Vicente Aceituno, Boston, July 2010
© ISM3 Consortium 2010
A Revolution in Security: ISM evolution with ISM3
Mike Jerbic
Edward Stansfeld
Anthony Nelson
Anup Narayanan
Ian Dobson
Jim Hietala
2002
2010
Scientific Method
• Confidentiality
• Integrity
• Availability
• Non-Repudiation
• Authorization
• Authentication
• Audit
• Privacy
• Secrecy
• Intellectual Property
Feedback Loop
Modeling
Quality Management
A Maturity Model
For Security Management?
Evolution
+
+
+
Revolution
One-size-fits-all
Security Investment, Maturity Level & Risk
Security Investment
Risk
Risk Reduction / Additional Security Investment
Business and context fit
Doorman Mentality
Manager Mentality
Threats
Deliverables
Incidents = Failure
Incidents = Opportunity for Improvement
(But…
Don’t make the same mistake twice.
& Learn from the mistakes of others)
Preventing policy violations
Providing value
Contrarian view of business and security
Security seen as part of the business.
Destination: Compliance
Origin: Compliance
Risk Management Techniques
+ Continuous Improvement Techniques
Invulnerability
Return on Investment
Protect the asset
Protect business objectives
Confidentiality, Integrity, Availability
…Non-Repudiation…Authorization
…Authentication…Audit
…Privacy…Secrecy
…Intellectual Property
Operational definitions of security objectives and business objectives
Business Objectives
Access for Authorized Users
…where and when necessary.
Unauthorized user access denial
Responsibility
Secrets
Privacy
Intellectual Property
Information available for as long as necessary…
…but not after it has expired.
Comply with laws and regulations
Keep systems protected
Improvement using lagging indicators.
Test & Audit
Certification
Improvement using leading indicators
Metrics
Management Practices
Continuous Improvement
Capability Level: Basic | Defined | Managed | Controlled | Optimized
Management Practices Enabled: Audit, Certify | Test | Monitor | Planning | Benefits Realization | Assessment | Optimization
Metric Type (stars mark the practices at which each metric type is in use):
  Documentation   * * * * * * *
  Activity        * * * * * *
  Scope           * * * * * *
  Unavailability  * * * * * *
  Effectiveness   * * * * * *
  Load            * * * * *
  Quality         * *
  Efficiency      *
Management Practices
Planning
Test
Monitor
Assessment
Improvement
Benefits Realization
Value
Metrics
Activity
Scope
Unavailability
Effectiveness
Efficiency
Load
Quality
Metrics
Measurement
Interpretation
Representation
Investigation