Network Security Security-Management

RE: Process Improvement for Security

Subject: RE: Process Improvement for Security
Date: Fri, 10 Feb 2006 08:36:02 +0200
Mark et al

The OCTAVE methodology has a set of processes/practices that they suggest
for use.  Attached is the document with the suggested processes/practices.  

Wandile  

-----Original Message-----
From: Mark Curphey [mailto:mark@curphey.com] 
Sent: 09 February 2006 08:44 AM
To: 'Brad Bemis'; thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: RE: Process Improvement for Security

Brad

Interesting links, thanks.  In my experience very few corporate security
functions have even defined what their processes are in a way that can then
be measured with any scheme like Six Sigma or otherwise, so while it is an
interesting idea, it seems the first step is to document / diagram the
various processes. I would be interested if anyone has a good list of the
core processes they think are needed in a commercial sec dept, such as vuln
management, continuity planning, risk assessment, security monitoring etc.?
Maybe ISO17799 is sufficient (I don't think so, but) ...

-----Original Message-----
From: Brad Bemis [mailto:bradleyb@bradleyb.net] 
Sent: Monday, February 06, 2006 9:07 PM
To: thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: RE: Process Improvement for Security

I just went through a week long Greenbelt training class on Lean Six-Sigma.

I can see some real potential in the process improvements steps, and since
my organization is adopting Lean Six-Sigma as its primary process
improvement/quality management model, it can also function as a common
language between IT and the Business.  It isn't really anything new beyond
general TQM, good business practices, and the like, but it does do a good
job of encapsulating everything.  The measurements, metrics, and ability to
represent data in charts, graphs, and more are really quite impressive.  

In terms of usefulness, I am still somewhat unconvinced that it is a 'silver
bullet' solution - everything comes down to having good data - meaningful
data that can be used to serve a purpose.  The metrics and measurements for
information security have certainly come a long way over the last few years,
but a lot of the people and process-oriented aspects of a security program
(often the ones that have the most significant impact) can be somewhat
difficult to measure in a meaningful way.

A local company has been doing presentations on 'Security Kaizen' that have
also been pretty interesting - a quick Google search should get you pointed
in the right direction.  It provides some interesting ideas on metrics,
measurements, process improvement, and security program development.  Used
in conjunction with the NIST Pub on security metrics for technology systems,
and a few other odds and ends (like COBIT, ITIL, CMMI, ISO 17799, and the
FFIEC IT Examiners Handbook to name a few) you can probably put together a
very nice data collection method.  I've also come across a few pretty good
articles during my own Google searching.


-----Original Message-----
From: thomas.jones@hushmail.com [mailto:thomas.jones@hushmail.com]
Sent: Monday, January 30, 2006 10:58 AM
To: psrc@securityfocus.com
Subject: Process Improvement for Security

In line with my last post, can anyone point me to a resource, or does
anyone have any opinions on applying Six Sigma, balanced scorecards or
other business process techniques to information security?



"The information contained in this e-mail is confidential and may contain
proprietary information. It is meant solely for the intended recipient.
Access to this e-mail by anyone else is unauthorised. If you are not the
intended recipient, any disclosure, copying, distribution or any action taken
or omitted in reliance on this is prohibited and may be unlawful. No liability
or responsibility is accepted if information or data is, for whatever reason,
corrupted or does not reach its intended recipient. No warranty is given that
this e-mail is free of viruses. The views expressed in this e-mail are, unless
otherwise stated, those of the author and not those of FirstRand Bank Limited
or its management. FirstRand Bank Limited reserves the right to monitor,
intercept and block e-mails addressed to its users or take any other action
in accordance with its e-mail use policy. Licensed divisions of FirstRand Bank
Limited are authorised financial service providers in terms of the Financial
Advisory and Intermediary Services Act 37 of 2002."

Attachment: OCTAVESM Catalog of Practices Version 2.0.pdf
Description: Adobe PDF document

Attachment: smime.p7s
Description: S/MIME cryptographic signature
