O-ISM3 brings continuous improvement to information security management, and it provides a framework for security decision-making that is top down in nature, where security controls, security objectives, and spending decisions are driven by (and aligned with) business objectives. We have for some time now heard from information security managers that they would like a resource aimed at showing how the O-ISM3 standard could be used in managing information security alongside ISO27001/27002.
This new guide provides specific guidance on this topic. We view this as an important resource, for the following reasons:
O-ISM3 complements ISO27001/2 by adding the "how" dimension to information security management.
O-ISM3 uses a process-oriented approach, defining inputs and outputs, and allowing for evaluation by process-specific metrics.
O-ISM3 provides a framework for continuous improvement of information security processes Some of the specific guidance to be found in the guide include these items:
Maps O-ISM3 and ISO27001 security objectives.
Maps ISO27001/27002 controls and documents to O-ISM3 security processes, documents, and outputs.
Provides a critical linkage between the controls-based approach found in ISO27001, to the process-based approach found in O-ISM3.
When a few know something and want to keep others from learning, that’s a secret. Everyone has secrets, some small, like eating a bar of chocolate when you are on a diet, some are personally important, like a embarrassing personal or professional mistake in the past. There are as many types of secrets as people and organisations that keep them, among them:
• Personal secrets and family secrets, normally related to the moral and taboos of the culture where they live.
• Business secrets, like financial information, strategy and trade secrets.
• Law enforcement secrets, like forensic or methods, investigation information and details about ongoing investigations.
• Crime secrets, like insider trading, organised crime and gangs.
• Political secrets, (Most nations have some form of Official Secrets Act and classify material according to the level of protection needed) like:
o Weapon designs and technology (nuclear, cryptographic, stealth).
o Military plans.
o Diplomatic negotiation positions.
o Intelligence information, sources and methods.
o International relations, secret treaties like:
• Social secrets, like certain religions or secret societies as the masonry.
• Professional secrets, like health workers, social workers and journalists.
• Other, like video tape rental and sale records in the USA.
While we all have an intuitive way to distinguish small secrets from high secrets, there hasn’t been so far a way to measure it.
By using the following formula:
Secret = Log C*(Sum Tdk / Sum Tk) = Log C + Log ( Sum Tdk / Sum Tk )
Where C is the quantity of information, Tk is the time someone has known the secret, Tdk the time has had interest in knowing the secret.
If C=1, we can see some examples:
¿Who did “Famous for Nothing” went with for a dirty weekend last summer? If two people know since the 1st of August, 48 more since the 1st of September and 100.000 coach potatoes would like to know and they find out after five months, just before revelation the secrecy is:
S = Log ((100.000 * 5) / (2 * 5 + 48 * 4)) = 3,39
if only 8 people had found out in September, the secret would be S = 4,04
¿Who killed Kennedy? Let's suppose two people know since 1963, and 300 million Americans would like to know. After 42 years:
S = Log( 300 million * 42 / 2 * 42 ) = 8,1
¿Who was Deep Throat? Just before it was found, 4 people knew, and 300 millions were interested. After 33 years:
S = Log( 300 million * 33 / 4 * 33 ) = 7,8
What if 2 more people had found out after 30 years?
S = Log( 300 million * 33 / (4 * 33 + 2 * 30) ) = 6,7
At a business, perhaps a secret is important for a few years, and all your competitors would be eager to know. If 10 people in the company know for a year, and 150 people from other companies would like to know:
S = Log( 150 * 1 / (10 * 1) ) = 1,17
If after two years the market is more competitive and more people (1500) is interested:
Secret = Log (1500 * 1 / (10 * 1) ) = 2,17
For the sake of example, I will use the following groups for measuring secrets:
• Family 10
• Social environment 100
• High school 300
• Competition 300
• Gang 50
• Police 100000
• Army 1000000
• Population 30000000
• Foreign Armies 15000000
Applying the formula, the following approximate values can server as examples of measured secrets:
• A social secret, like the confidence of a friend or an alibi of where you slept, 0,70
• Secret signs and telling signs from a gang, 0,95
• Hiding a mistake, like breaking something, 1,00
• Keeping the privacy of others like a confession, or the social situation of someone, 1,00
• Keeping the privacy of an average person like a list of video rentals of records of library use, 1,04
• Cheating on your wife/husband, 1,44
• Secrets from a Masonry, Scientology or Mirrahism, 1,48
• A regular trade secret, 2,18
• A mistake or wrongdoing of a politician 2,40
• Mafia, Yazuka or insider trading, 3,30
• Keeping the privacy of a politician like a list of video rentals of records of library use, 3,48
• Identity of a witnesses in a criminal case, 5,70
• A journalistic source, 5,78
• The Coca cola formula, 6
• Corruption, misuse of public funds 7,57
• Nuclear weapons, cryptography, 8,00
• Osama Bin Laden location 8,50
Mysteries, secrets known by no one, like those discovered by Champollion when deciphering Egyptian hieroglyphics have S=infinite.
Ignorance on the existence of the secret makes it less secret, as the interest on learning it is less, and the effort on keeping it secret is lower as well. Unfortunately it is very difficult to estimate the number of people interested in a secret, so the accuracy measuring secrecy won’t normally be very high. This way of measuring secrets can lead to some interesting exercises, like adding a factor to the formula for how intense is the interest for learning the secret or analyzing the diffusion of a secret in a group depending on the likelihood of every member of the group of revealing it.
Measuring secrecy can help to gain an understanding on how secret is the information we handle and the kind of efforts to make to keep it secret. To have a clear understanding on the reasons for keeping the secrecy and the influence of time, interest and group of people who know the secret, can give insights on how to manage secrets properly. Two conclusions can be easily drawn from the formula. Firstly, preventing others to know the existence of the secret makes it easier to keep it; Secondly keeping the group of people who know the secret as small as possible prevents leakages more effectively than any technical measure.
A clear understanding on the type of secrets in a organisation, how secret they seem to be, the impact of their revelation and a measure of their secrecy is the first step to a cost effective and efficient classification and protection of secrets.