals of an asset management program.
Engage with different types of IT asset Management.
Elaborate about business continuity.
Engage with the types of business continuity.
Know about the steps for building and executing of business continuity.
Familiarize the business continuity strategy.
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...Hansa Edirisinghe
This report discuses the employment of ethical hacking through a disciplined, systematic analysis as a way of reviewing and strengthening the security of information systems. The preliminary objective of this study is therefore to understand the concept of Ethical Hacking. - By Hansa Edirisinghe
Attacks on the enterprise are getting increasingly sophisticated. Current solutions available do not seem to be adequate given the innovativeness, precision and persistence of these attacks in different forms and of different dimensions. Organisations thus want to increase the sophistication of their employees and also of the solutions to be deployed given this backdrop.
Enterprise Security Architecture: From access to auditBob Rhubart
Paul Andres' presentation from OTN Architect Day in Pasadena, July 9, 2009.
Find an OTN Architect Day event near you: http://www.oracle.com/technology/architect/archday.html
Interact with Architect Day presenters and participants on Oracle Mix: https://mix.oracle.com/groups/15511
Does Anyone Remember Enterprise Security Architecture?rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
The importance of role management in information security. In today's world, information security and management of information security is an important aspect. Therefore, it is very important to understand the importance of role assignment and role management while considering the implementation of security policies and standards.
This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312
This Word Document provides a template for an IT Security & Governance Policy and is easily customisable. Areas cover are: Security, Data Back-Up, Virus Protection, Internet & Email usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning
Solutions.Information Security During Mergers & Acquisitions:
Issues, Safety Measures, and Need-to-Know Solutions.
Information security risks and threats connected with mergers and acquisitions, which can include months of often precarious IT migrations and legacy services left exposed; how Cloud computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities that they can offer; why Information Security should be involved in the early phases of due diligence, including the phases during which the deal is structured and the acquisition model is defined; a simple framework and actionable material.
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating 2007, proprietary solutions and sparse articles is all we have. In 2007 there was no Cloud yet - and that can be both a big help or a major issue in the process. Mergers & Acquisition is a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisition is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework and you will walk away with an actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during a merger and acquisition activities, as well as the positive opportunities they can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material they can start using the day after.
Achieving Effective IT Security with Continuous ISO 27001 ComplianceTripwire
The Tripwire Enterprise solution provides organizations with powerful configuration control through its configuration assessment and change auditing capabilities. In this white paper, learn how with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This provides immediate visibility into the state of their systems, and through automating the process, saves time and effort over a manual efforts.
White Paper here: http://www.tripwire.com/register/effective-security-with-a-continuous-approach-to-iso-27001-compliance/
Security architecture analyses brief 21 april 2015Bill Ross
This brief defines problems with security architecture development, security architecture methodologies, and how to implement a security architecture briefing. This brief was created to define the themes stated in the INFOSECFORCE llc paper called the "Inviible Person ... the Security Architect"
IT Security and Management - Prelim Lessons by Mark John LadoMark John Lado, MIT
Learning topics:
1. ACCESS CONTROL
2. ASSET MANAGEMENT
3. BUSINESS CONTINUITY
--------------------------------------------------
By the end of this chapter, learners will be able to;
Know about access control.
Differentiate the physical and logical access control.
Engage with different examples of access control.
Apply the role of access control in their future projects.
Recognize about asset management.
Distinguish the three goals of an asset management program.
Engage with different types of IT asset Management.
Elaborate about business continuity.
Engage with the types of business continuity.
Know about the steps for building and executing of business continuity.
Familiarize the business continuity strategy.
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...Hansa Edirisinghe
This report discuses the employment of ethical hacking through a disciplined, systematic analysis as a way of reviewing and strengthening the security of information systems. The preliminary objective of this study is therefore to understand the concept of Ethical Hacking. - By Hansa Edirisinghe
Attacks on the enterprise are getting increasingly sophisticated. Current solutions available do not seem to be adequate given the innovativeness, precision and persistence of these attacks in different forms and of different dimensions. Organisations thus want to increase the sophistication of their employees and also of the solutions to be deployed given this backdrop.
Assessing and Managing IT Security RisksChris Ross
Data privacy and protection has become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data centric security and the need for improvement in automated security controls and metrics reporting.
