UNIT 4
Terminology
• A model is a high-level construct representing
processes, variables and relationships. Thus, a model is
an abstract, conceptual construct that provides no
specific guidance on, or practices for, implementation.
• A framework is defined as a support structure in
which another software project can be organized or
developed.
• While a model is abstract and conceptual, a
framework is linked to demonstrable work.
• Furthermore, frameworks set assumptions and
practices that are designed to directly impact
implementations. In contrast, models provide the
general guidance for achieving the goals, but without
getting into the details of practice and procedures.
Methodology
• A methodology is a codified set of
recommended practices, sometimes
accompanied by training materials,
formal educational programs,
worksheets and diagramming tools.
Standards
• A standard is a published document that contains a
technical specification or other precise criterion
designed to be used consistently as a rule, guideline or
definition.
• Standards help to make life simpler and to increase the
reliability and effectiveness of many goods and services
that we use.
• They are the summary of best practices and are created
by bringing together the experiences and expertise of
all interested parties: the producers, sellers, buyers,
users and regulators of a particular material, product,
process or service.
• An important point to note is that standards are
designed for voluntary use and do not impose any
regulations.
• However, laws and regulations may refer to certain
standards, and make compliance with them
compulsory.
Standard
• A security standard is like any other standard
within any other industry.
• A standard is “a published specification that
establishes a common language, and contains a
technical specification or other precise criteria
and is designed to be used consistently, as a
rule, a guideline, or a definition”. Further,
according to ISO, standards “contribute to
making life simpler, and to increasing the
reliability and effectiveness of the goods and
services we use”.
• In essence, a STANDARD is a common set of
rules, definitions and agreed “regulations” that
all parties can use as a common reference.
Security Policy
• SECURITY POLICY is a set of policies
issued by an organization to ensure
that all information technology users
within the domain of the organization
or its networks comply with rules and
guidelines related to the security of
the information stored digitally at any
point in the network or within the
organization's boundaries of authority.
ISO 27001
• ISO 27001 (formerly known as ISO/IEC
17799:2005) is a specification for an
information security management system
(ISMS).
• An ISMS is a framework of policies and
procedures that includes all legal, physical
and technical controls involved in an
organisation's information risk
management processes.
• According to its documentation, ISO 27001 was
developed to "provide a model for establishing,
implementing, operating, monitoring, reviewing,
maintaining and improving an information
security management system."
ISO27001
• It is an information security management (ISM) standard.
• Its purpose is to help organizations to
establish and maintain an ISMS.
• It is the set of requirements that must be
met if you want your ISMS to be
formally certified.
• Being ISO 27001 approved is a certification
which shows that the business has
defined and implemented effective
security processes.
• ISO 27001 uses a top-down, risk-based
approach and is technology-neutral.
• The specification defines a six-part planning
process:
– Define a security policy.
– Define the scope of the ISMS.
– Conduct a risk assessment.
– Manage identified risks.
– Select control objectives and controls to be
implemented.
– Prepare a statement of applicability.
PDCA Approach
1. PLAN-Establish content
• Define ISMS scope
• Define policy
• Identify risks
• Assess risks
• Select control objectives
2. DO-Implement and operate
• Implement risk treatment plan
• Deploy controls
3. CHECK-Monitor and review
• Monitor processes
• Regular reviews
• Internal audits
4. ACT-Maintain and improve
• Implement improvements
• Corrective actions
• Preventive actions
• Communicate with stakeholders
Implementation context of
PDCA cycle in ISO 27001
• ISO 27001 is designed to help organizations
establish and maintain effective information
security controls through continual
improvements.
• Developed in October 2005 by the International
Standards Organization, ISO 27001 implements
principles of the Organization for Economic
Cooperation and Development (OECD) on
governing the security of information and
networks.
• The standard creates a road map for the secure
design, implementation, management and
maintenance of IT processes in the organization.
COBIT
• COBIT stands for Control Objectives for
Information and Related Technology.
• COBIT is a framework for developing,
implementing, monitoring and improving
information technology (IT) governance
and management practices.
• The COBIT framework is published by the IT
Governance Institute and the Information
Systems Audit and Control Association (ISACA).
• The goal of the framework is to provide a
common language for business executives
to communicate with each other about
goals, objectives and results.
• The original version, published in 1996,
focused largely on auditing. The latest
version, published in 2013, emphasizes
the value that information governance can
provide to a business' success.
• It also provides quite a bit of advice
about enterprise risk management.
• Supports managers and allows balancing
technical issues, business risks and
control requirements.
• Ensures quality, control and reliability of
information systems in an organization.
Components of COBIT5
• Framework: The main framework of COBIT guides
organizations through best practices and standardization
surrounding IT processes and infrastructure. The goal is to
align IT with the overall business goals by getting IT on
the same page as the rest of the company and to help
other executives and senior managers better understand
IT objectives.
• Process descriptions: COBIT uses language that
anyone in the organization will understand, so that
CEOs, CFOs, CIOs and other key players can readily
understand its terminology, processes and descriptions. It
can help establish a solid ground for communication
between IT and other departments.
• Control objectives: This section offers an overview of
high-level requirements that can help develop and
improve every IT process, allowing businesses to adapt
these to their own needs and goals.
• Management guidelines: The COBIT guide
offers best practices for establishing objectives
and processes and for assigning tasks or
responsibilities across the organization. It also
gives guidance on measuring performance and
on how the framework can integrate with other IT
management frameworks.
• Maturity models: COBIT maturity models help
businesses assess the maturity of their
organization, understand how the process will
grow with the organization and identify any
potential problems that might arise down the
line.
• The name COBIT originally stood for "Control
Objectives for Information and Related
Technology," but the spelled-out version of the
name was dropped in favor of the acronym in
the fifth iteration of the framework.
• COBIT 5 is based on five key principles for
governance and management of enterprise IT:
– Principle 1: Meeting Stakeholder Needs
– Principle 2: Covering the Enterprise End-to-End
– Principle 3: Applying a Single, Integrated Framework
– Principle 4: Enabling a Holistic Approach
– Principle 5: Separating Governance From Management
COBIT 5 Principles
(Figure of the five COBIT 5 principles.) Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
SSE-CMM (Systems Security Engineering and Capability Maturity Model)
Overview
• The SSE-CMM describes the essential
characteristics of an organization's security
engineering process that must exist to ensure
good security engineering.
• It is developed based on the premise that if
you can guarantee the quality of the
processes that are used by the organization,
then you can guarantee the quality of the
products and services generated by the
processes.
• SSE-CMM focuses on process definition and
improvement as a core value.
• SSE-CMM looks at the occurrence of security
defects or incidents and seeks to identify the flaw
in the related process so as to remediate that flaw,
thus removing the overall defect.
Basic Concepts
• Process: A process is a sequence of steps
performed for a given purpose. It is the system of
tasks, supporting tools, and people involved in the
production and evolution of some end result (e.g.,
product, system, or service).
• Base Practices (BP) & Generic Practices (GP):
Base practices are practices that collectively
define security engineering. Examples of BPs are
Identify Natural Threats, Assess Threat Likelihood,
Capture Security View of System Operation, etc.
Generic practices are basically process
management practices. Examples of GPs are
Planning Performance, Tracking Performance,
Ensure Training, etc.
• Process Area: Process areas are groups of
practices that, when taken together, achieve a
common purpose.
• Process Capability: Process capability refers to an organization's potential.
It is a range within which an organization is expected to
perform. For example, in a software development project,
one statistical metric of process capability is
to collect the number of software defects and plot the
percentage of defects per thousand lines of source code. If
you use the same team of developers and repeat roughly
the same set of processes in your software development,
your next project will have a comparable process
capability, i.e., in this case, the percentage of defects per
thousand lines of source code will fall within a similar
range of variation.
• Process Maturity: Process maturity indicates the extent
to which a specific process is explicitly defined, managed,
measured, controlled, and effective. Process maturity
indicates the potential for growth in process capability.
Capability Maturity Model
• A CMM is a framework for evolving an
engineering organization from an ad hoc,
less organized, less effective state to a
highly structured and highly effective
state.
• Use of such a model is a means for
organizations to bring their practices
under statistical process control in order
to increase their process capability
with regard to cost, productivity,
schedule, and quality.
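The defect-density illustration given under Process Capability, and the aim of bringing practices "under statistical process control" stated for a CMM, can be worked through in code. The following is an added example, not material from the slides or from the SSE-CMM itself: it assumes a plain mean ± k·σ control band as the "range of variation" that defines capability, and every project figure in it is a constructed sample value.

```python
"""Process capability as an expected range of defect density.

Added illustration (not from the slides): the defect densities of past
projects (defects per thousand lines of source code, KLOC) are treated as
a sample of the organization's process capability. A control band of
mean +/- k standard deviations (an assumed, simple statistical-process-
control style limit) gives the range a comparable next project is
expected to fall in; a project outside the band signals a process that
did not behave like the historical one. All figures are constructed.
"""
from statistics import mean, stdev

# Constructed sample: (project name, defects found, lines of source code)
PAST_PROJECTS = [
    ("proj-a", 42, 12_000),
    ("proj-b", 55, 15_500),
    ("proj-c", 38, 11_000),
    ("proj-d", 61, 17_000),
    ("proj-e", 47, 13_200),
]


def defect_density(defects: int, loc: int) -> float:
    """Defects per thousand lines of source code (KLOC)."""
    if loc <= 0:
        raise ValueError("lines of code must be positive")
    return defects / (loc / 1000)


def capability_range(projects, k: float = 2.0):
    """Expected defect-density range: mean +/- k sample standard deviations.

    Needs at least two past projects to estimate the variation; the lower
    bound is clipped at zero because a negative density is meaningless.
    """
    densities = [defect_density(d, loc) for _, d, loc in projects]
    mu, sigma = mean(densities), stdev(densities)
    return max(0.0, mu - k * sigma), mu + k * sigma


def within_capability(defects: int, loc: int, projects=PAST_PROJECTS,
                      k: float = 2.0) -> bool:
    """True if a new project's density lies inside the historical band."""
    lo, hi = capability_range(projects, k)
    return lo <= defect_density(defects, loc) <= hi


if __name__ == "__main__":
    lo, hi = capability_range(PAST_PROJECTS)
    print(f"expected defects/KLOC: {lo:.2f} .. {hi:.2f}")
    for name, defects, loc in (("next-1", 50, 14_000), ("next-2", 90, 14_000)):
        flag = "within" if within_capability(defects, loc) else "OUTSIDE"
        print(f"{name}: {defect_density(defects, loc):.2f} defects/KLOC -> {flag}")
```

The width of the band, not the mean alone, is what the slides call capability: a low-maturity organization has a wide, unpredictable band, while a higher-level one can quote a narrow range and notice quickly when a project leaves it.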
Benefits of adopting the
CMM framework
1. Improving Predictability: The first improvement expected as an
organization matures is predictability. For instance, Level 1
organizations often miss their originally scheduled delivery dates
by a wide margin, whereas organizations at a higher CMM level
should be able to predict the outcome of cost and schedule of a
project with higher accuracy.
2. Improving Control: The second improvement expected as an
organization matures is control. As an organization’s CMM level
increases, the organization will be able to establish revised targets
more accurately. For example, if the business has asked for some
new features and functions for a software application, the software
development team will be able to more accurately determine how
many more days of work will be needed.
3. Improving Process Effectiveness: The third improvement
expected as an organization matures is process effectiveness. As
an organization matures, costs decrease, development time
becomes shorter, and productivity and quality increase. In
a Level 1 organization, development time can be quite long
because of the amount of rework that must be performed to
correct mistakes. In contrast, organizations at a higher maturity
level can obtain shortened overall development times via
increased process effectiveness and reduction of costly rework.
SSE-CMM Levels
Capability Level 1 – Initial-Performed Informally
• Base practices of the process area are generally
performed.
• The performance of these base practices may
not be rigorously planned and tracked.
• Performance depends on individual knowledge
and effort.
• Work products of the process area testify to
their performance.
• Individuals within the organization recognize
that an action should be performed, and there
is general agreement that this action is
performed as and when required.
• There are identifiable work products for the
process.
Capability Level 2 – Repeatable-Planned and Tracked
• Performance of the base practices in the process
area is planned and tracked.
• Performance according to specified procedures is
verified.
• Work products conform to specified standards
and requirements.
• Measurement is used to track process area
performance, thus enabling the organization to
manage its activities based on actual
performance.
• The primary distinction from Level 1, Performed
Informally, is that the performance of the process
is planned and managed.
Capability Level 3 – Well Defined
• Base practices are performed according to a well-
defined process using approved, tailored versions of
standard, documented processes.
• The primary distinction from Level 2, Planned and
Tracked, is that the process is planned and managed
using an organization-wide standard process.
Capability Level 4 – Managed-Quantitatively Controlled
• Detailed measures of performance are collected and
analyzed.
• This leads to a quantitative understanding of process
capability and an improved ability to predict
performance.
• Performance is objectively managed, and the quality
of work products is quantitatively known.
• The primary distinction from the Well Defined level is
that the defined process is quantitatively understood
and controlled.
Capability Level 5 – Optimizing-Continuously Improving
• Quantitative performance goals (targets) for process
effectiveness and efficiency are established, based on
the business goals of the organization.
• Continuous process improvement against these goals
is enabled by quantitative feedback from performing
the defined processes and from piloting innovative
ideas and technologies.
• The primary distinction from the quantitatively
controlled level is that the defined process and the
standard process undergo continuous refinement and
improvement, based on a quantitative understanding
of the impact of changes to these processes.
Methodologies
• IAM
• IEM
• SIPES
IAM
• The Information Security (INFOSEC)
Assessment Methodology (IAM) is a
detailed and systematic method for
examining security vulnerabilities from
an organizational perspective as opposed
to only a technical perspective.
• Often overlooked are the processes,
procedures, documentation, and informal
activities that directly impact an
organization’s overall security posture but
that might not necessarily be technical in
nature.
• The main motive of the IAM is to give organizations
that provide INFOSEC assessments a
repeatable framework for conducting
organizational types of assessments, as well
as to provide assessment consumers with
appropriate information on what to look for
in an assessment provider.
• The IAM is also intended to raise awareness of
the need for organizational types of assessment
versus the purely technical type of assessment.
• Three phases:
– Pre-assessment
– On-site activities
– Post assessment
Pre-Assessment
– Determine and manage the customer’s expectations
– Gain an understanding of the organization’s information
criticality
– Determine the customer’s goals and objectives
– Determine the system boundaries
– Coordinate with the customer
– Request documentation
• It concludes with a written assessment plan
On-Site Assessment
• This phase represents the primary thrust of the IAM in that it
takes the results of the pre-assessment phase, validates
those results and performs additional data gathering
and validation.
• Conduct opening meeting
• Gather and validate system information (via
interview, system demonstration, and document
review)
• Analyze assessment information
• Develop initial recommendations
• The result of this phase is a report of initial
analysis
Post assessment phase
• It concludes the IAM by pulling together all
details from the previous two phases and
combining them into a final analysis and
report.
• Additional review of documentation
• Additional expertise (get help
understanding what you learned)
• Report coordination (and writing)
IEM (INFOSEC Evaluation Methodology)
• The IEM is a follow-on methodology to the
IAM.
• It provides the technical evaluation
processes that were intentionally
missing from the IAM.
• The IEM is a hands-on methodology, meaning
you'll be actively interacting with the
customer's technical environment.
• Whereas the IAM provides us with an
understanding of organizational security as it
relates to policies and procedures, the IEM
offers a comprehensive look into the actual
technical security at the organization.
IEM
• Three phases:
– Pre evaluation
– On-site evaluation
– Post evaluation
Pre evaluation
• Takes the IAM pre-assessment report as input and
then coordinates the rules of engagement for
conducting a technical evaluation of systems.
• Pull information from IAM Pre-Assessment
• Coordination with the customer to determine
acceptable Rules of Engagement (ROE)
• Give the team an understanding of the perceived
system components
• Define customer expectations
• Define customer constraints or concerns
• Legal Requirements
• Develop the Technical Evaluation Plan (TEP)
• Concludes with a technical evaluation plan.
On site evaluation
• Represents the bulk of the hands-on
technical work, performing various
discoveries, scans and evaluations.
• All findings are manually validated to
ensure accuracy.
Post-evaluation
• Concludes the methodology in a
manner similar to the IAM by pulling
together all data generated and putting
them into a final report that details
findings, recommendations and a
security road map.
Security Incident Policy
Enforcement System (SIPES)
• Its purpose is to offer a methodology
for defining and executing a Security
Incident Policy Enforcement System.
• This methodology is planned for
completeness.
• The Security Incident Policy
Enforcement System (SIPES) draft
presents a relatively abstract approach
to addressing the difficulty of incident
response management.

Weitere ähnliche Inhalte

Ähnlich wie standards1.pdf

Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
CELOE MRKI Lecture Notes 02 v0.1_old.pptx
CELOE MRKI Lecture Notes 02 v0.1_old.pptxCELOE MRKI Lecture Notes 02 v0.1_old.pptx
CELOE MRKI Lecture Notes 02 v0.1_old.pptxDandzaPraditya
 
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB
 
01 integrated management system telkom 2016 opening
01 integrated management system   telkom 2016 opening01 integrated management system   telkom 2016 opening
01 integrated management system telkom 2016 openingwisnu wardhana, i nyoman
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Yerlin Sturdivant
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and ismsSeptafiansyah P
 
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practiceJohn Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practiceitSMF UK
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)Sam Mandebvu
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.pptKhalilIdhman
 
Syzygal cobit5-brc
Syzygal cobit5-brcSyzygal cobit5-brc
Syzygal cobit5-brcSyzygal
 
Software quality system - Quality Engineering
Software quality system - Quality EngineeringSoftware quality system - Quality Engineering
Software quality system - Quality EngineeringYash Trivedi
 
New trends in the revised iso 9001:2015
New trends in the revised iso 9001:2015New trends in the revised iso 9001:2015
New trends in the revised iso 9001:2015PMILebanonChapter
 
Key considerations for an appropriate scope for all management systems
Key considerations for an appropriate scope for all management systemsKey considerations for an appropriate scope for all management systems
Key considerations for an appropriate scope for all management systemsPECB
 

Ähnlich wie standards1.pdf (20)

Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit process
 
CELOE MRKI Lecture Notes 02 v0.1_old.pptx
CELOE MRKI Lecture Notes 02 v0.1_old.pptxCELOE MRKI Lecture Notes 02 v0.1_old.pptx
CELOE MRKI Lecture Notes 02 v0.1_old.pptx
 
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
 
01 integrated management system telkom 2016 opening
01 integrated management system   telkom 2016 opening01 integrated management system   telkom 2016 opening
01 integrated management system telkom 2016 opening
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
Chapter 1 Security Framework
Chapter 1   Security FrameworkChapter 1   Security Framework
Chapter 1 Security Framework
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and isms
 
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practiceJohn Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)
 
ERP for IT
ERP for ITERP for IT
ERP for IT
 
Cobit 4.1 indri
Cobit 4.1 indriCobit 4.1 indri
Cobit 4.1 indri
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.ppt
 
Syzygal cobit5-brc
Syzygal cobit5-brcSyzygal cobit5-brc
Syzygal cobit5-brc
 
Software quality system - Quality Engineering
Software quality system - Quality EngineeringSoftware quality system - Quality Engineering
Software quality system - Quality Engineering
 
Intro to ISO
Intro to ISOIntro to ISO
Intro to ISO
 
New trends in the revised iso 9001:2015
New trends in the revised iso 9001:2015New trends in the revised iso 9001:2015
New trends in the revised iso 9001:2015
 
Key considerations for an appropriate scope for all management systems
Key considerations for an appropriate scope for all management systemsKey considerations for an appropriate scope for all management systems
Key considerations for an appropriate scope for all management systems
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
SOFTWARE RELIABILITY AND QUALITY ASSURANCE
SOFTWARE RELIABILITY AND QUALITY ASSURANCESOFTWARE RELIABILITY AND QUALITY ASSURANCE
SOFTWARE RELIABILITY AND QUALITY ASSURANCE
 

Mehr von Karthick Panneerselvam (6)

Cursors.ppt
Cursors.pptCursors.ppt
Cursors.ppt
 
Concurrent Transactions.ppt
Concurrent Transactions.pptConcurrent Transactions.ppt
Concurrent Transactions.ppt
 
Risk Analysis.pptx
Risk Analysis.pptxRisk Analysis.pptx
Risk Analysis.pptx
 
DDL and DML statements.pptx
DDL and DML statements.pptxDDL and DML statements.pptx
DDL and DML statements.pptx
 
Security.pdf
Security.pdfSecurity.pdf
Security.pdf
 
computer Network
computer Networkcomputer Network
computer Network
 

Kürzlich hochgeladen

UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 

Kürzlich hochgeladen (20)

UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 

standards1.pdf

Standard
• A security standard is like any other standard within any other industry.
• A standard is “a published specification that establishes a common language, and contains a technical specification or other precise criteria and is designed to be used consistently, as a rule, a guideline, or a definition”. Further, according to ISO, standards “contribute to making life simpler, and to increasing the reliability and effectiveness of the goods and services we use”.
• In essence a STANDARD is a common set of rules, definitions and agreed “regulations” that all parties can refer to for common reference.

Security Policy
• A SECURITY POLICY is a set of policies issued by an organization to ensure that all information technology users within the domain of the organization or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the network or within the organization's boundaries of authority.
ISO 27001
• ISO 27001 (formerly known as ISO/IEC 17799:2005) is a specification for an information security management system (ISMS).
• An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
• According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001
• It is an ISM standard.
• Its purpose is to help organizations establish and maintain an ISMS.
• It is the set of requirements that must be met if you want your ISMS to be formally certified.
• Being ISO 27001 approved is a certification which shows that the business has defined and implemented effective security processes.

• ISO 27001 uses a top-down, risk-based approach and is technology-neutral.
• The specification defines a six-part planning process:
  – Define a security policy.
  – Define the scope of the ISMS.
  – Conduct a risk assessment.
  – Manage identified risks.
  – Select control objectives and controls to be implemented.
  – Prepare a statement of applicability.
1. PLAN - Establish context
• Define ISMS scope
• Define policy
• Identify risks
• Assess risks
• Select control objectives

2. DO - Implement and operate
• Implement risk treatment plan
• Deploy controls

3. CHECK - Monitor and review
• Monitor processes
• Regular reviews
• Internal audits

4. ACT - Maintain and improve
• Implement improvements
• Corrective actions
• Preventive actions
• Communicate with stakeholders
Implementation context of the PDCA cycle in ISO 27001

• ISO 27001 is designed to help organizations establish and maintain effective information security controls through continual improvement.
• Developed in October 2005 by the International Standards Organization, ISO 27001 implements the principles of the Organization for Economic Cooperation and Development (OECD) on governing the security of information and networks.
• The standard creates a road map for the secure design, implementation, management and maintenance of IT processes in the organization.
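The six planning steps and the Plan phase above, reduced to a small worked example (added here, not from the slides): a constructed risk register is scored, each risk is accepted or mitigated against an assumed threshold, the mitigating controls are selected, and a Statement of Applicability is produced. The control ids, the register and the 1-5 scoring scale are all assumptions, not Annex A numbers.

```python
"""Added example: ISO 27001 planning steps 3 to 6 (assess risks, treat them,
select controls, prepare a Statement of Applicability) on a constructed register.
Control identifiers are placeholders, not real Annex A control numbers."""
from dataclasses import dataclass

# Assumption: risk level = likelihood x impact, each scored 1..5; a risk at or
# above this level must be mitigated, anything below may be accepted.
RISK_ACCEPTANCE_THRESHOLD = 6

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    controls: list[str]  # candidate controls that would mitigate this risk

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

# Constructed control catalogue (placeholder ids).
CONTROL_CATALOGUE = {
    "CTL-ACCESS": "access control policy and least-privilege provisioning",
    "CTL-BACKUP": "tested backups of information and systems",
    "CTL-CRYPTO": "encryption of data at rest on portable devices",
    "CTL-LOGGING": "event logging and monitoring",
    "CTL-PHYSICAL": "physical entry controls to server rooms",
}

def treat(risk: Risk) -> str:
    """Risk treatment decision: accept below the threshold, otherwise mitigate."""
    return "mitigate" if risk.level >= RISK_ACCEPTANCE_THRESHOLD else "accept"

def select_controls(register: list[Risk]) -> dict[str, list[str]]:
    """Map each selected control to the mitigated risks that justify it."""
    selected: dict[str, list[str]] = {}
    for risk in register:
        if treat(risk) == "mitigate":
            for control in risk.controls:
                selected.setdefault(control, []).append(f"{risk.asset}: {risk.threat}")
    return selected

def statement_of_applicability(register: list[Risk]) -> list[dict]:
    """One SoA row per catalogue control: applicable or not, with a justification."""
    selected = select_controls(register)
    rows = []
    for control_id in CONTROL_CATALOGUE:
        applicable = control_id in selected
        justification = ("mitigates " + "; ".join(selected[control_id]) if applicable
                         else "no in-scope risk at or above the acceptance threshold")
        rows.append({"control": control_id, "applicable": applicable,
                     "justification": justification})
    return rows

# Constructed risk register for an in-scope payroll system.
REGISTER = [
    Risk("payroll-db", "credential theft", 3, 5, ["CTL-ACCESS", "CTL-LOGGING"]),
    Risk("payroll-db", "ransomware", 2, 5, ["CTL-BACKUP", "CTL-LOGGING"]),
    Risk("staff laptops", "loss in transit", 4, 3, ["CTL-CRYPTO"]),
    Risk("server room", "unauthorised entry", 1, 4, ["CTL-PHYSICAL"]),
]

if __name__ == "__main__":
    for row in statement_of_applicability(REGISTER):
        print(row["control"], row["applicable"], row["justification"])
```

Every catalogue control gets an SoA row either way; a control left out because no retained risk needs it is recorded as not applicable with the reason, which is what an auditor checks.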
COBIT
• COBIT stands for Control Objectives for Information and related Technology.
• COBIT is a framework for developing, implementing, monitoring and improving information technology (IT) governance and management practices.
• The COBIT framework is published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA).
• The goal of the framework is to provide a common language for business executives to communicate with each other about goals, objectives and results.

• The original version, published in 1996, focused largely on auditing. The latest version, published in 2013, emphasizes the value that information governance can provide to a business's success.
• It also provides quite a bit of advice about enterprise risk management.
• It supports managers and allows them to balance technical issues, business risks and control requirements.
• It ensures quality, control and reliability of information systems in the organization.
Components of COBIT 5
• Framework: The main framework of COBIT guides organizations through best practices and standardization surrounding IT processes and infrastructure. The goal is to align IT with the overall business goals by getting IT on the same page as the rest of the company and to help other executives and senior managers better understand IT objectives.
• Process descriptions: COBIT includes language that anyone in the organization will understand, so that CEOs, CFOs, CIOs and other key players will easily understand terminology, processes and descriptions. It can help establish a solid ground for communication between IT and outside departments.
• Control objectives: This section offers an overview of high-level requirements that can help develop and improve every IT process, allowing businesses to adapt these to their own needs and goals.

• Management guidelines: The COBIT guide offers best practices for establishing objectives and processes and for assigning task items or responsibilities across the organization. It also gives guidance on measuring performance and on how the framework can integrate with other IT management frameworks.
• Maturity models: COBIT maturity models help businesses assess the maturity of their organization, understand how the process will grow with the organization and identify any potential problems that might arise down the line.

• The name COBIT originally stood for "Control Objectives for Information and Related Technology," but the spelled-out version of the name was dropped in favor of the acronym in the fifth iteration of the framework.
• COBIT 5 is based on five key principles for governance and management of enterprise IT:
  – Principle 1: Meeting Stakeholder Needs
  – Principle 2: Covering the Enterprise End-to-End
  – Principle 3: Applying a Single, Integrated Framework
  – Principle 4: Enabling a Holistic Approach
  – Principle 5: Separating Governance From Management
COBIT 5 Principles
(Figure: the five COBIT 5 principles. Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.)
SSE-CMM Overview
• The SSE-CMM describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering.
• It is developed on the premise that if you can guarantee the quality of the processes used by the organization, then you can guarantee the quality of the products and services generated by those processes.
• SSE-CMM focuses on process definition and improvement as a core value.
• SSE-CMM looks at the occurrence of security defects or incidents and seeks to identify the flaw in the related process so as to remediate the flaw, thus removing the overall defect.

Basic Concepts
• Process: A process is a sequence of steps performed for a given purpose. It is the system of tasks, supporting tools, and people involved in the production and evolution of some end result (e.g., product, system, or service).
• Base Practices (BP) & Generic Practices (GP): Base practices are practices that collectively define security engineering. Examples of BPs are Identify Natural Threats, Assess Threat Likelihood, Capture Security View of System Operation, etc. Generic practices are basically process management practices. Examples of GPs are Planning Performance, Tracking Performance, Ensure Training, etc.
• Process Area: Process areas are groups of practices which, when taken together, achieve a common purpose.

• Process Capability: Process capability refers to an organization's potential. It is a range within which an organization is expected to perform. For example, in a software development project, one statistical metric to measure the process capability is to collect the number of software defects and plot the percentage of defects per thousand lines of source code. If you use the same team of developers and repeat roughly the same set of processes in your software development, your next project will have a comparable process capability, i.e., in this case, the percentage of defects per thousand lines of source code will fall within a similar range of variation.
• Process Maturity: Process maturity indicates the extent to which a specific process is explicitly defined, managed, measured, controlled, and effective. Process maturity indicates the potential for growth in process capability.
Capability Maturity Model
• A CMM is a framework for evolving an engineering organization from an ad hoc, less organized, less effective state to a highly structured and highly effective state.
• Use of such a model is a means for organizations to bring their practices under statistical process control in order to increase their process capability with regard to cost, productivity, schedule, and quality.
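The defects-per-KLOC illustration of process capability above, and the CMM aim of bringing practices under statistical process control, as an added Python example (not from the slides): a constructed project history gives the capability band, and a new project is classified against it. The 3-sigma limits and all figures are assumptions.

```python
"""Added example: process capability as a range of variation, in the SSE-CMM
sense, using the slides' own metric of defects per thousand lines of code.
The project history below is constructed; the 3-sigma band is an assumption."""
from statistics import mean, pstdev

# Constructed history: (defects found, source lines) for five completed
# projects delivered by the same team with roughly the same process.
HISTORY = [(42, 18_000), (55, 25_000), (31, 12_500), (68, 30_000), (27, 11_000)]

def defects_per_kloc(defects: int, sloc: int) -> float:
    """Defect density per thousand lines of source code."""
    return defects / (sloc / 1000)

def capability_range(history, sigmas: float = 3.0) -> tuple[float, float]:
    """The band (mean +/- sigmas * std dev) in which the next project is expected
    to land if the process is unchanged; the lower limit is floored at zero."""
    rates = [defects_per_kloc(d, s) for d, s in history]
    mu, sd = mean(rates), pstdev(rates)
    return max(0.0, mu - sigmas * sd), mu + sigmas * sd

def classify(defects: int, sloc: int, history=HISTORY) -> str:
    """Compare a new project with the process capability band.
    'within' means the process performed as expected. A value above the band
    signals a process breakdown; a value below it is also a signal, since an
    unexpectedly low density can mean the defects were simply not found."""
    lo, hi = capability_range(history)
    rate = defects_per_kloc(defects, sloc)
    if rate > hi:
        return "above"
    if rate < lo:
        return "below"
    return "within"

if __name__ == "__main__":
    lo, hi = capability_range(HISTORY)
    print(f"capability band: {lo:.2f} .. {hi:.2f} defects/KLOC")
    for d, s in [(50, 20_000), (90, 20_000), (30, 20_000)]:
        print(d, s, f"{defects_per_kloc(d, s):.2f}", classify(d, s))
```

The same band is what the later "predictability" benefit refers to: a narrower band from a more mature process means a tighter forecast for the next project.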
Benefits of adopting the CMM framework
1. Improving Predictability
The first improvement expected as an organization matures is predictability. For instance, Level 1 organizations often miss their originally scheduled delivery dates by a wide margin, whereas organizations at a higher CMM level should be able to predict the cost and schedule outcome of a project with higher accuracy.
2. Improving Control
The second improvement expected as an organization matures is control. As an organization’s CMM level increases, the organization will be able to establish revised targets more accurately. For example, if the business has asked for some new features and functions for a software application, the software development team will be able to determine more accurately how many more days of work will be needed.
3. Improving Process Effectiveness
The third improvement expected as an organization matures is process effectiveness. As an organization matures, costs decrease, development time becomes shorter, and productivity and quality increase. In a Level 1 organization, development time can be quite long because of the amount of rework that must be performed to correct mistakes. In contrast, organizations at a higher maturity level can obtain shortened overall development times via increased process effectiveness and reduction of costly rework.
SSE-CMM Levels
Capability Level 1 - Initial (Performed Informally)
• Base practices of the process area are generally performed.
• The performance of these base practices may not be rigorously planned and tracked.
• Performance depends on individual knowledge and effort.
• Work products of the process area testify to their performance.
• Individuals within the organization recognize that an action should be performed, and there is general agreement that this action is performed as and when required.
• There are identifiable work products for the process.

Capability Level 2 - Repeatable (Planned and Tracked)
• Performance of the base practices in the process area is planned and tracked.
• Performance according to specified procedures is verified.
• Work products conform to specified standards and requirements.
• Measurement is used to track process area performance, thus enabling the organization to manage its activities based on actual performance.
• The primary distinction from Level 1, Performed Informally, is that the performance of the process is planned and managed.

Capability Level 3 - Well Defined
• Base practices are performed according to a well-defined process using approved, tailored versions of standard, documented processes.
• The primary distinction from Level 2, Planned and Tracked, is that the process is planned and managed using an organization-wide standard process.

Capability Level 4 - Managed (Quantitatively Controlled)
• Detailed measures of performance are collected and analyzed.
• This leads to a quantitative understanding of process capability and an improved ability to predict performance.
• Performance is objectively managed, and the quality of work products is quantitatively known.
• The primary distinction from the Well Defined level is that the defined process is quantitatively understood and controlled.

Capability Level 5 - Optimizing (Continuously Improving)
• Quantitative performance goals (targets) for process effectiveness and efficiency are established, based on the business goals of the organization.
• Continuous process improvement against these goals is enabled by quantitative feedback from performing the defined processes and from piloting innovative ideas and technologies.
• The primary distinction from the Quantitatively Controlled level is that the defined process and the standard process undergo continuous refinement and improvement, based on a quantitative understanding of the impact of changes to these processes.
IAM
• The Information Security (INFOSEC) Assessment Methodology (IAM) is a detailed and systematic method for examining security vulnerabilities from an organizational perspective as opposed to only a technical perspective.
• Often overlooked are the processes, procedures, documentation, and informal activities that directly impact an organization’s overall security posture but that might not necessarily be technical in nature.

• The main motive of the IAM is to give organizations that provide INFOSEC assessments a repeatable framework for conducting organizational types of assessments, as well as to provide assessment consumers with appropriate information on what to look for in an assessment provider.
• The IAM is also intended to raise awareness of the need for organizational types of assessment versus the purely technical type of assessment.
• Three phases:
  – Pre-assessment
  – On-site activities
  – Post-assessment

Pre-Assessment
– Determine and manage the customer’s expectations
– Gain an understanding of the organization’s information criticality
– Determine the customer’s goals and objectives
– Determine the system boundaries
– Coordinate with the customer
– Request documentation
• It concludes with a written assessment plan.

On-Site Assessment
• This phase represents the primary thrust of the IAM in that it takes the results of the pre-assessment phase, validates those results and performs additional data gathering and validation.
• Conduct the opening meeting
• Gather and validate system information (via interviews, system demonstrations, and document review)
• Analyze assessment information
• Develop initial recommendations
• The result of this phase is a report of initial analysis.

Post-Assessment Phase
• It concludes the IAM by pulling together all details from the previous two phases, combining them into a final analysis and report.
• Additional review of documentation
• Additional expertise (get help understanding what you learned)
• Report coordination (and writing)
IEM (INFOSEC Evaluation Methodology)
• The IEM is a follow-on methodology to the IAM.
• It provides the technical evaluation processes that were intentionally left out of the IAM.
• The IEM is a hands-on methodology, meaning you'll be actively interacting with the customer's technical environment.
• Whereas the IAM provides us with an understanding of organizational security as it relates to policies and procedures, the IEM offers a comprehensive look into the actual technical security at the organization.

IEM
• Three phases:
  – Pre-evaluation
  – On-site evaluation
  – Post-evaluation

Pre-evaluation
• Takes the IAM pre-assessment report as input and then coordinates the rules of engagement for conducting a technical evaluation of the systems
• Pull information from the IAM Pre-Assessment
• Coordinate with the customer to determine acceptable Rules of Engagement (ROE)
• Give the team an understanding of the perceived system components
• Define customer expectations
• Define customer constraints or concerns
• Legal requirements
• Develop the Technical Evaluation Plan (TEP)
• Concludes with a technical evaluation plan.

On-site evaluation
• Represents the bulk of the hands-on technical work, performing various discoveries, scans and evaluations.
• All findings are manually validated to ensure accuracy.

Post-evaluation
• Concludes the methodology in a manner similar to the IAM by pulling together all data generated and putting them into a final report that details findings, recommendations and a security road map.

Security Incident Policy Enforcement System (SIPES)
• Its purpose is to offer a methodology for defining and executing a Security Incident Policy Enforcement System.
• This methodology is planned for completeness.
• The Security Incident Policy Enforcement System (SIPES) draft presents a relatively abstract method of addressing the difficulty of incident response management.