360 Security Model
Holistic Approach to Security
Security’s New Mantra
“Security needs to be a business process”
Great strategic goal – but we will never get there under today’s approaches.
What Models Do We Have Today?
- Process oriented (ISO9001:2000, BS7799-2:2002, CMMI, ITIL/ITSM)
- Controls oriented (ISO13335-4, BSI-ITBPM)
- Product oriented (Common Criteria)
- Risk analysis oriented (Octave, Magerit)
- Best practice oriented (ISO/IEC 17799:2000, CobiT, ISF-SGP)
But how many business people understand these and can implement them?
CobiT Excerpts
- Prepare a risk management action plan to address the most significant risks.
- Define and implement a security framework that consists of standards, measures, practices and procedures.
- Develop clear policies and detailed guidelines, supported by a repetitive and assertive communications plan that reaches every employee.
- Establish security baselines and rigorously monitor compliance.
The industry needs to know HOW to do these things, not JUST that they need to be done.
What are We Doing Today?
- Sending staff to technical security courses
- Bringing in consultants
- Purchasing products
- Using managed security services
[Diagram: organizational levels (IT and technologists; Department Managers; C-Level Individuals; CEO and Board) set against today’s remedies (Generic Technology Training; Consultants; Managed Services; Products)]
Security Consulting Issues
Why Is Our Current Model Dangerous?
- Relying too heavily on consultants
- Not making educated and informed decisions about:
  • Purchasing security products and services
  • Employing managed services
- Not knowing what to spend the security budget on (people, process, technology)
- Not understanding what level of protection the security budget is providing
- Not being able to report to the board members and shareholders about the company’s security protection level
- Wasting time, money, and effort without making enough progress
[Diagram: level-of-sophistication scale, annotated “We are currently here”]
We Need to Evolve
- We need a new model to empower organizations and allow them to understand security in business terms
- We need a model that takes the theoretical best practices and turns them into practical action items
- Companies need to be able to take ownership of their internal security program
- The current approach will continue to provide a gap between what we preach and what we practice
- Holistic, integrated security that is a business process
Where Is Your Company Today?
- Defined policies, but no security program
- Security program with no real structure
- Security program with certain pieces structured
- Structured security program with no support from business units
- Structured security program fought by cultural issues
Structure or Chaos – or In Between?
If you don’t know where you are, you can’t get to where you want to go.
It’s okay if your program looks at first like a big ball of mud, at least until you know better.
Security Programs…
Swamp guides become more valuable than security architects
Who Needs To Know What?
Standardized security understanding at each level:
- CEO and Board: Government regulations and laws; big picture of company risks; personal liability issues; big picture of company’s security posture
- C-Level Individuals: Security program development; security roles and delegation of responsibilities; developing the company’s security infrastructure and business process; mapping compliancy requirements to tactical and strategic company goals
- Department Managers: Implementation of security program and infrastructure; compliancy checklists, auditing, monitoring; tying technology solutions to business objectives
- IT and technologists: Implementation of technology solutions
You Do Not Need to Understand Technology to Integrate Security
Securing from the Inside Out, Instead of Outside In
The model outlines the depth of each topic that the different corporation levels need to understand.
Target Who Needs to Understand What
It should be a uniquely conceptual model in that it embodies eminently practical elements that can be applied alone or in sequence to define project activity deliverables.
Security Maturity Evolution
Security Metrics
Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process
Evolution
[Diagram: Security Capability plotted against Level 1 (Defined), Level 2 (Integrated), Level 3 (Optimized)]
- Initiate Stakeholder Security Program: Stakeholder sponsored program with responsibilities assigned
- Security Architecture: Architecture principles and policies in place to define core security functions
- Assurance: Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective
- Security Technical Framework: Establishment of standards and technologies to support stakeholder interaction
- Security Organizational Structure: Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure
- Documented Strategy, Principles, and Policy: Clearly defined set of technology-independent policies developed from the business strategy
- Compliance and Certification: Establish compliance measurement and reporting system
- Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk
Incrementally Improves All Security Areas
Quality Improvement Model: Capability Maturity
“A conceptual framework to help organizations:
- Characterize the maturity of their process (AS IS)
- Establish goals for process improvement (TO BE)
- Set priorities for getting there (TRANSITION)
- Manage & sustain change (STABILIZE)
- And introduce change incrementally.”
1. INITIAL: Ad hoc
2. REPEATABLE: Basic management control
3. DEFINED: Process definition
4. MANAGED: Process measurement
5. OPTIMIZING: Process control
Centralized Access to All Necessary Information