Holistic Approach to Security

Presentation on theme: "Holistic Approach to Security"— Presentation transcript:

1 Holistic Approach to Security
360 Security Model

2 Security’s New Mantra
“Security needs to be a business process”
Great strategic goal – but we will never get there under today’s approaches.

3 What Models Do We Have Today?
Process oriented (ISO9001:2000, BS7799-2:2002, CMMI, ITIL/ITSM)
Controls oriented (ISO, BSI-ITBPM)
Product oriented (Common Criteria)
Risk analysis oriented (Octave, Magerit)
Best practice oriented (ISO/IEC 17799:2000, CobiT, ISF-SGP)
But how many business people understand these and can implement them?

4 CobiT Excerpts
Prepare a risk management action plan to address the most significant risks.
Define and implement a security framework that consists of standards, measures, practices and procedures.
Develop clear policies and detailed guidelines, supported by a repetitive and assertive communications plan that reaches every employee.
Establish security baselines and rigorously monitor compliance.
The industry needs to know HOW to do these things, not JUST that they need to be done.

5 What are We Doing Today?
Sending staff to technical security courses
Bringing in consultants
Purchasing products
Using managed security services
(Diagram: organizational levels, IT and technologists, Department Managers, C-Level Individuals, CEO and Board, set against the current remedies: generic technology training, consultants, managed services, products.)

6 Security Consulting Issues

7 Why Is Our Current Model Dangerous?
Relying too heavily on consultants
Not making educated and informed decisions about:
  Purchasing security products and services
  Employing managed services
Not knowing what to spend the security budget on: people, process, technology
Not understanding what level of protection the security budget is providing
Not being able to report to the board members and shareholders about the company’s security protection level
Wasting time, money, and effort without making enough progress

8 Level of Sophistication
(Chart: a sophistication scale with the marker “We are currently here”.)

9 We Need to Evolve
We need a new model to empower organizations and allow them to understand security in business terms
We need a model that takes the theoretical best practices and turns them into practical action items
Companies need to be able to take ownership of their internal security program
The current approach will continue to provide a gap between what we preach and what we practice
Holistic, integrated security, that is a business process

10 Where Is Your Company Today?
Defined policies, but no security program
Security program with no real structure
Security program with certain pieces structured
Structured security program with no support from business units
Structured security program fought by cultural issues

11 Security Programs… Structure or Chaos – or In Between?
Swamp guides become more valuable than security architects
If you don’t know where you are, you can’t get to where you want to go.
It’s okay if your program looks at first like a big ball of mud, at least until you know better.

12 Who Needs To Know What?
(Matrix: standardized security understanding at each organizational level.)
Organizational levels: IT and technologists; Department Managers; C-Level Individuals; CEO and Board
Topics covered in the matrix:
Government regulations and laws
Big picture of company risks
Personal liability issues
Big picture of company’s security posture
Security program development
Security roles and delegation of responsibilities
Develop company’s security infrastructure and business process
Mapping compliancy requirements to tactical and strategic company goals
Implementation of security program and infrastructure
Compliancy checklists, auditing, monitoring
Tying technology solutions to business objectives
Implementation of technology solutions

13 You Do Not Need to Understand Technology to Integrate Security

14 Securing from the Inside Out, Instead of Outside In

15 Target Who Needs to Understand What
The model outlines the depth of each topic that the different corporation levels need to understand.

16 It should be a uniquely conceptual model in that it embodies eminently practical elements that can be applied alone or in sequence to define project activity deliverables.

17 Security Maturity Evolution
(Diagram: security capability plotted against evolution, from Initiate through Level 1 Defined, Level 2 Integrated and Level 3 Optimized.)
Security Metrics: Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process
Stakeholder Security Program: Stakeholder sponsored program with responsibilities assigned
Security Architecture: Architecture principles and policies in place to define core security functions
Assurance: Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective
Security Technical Framework: Establishment of standards and technologies to support stakeholder interaction
Security Organizational Structure: Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure
Documented Strategy, Principles, and Policy: Clearly defined set of technology-independent policies developed from the business strategy
Compliance and Certification: Establish compliance measurement and reporting system
Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk


19 Incrementally Improves All Security Areas
Quality Improvement Model: Capability Maturity
“A conceptual framework to help organizations:
Characterize the maturity of their process (AS IS)
Establish goals for process improvement (TO BE)
Set priorities for getting there (TRANSITION)
Manage & sustain change (STABILIZE)
And introduce change incrementally.”
1. INITIAL: Ad hoc
2. REPEATABLE: Basic management control
3. DEFINED: Process definition
4. MANAGED: Process measurement
5. OPTIMIZING: Process control

20 Centralized Access to All Necessary Information
