Policy, Standards, Regulations & Compliance

Thread: Process Improvement for Security
  RE: Process Improvement for Security  Feb 09 2006 06:44AM  Mark Curphey
  Re: Process Improvement for Security  Feb 09 2006 01:31PM  Fred Cohen
  RE: Process Improvement for Security  Feb 09 2006 03:08PM  Mark Curphey

On Feb 9, 2006, at 7:08 AM, Mark Curphey wrote:
> Good stuff but a few questions.
>
> 1. I don't see (and I may be missing this due to IE7 rendering and
> mature eyes) key processes like ensuring organizations review log
> files, ensuring background checks are done on new staff starters etc.
> Are your processes at a higher level than that?
This is the high-level picture. The details are provided in the CISO
toolKit that this abstracts. Background checks are called out as part
of HR requirements under personnel for example. To get the drill-down
at a few levels more depth, go to the linked page and read the
detailed table of contents of the book in the toolkit. They are far
closer to the detailed specifications you are asking about.
> 2. I don't think there are any COTS systems to do the workflow yet (?)
> so I imagine this is indeed a significant cost involved in codifying
> ISO17799. Have you heard about any sort of cost / time / benefit
> analysis?
Several COTS systems are starting down this line; Elemental Security
and Skybox are two of the growing candidates.
> 3. If you can't measure the direct and indirect cost today (which is
> what you imply or at least the way I am reading it) how can you make a
> call on the fact you will get greater costs? Maybe the whole BPM market
> is really a BS market but there are some impressive ROI models being
> brandished around on BPM for other sectors and I struggle to think they
> don't apply to security. We like to think we are *different* but we
> really aren't IMHO.
The security metrics book provides many thousands of things you can
measure that are meaningful in terms of process, and comparisons to
others, but this is only of limited value because measurement costs
too. Security architecture is intended to address these issues by
codifying things that we know work and that dramatically reduce the
attack graphs.
The ROI models just don't work, and ROI is the wrong approach to
security analysis. I can show an ROI every day like:
No security: you are out of business now and forever.
Add gobs of security: you are not out of business now and forever.
ROI is huge - you pay back the entire value of the enterprise every
day. But this is not the issue. The issue is more along the lines of
rational behavior.
FC
> -----Original Message-----
> From: Fred Cohen [mailto:fred.cohen (at) all (dot) net [email concealed]]
> Sent: Thursday, February 09, 2006 5:31 AM
> To: Mark Curphey
> Cc: 'Brad Bemis'; thomas.jones (at) hushmail (dot) com [email concealed]; psrc (at) securityfocus (dot) com [email concealed];
> security-management (at) securityfocus (dot) com [email concealed]
> Subject: Re: Process Improvement for Security
>
> Process controls are increasingly being put in place through workflow
> systems and these systems are starting to move toward codifying things
> like ISO17799 but the level of customization required for an
> enterprise is very substantial. It takes years of effort to get to
> this point. Certainly some enterprises have achieved this. The core
> processes are reasonably described in the "Enterprise Security
> Architecture" picture with drill-down on the all.net Web site. But as
> you drive this into the detailed level, you find that there are
> thousands of things to measure (and do) that go largely unmeasured
> (and not done) today. The problem with getting security really tied
> down like this is that the cost is prohibitive and that, while you
> will get great security in terms of reduction in harmful incidents,
> you will also get great costs. The goal of an enterprise is presumably
> to minimize (cost + loss) associated with security issues.
> Thus rather than get to a gold-plated security program, acceptance of
> small risks is far less expensive than a process that leaves no holes.
> That's where risk management has to come into play, and risk
> management seems to say that doing security with a six-sigma approach
> leads to higher cost without all that much lower loss.
>
> FC
>
> On Feb 8, 2006, at 10:44 PM, Mark Curphey wrote:
>
>> Brad
>>
>> Interesting links, thanks. In my experience very few corporate
>> security functions have even defined what their processes are in a
>> way that then can be measured with any scheme like Six Sigma or
>> otherwise so while an interesting idea proposed it seems the first
>> step is to document / diagram the various processes. I would be
>> interested if anyone has a good list of the core processes they think
>> are needed in a commercial sec dept such as vuln management,
>> continuity planning, risk assessment, security monitoring etc? Maybe
>> ISO17799 is sufficient (I don't think so but) ......
>>
>> -----Original Message-----
>> From: Brad Bemis [mailto:bradleyb (at) bradleyb (dot) net [email concealed]]
>> Sent: Monday, February 06, 2006 9:07 PM
>> To: thomas.jones (at) hushmail (dot) com [email concealed]; psrc (at) securityfocus (dot) com [email concealed];
>> security-management (at) securityfocus (dot) com [email concealed]
>> Subject: RE: Process Improvement for Security
>>
>> I just went through a week long Greenbelt training class on Lean
>> Six-Sigma.
>>
>> I can see some real potential in the process improvements steps, and
>> since my organization is adopting Lean Six-Sigma as its primary
>> process improvement/quality management model, it can also function as
>> a common language between IT and the Business. It isn't really
>> anything new beyond general TQM, good business practices, and the
>> like, but it does do a good job of encapsulating everything. The
>> measurements, metrics, and ability to represent data in charts,
>> graphs, and more are really quite impressive.
>>
>> In terms of usefulness, I am still somewhat unconvinced that it is a
>> 'silver bullet' solution - everything comes down to having good data
>> - meaningful data that can be used to serve a purpose. The metrics
>> and measurements for information security have certainly come a long
>> way over the last few years, but a lot of the people and
>> process-oriented aspects of a security program (often the ones that
>> have the most significant impact) can be somewhat difficult to
>> measure in a meaningful way.
>>
>> A local company has been doing presentations on 'Security Kaizen'
>> that have also been pretty interesting - a quick google search should
>> get you pointed in the right direction. It provides some interesting
>> ideas on metrics, measurements, process improvement, and security
>> program development. Used in conjunction with the NIST Pub on
>> security metrics for technology systems, and a few other odds and
>> ends (like COBIT, ITIL, CMMI, ISO 17799, and the FFIEC IT Examiners
>> Handbook to name a few) you can probably put together a very nice
>> data collection method. I've also come across a few pretty good
>> articles during my own google searching.
>>
>>> -----Original Message-----
>>> From: thomas.jones (at) hushmail (dot) com [email concealed] [mailto:thomas.jones (at) hushmail (dot) com [email concealed]]
>>> Sent: Monday, January 30, 2006 10:58 AM
>>> To: psrc (at) securityfocus (dot) com [email concealed]
>>> Subject: Process Improvement for Security
>>>
>>> In line with my last post can anyone point me to a resource or does
>>> anyone have any opinions on applying Six Sigma, balanced scorecards
>>> or other business process techniques to information security?
>>>
>
-- This communication is confidential to the parties it is intended to serve --
Security Posture           securityposture.com    tel/fax 925-454-0171
University of New Haven    unhca.com
Fred Cohen & Associates    all.net                572 Leona Drive
ASP Press                  asp-presss.com         Livermore, CA 94550