I wondered what he would have thought of the definition of information security…
Manage what you can control
Use of services and physical and logical access to repositories and systems is restricted to authorized users.
Who are the users of the system? Do they need to be specifically authorized? From whom do we want to protect the system's information? Will any part of the system be located in publicly accessible locations?
Availability of repositories, services and channels exceeds Customer needs; reliability and performance of services and channels exceeds Customer needs; volatility of services and channels is within Customer needs.
When should the system be performing normally (e.g. 8x5)? How many interruptions are acceptable? What would be the longest acceptable interruption? What is the maximum number of transactions that can be lost because of an interruption? These questions help understand the data and system backup, high availability and business continuity needs.
For how long will the system's data be archived? If the data needs to be deleted, when should this happen? These questions help understand the long-term archival and safe deletion needs.
What is the maximum acceptable percentage of records with wrong information? What is the maximum percentage of records that can be missing? These questions help understand the data quality control needs.
Users are accountable for the repositories and messages they create or modify; Users are accountable for their acceptance of contracts and agreements. Users are accountable for their use of services.
Secrets (industrial, trade) are accessible to authorized users only;
Respect the Privacy of… Personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required.
Will the system handle personal information of clients, potential clients, stockholders or employees? What are the different locations, subject to diverse regulations in terms of handling of personal information and data breach disclosure, where parts of the system will be located?
Personal information completeness must be proportional to its use. Personal information can't be kept for longer than needed. Tax records must be kept for a minimum number of years. Personal information must be protected using certain security measures depending on the type of personal information. The owner of personal information must agree for it to be collected and has the right to check it, fix it and approve how it will be used or ceded. Repositories with personal information have to be registered with a Data Protection agency. Third party services and repositories need to be appropriately licensed. Encryption must be used within legal limitations. Secrets must be kept according to the terms of agreed Non Disclosure Agreements. The owner of personal information will be given notice when their data is being collected, including who is collecting the data. Personal information must be used for the purpose agreed with the information owner. Personal information must not be disclosed without the agreement of the information owner. Personal information owners will have means to hold data collectors accountable for their use of their personal information.
Intellectual property (licensed, copyrighted, patented and trademarks) is accessible to authorized users only; Third party services and repositories are appropriately licensed and accessible only to authorized users; Will the system use licensed information from third parties? What are the different locations subject to diverse regulations in terms of licensed information where parts of the system will be located? Will the system handle intellectual property? What are the different locations subject to diverse regulations in terms of intellectual property where parts of the system will be located? These questions help understand the inventory, DRM, watermarking, obfuscation and compliance needs.
Repositories are retained at least as long as Customer requirements; expired or end-of-life-cycle repositories are permanently destroyed. Expired information is one problem; metadata is another.
Manage what you can control
Audit: Whether the process inputs, activities and results match their documentation. Audit - Are we doing what we say we do?
Certify: Whether the process inputs, process documentation, activities and results comply with a pre-defined standard, law or regulation. Certification - Are we doing what the standard says?
Manage what you can control
Manage what you control (different measurement, different action) Concentrate on making changes that improve the contribution to Business Goals and Obligations, or reduce the use of resources. Detect significant anomalies in processes and inform decisions to fix or improve processes. Use Risk Assessment and Audits as long as they help Continuous Improvement. Improvements in the metric meaningfully enhance the contribution of the process towards the goals of the management system.
Planning: Organizing and forecasting the amount, assignment and milestones of tasks, resources, budget, deliverables and performance of a process. Planning - What are we going to do, and what resources do we need?
Testing: Assessment of whether process outputs are as expected when test data is put in. Testing - Does it work?
Monitoring: Checking whether the outputs of the process and the resources used are within normal range. Monitoring - Is it working? Is it improving or getting worse? Is it acceptable or not? Is it better or worse than others?
Assessment: How well the process matches the organization's needs and compliance goals. Rationalization - How do we explain why we do this? Assessment - Are we doing what the organization needs?
The Solution: Concentrate on making changes that improve the contribution to Business Goals and Obligations, or reduce the use of resources. This is Continuous Improvement (Test, Monitor, Benefits Realization, Planning, Improvements). Use Risk Assessment and Audits as long as they help Continuous Improvement. Detect significant anomalies in processes and inform decisions to fix or improve processes. Improvements in the metric meaningfully enhance the contribution of the process towards the goals of the management system.
Benefits realization: Show how achieving security objectives contributes to achieving business objectives. How to communicate their value to management: metrics need to be interpreted and communicated in order to be useful (Kip).
How many viruses were cleaned, quarantined, detected? How many antivirus clients have been updated (signatures, engines)? How often are antivirus clients updated? How often are viruses found? How long does it take for a virus to be detected?
Percentage of all client computers protected with antivirus
Number of interruptions in the normal operation. Frequency of interruptions in normal operation.
Percentage of executable items that are tested for malware presence.
Dollars or person-hours per executable item tested. Dollars or person-hours per virus found. Percentage of computing resources in client computers consumed.
Percentage of packets processed in comparison to the maximum capacity.
Percentage of false positives. Percentage of false negatives.
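The metrics listed above only become usable once they are computed from raw telemetry with explicit rules for the awkward cases (hosts with no client, malware that was never flagged, alerts that turned out to be benign). The script below is an added example and is not part of the presentation or of O-ISM3; it assumes a hypothetical host inventory and a list of scanner verdicts that have been reconciled against ground truth (for instance by sandbox or analyst confirmation), and all data in it is constructed.

```python
"""Compute antivirus process metrics from raw telemetry.

Added illustration, not material from the O-ISM3 presentation. The Host
and Verdict records are assumed shapes; every value below is constructed
sample data, not real logs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Host:
    name: str
    av_installed: bool
    signatures_updated: Optional[datetime]  # None when no client is present


@dataclass
class Verdict:
    """One scanned item, reconciled afterwards against ground truth."""
    submitted: datetime         # when the item reached the scanner
    flagged: Optional[datetime]  # when an alert was raised, None if never
    malicious: bool             # ground truth established later


NOW = datetime(2024, 1, 15, 12, 0)

# Constructed inventory: three protected hosts, one with no client at all.
HOSTS = [
    Host("ws-01", True, NOW - timedelta(hours=2)),
    Host("ws-02", True, NOW - timedelta(days=3)),
    Host("ws-03", False, None),
    Host("ws-04", True, NOW - timedelta(hours=20)),
]

# Constructed verdicts: two true positives, one false positive,
# one false negative (malware never flagged), one true negative.
VERDICTS = [
    Verdict(NOW - timedelta(hours=10), NOW - timedelta(hours=9), True),
    Verdict(NOW - timedelta(hours=8), NOW - timedelta(hours=5), True),
    Verdict(NOW - timedelta(hours=6), NOW - timedelta(hours=6), False),
    Verdict(NOW - timedelta(hours=4), None, True),
    Verdict(NOW - timedelta(hours=3), None, False),
]


def coverage_pct(hosts: List[Host]) -> float:
    """Percentage of client computers protected with antivirus."""
    if not hosts:
        return 0.0
    return 100.0 * sum(h.av_installed for h in hosts) / len(hosts)


def fresh_signature_pct(hosts: List[Host], now: datetime, max_age: timedelta) -> float:
    """Percentage of protected hosts whose signatures are no older than max_age.

    Unprotected hosts are excluded on purpose: they are a coverage failure,
    not a freshness failure, and mixing the two hides which control is broken.
    """
    protected = [h for h in hosts if h.av_installed and h.signatures_updated]
    if not protected:
        return 0.0
    fresh = [h for h in protected if now - h.signatures_updated <= max_age]
    return 100.0 * len(fresh) / len(protected)


def mean_time_to_detect_hours(verdicts: List[Verdict]) -> Optional[float]:
    """Mean hours between submission and a correct alert.

    Missed malware has no detection time; it is reported as a false negative
    by error_rates() instead of silently dragging this average down.
    """
    delays = [(v.flagged - v.submitted).total_seconds() / 3600
              for v in verdicts if v.malicious and v.flagged is not None]
    return sum(delays) / len(delays) if delays else None


def error_rates(verdicts: List[Verdict]) -> Tuple[float, float]:
    """(false positive %, false negative %).

    FP rate = benign items that were flagged / all benign items.
    FN rate = malicious items never flagged / all malicious items.
    """
    benign = [v for v in verdicts if not v.malicious]
    malicious = [v for v in verdicts if v.malicious]
    fp = sum(v.flagged is not None for v in benign)
    fn = sum(v.flagged is None for v in malicious)
    fp_rate = 100.0 * fp / len(benign) if benign else 0.0
    fn_rate = 100.0 * fn / len(malicious) if malicious else 0.0
    return fp_rate, fn_rate


def cost_per_item(total_cost: float, verdicts: List[Verdict]) -> Tuple[float, float]:
    """(cost per executable item tested, cost per virus actually found)."""
    tested = len(verdicts)
    found = sum(v.malicious and v.flagged is not None for v in verdicts)
    per_tested = total_cost / tested if tested else 0.0
    per_found = total_cost / found if found else 0.0
    return per_tested, per_found


if __name__ == "__main__":
    print(f"coverage: {coverage_pct(HOSTS):.1f}%")
    print(f"signatures < 24h old: {fresh_signature_pct(HOSTS, NOW, timedelta(hours=24)):.1f}%")
    print(f"mean time to detect: {mean_time_to_detect_hours(VERDICTS)} h")
    print("false positive / false negative %%: %.1f / %.1f" % error_rates(VERDICTS))
    print("cost per item / per virus found: %.1f / %.1f" % cost_per_item(500.0, VERDICTS))
```

The separation of coverage from signature freshness, and of missed malware from detection delay, is the point: a single blended number would let one control's failure mask another's, which is exactly the kind of metric that cannot inform a decision to fix the right process.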
A Revolution in Information Security: ISM Evolution with O-ISM3
Security Investment, Maturity Level & Risk
Information Security that makes Business Sense
Video Blog youtube.com/user/vaceituno