Current enterprise information security measures continue to fail us. Why is ...Livingstone Advisory
Conventional information security measures continue to fail our businesses in today’s rapidly changing world of cyber-risk. Adverse cyber-events manifest themselves as the usual suspects including data breaches, information theft, ransom- and malware, viruses, payment card fraud, DDOS attacks or physical loss – to name but a few.
Problem is, the tally of adverse events keeps mounting up. While headline adverse cyber incidents are now reported in the media with regularity, this represents the tip of the cyber-risk iceberg. Most known events are either unreported or hidden from public disclosure. Not helping, is the industry analysis suggesting that, on average, nearly half of all adverse cyber-risk events impacting organisations are self-inflicted and avoidable. No industry is untouched.
Delivered at the CIO Summit in Melbourne, Australia in November 2016, in this presentation, Rob offers valuable strategic insights into the problem and why it continues to be a problem.
He outlines some practical steps that will be helpful for CIOs and CISOs in reshaping their own organisation’s approach in building a more effective and resilient information security capability.
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
As businesses continue to adopt new cloud and mobile functionality rapidly, we find the
edges of the network even more blurred, and our definitions of data ownership and breach
responsibility continue to evolve. Staffing and training continue to be the foremost challenge
of the modern SOC. This is paving the way to hybrid staffing models and hybrid infrastructures
that require less in-house expertise. As a result, highly skilled security team members can then
be utilized for a more specialized hunt and analytics-focused work.
There is no question this year has been both an exciting and challenging time to be in the field
of cyber security. On one hand, it is disheartening to see the continued decline in the maturity
and effectiveness of security operations, while, on the other, I know that we are in the middle
of an exciting and transformative change in our field. You can feel it. We must go where the
data leads us, and we believe that is to widen our definition of security operations to leverage
analytics, data science, Big Data, and shared intelligence to become more effective in protecting
today’s digital enterprise.
Discussion 1Recommend three countermeasures that could enhance.docxelinoraudley582231
Discussion 1
Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations.
1. Upon extensive review of existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of chains of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s successful ability to [achieve] its purpose (2007, p. 9).
2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17).
3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14).
Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why.
The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them, increased transparency and accountability which leads to an “improved transparency of IT costs, IT process, [and] IT portfolio (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases” which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability and companies avoid “unnecessary expenditures” (p. 7).
Discussion 2
Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response.
As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .
IT Service Management (ITSM) Model for Business & IT AlignementRick Lemieux
Today’s multi-faceted business world demands that Information Technology provide its services in the context of a fully integrated corporate strategic model. This transformation becomes possible when IT evolves from its technological heritage into a Business Technical Organization, or an “internal service provider.” This paper describes how the itSM Solutions reference model integrates five widely used service management domains to create a powerful model to guide IT in its journey into the business leadership circle.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
1. The Importance of ITIL to (Am I Reading This Right?) ... Security??
The workable, practical guide to Do IT Yourself
Page 1 of 3
Vol. 4.40 . October 7, 2008
The Importance of ITIL to (Am I Reading This Right?) ...
Security??
By Scott Crawford
Research Director - Enterprise Management Associates
W hat is one of the most important foundations of IT security management? Simple: it’s ITIL.
That’s probably not the answer you would expect from a security professional. When asked
this question, it seems people usually expect the answer to point to technologies for IT
defense, or—to the extent they are relevant at all—guidance such as security-specific ISO
or NIST standards, or compliance mandates such as the Payment Card Industry (PCI) Data
Security Standard.
But I don’t, because I have actually been a Chief Information Security Officer for an
international organization, and I know from experience that security is not just a process,
but one of the most contentious intersections of people and culture with technology.
So where does IT look for best practices in aligning people, process and technology? To the
principles of IT Service Management—and those who excel there do many of the same
things that are essential to assuring reliable security. The fact that neither IT managers nor
security professionals recognize this often enough is a direct cause of the poor state of
security in so many organizations worldwide.
In this article, we’ll take a look at some specific examples of how ITIL is critical to security—and yes, you read that
correctly.
But first, we’ll first have to explode an ITIL myth.
"ITIL doesn’t really speak to security…does it?"
Anyone who says that ITIL is irrelevant to security because it is “light” on the subject, simply does not get it. The fact that
versions of ITIL (at least before v3) either gave a broad brush to security specifics or pointed instead toward other
guidance such as ISO 17799 and its descendants, is not relevant to the importance of ITIL and ITSM to security.
