RE: Process Improvement for Security

Subject: RE: Process Improvement for Security
Date: Fri, 10 Feb 2006 20:10:23 -0700
It supports COBIT and also can be leveraged initially to perform the risk
assessment required by ISO27001 by identifying the scope, identifying
critical assets, qualifying and quantifying risks, creating controls to
mitigate or accept that risk.  You can then utilize COBIT to enable the
controls that are listed in ANNEX A of the ISO standard as well and wrap
your IT Security Strategy up with a Risk Assessment Approach (OCTAVE) and an
internal controls model (COBIT) and map them to the international x7799
standard.

Kim Sassaman, CISSP
Senior Consultant
Information Protection & Assurance
HotSkills, Inc.
2438 East King Ave.
Saint Paul, MN 55119
Ph: (602)791 4271
Fax: (651) 730-0474

-----Original Message-----
From: Rezendes, Joseph [mailto:JRezend@templeton.com] 
Sent: Friday, February 10, 2006 12:29 PM
To: Brad Bemis; Mcanyana, Wandile; Mark Curphey; thomas.jones@hushmail.com;
psrc@securityfocus.com; security-management@securityfocus.com
Subject: RE: Process Improvement for Security

How does OCTAVE support or divert from COBIT?

Best Regards,

Joe Rezendes
Security Compliance Officer
Global Information Security
Franklin Templeton Investments
Office: 727-299-4376
Cell: 813-924-6537
Fax: 727-299-3437
Mail Station: 140-3
Email: jrezend@templeton.com

-----Original Message-----
From: Brad Bemis [mailto:bradleyb@bradleyb.net]
Sent: Friday, February 10, 2006 11:04 AM
To: 'Mcanyana, Wandile'; 'Mark Curphey'; thomas.jones@hushmail.com;
psrc@securityfocus.com; security-management@securityfocus.com
Subject: RE: Process Improvement for Security


We are using OCTAVE as our internal risk assessment method (step 1
starts next week).  The catalog of practices is a useful tool, but as
with most of the best practices out there, it needs to be supplemented
by some of the other models, and consideration needs to be given for
any unique situations or controls that exist within your enterprise.
Of course, the OCTAVE method is freely available, so that may make a
difference for those who are dealing with significant budget
constraints.

-Brad Bemis, CISSP, CISA

-----Original Message-----
From: Mcanyana, Wandile [mailto:Wandile.Mcanyana@firstrandbank.co.za] 
Sent: Thursday, February 09, 2006 10:36 PM
To: Mark Curphey; Brad Bemis; thomas.jones@hushmail.com;
psrc@securityfocus.com; security-management@securityfocus.com
Subject: RE: Process Improvement for Security

Mark et al

The OCTAVE methodology has a set of processes/practices that they
suggest for use.  Attached is the document with the suggested
processes/practices.  

Wandile  

-----Original Message-----
From: Mark Curphey [mailto:mark@curphey.com]
Sent: 09 February 2006 08:44 AM
To: 'Brad Bemis'; thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: RE: Process Improvement for Security

Brad

Interesting links, thanks.  In my experience very few corporate
security functions have even defined what their processes are in a way
that then can be measured with any scheme like Six Sigma or otherwise
so while an interesting idea proposed it seems the first step is to
document / diagram the various processes. I would be interested if
anyone has a good list of the core processes they think are needed in
a commercial sec dept such as vuln management, continuity planning,
risk assessment, security monitoring etc? Maybe ISO17799 is sufficient
(I don't think so but) ...... 

-----Original Message-----
From: Brad Bemis [mailto:bradleyb@bradleyb.net]
Sent: Monday, February 06, 2006 9:07 PM
To: thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: RE: Process Improvement for Security

I just went through a week-long Greenbelt training class on Lean
Six-Sigma.

I can see some real potential in the process improvements steps, and
since my organization is adopting Lean Six-Sigma as its primary
process improvement/quality management model, it can also function as
a common language between IT and the Business.  It isn't really
anything new beyond general TQM, good business practices, and the
like, but it does do a good job of encapsulating everything.  The
measurements, metrics, and ability to represent data in charts,
graphs, and more are really quite impressive.  

In terms of usefulness, I am still somewhat unconvinced that it is a
'silver bullet' solution  - everything comes down to having good data
- meaningful data that can be used to serve a purpose.  The metrics
and measurements for information security have certainly come a long
way over the last few years, but a lot of the people and
process-oriented aspects of a security program (often the ones that
have the most significant impact) can be somewhat difficult to measure
in a meaningful way.      

A local company has been doing presentations on 'Security Kaizen' that
have also been pretty interesting - a quick google search should get
you pointed in the right direction.  It provides some interesting
ideas on metrics, measurements, process improvement, and security
program development.  Used in conjunction with the NIST Pub on
security metrics for technology systems, and a few other odds and ends
(like COBIT, ITIL, CMMI, ISO 17799, and the FFIEC IT Examiners
Handbook to name a few) you can probably put together a very nice data
collection method.  I've also come across a few pretty good articles
during my own google searching.      


-----Original Message-----
From: thomas.jones@hushmail.com [mailto:thomas.jones@hushmail.com]
Sent: Monday, January 30, 2006 10:58 AM
To: psrc@securityfocus.com
Subject: Process Improvement for Security

In line with my last post can anyone point me to a resource or does
anyone have any opinions on applying Six Sigma, balanced scorecards or
other business process techniques to information security?
