How does Octvae support or divert from COBIT?
Best Regards,
Joe Rezendes
Security Compliance Officer
Global Information Security
Franklin Templeton Investments
Office: 727-299-4376
Cell: 813-924-6537
Fax: 727-299-3437
Mail Station: 140-3
Email: jrezend@templeton.com
This message may contain information that is legally privileged or
confidential. If you received this transmission in error, please notify the
sender by reply email, and delete the message and any attachments. This
transmission is believed to be defect free; however, no responsibility is
accepted by the sender for damage arising from its receipt.
-----Original Message-----
From: Brad Bemis [mailto:bradleyb@bradleyb.net]
Sent: Friday, February 10, 2006 11:04 AM
To: 'Mcanyana, Wandile'; 'Mark Curphey'; thomas.jones@hushmail.com;
psrc@securityfocus.com; security-management@securityfocus.com
Subject: RE: Process Improvement for Security
We are using OCTAVE as our internal risk assessment method (step 1
starts next week). The catalog of practices is a useful tool, but as
with most of the best practices out there, it needs to be supplemented
by some of the other models, and consideration needs to be given for
any unique situations or controls that exist within your enterprise.
Of course, the OCTAVE method is freely available, so that may make a
difference for those who are dealing with significant budget
constraints.
-Brad Bemis, CISSP, CISA
-----Original Message-----
From: Mcanyana, Wandile [mailto:Wandile.Mcanyana@firstrandbank.co.za]
Sent: Thursday, February 09, 2006 10:36 PM
To: Mark Curphey; Brad Bemis; thomas.jones@hushmail.com;
psrc@securityfocus.com; security-management@securityfocus.com
Subject: RE: Process Improvement for Security
Mark et al
The OCTAVE methodology has a set of processes/practices that they
suggest for use. Attached is the document with the suggested
processes/practices.
Wandile
-----Original Message-----
From: Mark Curphey [mailto:mark@curphey.com]
Sent: 09 February 2006 08:44 AM
To: 'Brad Bemis'; thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: RE: Process Improvement for Security
Brad
Interesting links, thanks. In my experience very few corporate
security functions have even defined what their processes are in a way
that then can be measured with any scheme like Six Sigma or otherwise
so while an interesting idea proposed it seems the first step is to
document / diagram the various processes. I would be interested if
anyone has a good list of the core processes they think are needed in
a commercial sec dept such as vuln management, continuity planning,
risk assessment, security monitoring etc? Maybe ISO17799 is sufficient
(I don't think so but) ......
-----Original Message-----
From: Brad Bemis [mailto:bradleyb@bradleyb.net]
Sent: Monday, February 06, 2006 9:07 PM
To: thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: RE: Process Improvement for Security
I just went through a week long Greenbelt training class on Lean
Six-Sigma.
I can see some real potential in the process improvements steps, and
since my organization is adopting Lean Six-Sigma as its primary
process improvement/quality management model, it can also function as
a common language between IT and the Business. It isn't really
anything new beyond general TQM, good business practices, and the
like, but it does do a good job of encapsulating everything. The
measurements, metrics, and ability to represent data in charts,
graphs, and more are really quite impressive.
In terms of usefulness, I am still somewhat unconvinced that it is a
'silver bullet' solution - everything comes down to having good data
- meaningful data that can be used to serve a purpose. The metrics
and measurements for information security have certainly come a long
way over the last few years, but a lot of the people and
process-oriented aspects of a security program (often the ones that
have the most significant impact) can be somewhat difficult to measure
in a meaningful way.
A local company has been doing presentations on 'Security Kaizen' that
have also been pretty interesting - a quick google search should get
you pointed in the right direction. It provides some interesting
ideas on metrics, measurements, process improvement, and security
program development. Used in conjunction with the NIST Pub on
security metrics for technology systems, and a few other odds and ends
(like COBIT, ITIL, CMMI, ISO 17799, and the FFIEC IT Examiners
Handbook to name a few) you can probably put together a very nice data
collection method. I've also come across a few pretty good articles
during my own google searching.
-----Original Message-----
From: thomas.jones@hushmail.com [mailto:thomas.jones@hushmail.com]
Sent: Monday, January 30, 2006 10:58 AM
To: psrc@securityfocus.com
Subject: Process Improvement for Security
In line with my last post can anyone point me to a resource or does
anyone have any opinions on applying Six Sigma, balanced scorecards
or
other business process techniques to information security ?
Concerned about your privacy? Instantly send FREE secure email, no
account
required
http://www.hushmail.com/send?lH0
Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?lH5
______________________________________________________________________
_____________________________
�The information contained in this e-mail is confidential and may
contain proprietary information.
It is meant solely for the intended recipient. Access to this e-mail
by anyone else is unauthorised. If you are not the intended
recipient, any disclosure, copying, distribution or any action taken
or omitted in reliance on this, is prohibited and may be unlawful .No
liability or responsibility is accepted if information or data is,
for whatever reason corrupted or does not reach its intended
recipient. No warranty is given that this e-mail is free of viruses.
The views expressed in this e-mail are, unless otherwise stated,
those of the author and not those of FirstRand Bank Limited or its
management.
FirstRand Bank Limited reserves the right to monitor, intercept and
block e-mails addressed to its users or take any other action in
accordance with its e-mail use policy.
Licensed divisions of FirstRand Bank Limited are authorised financial
service providers in terms of the Financial Advisory and Intermediary
Services Act 37 of 2002.�
______________________________________________________________________
_____________________________
Notice: All email and instant messages (including attachments) sent to
or from Franklin Templeton Investments (FTI) personnel may be retained,
monitored and/or reviewed by FTI and its agents, or authorized
law enforcement personnel, without further notice or consent.