Rather, the fact that best practices in IT Service Management point the way to defining, implementing, monitoring and
assuring repeatable IT management objectives and processes is the key.
Consider for a moment the relevance of these ITIL domains to Security Management:
In Service Support:
Configuration and Change Management determine whether IT presents a solid defense against security
threats or vulnerabilities that expose the enterprise to today’s more sophisticated attacks. When vulnerabilities
are detected, Configuration and Change Management can assure the reliable and repeatable deployment of
remediation, and help identify the highest priority risks.
Release Management often centers on the deployment of reliable, quality-tested IT resources. Considering
how many of today’s attacks target application environments, the failure to incorporate security in the
development and release of IT applications and services can be a major gap in defense.
Incident and Problem Management are central not only to accurately identifying cases where security
issues are the root cause of an incident or problem, but effective response to security events. Reliable and
http://www.itsmsolutions.com/newsletters/DITYvol4iss40.htm
10/7/2008
2. The Importance of ITIL to (Am I Reading This Right?) ... Security??
Page 2 of 3
repeatable processes for incident response can mean the difference between a threat contained and mitigated,
or chaos that, in the worst cases, can lead to panic among business stakeholders and IT professionals alike.
Informed security incident response is also essential to collecting forensic critical to the success of a personnel
or legal action.
Service Desk and Service Request Management is not only a focus of IT Service Management, it is often a
nexus of one of the key process disciplines in IT security: identity and Access Management. Requests for user
provisioning are often referred to the Service Desk for action. Provisioning processes often include
management reviews and evaluations of appropriate entitlements. Once granted, access control becomes a first
line of defense in separating authorized access from threats.
Stating the core values of information security in the oft-quoted terms of Confidentiality, Integrity and Availability (CIA)
further highlights the relevance of security to Service Delivery domains of Capacity and Availability Management.
Organizations may also look to Service Level Agreements (particularly Operating Level Agreements with external
service providers) to define terms of acceptable security incident and event recognition and response, and may measure
Service Level Management performance in meeting these objectives as a key security metric.
The increasing importance of incorporating security throughout the lifecycle of IT services calls attention to security in
each of the four phases of Service Strategy, Design, Transition and Operation articulated by ITIL v3, while the
ongoing assessment and improvement of security plays a role in Continual Service Improvement. This has become
particularly pronounced in managing the increasing number of threats that target modern web applications, where
security throughout the Software Development Lifecycle (SDLC) has become essential to securing applications that are
often both unique and dynamic.
ITIL as IT Risk Management
Viewing security in this light-and, conversely, ITIL in the context of security-highlights that security is itself part of the
broad spectrum of IT risk management, where the definition of realistic objectives and repeatable management makes the
difference between success in IT management and inefficient chaos that is itself a primary risk factor.
Recent research conducted by EMA has borne this out. In 2008, EMA surveyed over 200 global organizations about their
IT security, risk and compliance management efforts. It asked them about the criticality of IT to their primary business
objectives, such as maintaining a competitive edge through access to new markets, or to processes such as product
manufacturing and supply chain optimization.
It asked them about their outcomes in terms of security events disruptive to IT performance, availability or information
resource integrity, as well as incidents resulting in a data security breach. And it asked them about the management
disciplines had the greatest impact on their outcomes.
What EMA found was that the highest performers consistently define management objectives and repeatable processes;
they actually implement them; they monitor the real-world factors that affect these priorities; and they respond
consistently to issues as they arise.
This becomes particularly evident in areas such as Configuration and Change Management. 94% of high performers
define IT change processes, actually implement those processes, monitor adherence in the IT environment through
technologies such as change audit and configuration management, and enforce consequences for deviations.
Not surprisingly these same high performers experienced about half the median number of disruptive security incidents
as both medium and low performers. They also experienced lower rates of unplanned IT work, high rates of successful IT
changes, greater numbers of IT projects delivered on time, within budget and with expected features, and high server-tosysadmin ratios.
In other words, these high performers are not only more secure, they are more efficient—a critical factor in today’s more
cost-sensitive environment. Just ask any military veteran: better discipline leads not only to better security, but to
improved reliability and greater efficiency as well.
http://www.itsmsolutions.com/newsletters/DITYvol4iss40.htm
10/7/2008