Date post: | 26-Jan-2015 |
Category: |
Technology |
Upload: | vicente-aceituno |
View: | 288 times |
Download: | 0 times |
1
2
Index
1. Problem Statement2. Solutions: Portfolio
3
Index
1. Problem Statement2. Solutions: Portfolio
4
Complexity
5
P Solutions
Cost
Risk
Imp
act
Probability
I - So
lutions
Usability
Man
agea
bili
ty
Complexity
6
Organizationand
Environment
7
Changes (Organization)
and moreChanges
(Environment)
8
Incomplete Information
9
Levels of detail
10
Limited Resources
11
Limited Influence
12
“Negative” Results
13
Trust
14
Activity and Results are
Weakly Linked
15
Misunderstanding
16
It can be difficult to tell the Good…
17
…from the Lucky
18
From Doorman Mentality…
19
…To Manager Mentality
20
From Invulnerability...
21
...To Return on Investment
22
FromIncidents = Failure…
23
…ToIncidents =
Opportunity for Improvement
24
From Protect the asset...
25
...To Protect business bjectives
26
FromThreats…
27
…To Results
28
FromPreventing policy violations...
29
...To Providing value
30
Level of Commitment
Goals Obligations
Success What we want to What we have to
Quality As well as we want to
As well as we have to
Security As reliably as we want to
As reliably as we have to
Providing value: Governance Playground
31
Providing value: Security PlayGround
Level of Commitment
Goals Obligations
Success What we have to
Quality
Security As reliably as we want to
32
From Contrarian view of business and security....
33
...To Security seen as part of the
business.
34
Continuous Improvement
35
“We want to prevent attacks from succeeding”. With this approach, to be secure means to be invulnerable.
An incident is any loss of confidentiality, integrity or availability.
You look at a piece of data and think: Is it confidential, has it got integrity, is it available?
Traditional approach to security:
36
“We want to guarantee that our business objectives are met”. With this approach, to be secure means to be reliable, despite attacks, accidents and errors.
An incident is a failure to meet a security objective resulting from accidents, errors or attacks.
You look at a piece of data and think: What properties of this data must be protected for it to have business value?
Inovement style Approach:
37
Use case – Malware Management
Use case – Traditional management Motivation: Clean viruses or your business will sink. Objective: No system should get a virus ever Activity: Install antivirus on personal computers, servers, mail
servers, add antivirus functionality to firewalls, add antispyware, antitrojan, antirookit to the mix.
Policy: Prevent any USB, DVD, to touch any company system without being searched for viruses.
Success criterion: When no system gets ever a virus. Continuous improvement: Add more antimalware controls
(Tripwire, CORE, etc)
38
Use Case – Inovement-style management Motivation: Unfortunately systems, specially Windows and malware prone.
We should invest proportionally to the damage they can make. Goal: Systems should accomplish their business role with or without
malware. Activity: Install antimalware in vulnerable systems. Measure activity, scope,
update and availability of antimalware. Consider other measures, like using less malware prone systems.
Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.
Success criterion: When protected system play their business role without interruption or degradation.
Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectively and ROI.
Use case – Malware Management
39
Index
1. Problem Statement2. Solutions: Portfolio
40
Portfolio
Communication ServicesKnowledge Management ServicesProcess Orientation
Education ServicesConsulting
41
Communication Services - Problem
Both users and IT find it difficult to explain what they need in terms of security (Symptom: They never ask for anything)
Security finds it difficult to understand what the business needs (Symptom: Users and IT avoid meetings with security, difficulties getting budget for projects, lack of collaboration or even conflicts with other departments)
Security feels they don’t have enough power in the organization to get things done.
42
Communication Services - Solution
Learn a new language, “O-ISM3”, including:Security Objectives, which remove ambiguity
and streamline communication.Security Targets, which simplify risk
assessment, and make it easy to relate investment and results.
Processes, which make obvious what is the value provided to the organization.
43
Communication Services - Benefits
Streamline Communication.Improve the alignment of efforts and business
needs.Enable Benefits Realization.Make cristal clear who is responsible for what.Gain influence in the organization.
44
Knowledge Management - Problem
Every task is performed differently depending on who performs it.
When an improvement is identified it is slow to spread among the team, or even lost.
High dependency on the supplier, making the cost of switching very high.
Replacing resources of the team is difficult, requires a high level of effort or it is even risky.
Holidays, attending events and courses, sick leave, become stressing events for the team to be avoided.
Audits are highly disruptive, as there nothing is documented or archived.
45
Knowledge Management - Solution
Identification and archival of all outputs of the activities of the team.
Formal structure and framework for documentation.
Switch from Word documents to Wiki.Clear distribution of knowledge management
responsibilities.Knowledge management integrates seamlessly
with day to day operations.
46
Knowledge Management - Benefits
Every task is performed consistently.Improvement are identified and implemented
quickly and uniformly across the team.No depedency on suppliers.Replacing resources becomes a non-event.More freedom for the work team, improving
motivation and performance, lowering rotation.Audits become painless.
47
Process Management - Problem
There are literally hundreds of activities.Activities are assigned depending on skills.The main driver for activities are compliance with
standards, rather than business needs.Priorities change too frequently.When new activities are created, older activities
become abandoned rather than cancelled.There are activities that don’t show up on the
Follow-up Reports.There are few metrics that infrequently drive
decisions.There is no schedule for activities, or the deadlines
are failed with few exceptions.
48
Process Management - Solution
Switch from activities to processes.Switch from “doing things” to “making deliverables”Group activities with common goals in processes.Prioritize activities depending on business value.Report everything the process performs.Distribute supervisory, audit, operation
responsibilities.Use Activity, Scope, Availability, Load, Quality,
Effectiveness and Efficiency Metrics.
49
Process Management - Benefits
Improve the value for the business.Make better use of resources.Reach higher levels of capability and maturity.Continuous improvement becomes possible.Interface better with other process based methods,
like ITIL.Maintain compliance with standards painlessly.
50
Portfolio
Communication ServicesKnowledge ManagementProcess Orientation
Education ServicesConsulting