Standards, standards, standards, Are they any good?
by Vicente Aceituno Canal
In this video we take an overall view of the information security management process, linking Goals, Situational Awareness, Resources, Priorities, Plans and so on.
Conventional wisdom seems to assume that being intelligent is about having all the answers; but I beg to disagree. An intelligent manager is one who asks the right questions, as these make evident what he knows and what he still has to learn about the complex landscape of his company. The right questions put a manager on the right track towards a well-thought-out security strategy.
My favourite set of questions, seasoned with my own answers, follows.
- How do you know where you are? Perform assessments that compare your model of the company with theoretical models, which can be standards or compliance requirements.
- Where are you? This is answered by the assessment results, ranging from the result of a PenTest to finding your current O-ISM3 maturity.
- How safe is the organisation? This depends on what the security targets are, how mature the organisation's security management is, and the context of the organisation. A risk assessment can give a rough idea of where the organisation stands.
- How capable is the organisation of remaining safe? The higher the O-ISM3 capability level achieved, the more capable it is.
- Where would you like to be? An objective answer is to state your goals explicitly, among them: business goals, legal and standards compliance goals, and technical goals.
- How close to your goal can you afford to be? Unless your organisation has unlimited resources, you express this using security targets.
- How much should be spent on security? The minimum needed to achieve the security targets. There is normally no need to achieve invulnerability.
- How can you get there? Get management commitment, procure resources, and plan the implementation of the security processes you can afford, starting with knowledge management.
- How do you stay there when you manage it yourself? Take decisions that bring you closer to your security targets and use metrics to monitor your results.
- How do you stay there when you get someone else to manage it for you? Agree metrics-based SLAs with your providers and use them to monitor their results.
- How do you improve your ISMS effectiveness and efficiency? Enhance the capability of your security processes using metrics and control charts.
- How good are you at staying there? Assess the capability of your security processes.
- How do you prove to others where you are? Get your ISMS certified.
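As an added example (not from the article or from O-ISM3 itself), the monitoring described in the last answers can be made concrete: a security target expressed as a threshold on a process metric, and an individuals control chart over the same metric that tells a genuine change in process behaviour apart from ordinary variation. The metric, the weekly values, the target and the function names are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample: days taken to deploy critical patches, one value per
# week over 12 weeks. Hypothetical data, not from the article.
WEEKLY_PATCH_DAYS = [6.0, 7.5, 5.5, 8.0, 6.5, 7.0, 6.0, 7.5, 14.0, 6.5, 9.5, 6.0]

# Hypothetical security target (or SLA clause with a provider):
# critical patches deployed within 10 days.
SECURITY_TARGET_DAYS = 10.0


def control_limits(samples, baseline=8, sigma=3.0):
    """Centre line and lower/upper control limits of an individuals chart,
    estimated from the first `baseline` samples (the stable period)."""
    if baseline < 2 or baseline > len(samples):
        raise ValueError("baseline must cover at least 2 samples")
    base = samples[:baseline]
    centre = mean(base)
    spread = sigma * pstdev(base)
    return centre, centre - spread, centre + spread


def assess_process(samples, target, baseline=8):
    """Separate two different signals a manager needs:
    - target_misses: weeks where the security target (SLA) was not met;
    - out_of_control: weeks where the process behaved unusually, even if
      the target was still met, i.e. something changed and deserves a look."""
    centre, lcl, ucl = control_limits(samples, baseline)
    out_of_control = [i for i, v in enumerate(samples) if v > ucl or v < lcl]
    target_misses = [i for i, v in enumerate(samples) if v > target]
    return {
        "centre": round(centre, 2),
        "lcl": round(lcl, 2),
        "ucl": round(ucl, 2),
        "out_of_control": out_of_control,
        "target_misses": target_misses,
        # share of weeks meeting the target: a simple attainment measure
        "target_attainment": round(1 - len(target_misses) / len(samples), 3),
    }


if __name__ == "__main__":
    for key, value in assess_process(WEEKLY_PATCH_DAYS, SECURITY_TARGET_DAYS).items():
        print(f"{key}: {value}")
```

Week 8 misses the target and is out of control; week 10 still meets the target but is above the upper control limit, which is exactly the early warning a control chart adds on top of a plain SLA check.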