360 Security Model

Date post: 25-Feb-2016
Page 1: 360 Security Model

360 Security Model

Holistic Approach to Security

Page 2: 360 Security Model

Security’s New Mantra

“Security needs to be a business process”

Great strategic goal – but we will never get there under today’s approaches.

Page 3: 360 Security Model

What Models Do We Have Today?

- Process oriented (ISO9001:2000, BS7799-2:2002, CMMI, ITIL/ITSM)
- Controls oriented (ISO13335-4, BSI-ITBPM)
- Product oriented (Common Criteria)
- Risk analysis oriented (Octave, Magerit)
- Best practice oriented (ISO/IEC 17799:2000, CobiT, ISF-SGP)

But how many business people understand these and can implement them?

Page 4: 360 Security Model

CobiT Excerpts

- Prepare a risk management action plan to address the most significant risks.
- Define and implement a security framework that consists of standards, measures, practices and procedures.
- Develop clear policies and detailed guidelines, supported by a repetitive and assertive communications plan that reaches every employee.
- Establish security baselines and rigorously monitor compliance.

The industry needs to know HOW to do these things, not JUST that they need to be done.

Page 5: 360 Security Model

What are We Doing Today?

- Sending staff to technical security courses
- Bringing in consultants
- Purchasing products
- Using managed security services

Audiences: IT and technologists; Department Managers; C-Level Individuals; CEO and Board

What they are offered: Generic Technology Training; Consultants; Managed Services; Products

Page 6: 360 Security Model

Security Consulting Issues

Page 7: 360 Security Model

Why Is Our Current Model Dangerous?

- Relying too heavily on consultants
- Not making educated and informed decisions about:
  • Purchasing security products and services
  • Employing managed services
- Not knowing what to spend the security budget on:
  • People, process, technology
- Not understanding what level of protection the security budget is providing
- Not being able to report to the board members and shareholders about the company’s security protection level
- Wasting time, money, and effort without making enough progress

Page 8: 360 Security Model

Level of Sophistication

We are currently here

Page 9: 360 Security Model

We Need to Evolve

- We need a new model to empower organizations and allow them to understand security in business terms
- We need a model that takes the theoretical best practices and turns them into practical action items
- Companies need to be able to take ownership of their internal security program

The current approach will continue to provide a gap between what we preach and what we practice.

Holistic, integrated security that is a business process.

Page 10: 360 Security Model

Where Is Your Company Today?

- Defined policies, but no security program
- Security program with no real structure
- Security program with certain pieces structured
- Structured security program with no support from business units
- Structured security program fought by cultural issues

Page 11: 360 Security Model

Structure or Chaos – or In Between?

If you don’t know where you are, you can’t get to where you want to go.

It’s okay if your program looks at first like a big ball of mud, at least until you know better.

Security Programs… swamp guides become more valuable than security architects.

Page 12: 360 Security Model

Who Needs To Know What?

Standardized security understanding is needed at each level: IT and technologists, Department Managers, C-Level Individuals, and the CEO and Board.

CEO and Board:
- Government Regulations and Laws
- Big picture of company risks
- Personal liability issues
- Big picture of company’s security posture

C-Level Individuals:
- Security program development
- Security roles and delegation of responsibilities
- Develop company’s security infrastructure and business process
- Mapping compliancy requirements to tactical and strategic company goals

Department Managers:
- Implementation of security program and infrastructure
- Compliancy checklists, auditing, monitoring
- Tying technology solutions to business objectives

IT and technologists:
- Implementation of technology solutions

Page 13: 360 Security Model

You Do Not Need to Understand Technology to Integrate Security

Page 14: 360 Security Model

Securing from the Inside Out, Instead of Outside In

Page 15: 360 Security Model

The model outlines the depth of each topic that the different corporation levels need to understand.

Target: Who Needs to Understand What

Page 16: 360 Security Model

It should be a uniquely conceptual model in that it embodies eminently practical elements that can be applied alone or in sequence to define project activity deliverables.

Page 17: 360 Security Model

Security Maturity Evolution

- Security Metrics: Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process
- Initiate Stakeholder Security Program: Stakeholder sponsored program with responsibilities assigned
- Security Architecture: Architecture principles and policies in place to define core security functions
- Assurance: Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective
- Security Technical Framework: Establishment of standards and technologies to support stakeholder interaction
- Security Organizational Structure: Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure
- Documented Strategy, Principles, and Policy: Clearly defined set of technology-independent policies developed from the business strategy
- Compliance and Certification: Establish compliance measurement and reporting system
- Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk

Security Capability (evolution axis): Level 1 – Defined; Level 2 – Integrated; Level 3 – Optimized

Page 18: 360 Security Model
Page 19: 360 Security Model

Incrementally Improves All Security Areas

Quality Improvement Model: Capability Maturity

“A conceptual framework to help organizations:
- Characterize the maturity of their process (AS IS)
- Establish goals for process improvement (TO BE)
- Set priorities for getting there (TRANSITION)
- Manage & sustain change (STABILIZE)
- And introduce change incrementally.”

1. INITIAL: Ad hoc
2. REPEATABLE: Basic management control
3. DEFINED: Process definition
4. MANAGED: Process measurement
5. OPTIMIZING: Process control

Page 20: 360 Security Model

Centralized Access to All Necessary Information