Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

Slide 1: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks
Slide 2: Laws, Sausages, and Frameworks?
Slide 3: The Part Where Mike Gets Meta
Slides 4-7: Framework Scorecard (built up one dimension per slide; the completed scorecard is shown once here)
  • Cost: $$$$$
  • Organizations: Small, Medium, Large
  • Efficacy: Tactical/Technical (Patch and Vulnerability)
  • Completeness: Sustainable Program
  • ?Robustness?: Shelfware-Resistance, Low-Maintenance, Atomicity vs. Dependence
Slides 8-10: SWAG Reactions (rough first-pass ratings of three frameworks against the scorecard dimensions)
  • ISO 27002: Cost $$ | Organizations: reasonably large | Efficacy: some guidelines | Completeness: reasonably complete | Robustness: OK, with some audit burden and rework
  • PCI-DSS: Relatively small | Efficacy: mostly tactical | Completeness: bollocks for a sustainable program, but it has “Policy” | Robustness: a function of its small size
  • NIST RMF: Cost: much | Efficacy: prescribed but not the focus, due to abstraction | Completeness: the whole hawg | Robustness: horribly fragile, which adds significantly to the cost
Slide 11: Uses
Slide 12: OMG What Have I done?
More from Michael Smith
Editor's Notes

  1. If you would like us to speak for your event or group, please ask. If you would like to learn more and to keep up-to-date on groundbreaking Government security news, subscribe to the guerilla-ciso blog feed. Presentation released under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License. More information available at http://creativecommons.org/licenses/by-nc-sa/3.0/