Standards, standards, standards, Are they any good?

In this video we take an overall view on the information security management process, linking Goals, Situational Awareness, Resources, Priotities and Plans, etc...

Conventional wisdom seems to assume that being intelligent is about having all the answers;  but I beg to disagree. An intelligent manager is he who makes the right questions, as these will make evident what he knows and what we has to learn about the complex landscape of his company. The right questions will place a manager in the right track for a well thought security strategy.

My favourite set of questions, seasoned with my own answers, follows.

  1. How do you know were you are? Perform assessments that compare your model of company with theoretical models, which can be standards or compliance requirements.
  2. Where are you? This is answered by the assessments results, ranging from the result of a PenTest to finding you current O-ISM3 maturity.
  3. How safe is the organisation? This depends on what are the security targets, how mature is the organisation's security management, and the context of the organisation. A risk assessment can give rough idea of where the organisation stands.
  4. How capable is the organisation to remain safe? The higher O-ISM3 capability level achieved, the more capable it is.
  5. Where would you like to be? An objective answer is to state explicitly your goals, among them: business goals, legal and standard compliance goals, and technical goals.
  6. How close to your goal can you afford to be? Unless you organisation has unlimited resources, you can express this using security targets.
  7. How much should be spent in security? The minimum to achieve security targets. There is normally no need to achieve invulnerability.
  8. How can you get there? Get management commitment, procure resources, project the implementation of the security processes you can afford starting with knowledge management.
  9. How do you stay there when you manage it? Take decisions to get closer to your security targets and use metrics to monitor your results.
  10. How do you stay there when you get someone to manage it for you? Agree on metrics based SLAs with your providers and use them to monitor their results.
  11. How do you improve you ISMS effectiveness and efficiency? Enhance the capability of your security processes using metrics, and control charts.
  12. How good are you at staying there? Make an assessment of the capability of your security processes.
  13. How do you prove to others were you are? Get your ISMS certified.

Pages