RE: Process Improvement for Security

We are using OCTAVE as our internal risk assessment method (step 1
starts next week).  The catalog of practices is a useful tool, but as
with most of the best practices out there, it needs to be supplemented
by some of the other models, and consideration needs to be given for
any unique situations or controls that exist within your enterprise.
Of course, the OCTAVE method is freely available, so that may make a
difference  for those who are dealing with significant budget
constraints.  

-Brad Bemis, CISSP, CISA
    

-----Original Message-----
From: Mcanyana, Wandile [mailto:Wandile.Mcanyana@firstrandbank.co.za] 
Sent: Thursday, February 09, 2006 10:36 PM
To: Mark Curphey; Brad Bemis; thomas.jones@hushmail.com;
psrc@securityfocus.com; security-management@securityfocus.com
Subject: RE: Process Improvement for Security

Mark et al

The OCTAVE methodology has a set of processes/practices that they
suggest for use.  Attached is the document with the suggested
processes/practices.  

Wandile  

-----Original Message-----
From: Mark Curphey [mailto:mark@curphey.com]
Sent: 09 February 2006 08:44 AM
To: 'Brad Bemis'; thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: RE: Process Improvement for Security

Brad

Interesting links, thanks.  In my experience very few corporate
security functions have even defined what their processes are in a way
that then can be measured with any scheme like Six Sigma or otherwise
so while an interesting idea proposed it seems the first step is to
document / diagram the various processes. I would be interested if
anyone has a good list of the core processes they think are needed in
a commercial sec dept such as vuln management, continuity planning,
risk assessment, security monitoring etc? Maybe ISO17799 is sufficient
(I don't think so but) ...... 

-----Original Message-----
From: Brad Bemis [mailto:bradleyb@bradleyb.net]
Sent: Monday, February 06, 2006 9:07 PM
To: thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: RE: Process Improvement for Security

I just went through a week long Greenbelt training class on Lean
Six-Sigma.


I can see some real potential in the process improvements steps, and
since my organization is adopting Lean Six-Sigma as its primary
process improvement/quality management model, it can also function as
a common language between IT and the Business.  It isn't really
anything new beyond general TQM, good business practices, and the
like, but it does do a good job of encapsulating everything.  The
measurements, metrics, and ability to represent data in charts,
graphs, and more are really quite impressive.  

In terms of usefulness, I am still somewhat unconvinced that it is a
'silver bullet' solution  - everything comes down to having good data
- meaningful data that can be used to serve a purpose.  The metrics
and measurements for information security have certainly come a long
way over the last few years, but a lot of the people and
process-oriented aspects of a security program (often the ones that
have the most significant impact) can be somewhat difficult to measure
in a meaningful way.      

A local company has been doing presentations on 'Security Kaizen' that
have also been pretty interesting - a quick google search should get
you pointed in the right direction.  It provides some interesting
ideas on metrics, measurements, process improvement, and security
program development.  Used in conjunction with the NIST Pub on
security metrics for technology systems, and a few other odds and ends
(like COBIT, ITIL, CMMI, ISO 17799, and the FFIEC IT Examiners
Handbook to name a few) you can probably put together a very nice data
collection method.  I've also come across a few pretty good articles
during my own google searching.      

                              

> -----Original Message-----
> From: thomas.jones@hushmail.com [mailto:thomas.jones@hushmail.com]
> Sent: Monday, January 30, 2006 10:58 AM
> To: psrc@securityfocus.com
> Subject: Process Improvement for Security
>
> In line with my last post can anyone point me to a resource or does 
> anyone have any opinions on applying Six Sigma, balanced scorecards
or 
> other business process techniques to information security ?
>
>
>
> Concerned about your privacy? Instantly send FREE secure email, no
account
> required
> http://www.hushmail.com/send?lH0
>
> Get the best prices on SSL certificates from Hushmail
> https://www.hushssl.com?lH5




______________________________________________________________________
_____________________________

The information contained in this e-mail is confidential and may
contain proprietary information.
 It is meant solely for the intended recipient. Access to this e-mail
by anyone else  is unauthorised. If you are not the intended
recipient, any disclosure, copying,  distribution or any action taken
or omitted in reliance on this, is prohibited and  may be unlawful .No
liability or responsibility is accepted if information or data is,
for whatever reason corrupted or does not reach its intended
recipient. No warranty is  given that this e-mail is free of viruses.
The views expressed in this e-mail are, unless  otherwise stated,
those of the author and not those of FirstRand Bank Limited or its
management.
 FirstRand Bank Limited reserves the right to monitor, intercept and
block e-mails addressed  to its users or take any other action in
accordance with its e-mail use policy.
 Licensed divisions of FirstRand Bank Limited are authorised financial
service providers  in terms of the Financial Advisory and Intermediary
Services Act 37 of 2002.

______________________________________________________________________
_____________________________