Date post: | 26-Jan-2015 |
Category: |
Technology |
Upload: | vicente-aceituno |
View: | 334 times |
Download: | 1 times |
1
2
“We want to prevent attacks from succeeding”. With this approach, to be secure means to be invulnerable.
An incident is any loss of confidentiality, integrity or availability.
You look at a piece of data and think: Is it confidential, has it got integrity, is it available?
Traditional approach to security:
3
“We want to guarantee that our business objectives are met”. With this approach, to be secure means to be reliable, despite attacks, accidents and errors.
An incident is a failure to meet a security objective resulting from accidents, errors or attacks.
You look at a piece of data and think: What properties of this data must be protected for it to have business value?
Inovement style Approach:
4
Use case – Malware Management
Use case – Traditional management Motivation: Clean viruses or your business will sink. Objective: No system should get a virus ever Activity: Install antivirus on personal computers, servers, mail
servers, add antivirus functionality to firewalls, add antispyware, antitrojan, antirookit to the mix.
Policy: Prevent any USB, DVD, to touch any company system without being searched for viruses.
Success criterion: When no system gets ever a virus. Continuous improvement: Add more antimalware controls
(Tripwire, CORE, etc)
5
Use Case – Inovement-style management Motivation: Unfortunately systems, specially Windows and malware prone.
We should invest proportionally to the damage they can make. Goal: Systems should accomplish their business role with or without
malware. Activity: Install antimalware in vulnerable systems. Measure activity, scope,
update and availability of antimalware. Consider other measures, like using less malware prone systems.
Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.
Success criterion: When protected system play their business role without interruption or degradation.
Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectively and ROI.
Use case – Malware Management
6
Index
1. Problem Statement2. Solutions: Portfolio
7
Portfolio
Communication ServicesKnowledge Management ServicesProcess Orientation
Education ServicesConsulting
8
Communication Services - Problem
Both users and IT find it difficult to explain what they need in terms of security (Symptom: They never ask for anything)
Security finds it difficult to understand what the business needs (Symptom: Users and IT avoid meetings with security, difficulties getting budget for projects, lack of collaboration or even conflicts with other departments)
Security feels they don’t have enough power in the organization to get things done.
9
Communication Services - Solution
Learn a new language, “O-ISM3”, including:Security Objectives, which remove ambiguity
and streamline communication.Security Targets, which simplify risk
assessment, and make it easy to relate investment and results.
Processes, which make obvious what is the value provided to the organization.
10
Communication Services - Benefits
Streamline Communication.Improve the alignment of efforts and business
needs.Enable Benefits Realization.Make cristal clear who is responsible for what.Gain influence in the organization.
11
Knowledge Management - Problem
Every task is performed differently depending on who performs it.
When an improvement is identified it is slow to spread among the team, or even lost.
High dependency on the supplier, making the cost of switching very high.
Replacing resources of the team is difficult, requires a high level of effort or it is even risky.
Holidays, attending events and courses, sick leave, become stressing events for the team to be avoided.
Audits are highly disruptive, as there nothing is documented or archived.
12
Knowledge Management - Solution
Identification and archival of all outputs of the activities of the team.
Formal structure and framework for documentation.
Switch from Word documents to Wiki.Clear distribution of knowledge management
responsibilities.Knowledge management integrates seamlessly
with day to day operations.
13
Knowledge Management - Benefits
Every task is performed consistently.Improvement are identified and implemented
quickly and uniformly across the team.No depedency on suppliers.Replacing resources becomes a non-event.More freedom for the work team, improving
motivation and performance, lowering rotation.Audits become painless.
14
Process Management - Problem
There are literally hundreds of activities.Activities are assigned depending on skills.The main driver for activities are compliance with
standards, rather than business needs.Priorities change too frequently.When new activities are created, older activities
become abandoned rather than cancelled.There are activities that don’t show up on the Follow-
up Reports.There are few metrics that infrequently drive decisions.There is no schedule for activities, or the deadlines are
failed with few exceptions.
15
Process Management - Solution
Switch from activities to processes.Switch from “doing things” to “making deliverables”Group activities with common goals in processes.Prioritize activities depending on business value.Report everything the process performs.Distribute supervisory, audit, operation
responsibilities.Use Activity, Scope, Availability, Load, Quality,
Effectiveness and Efficiency Metrics.
16
Process Management - Benefits
Improve the value for the business.Make better use of resources.Reach higher levels of capability and maturity.Continuous improvement becomes possible.Interface better with other process based methods,
like ITIL.Maintain compliance with standards painlessly.
17
Portfolio
Communication ServicesKnowledge ManagementProcess Orientation
Education ServicesConsulting
18