A Revolution in Security: ISM evolution with ISM3
Vicente Aceituno
Boston, July 2010
© ISM3 Consortium 2010

Slides:

1. A Revolution in Security: ISM evolution with ISM3. Vicente Aceituno, Boston, July 2010. © ISM3 Consortium 2010
2. Mike Jerbic, Edward Stansfeld, Anthony Nelson, Anup Narayanan, Ian Dobson, Jim Hietala
3. 2002
4. 2010
5. Scientific Method
6. Confidentiality, Integrity, Availability, Non-Repudiation, Authorization, Authentication, Audit, Privacy, Secrecy, Intellectual Property
7. Feedback Loop
8. Modeling
9. Quality Management
10. A Maturity Model For Security Management?
11. Evolution
12. + + +
13. Revolution
14. One-size-fits-all
15. Security Investment, Maturity Level & Risk (chart of Risk against Security Investment; labelled points: Maximum Risk / No Investment, Maximum ROSI, Minimum Risk / Maximum Investment; the curve is labelled Risk Reduction / Additional Security Investment)
16. Business and context fit
17. Doorman Mentality
18. Manager Mentality
19. Threats
20. Deliverables
21. Incidents = Failure
22. Incidents = Opportunity for Improvement
23. (But… Don't make the same mistake twice, and learn from the mistakes of others)
24. Preventing policy violations
25. Providing value
26. Contrarian view of business and security
27. Security seen as part of the business.
28. Destination: Compliance
29. Origin: Compliance
30. Risk Management Techniques + Continuous Improvement Techniques
31. Invulnerability
32. Return on Investment
33. Protect the asset
34. Protect business objectives
35. Confidentiality, Integrity, Availability, …Non-Repudiation, …Authorization, …Authentication, …Audit, …Privacy, …Secrecy, …Intellectual Property
36. Operational definitions of security objectives and business objectives
37. Business Objectives
38. Access for Authorized Users
39. …where and when necessary.
40. Unauthorized user access denial
41. Responsibility
42. Secrets
43. Privacy
44. Intellectual Property
45. Information available for as long as necessary… …but not after it has expired.
46. Comply with laws and regulations
47. Keep systems protected
48. Improvement using lagging indicators.
49. Test & Audit
50. Certification
51. Improvement using leading indicators
52. Metrics
53. Management Practices
54. Continuous Improvement
55. Capability levels: Basic, Defined, Managed, Controlled, Optimized. Management practices enabled, listed in order from Basic to Optimized: Audit, Certify; Test; Monitor; Planning; Benefits Realization; Assessment; Optimization. Metric types listed on the slide: Documentation, Activity, Scope, Unavailability, Effectiveness, Load, Quality, Efficiency. (The marks showing which metric types each level requires were not preserved in extraction.)
56. Management Practices
57. Planning
58. Test
59. Monitor
60. Assessment
61. Assessment
62. Improvement
63. Benefits Realization
64. Value
65. Metrics
66. Activity
67. Scope
68. Unavailability
69. Effectiveness
70. Efficiency
71. Load
72. Quality
73. Metrics
74. Measurement (80)
75. Interpretation (81)
76. Representation
77. Representation
78. Investigation (84)
79. (Repeat of the capability-level table on slide 55.)
80. Information Security that makes Business Sense. inovement.es/oism3. Web: www.inovement.es. Video Blog: youtube.com/user/vaceituno. Blog: ism3.com. Twitter: twitter.com/vaceituno. Presentations: slideshare.net/vaceituno/presentations. Articles: slideshare.net/vaceituno/documents
A Revolution in Information Security: ISM Evolution with O-ISM3

Speaker notes:
  • About me: ISM3 logo, ISSA, book, blog.
  • From 2002, when Brazil won the World Cup,
  • … to 2010, when the World Cup was won by guess who…
  • What is Wrong with InfoSec
  • Karl Popper
  • I wondered what he would have thought of the definition of information security…
  • Macroscope
  • Manage what you can control
  • Manage what you can control
  • Use of services and physical and logical access to repositories and systems is restricted to authorized users. Who are the users of the system? Do they need to be specifically authorized? From whom do we want to protect the system's information? Will any part of the system be located in publicly accessible locations?
  • Availability of repositories, services and channels exceeds customer needs; reliability and performance of services and channels exceed customer needs; volatility of services and channels is within customer needs. When should the system be performing normally (8x5, e.g.)? How many interruptions are acceptable? What would be the longest acceptable interruption? What is the maximum amount of transactions that can be lost because of an interruption? These questions help understand the data and system backup, high availability and business continuity needs. For how long will the system's data be archived? If the data needs to be deleted, when should this happen? These questions help understand the long-term archival and safe deletion needs. What is the maximum acceptable percentage of records with wrong information? What is the maximum percentage of records that can be missing? These questions help understand the data quality control needs.
  • Users are accountable for the repositories and messages they create or modify; users are accountable for their acceptance of contracts and agreements; users are accountable for their use of services.
  • Secrets (industrial, trade) are accessible to authorized users only.
  • Respect privacy: personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required. Will the system handle personal information of clients, potential clients, stockholders or employees? What are the different locations, subject to diverse regulations in terms of handling of personal information and data breach disclosure, where parts of the system will be located? Personal information completeness must be proportional to its use. Personal information can't be kept for longer than needed. Tax records must be kept for a minimum number of years. Personal information must be protected using certain security measures depending on the type of personal information. The owner of personal information must agree to it being collected and has the right to check it, correct it and approve how it will be used or transferred. Repositories with personal information have to be registered with a data protection agency. Third-party services and repositories need to be appropriately licensed. Encryption must be used within legal limitations. Secrets must be kept according to the terms of agreed non-disclosure agreements. The owner of personal information will be given notice when his data is being collected, including who is collecting the data. Personal information must be used for the purpose agreed with the information owner. Personal information must not be disclosed without the agreement of the information owner. Personal information owners will have means to hold data collectors accountable for their use of their personal information.
  • Intellectual property (licensed, copyrighted, patented and trademarks) is accessible to authorized users only; third-party services and repositories are appropriately licensed and accessible only to authorized users. Will the system use licensed information from third parties? What are the different locations, subject to diverse regulations in terms of licensed information, where parts of the system will be located? Will the system handle intellectual property? What are the different locations, subject to diverse regulations in terms of intellectual property, where parts of the system will be located? These questions help understand the inventory, DRM, watermarking, obfuscation and compliance needs.
  • Repositories are retained at least as long as customer requirements; expired or end-of-life-cycle repositories are permanently destroyed. Expired information is one problem; metadata is another.
  • Manage what you can control
  • Audit: whether the process inputs, activities and results match their documentation. Audit: are we doing what we say we do?
  • Certify: whether the process inputs, process documentation, activities and results comply with a pre-defined standard, law or regulation. Certification: are we doing what the standard says?
  • Manage what you can control
  • Manage what you control (different measurement, different action). Concentrate on making changes that improve the contribution to business goals and obligations, or reduce the use of resources. Detect significant anomalies in processes and inform decisions to fix or improve processes. Use risk assessment and audits as long as they help continuous improvement. Improvements in the metric meaningfully enhance the contribution of the process towards the goals of the management system.
  • Planning: organizing and forecasting the amount, assignment and milestones of tasks, resources, budget, deliverables and performance of a process. Planning: what are we going to do, and what resources do we need?
  • Testing: assessment of whether process outputs are as expected when test data is put in. Testing: does it work?
  • Monitoring: checking whether the outputs of the process and the resources used are within normal range. Monitoring: is it working? Is it getting better or worse? Is it good enough or not? Is it better or worse than others?
  • Assessment: how well the process matches the organization's needs and compliance goals. Rationalization: how do we explain why we do this? Assessment: are we doing what the organization needs?
  • Assessment: how well the process matches the organization's needs and compliance goals.
  • The Solution: concentrate on making changes that improve the contribution to business goals and obligations, or reduce the use of resources = continuous improvement (Test, Monitor, Benefits Realization, Planning, Improvements). Use risk assessment and audits as long as they help continuous improvement. Detect significant anomalies in processes and inform decisions to fix or improve processes. Improvements in the metric meaningfully enhance the contribution of the process towards the goals of the management system.
  • Benefits realization: show how achieving security objectives contributes to achieving business objectives, and how to communicate their value to management (metrics need to be interpreted and communicated in order to be useful (Kip)).
  • How many viruses were cleaned, quarantined, detected? How many antivirus clients have been updated (signatures, engines)? How often are antivirus clients updated? How often are viruses found? How long does it take for a virus to be detected?
  • Percentage of all client computers protected with antivirus
  • Number of interruptions in the normal operation. Frequency of interruptions in normal operation.
  • Percentage of executable items that are tested for malware presence.
  • Dollars or man-hours per executable item tested. Dollars or man-hours per virus found. Percentage of computing resources in client computers consumed.
  • Percentage of packets processed in comparison to the maximum capacity.
  • Percentage of false positives. Percentage of false negatives.
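As an added example (not part of the presentation, and not O-ISM3's own tooling), the Python below computes the metric types the notes list for the anti-malware process (activity, scope, unavailability, effectiveness, efficiency, load, quality) from a constructed set of daily samples, and implements the Monitoring practice defined above: each metric is compared with a baseline built from earlier days and flagged when it leaves its normal range. The sample figures, field names and the tolerance rule (two baseline standard deviations or 5% of the baseline mean, whichever is larger) are assumptions chosen for illustration.

```python
"""Added example: O-ISM3-style metric types for an anti-malware process plus a
monitoring check.  Sample data, field names and thresholds are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class DailySample:
    day: str
    clients_total: int
    clients_protected: int        # machines running the AV client
    clients_updated: int          # protected machines on current signatures
    items_seen: int               # executables that arrived
    items_tested: int             # of those, actually scanned for malware
    detections: int               # items flagged (cleaned or quarantined)
    false_positives: int          # flagged items later confirmed clean
    missed: int                   # malware found by other means (false negatives)
    detect_hours: tuple[float, ...]  # per detection: hours from arrival to detection
    interruptions: int            # outages of the scanning service
    man_hours: float              # analyst time spent on the process
    packets_processed: int        # gateway scanner throughput
    packet_capacity: int          # its rated maximum


def pct(num: float, den: float) -> float:
    """Percentage rounded to two decimals; 0.0 when the denominator is zero."""
    return round(100.0 * num / den, 2) if den else 0.0


def metrics(s: DailySample) -> dict[str, float]:
    """One value per metric type named in the notes for the anti-malware process."""
    true_positives = s.detections - s.false_positives
    return {
        "scope_protected_pct": pct(s.clients_protected, s.clients_total),
        "activity_detections": float(s.detections),
        "activity_updated_pct": pct(s.clients_updated, s.clients_protected),
        "activity_detect_hours_max": max(s.detect_hours, default=0.0),
        "unavailability_interruptions": float(s.interruptions),
        "effectiveness_tested_pct": pct(s.items_tested, s.items_seen),
        "efficiency_hours_per_1k_items": (
            round(1000.0 * s.man_hours / s.items_tested, 2) if s.items_tested else 0.0),
        "load_pct": pct(s.packets_processed, s.packet_capacity),
        "quality_false_positive_pct": pct(s.false_positives, s.detections),
        "quality_false_negative_pct": pct(s.missed, true_positives + s.missed),
    }


def out_of_range(baseline: list[DailySample], current: DailySample,
                 k: float = 2.0, rel_floor: float = 0.05) -> dict[str, tuple[float, float]]:
    """Monitoring check: {metric: (baseline_mean, current_value)} for every metric
    whose current value lies more than max(k * stdev, rel_floor * |mean|) from the
    baseline mean.  The floor keeps a nearly constant metric from alarming on jitter."""
    history = [metrics(s) for s in baseline]
    now = metrics(current)
    flagged: dict[str, tuple[float, float]] = {}
    for name, value in now.items():
        series = [h[name] for h in history]
        mu = mean(series)
        tol = max(k * pstdev(series), rel_floor * abs(mu))
        if abs(value - mu) > tol:
            flagged[name] = (round(mu, 2), value)
    return flagged


# Constructed sample: four ordinary days, then a day on which a signature rollout
# failed on many clients and a bad signature set started flagging clean files.
SAMPLES = [
    DailySample("d1", 1000, 980, 950, 5000, 4900, 20, 1, 1, (0.5, 2.0), 0, 4.0, 600, 1000),
    DailySample("d2", 1000, 985, 960, 5200, 5100, 25, 1, 1, (1.0, 3.0), 0, 4.0, 650, 1000),
    DailySample("d3", 1000, 982, 955, 4800, 4700, 22, 1, 2, (0.5, 1.5), 1, 4.5, 700, 1000),
    DailySample("d4", 1000, 984, 958, 5100, 5000, 24, 1, 1, (1.0, 2.5), 0, 4.0, 620, 1000),
    DailySample("d5", 1000, 900, 700, 5000, 4900, 60, 35, 1, (0.5, 30.0), 0, 4.0, 980, 1000),
]


if __name__ == "__main__":
    for name, (mu, val) in sorted(out_of_range(SAMPLES[:4], SAMPLES[4]).items()):
        print(f"{name:32s} baseline {mu:8.2f}  now {val:8.2f}")
```

Run against the constructed data, day 4 raises no flag against days 1 to 3, while day 5 trips scope, both activity rates, detection latency, load and false-positive rate but not unavailability, effectiveness, efficiency or false-negative rate, which is what a monitoring practice should report: the anomaly, and which metric types it touches, rather than every number.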