Gain management acceptance for the security business within the Swiss Army…
Uploaded by vicente-aceituno, category: Technology
Transcript of the slide deck follows.
Slide 1: Using ISM3 to gain Management Acceptance for the Security Business within the Swiss Armed Forces
Swiss Armed Forces, Armed Forces Command Support Organisation
Lars Minth MBA, MSc. Info Sec, Architectures & Security, Chief Architect
Slide 2: Switzerland is neutral (Schweizer Armee, Führungsunterstützungsbasis, INTERN)
The politics of each nation is based on tradition and history. Neutrality Right defines the rights and obligations of a neutral nation. The international situation defines the freedom of action; the clearest case of this freedom being narrowed was WWII. The politics of neutrality assures the effectiveness and credibility of the neutrality, and it is dependent on the other three factors.
…and complicated to handle, although necessary.
Slide 3: As-Is Situation „Sec Management“ (not only Swiss DoD)
Challenges (diagram):
• Organisational Structure & Responsibility
• Practical Implementation
• Business / IT Alignment
• Dependency on other Frameworks
• Resources (money, personnel, …)
• „We already have an ISMS“
Slide 4: As-Is Situation „Sec Management“ (not only Swiss DoD), challenge: Dependency on other Frameworks
Diagram showing one box per domain for each security activity:
• Patch Management: WinSys, Ein V, OSS
• Segmentation & Filtering: CC Basis, CC Col, Ein V, OSS
Slide 5: As-Is (WAS) ISMS Swiss DoD
Process diagram (figure residue; labels translated from German), several process boxes annotated "drafted since 2005".
Processes: manage IT security policy and objectives; classify and prioritise protection objects; manage higher-level requirements; ensure legal requirements are met; ensure the security organisation; manage implementation; ensure consulting and training; ensure review and improvement; operate risk management; assign protection requirements.
Inputs and outputs: objectives; higher-level legal decrees; legal requirements; ordinances, directives, HITS; protection requirements; implementation report; improvements; consulting / training; input for the security organisation; input for consulting and training; input for risk management; immediate requirements; classified protection objects; input for protection objects; threat; controlling report; input for the objective-setting process; IT strategy; threat situation; responsibilities and tasks; data protection; legal decrees; archiving (BAR); Siko; input for legal requirements.
Interfaces labelled I1 to I10.
Slide 6: Where is the Security located?
Service-layer diagram (figure residue), labels in reading order: SM&C / Information Assurance; Information and Integration Services (Core Enterprise Services); Common COI Services; Network/Transport Services; Discovery; Enterprise Directory Services; Service Discovery Services; Interaction; Publish/Subscribe Services; Messaging Services; Collaboration Services; Mediation; Translation Services; Composition Services; Storage Services; Metadata Registry Services; Information Discovery Services; Infrastructure; Application Services; Information Assurance Services; Service Management Services; COI-Specific Services; Repository Transaction Services.
Slide 7: Where is the Security Management located?
Organisation diagram (figure residue): Program Office; Programboard Information Assurance; PMGR IA V, PMGR C4ISTAR, PMGR BLSV; Program Team areas: Planning & Conception, Transport Services, Sec-Mgmt / Cyber Defense, Concepts, Policies, Architecture, Information-Exchange.
Each area "contains the following projects": CNO (CNE, CNA, CND); Situation Awareness; Sec Mngment Infrastructure; ISMS; E2E Information Security; Mil IEG; Web Services IA; Content Based Access Control; Security Research; Security-Concepts; Security-Architecture; Security Policies; Secure QoS; Secure Routing; E2E Transport Security; Secure Core Networking.
Slide 8: So what kind of Security Management do you want to have?
It's all about Views and Roles!
Slide 10: So what kind of Security Management do you want to have? It's all about Views and Roles!
…and what about Security as a Service?
• Do we need Security?
• Do we see Security?
• Who pays for Security?
• Is ROSI around?
• Do we know what Security means from our viewpoint?
Slide 11: Security (Service) Management Infrastructure
Architecture diagram (figure residue): Security Service Interface; Security Service Management; Control & Coordination Interface; Server; Users & Managers; Threats; Applications; Communication Services; Core Enterprise Services; Service Management; Cyber Network Defense; Security Management Infrastructure / Integrated Security Architecture; COMPLIANCE: Instructions, Rules, Policies; Operational Management; ITIL Processes v3 (Capacity Mgmt, Change Mgmt, other processes); Computer Network Defense & Situational Awareness; (inter)national Civil Security Federation.
Slide 12: Guiding Principles for SMI
• Support Federated Operations – SMI will be structured to operate across multiple autonomous CIS configurations.
• Be Transparent to End Users – SMI exists to provide the security services that end users need. SMI will be designed to minimize demands upon end users. To the extent feasible, these services will operate “behind the scenes”, virtually transparent to end users.
• Facilitate Flexible Deployment – SMI must also work in limited-bandwidth, disconnected and otherwise austere mission environments.
• Incorporate a Service Oriented Paradigm – SMI services will be structured with standard interfaces and intuitive interactions.
• Embrace a Commercial Strategy – SMI will use best-of-breed commercial products as a baseline and work with industry leaders to implement needed enhancements.
• Employ a Standards-Based Approach – SMI will adopt a standards-based system design and implementation. The Swiss DoD SMI should work within commercial and international standards bodies to address or refine SMI-related standards to align with good IA practices.
Slide 13: Roadmap for the SMI
• Establishing the current baseline
• Improving the processes
• Progressively integrating
• Improving on the collaboration of the services
Slide 14: Research Study with the ISG-RHUL
Slide 15: Criteria for an ISMS
• maturity levels
• certification
• organizational model
• distribution of responsibilities
• link between business goals and information security aims
• input, outcome, metrics
• selection of security processes
• capability
• PDCA & paradigms
Slide 16: ISMS Framework-Decision
Frameworks considered: BS7799 / ISO 27 family; CoBIT; Common Criteria; FISMA; Information Security Forum; ITIL version 3; Management Frameworks; NIST; OCTAVE; Security Governance; SSE-CMM; ISM3.
Le Moigne's Three-dimensional Thinking: ISM3/ISO27 across strategic -- tactical -- operational.
Slide 17: ISM3, the Information Security Management Maturity Model
Building blocks (diagram): concepts for processes, capability, maturity; security in context; process model; risk assessment, outsourcing, definitions.
Slide 18: ISM3 Building Blocks
Diagram (figure residue) relating ISM3 to ITILv3, ISO 27k, ISO 31000 and ISO 900x.
ISM3 content: concepts for processes, capability, maturity; ISM process model; risk assessment, outsourcing, definitions; security in context; Information Security Management Maturity Model.
Task levels: Operating Tasks, Tactical Tasks, Strategic Tasks, General Tasks (aligning all above).
Security in context: Business Objectives, Security Objectives, Security Targets.
Further blocks, each "containing the following content": Security Research; Security-Concepts; Outsourcing; ISM3-RA; Feedback on Mgmt; Process Metrics; Process Definition; Operation.
Slide 19: ISM3 Processes, example process card
Process: BSP-5 Environment Patching (IT managed domain Patching)
Description: This process covers the on-going update of services to prevent incidents related to known weaknesses, enhancing the Reliability of the updated systems.
Value: Patching prevents incidents arising from the exploitation of known weaknesses in services.
Documentation: OSP-051 Services Update Level Report Template; OSP-052 Services Patching Management Procedure
Inputs: Inventory of Assets (OSP-3)
Outputs: Up-to-date services in every IT managed domain; Services Update Level Report (OSP-4); Metrics Report (TSP-4)
Quality: Update level, calculated as follows. The update level for a specific information system is equal to the sum of the days outstanding for all pending security patches. The IT managed domain update level is equal to the sum of the individual update levels, divided by the number of information systems. The lower this metric, the better. This metric allows checking of the progress of the patching process, and comparison of the update level of different IT managed domains.
Responsibilities: Supervisor: TSP-14 Process Owner; Process Owner: Information Systems Management
Related Processes: BSP-4 Change Control Information System Environment; BSP-9 Change Control Security Measures
Related Methods: Project Quant
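The BSP-5 quality metric worked through in code, so that the two-step definition (per-system sum of days outstanding, then the domain mean) can be checked on concrete data. This is an added example, not code from the slides or from ISM3's own materials; the data classes, the host names, the patch identifiers, the release dates and the reporting date 2010-06-01 are all constructed for illustration.

```python
"""Worked example of the ISM3 BSP-5 'update level' quality metric.

Added example, not from the slides or from ISM3: the data classes, sample
hosts, patch identifiers, release dates and reporting date are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class PendingPatch:
    """A security patch that is available but not yet applied to a system."""
    patch_id: str          # constructed label, e.g. "PATCH-0001"
    available_since: date  # day the patch became available for this system


@dataclass
class InformationSystem:
    name: str
    pending: List[PendingPatch] = field(default_factory=list)


def days_outstanding(patch: PendingPatch, today: date) -> int:
    """Days a pending patch has been waiting. Clamped at zero so a release date
    that lies in the future (clock skew, data-entry error) cannot pull the
    metric down."""
    return max((today - patch.available_since).days, 0)


def system_update_level(system: InformationSystem, today: date) -> int:
    """BSP-5 step 1: sum of days outstanding over all pending security
    patches of one information system. A fully patched system scores 0."""
    return sum(days_outstanding(p, today) for p in system.pending)


def domain_update_level(systems: List[InformationSystem], today: date) -> float:
    """BSP-5 step 2: sum of the individual update levels divided by the number
    of information systems in the IT managed domain. Lower is better."""
    if not systems:
        raise ValueError("an IT managed domain must contain at least one system")
    return sum(system_update_level(s, today) for s in systems) / len(systems)


def rank_domains(domains: Dict[str, List[InformationSystem]],
                 today: date) -> List[Tuple[str, float]]:
    """Compare IT managed domains as the slide suggests: best (lowest) first."""
    return sorted(
        ((name, domain_update_level(systems, today)) for name, systems in domains.items()),
        key=lambda item: item[1],
    )


# Constructed sample: two IT managed domains, reporting date 2010-06-01.
TODAY = date(2010, 6, 1)
SAMPLE_DOMAINS: Dict[str, List[InformationSystem]] = {
    "WinSys": [
        InformationSystem("win-a", [
            PendingPatch("PATCH-0001", date(2010, 5, 2)),   # 30 days outstanding
            PendingPatch("PATCH-0002", date(2010, 5, 22)),  # 10 days outstanding
        ]),
        InformationSystem("win-b"),                         # fully patched: 0
    ],
    "OSS": [
        InformationSystem("oss-a", [PendingPatch("PATCH-0003", date(2010, 4, 2))]),   # 60 days
        InformationSystem("oss-b", [PendingPatch("PATCH-0004", date(2010, 5, 27))]),  # 5 days
    ],
}

if __name__ == "__main__":
    for name, level in rank_domains(SAMPLE_DOMAINS, TODAY):
        print(f"{name}: update level {level:.1f} system-days")
```

Dividing by the number of systems is what makes domains of different size comparable, which is the comparison the slide calls for. The metric weights every pending patch equally, so one long-forgotten low-severity patch on a single host can dominate a domain's score; reporting the per-system levels next to the domain mean keeps that visible.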
Slide 20: Roles/responsibilities in distinct processes, BSP-5 „IT managed Domain Patching“
Diagram labels: Op. SecMgt; process owner; responsible person in organisational unit; Operational Security Management.
Slide 21: Business-Orientation of Sec-Processes
Matrix of Benefit (High / Medium / Low) against Investment (Low / Medium / High); only the benefit rows survive in the transcript.
High Benefit: OSP-12 User Registration; SSP-4 Define TPSRSR rules; TSP-6 Define IT managed domains and life-cycles; GP-2 ISM System and Business Audit; OSP-14 Physical environment Protection Management; OSP-7 IT managed domain Hardening; OSP-8 Software Development Life-cycle Control; OSP-19 Internal Technical Audit; OSP-4 Information Systems IT managed domain Change Control; OSP-9 Security Measures Change Control; OSP-26 Enhanced Reliability and Availability Management
Medium Benefit: TSP-11 Security Awareness; TSP-8 Personnel Security; TSP-9 Security Personnel Training; OSP-3 Inventory Management; OSP-2 Security Procurement; OSP-6 IT managed domain Clearing; OSP-27 Archiving Management; OSP-15 Operations Continuity Management; OSP-20 Incident Emulation
Low Benefit: TSP-10 Disciplinary Process; TSP-13 Insurance Management; OSP-22 Alerts Monitoring; OSP-28 External Events Detection and Analysis; OSP-23 Internal Events Detection and Analysis; OSP-24 Handling of incidents and near-incidents; OSP-25 Forensics; TSP-7 Background Checks; TSP-14 Information Operations
Slide 22: ISM3 Levels of Responsibility
Task levels (diagram): Operational-Strategic Tasks; Tactical-Architectural Tasks; Operating Tasks.
• (Direct and Provide): defines security objectives, coordinates and provides resources;
• (Implement and Optimize): designs and implements the ISM processes, defines security targets and manages the assigned resources;
• (Perform and Report): fulfils the assigned security/business processes by performing the defined security processes.
Slide 23: Security in (Business) Context
Slide 24: Management Acceptance
1. Obtain and Maintain Executive Sponsorship and Commitment
2. Encourage Company-Wide Support and Participation
3. Use, Adopt and Align to Industry Standards
4. Make it Easy for People to do the Right Thing
5. Document, Publish and Refine your Processes
6. Recognize that Training and Awareness is Key
7. Manage Risk, not Security
8. Manage with Facts and Numbers
9. Avoid the Compliance Trap
10. Leverage Corporate Business Initiatives
Slide 25: Conclusion
• understand the business roles (good investment)
• dare to ask questions + act on results
• transform security activities into services (not only if you want to be an ITIL service provider)
• manage security services by business-proven security processes (ISM3)
• establish a formal stakeholder management
• develop a marketing strategy for security (Kotler is not bad)
• talk to all stakeholders and make security public

• understand the benefits of security/risk (good investment)
• don't wait to ask if security activities seem to be strange to your business
• demand security to provide understandable inputs, outputs, metrics and capabilities for its activities (ISM3)
• talk to your security folks
• give security space to explain
Slide 26: Please tell me later …
• what was unclear?
• did you have other experiences?
• did you see/hear what you had expected?
Slide 27: Thanks for your time spent with me