Gain Management Acceptance for the Security Business within the Swiss Armed Forces with O-ISM3

Published in: Technology

  1. Using ISM3 to gain Management Acceptance for the Security Business within the Swiss Armed Forces. Lars Minth, MBA, MSc. Info Sec, Chief Architect, Architectures & Security, Swiss Armed Forces, Armed Forces Command Support Organisation.
  2. INTERN. Switzerland is neutral … and neutrality is complicated to handle although necessary. The politics of each nation is based on tradition and history. Neutrality Right defines the rights and obligations of a neutral nation. The international situation defines the freedom of action; the best case of narrowing this freedom was WWII. The politics of neutrality assures the effectiveness and credibility of the neutrality; it is dependent on the other three factors. (Schweizer Armee, Führungsunterstützungsbasis)
  3. As-Is Situation „Sec Management“ (not only Swiss DoD): „We already have an ISMS“. Challenges: Organisational Structure & Responsibility; Dependency on other Frameworks; Practical Business / IT Alignment; Implementation Resources (money, personnel, …). (Schweizer Armee Security Frameworks, Führungsunterstützungsbasis, Lars Minth)
  4. As-Is Situation „Sec Management“ (not only Swiss DoD): diagram of the same security activities (Patch Management, Segmentation & Filtering) implemented separately by several units (WinSys, CC Basis, Ein V, OSS, CC Col), illustrating the challenge of dependency on other frameworks.
  5. As-Is (WAS) ISMS Swiss DoD: process map of ten security-management processes, most drafted since 2005. I1 manage IT security policy and objectives (inputs: IT strategy, threat situation; outputs: input for the objective-setting process, controlling report); I2 manage overarching requirements (inputs: legal acts, data protection, archiving (BAR), ordinances, directives, HITS; outputs: input for legal requirements); I3 classify and prioritise protection objects (output: classified protection objects); I4 operate risk management; I5 assign protection requirements (output: protection requirements); I6 ensure legal requirements (output: legal requirements, input for risk management); I7 manage the security organisation (responsibilities and tasks); I8 ensure implementation (output: implementation report); I9 ensure review and improvement (output: improvements); I10 ensure consulting and training (input for the security organisation, consulting and training).
  6. Where is the Security located? Service-stack diagram: COI-Specific Services; Common COI Services; Information and Integration Services (Core Enterprise Services: Discovery, Repository, Mediation, Service Composition, Enterprise Directory, Information Assurance, Metadata Registry, Translation, Service Discovery and Information Management Services); Infrastructure Services (Interaction, Application, Messaging, Transaction, Storage, Publish/Subscribe, Collaboration Services); Network/Transport Services. SM&C and Information Assurance are shown alongside all layers.
  7. Where is the Security Management located? Programboard Information Assurance with program managers (PMGR BLSV, PMGR IA V, PMGR C4ISTAR), a Planning & Conception Program Office and a Program Team. Four project areas: Concepts, Policies, Architecture (ISMS, Security Policies, Security Architecture, Security Concepts, Security Research); Transport Services (Secure Core Networking, E2E Transport Security, Secure Routing, Secure QoS); Information Exchange (Content Based Access Control, Web Services IA, Mil IEG, E2E Information Security); Sec-Mgmt / Cyber Defense (Sec Mngment Infrastructure, Security Situation Awareness, CNO (CNE, CNA, CND)).
  8. It's all about Views and Roles! So what kind of Security Management do you want to have?
  9. It's all about Views and Roles! So what kind of Security Management do you want to have? (repeated)
  10. It's all about Views and Roles! So what kind of Security Management do you want to have? … and what about Security as a Service? Do we need Security? Do we see Security? Who pays for Security? Is ROSI around? Do we know what Security means from our viewpoint?
  11. Security (Service) Management: diagram linking the managed infrastructure (Communication Services, Server, Core Applications, Enterprise Services, Users & Threats, Managers) through a Security Service Interface and a Cyber Defense Interface to Security Management (Infrastructure / Service Management, Integrated Security Service Management, Security Network Architecture, Control & Coordination), which in turn connects to ITIL v3 processes (Operational Management, Change Mgmt, Capacity Mgmt, other processes), compliance requirements ((inter)national instructions, rules, policies), Computer Network Defense, Civil Security Federation and Situational Awareness.
  12. Guiding Principles for SMI:
     • Support Federated Operations: SMI will be structured to operate across multiple autonomous CIS configurations.
     • Be Transparent to End Users: SMI exists to provide the security services that end users need. SMI will be designed to minimize demands upon end users. To the extent feasible, these services will operate “behind the scenes”, virtually transparent to end users.
     • Facilitate Flexible Deployment: limited bandwidth, disconnected and otherwise austere mission environments.
     • Incorporate a Service Oriented Paradigm: SMI services will be structured with standard interfaces and intuitive interactions.
     • Embrace a Commercial Strategy: SMI will use best-of-breed commercial products as a baseline and work with industry leaders to implement needed enhancements.
     • Employ a Standards-Based Approach: SMI will adopt a standards-based system design and implementation. The Swiss DoD SMI should work within commercial and international standards bodies to address or refine SMI-related standards to align with good IA practices.
  13. Roadmap for the SMI: establishing the current baseline; improving the processes; progressively integrating; improving on the collaboration of the services.
  14. Research Study with the ISG-RHUL.
  15. Criteria for an ISMS: maturity levels; certification; organizational model; link between business goals and information security aims; distribution of responsibilities; input, outcome; selection of security processes; metrics; capability; PDCA & paradigms.
  16. ISMS Framework-Decision: candidates compared were the BS7799/ISO 27 family, OCTAVE, Common Criteria, NIST, CoBIT, SSE-CMM, Information Security Forum, FISMA, ISM3, ITIL version 3 and ISM3/ISO27 Security Governance, viewed as management frameworks on the strategic, tactical and operational levels and through Le Moigne's three-dimensional thinking.
  17. ISM3: Information Security Management Maturity Model, covering concepts for security in context, a process model (processes, capability, maturity), risk assessment, outsourcing and definitions.
  18. ISM3 Building Blocks: built on ISO 27k, ITIL v3, ISO 31000 and ISO 900x. The Information Security Management Maturity Model covers concepts for security in context, the ISM process model (processes, capability, maturity), risk assessment (ISM3-RA), outsourcing and definitions. Contents: Process Definition, Business Objectives, Security Objectives, Security Targets and aligning all of the above; General, Strategic, Tactical and Operating Tasks; Process Metrics, Outsourcing, Feedback on Security-Mgmt Concepts, Security Operation, Research.
  19. Process BSP-5 Environment Patching (IT managed domain Patching) (ISM3 Processes)
     • Description: This process covers the on-going update of services to prevent incidents related to known weaknesses, enhancing the Reliability of the updated systems.
     • Value: Patching prevents incidents arising from the exploitation of known weaknesses in services.
     • Documentation: OSP-051 Services Update Level Report Template; OSP-052 Services Patching Management Procedure.
     • Inputs: Inventory of Assets (OSP-3).
     • Outputs: Up to date services in every IT managed domain; Services Update Level Report (OSP-4); Metrics Report (TSP-4).
     • Metrics (Quality): Update level, calculated as follows: the update level for a specific information system is equal to the sum of the days outstanding for all pending security patches. The IT managed domain update level is equal to the sum of the individual update levels, divided by the number of information systems. The lower this metric, the better. This metric allows checking of the progress of the patching process, and comparison of the update level of different IT managed domains.
     • Responsibilities: Supervisor: TSP-14 Process Owner; Process Owner: Information Systems Management.
     • Related Processes: BSP-4 Change Control Information System Environment; BSP-9 Change Control Security Measures.
     • Related Methods: Project Quant.
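The update-level metric on this slide, as an added worked example (not from the deck and not ISM3's own material): a constructed patch inventory for two IT managed domains is scored per system and per domain exactly as the slide defines it, with the empty-domain edge case handled; system names, patch identifiers and dates are made up.

```python
"""BSP-5 update-level metric, as defined on the slide (added illustration).
System level = sum of days outstanding over pending security patches;
domain level = sum of system levels / number of systems; lower is better.
All inventory data below is constructed, not real."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Patch:
    patch_id: str                    # vendor advisory id (constructed)
    released: date                   # day the security patch became available
    applied: Optional[date] = None   # None means the patch is still pending


def system_update_level(patches: List[Patch], today: date) -> int:
    """Days outstanding, summed over every patch not yet applied."""
    return sum((today - p.released).days for p in patches if p.applied is None)


def domain_update_level(domain: Dict[str, List[Patch]],
                        today: date) -> Tuple[Optional[float], Dict[str, int]]:
    """Mean of the per-system levels, plus the per-system detail.

    A fully patched system still counts as one system (level 0). An empty
    domain has no meaningful level, so None is returned instead of
    dividing by zero."""
    per_system = {name: system_update_level(ps, today) for name, ps in domain.items()}
    if not per_system:
        return None, per_system
    return sum(per_system.values()) / len(per_system), per_system


# Constructed OSP-3-style inventory: asset -> its pending/applied patches.
TODAY = date(2012, 3, 1)
OFFICE_DOMAIN = {
    "file-srv-01": [Patch("SEC-2012-001", date(2012, 2, 1)),                       # 29 days open
                    Patch("SEC-2012-002", date(2012, 2, 20), date(2012, 2, 25))],  # applied
    "mail-srv-01": [Patch("SEC-2012-001", date(2012, 2, 1)),                       # 29 days open
                    Patch("SEC-2012-003", date(2012, 2, 27))],                     # 3 days open
    "print-srv-01": [],                                                            # fully patched
}
DMZ_DOMAIN = {"web-srv-01": [Patch("SEC-2012-003", date(2012, 2, 27))]}            # 3 days open

if __name__ == "__main__":
    for name, dom in (("office", OFFICE_DOMAIN), ("dmz", DMZ_DOMAIN)):
        level, detail = domain_update_level(dom, TODAY)
        print(f"{name}: domain update level {level:.1f} {detail}")
```

The office domain scores worse (about 20.3) than the DMZ (3.0) because one unpatched advisory has been open for a month on two systems, which is exactly the comparison across IT managed domains the slide says the metric is for.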
  20. BSP-5 „IT managed Domain Patching“: roles/responsibilities in distinct processes. Process owner: Operational Security Management (Op. SecMgt); responsible person in the organisational unit.
  21. Business-Orientation of Sec-Processes: ISM3 processes placed in a matrix of Investment (Low / Medium / High) against Benefit (High / Medium / Low).
     • High Benefit: OSP-12 User Registration; OSP-14 Physical environment Protection Management; OSP-4 Information Systems IT managed domain Change Control; SSP-4 Define TPSRSR rules; TSP-6 Define IT managed domains and life-cycles; OSP-7 IT managed domain Hardening; OSP-9 Security Measures Change Control; OSP-8 Software Development Life-cycle Control; OSP-26 Enhanced Reliability and Availability Management; GP-2 ISM System and Business Audit; OSP-19 Internal Technical Audit.
     • Medium Benefit: TSP-11 Security Awareness; OSP-3 Inventory Management; OSP-15 Operations Continuity Management; TSP-8 Personnel Security; OSP-2 Security Procurement; OSP-20 Incident Emulation; TSP-9 Security Personnel Training; OSP-6 IT managed domain Clearing; OSP-27 Archiving Management.
     • Low Benefit: TSP-10 Disciplinary Process; OSP-22 Alerts Monitoring; TSP-7 Background Checks; TSP-13 Insurance Management; OSP-28 External Events Detection and Analysis; TSP-14 Information Operations; OSP-23 Internal Events Detection and Analysis; OSP-24 Handling of incidents and near-incidents; OSP-25 Forensics.
  22. ISM3 Levels of Responsibility:
     • Strategic Tasks (Direct and Provide): defines security objectives, coordinates and provides resources.
     • Tactical-Architectural Tasks (Implement and Optimize): designs and implements the ISM processes, defines security targets and manages the assigned resources.
     • Operating Tasks (Perform and Report): fulfils the set security/business processes by performing the defined security processes.
  23. Security in (Business) Context.
  24. Management Acceptance:
     1. Obtain and Maintain Executive Sponsorship and Commitment
     2. Encourage Company-Wide Support and Participation
     3. Use, Adopt and Align to Industry Standards
     4. Make it Easy for People to do the Right Thing
     5. Document, Publish and Refine your Processes
     6. Recognize that Training and Awareness is Key
     7. Manage Risk, not Security
     8. Manage with Facts and Numbers
     9. Avoid the Compliance Trap
     10. Leverage Corporate Business Initiatives
  25. Conclusion:
     • understand the business roles (good investment)
     • dare to ask questions + act on results
     • transform security activities into services (not only if you want to be an ITIL service provider)
     • manage security services by business-proven security processes (ISM3)
     • establish a formal stakeholder management
     • develop a marketing strategy for security (Kotler is not bad)
     • talk to all stakeholders and make security public
     • understand the benefits of security/risk (good investment)
     • don't wait to ask if security activities seem to be strange to your business
     • demand security to provide understandable inputs, outputs, metrics and capabilities for its activities (ISM3)
     • talk to your security folks
     • give security space to explain
  26. What was unclear? Please tell me later … Did you make other experiences? Did you see/hear what you had expected?
  27. Thanks for your time spent with me.
