On Feb 9, 2006, at 7:08 AM, Mark Curphey wrote:
Good stuff but a few questions.
1. I don't see (and I maybe missing this due to IE7 rendering and
mature
eyes) key processes like ensuring organizations revue log files,
ensuring
background checks are done on new staff starters etc. Are your
processes at
a higher level than that?
This is the high-level picture. The details are provided in the CISO
toolKit that this abstracts. Background checks are called out as part
of HR requirements under personnel for example. To get the drill-down
at a few levels more depth, go to the linked page and read the
detailed table of contents of the book in the toolkit. They are far
closer to the detailed specifications you are asking about.
2. I don't think there are any COTS systems to do the workflow yet
(?) so I
imagine this is indeed a significant cost involved in codifying
IS017799.
Have you heard about any sort of cost / time / benefit analysis?
Several COST systems are starting down this line - Elemental security
- Skybox are two of the growing candidates.
3. If you cant measure the direct and indirect cost today (which is
what you
imply or at least the way I am reading it) how can you make a call
on the
fact you will get greater costs? Maybe the whole BPM market is
really a BS
market but there are some impressive ROI models being brandished
around on
BPM for other sectors and I struggle to think they don't apply to
security.
We like to think we are *different* but we really aren't IMHO.
The security metrics book provides many thousands of things you can
measure that are meaningful in terms of process, and comparisons to
others, but this is only of limited value because measurement costs
too. Security architecture is intended to address these issues by
codifying things that we know work and that dramatically reduce the
attack graphs,
The ROI models just don't work, and ROI is the wrong approach to
security analysis. I can show an ROI every day like:
No security: you are out of business now and forever.
Add gobs of security: you are not out of business now and forever.
ROI is huge - you pay back the entire value of the enterprise every
day. But this is not the issue. The issue is more along the lines of
rational behavior.
FC
-----Original Message-----
From: Fred Cohen [mailto:fred.cohen@all.net]
Sent: Thursday, February 09, 2006 5:31 AM
To: Mark Curphey
Cc: 'Brad Bemis'; thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: Re: Process Improvement for Security
PRocess controls are increasingly being put in place through workflow
systems and these systems are starting to move toward codifying
things like
ISO17799 but the level of customization required for an enterprise
is very
substantial. It takes years of effort to get to this point.
Certainly some
enterprises have achieved this. The core processes are reasonably
described
in the "Enterprise Security Architecture" picture with drill-down
on the
all.net Web site. But as you drive this into the detailed level,
you find
that there are thousands of things to measure (and do) that go largely
unmeasured (and not done) today. The problem with getting security
really
tied down like this is that the cost is prohibitive and that, while
you will
get great security in terms of reduction in harmful incidents, you
will also
get great costs. The goal of an enterprise is presumably to
minimize (cost +
loss) associated with security issues.
Thus rather than get to a gold-plated security program, acceptance
of small
risks is far less expensive than a process that leaves no holes.
That's
where risk management has to come into play, and risk management
seems to
say that doing security with a six-sigma approach leads to higher cost
without all that much lower loss.
FC
On Feb 8, 2006, at 10:44 PM, Mark Curphey wrote:
Brad
Interesting links, thanks. In my experience very few corporate
security functions have even defined what their processes are in a
way
that then can be measured with any scheme like Six Sigma or otherwise
so while an interesting idea proposed it seems the first step is to
document / diagram the various processes. I would be interested if
anyone has a good list of the core processes they think are needed in
a commercial sec dept such as vuln management, continuity planning,
risk assessment, security monitoring etc? Maybe ISO17799 is
sufficient
(I don't think so but) ......
-----Original Message-----
From: Brad Bemis [mailto:bradleyb@bradleyb.net]
Sent: Monday, February 06, 2006 9:07 PM
To: thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: RE: Process Improvement for Security
I just went through a week long Greenbelt training class on Lean
Six-Sigma.
I can see some real potential in the process improvements steps, and
since my organization is adopting Lean Six-Sigma as its primary
process improvement/quality management model, it can also function as
a common language between IT and the Business. It isn't really
anything new beyond general TQM, good business practices, and the
like, but it does do a good job of encapsulating everything. The
measurements, metrics, and ability to represent data in charts,
graphs, and more are really quite impressive.
In terms of usefulness, I am still somewhat unconvinced that it is a
'silver bullet' solution - everything comes down to having good data
- meaningful data that can be used to serve a purpose. The metrics
and measurements for information security have certainly come a long
way over the last few years, but a lot of the people and
process-oriented aspects of a security program (often the ones that
have the most significant
impact)
can be somewhat difficult to measure
in a meaningful way.
A local company has been doing presentations on 'Security Kaizen'
that have
also been pretty interesting - a quick google search should get you
pointed in the right direction. It provides some interesting
ideas on
metrics, measurements, process improvement, and security program
development. Used in conjunction with the NIST Pub on security
metrics for technology systems, and a few other odds and ends (like
COBIT, ITIL, CMMI, ISO 17799, and the FFIEC IT Examiners Handbook to
name a few) you can probably put together a very nice data collection
method. I've also come across a few pretty good articles during my
own google searching.
-----Original Message-----
From: thomas.jones@hushmail.com [mailto:thomas.jones@hushmail.com]
Sent: Monday, January 30, 2006 10:58 AM
To: psrc@securityfocus.com
Subject: Process Improvement for Security
In line with my last post can anyone point me to a resource or does
anyone have any opinions on applying Six Sigma, balanced scorecards
or
other business process techniques to information security ?
Concerned about your privacy? Instantly send FREE secure email, no
account
required
http://www.hushmail.com/send?lH0
Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?lH5
-- This communication is confidential to the parties it is intended
to serve
--
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
ASP Press asp-presss.com Livermore, CA 94550
-- This communication is confidential to the parties it is intended
to serve --
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
ASP Press asp-presss.com Livermore, CA 94550
