A Revolution in Information Security: ISM Evolution with O-ISM3
  1. Vicente Aceituno. Boston, July 2010. © ISM3 Consortium 2010. A Revolution in Security: ISM evolution with ISM3
  2. Mike Jerbic, Edward Stansfeld, Anthony Nelson, Anup Narayanan, Ian Dobson, Jim Hietala
  3. 2002
  4. 2010
  5. Scientific Method
  6. Confidentiality, Integrity, Availability, Non-Repudiation, Authorization, Authentication, Audit, Privacy, Secrecy, Intellectual Property
  7. Feedback Loop
  8. Modeling
  9. Quality Management
  10. A Maturity Model For Security Management?
  11. Evolution
  12. + + +
  13. Revolution
  14. One-size-fits-all
  15. Security Investment, Maturity Level & Risk [chart: Risk plotted against Security Investment; labelled points "Maximum Risk/No Investment", "Maximum ROSI", "Minimum Risk/Maximum Investment"; slope labelled "Risk Reduction/Additional Security Investment"]
  16. Business and context fit
  17. Doorman Mentality
  18. Manager Mentality
  19. Threats
  20. Deliverables
  21. Incidents = Failure
  22. Incidents = Opportunity for Improvement
  23. (But… Don’t make the same mistake twice. & Learn from the mistakes of others)
  24. Preventing policy violations
  25. Providing value
  26. Contrarian view of business and security
  27. Security seen as part of the business.
  28. Destination: Compliance
  29. Origin: Compliance
  30. Risk Management Techniques + Continuous Improvement Techniques
  31. Invulnerability
  32. Return on Investment
  33. Protect the asset
  34. Protect business objectives
  35. Confidentiality, Integrity, Availability … Non-Repudiation, Authorization, Authentication, Audit, Privacy, Secrecy, Intellectual Property
  36. Operational definitions of security objectives and business objectives
  37. Business Objectives
  38. Access for Authorized Users
  39. …where and when necessary.
  40. Unauthorized user access denial
  41. Responsibility
  42. Secrets
  43. Privacy
  44. Intellectual Property
  45. Information available for as long as necessary… but not after it has expired.
  46. Comply with laws and regulations
  47. Keep systems protected
  48. Improvement using lagging indicators.
  49. Test & Audit
  50. Certification
  51. Improvement using leading indicators
  52. Metrics
  53. Management Practices
  54. Continuous Improvement
  55. [Table: Capability Level (Basic, Defined, Managed, Controlled, Optimized) against Management Practices Enabled (Audit, Certify, Test, Monitor, Planning, Benefits Realization, Assessment, Optimization) and Metric Type (Documentation, Activity, Scope, Unavailability, Effectiveness, Load, Quality, Efficiency); the cell marks of the matrix did not survive extraction]
  56. Management Practices
  57. Planning
  58. Test
  59. Monitor
  60. Assessment
  61. Assessment
  62. Improvement
  63. Benefits Realization
  64. Value
  65. Metrics
  66. Activity
  67. Scope
  68. Unavailability
  69. Effectiveness
  70. Efficiency
  71. Load
  72. Quality
  73. Metrics
  74. Measurement
  75. Interpretation
  76. Representation
  77. Representation
  78. Investigation
  79. [Table: Capability Level against Management Practices Enabled and Metric Type, repeated from slide 55]
  80. Information Security that makes Business Sense. inovement.es/oism3. Web: www.inovement.es; Video Blog: youtube.com/user/vaceituno; Blog: ism3.com; Twitter: twitter.com/vaceituno; Presentations: slideshare.net/vaceituno/presentations; Articles: slideshare.net/vaceituno/documents