360 Security Model

1. 360 Security Model Holistic Approach to Security

2. Security’s New Mantra “Security needs to be a business process” Great strategic goal – but we will never get there under today’s approaches.

3. What Models Do We Have Today? • Process oriented, (ISO9001:2000, BS7799-2:2002, CMMI, ITIL/ITSM) • Controls oriented (ISO13335-4, BSI-ITBPM) • Product oriented (Common Criteria) • Risk analysis oriented (Octave, Magerit) • Best practice oriented (ISO/IEC 17799:2000, CobiT, ISF-SGP) But how many business people understand these and can implement them?

4. CobiT Excerpts • Prepare a risk management action plan to address the most significant risks. • Define and implement a security framework that consists of standards, measures, practices and procedures. Develop clear policies and detailed guidelines, supported by a repetitive and assertive communications plan that reaches every employee. • Establish security baselines and rigorously monitor compliance. The industry needs to know HOW to do these things, not JUST that they need to be done.

5. CEO and Board C-Level Individuals Consultants Department Managers Managed Services IT and technologists Products Generic Technology Training What are We Doing Today? • Sending staff to technical security courses • Bringing in consultants • Purchasing products • Using managed security services

6. Security Consulting Issues

7. Why Is Our Current Model Dangerous? • Relying too heavily on consultants • Not making educated and informed decisions about; • Purchasing security products and services • Employing managed services • Not knowing what to spend the security budget on • People, process, technology • Not understanding what level of protection the security budget is providing • Not being able to report to the board members and share holders about the company’s security protection level • Wasting time, money, and effort without making enough progress

8. Level of Sophistication We are currently here

9. We Need to Evolve • We need a new model to empower organizations and allow them to understand security in business terms • We need a model that takes the theoretical best practices and turns them into practical action items • Companies need to be able to take ownership of their internal security program • The current approach will continue to provide a gap between what we preach and what we practice • Holistic, integrated security, that is a business process

10. Where Is Your Company Today? • Defined policies, but no security program • Security program with no real structure • Security program with certain pieces structured • Structured security program with no support from business units • Structured security program fought by cultural issues

11. Security Programs… Structure or Chaos – or In Between? If you don’t know where you are, you can’t get to where you want to go. It’s okay if your program looks at first like a big ball of mud, at least until you know better. • Swamp guides become • more valuable than • security architects

12. Standardized security understanding at this level CEO and Board • Government Regulations and Laws • Big picture of company risks • Personal liability issues • Big picture of company’s security posture Standardized security understanding at this level C-Level Individuals • Security program development • Security roles and delegation of responsibilities • Develop company’s security infrastructure and • business process • Mapping compliancy requirements to tactical and • strategic company goals Standardized security understanding at this level Department Managers Standardized security understanding at this level IT and technologists • Implementation of security program and • infrastructure • Compliancy checklists, auditing, monitoring • Tying technology solutions to business objectives • Implementation of technology solutions Who Needs To Know What?

13. You Do Not Need to Understand Technology to Integrate Security

14. Securing from the Inside Out, Instead of Outside In

15. Target Who Needs to Understand What The model outlines the depth of each topic that the different corporation levels need to understand.

16. It should be a uniquely conceptual model in that it embodies eminently practical elements that can be applied alone or in sequence to define project activity deliverables.

17. Security Maturity Evolution Assurance Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective Security Organizational Structure Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure Baseline Security Standards Security controls defined to establish a consistent basis for managing risk Documented Strategy, Principles, and Policy Clearly defined set of technology-independent policies developed from the business strategy Security Metrics Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process Initiate Stakeholder Security Program Stakeholder sponsored program with responsibilities assigned Security Capability Compliance and Certification Establish compliance measurement and reporting system Security Technical Framework Establishment of standards and technologies to support stakeholder interaction Security Architecture Architecture principles and policies in place to define core security functions • Defined • Level 1 • Level 2 • Integrated • Level 3 • Optimized • Evolution

19. 5. OPTIMIZING Process control 4. MANAGED Process measurement 3. DEFINED Process definition 2. REPEATABLE Basic management control 1. INITIAL Ad hoc Incrementally Improves All Security Areas Quality Improvement Model: Capability Maturity “A conceptual framework to help organizations: • Characterize the maturity of their process (AS IS) • Establish goals for process improvement (TO BE) • Set priorities for getting there (TRANSITION) • Manage & sustain change (STABLIZE) • And introduce change incrementally.”

20. Centralized Access to All Necessary Information