Information Security Program
Development and Management
Security Program
Organization-wide
security practice in a
holistic manner
logical, administrative and physical
protection mechanisms, procedures,
business processes and people, that all
work together to provide a protection
level for an environment
based on a flexible and
well-defined framework
the framework defines the general requirements and
structure of the security program; organizations
are free to plug in different types of technologies,
methods, and procedures to accomplish the necessary
protection level
why
security in an ad hoc manner
firefighting: dealing with security
issues only after incidents have
occurred.
security through obscurity
Relying on the secrecy of a design or mechanism, rather than on sound controls, to provide security
security through framework
Develop security program using security
principles and industry best practices
Industry Standards
British Standard 7799 (BS7799)
1995. UK government Department of Trade and Industry. Outlines how an information security
management system (ISMS) (aka a security program) should be built and maintained.
Provides guidance to organizations on how to design, implement and maintain the policies,
processes and technologies needed to manage risk to sensitive information assets.
ISO/IEC 27000
ISO and IEC built on top of BS7799 to launch a new global standard (the ISO/IEC 27000 series). Serves as industry best
practice for the management of security controls in a holistic manner within organizations around the
world. It is common for organizations to seek ISO/IEC 27001 certification from an accredited third party.
vs
Program specifies the pieces and
parts that need to be put in place to
provide holistic security for the
organization overall, and how to
properly take care of those pieces
and parts
Architecture illustrates how these
components are to be integrated into the
different layers of the current business
environment
e.g. the security program could dictate the data protection
controls that need to be put in place. The architecture then
shows how this happens at the infrastructure,
application, component and business levels.
Enterprise Security Architecture
A subset of an enterprise architecture.
Defines the information security strategy, which
consists of layers of solutions, processes and
procedures and the way they are linked
across the enterprise strategically, tactically,
and operationally.
Describes the structure and behavior of all components that
make up a holistic information security management
system. Ensures that security efforts align with business
practices in a standardized and cost effective manner.
Industry standards
Sherwood Applied Business Security
Architecture (SABSA)
A framework and methodology for enterprise security architecture
Development guidelines
Strategic alignment
The business drivers and the regulatory and legal requirements
are met by the enterprise security architecture.
Process enhancement
When an organization is developing its enterprise security
architecture components, those components must be integrated into the
business processes to be effective. This also allows the business
processes themselves to be refined and calibrated.
Business enablement
Security cannot stand in the way of business processes, but should
be implemented to better enable them.
Security effectiveness
The security controls in place need to provide the necessary
level of protection within the finite funds available.
vs
the enterprise view addresses the
structure of the
organization as a whole
the system view looks at the
individual pieces that
make up the whole picture
Security Controls Development
COBIT
Control Objectives for Information and Related Technology (COBIT)
is a framework containing a set of control objectives developed
by the Information Systems Audit and Control Association (ISACA)
and the IT Governance Institute (ITGI)
NIST SP 800-53
COBIT contains control objectives used within the private sector; the U.S.
government has its own set of requirements. National Institute of
Standards and Technology (NIST) SP 800-53 outlines the controls that federal agencies
need to put in place to be compliant with the Federal Information Security
Management Act (FISMA) of 2002.
Process management development
Security controls need to be used effectively and efficiently
through proper processes. The security controls can be considered
the "things," and the processes are how we use those things.
System architecture
Addresses the structure of software and computing components