Thread: RE: Food for Thought

RE: Food for Thought
user name
2007-02-08 04:55:40
I have attended two CIO conferences in the last 6 months and at both there was a general disappointment with the way security is being run: lack of quantifiable results, lack of demonstrable value to the business. It's still seen as a cost. If you are happy with the current state of affairs then you are one of the chosen few, or out of line with the common feelings of C-level execs (mainly banking, I admit).

I did not choose a good word in "tools". What I meant were good security business tools (and that doesn't mean the hyped-up vendor compliance tools). Let me illustrate with an example.

I am the CSO for a large law firm in CA. As such, SB1386 is high on our watch list. We have to manually track issues and manually (Excel, email etc.) decide what needs to be reported to auditors, exec management and Sacramento. This is not an efficient system.

Another example is metrics. While the new book on security metrics is a good read and well written, it is academic. I don't think the author has even been a CSO or that the metrics he suggests have been implemented. I want tools such as tried and tested metrics programs in my bag. I want templates, guidance, analysis to compare against. That tool is unlikely to be a technology tool.



On Thu, 08 Feb 2007 10:09:53 +0100 rogermillenhushmail.com wrote:
>Excellent thoughts Tony. I would be worried about anyone who is frustrated with the current state of affairs. I think their frustration is not a result of unavailability of 'business management tools' but because of their excessive dependence on tools that is making them sit there waiting for such 'tools' to come and rescue them.
>
>As you correctly mentioned, compliance is largely a matter of strategic thought process and choices rather than the nitty-gritties of which control maps to which regulation. Every regulation remains vague when it comes to implementation, and permits the organization to determine what is considered "appropriate" for its size and complexity.
>
>Consider this statement from the FTC guidelines on the GLBA Safeguards Rule:
>"Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue."
>
>While it requires development of an information security program, the last few lines clearly allow the organization enough, and I should add necessary, flexibility in developing a program. This is the case with every regulation out there.
>
>Now if this flexibility in the regulation is frustrating anyone and they are waiting for a tool to rescue them, my sincere advice would be to stop waiting. I do not believe any tool can ever be developed that can help them with it.
>
>Best,
>Roger
>
>
>
>On Wed, 07 Feb 2007 22:03:16 -0800 Tony UcedaVélez <tonyuvversprite.com> wrote:
>>>4. Someone releases some decent policies and standards for free!
>>
>>I can definitely understand your frustration in not having the necessary 'business management tools' that support both your compliance and security needs; however, at the end of the day, some degree of unique customization will have to be made on behalf of you and your colleagues within security to come up with an Information Security Management System (ISMS) that is right for your organization and that above all else is strategic. No, that wasn't a typo, for strategic planning of security objectives at any organization were brought to life for reasons that relate to regulatory requirements, lawsuits, business image, etc.; therefore, as part of a strategic effort to mitigate all of the above (and more), a customized and scalable security governance program will require constant innovation and investment. Generic Policy & Procedures XYZ is not a strategic governance decision that would reflect the unique operations and business culture of your organization.
>>
>>>I hope people are going to wake up and smell the coffee about compliance. You can't buy technical security tools to help you achieve compliance against many of the regulations. As soon as people realize that we can all focus on the important work.
>>
>>I will agree with you that security tools (contrary to the vendor propaganda) will not achieve compliance in and of themselves; however, because those tools increase the security posture of the networks, hosts, data environments, etc. by some degree, they typically have some degree of beneficial impact on compliance efforts.
>>
>>>I want something that helps me review our org against the frameworks (COSO, ITIL), regulations (FFIEC) and standards (7799) and produce me a well organized plan that we can work towards. I am tired of having to fire fight all day. In short I want real business management tools.
>>
>>Take into account that the reference material out there related to frameworks, maturity models, risk assessment methodologies, etc. is simply reference material for guidance. Echoing the 'one size fits all' or "let me cross map everything to everything" will simply create a heavily distorted view of how your policies (or other governance-inspired materials) map to other frameworks, compliance regulations, standards, etc. The ITCi impact assessment tool (indirectly referenced earlier in another post) is a well-intentioned, innovative Excel workbook that does cross map security elements to compliance regulations. Unfortunately I've seen this tool stored on the security share drive of many financial institutions where some poor security professional attempts to single-handedly use this tool to map security efforts to an array of compliance regs that they may not even be well acquainted with. The truth is that all compliance initiatives are typically directed by a CRO (Chief Risk Officer), Chief Legal Counsel, Chief Privacy Officer (or other C-level) who may determine what compliance initiative is paramount for the organization to follow. Because compliance costs serious money, picking which regulation to abide by, to what degree, and for how long becomes a strategic issue. Therefore no level of multi-dimensional matrices, mapping compliance regs to frameworks to standards to maturity models to human genome, will assist in successfully portraying how your governance program is all-inclusive. So we're back to the previous recommendation of simply using these reference materials in order to achieve a strategic governance program in support of the enterprise's strategic objectives.
>>
>>As an aside, COSO provides two types of frameworks: one for Internal Control and one for Enterprise Risk Management, both used primarily in managing IT-related functions that support financial and compliance functions. Conversely, ITIL is a framework that is geared to managing and measuring service delivery functions. Depending on the nature of your security and the majority of your security and compliance functions, I'd pick the one that achieves the greater degree of flexibility or scalability, again suitable to your unique organization.
>>
>>I feel that the state of our security industry is held captive by the directives of compliance efforts and how it clouds the altruistic belief of most security efforts. To your point, frustration ensues as security concerns and conversations end up taking inevitable tangents to compliance-centric questions from management, thereby forcing many of us to find the best framework, set of standards, type of policies, etc. to depict how governance activities are achieving compliance efforts.
>>
>>Tony UcedaVélez, CISA, GIAC
>>VerSprite, LLC
>>(office) 678.938.3434
>>(email) tonyuvversprite.com
>>(web)   www.versprite.com
>>
>>
>>-----Original Message-----
>>From: listbouncesecurityfocus.com 
>>[mailto:listbouncesecurityfocus.com] On
>>Behalf Of seclists008hushmail.com
>>Sent: Wednesday, February 07, 2007 11:24 AM
>>To: psrcsecurityfocus.com; jason.bevisfoundstone.com
>>Subject: RE: Food for Thought
>>
>>
>>I want something that helps me review our org against the frameworks (COSO, ITIL), regulations (FFIEC) and standards (7799) and produce me a well organized plan that we can work towards. I am tired of having to fire fight all day. In short I want real business management tools.
>>
>>
>>On Wed, 07 Feb 2007 16:14:15 +0100 Jason.BevisFOUNDSTONE.COM wrote:
>>>So I'm interested in Wish number #1. I'm not sure I fully understand what you think could help manage the day to day life in the info sec dept.
>>>
>>>Can you expand?
>>>
>>>As for the others I'd be interested in the different sites people have for policies.
>>>
>>>
>>>
>>>Jason Bevis
>>>CISSP, ISSMP
>>>
>>>-----Original Message-----
>>>From: listbouncesecurityfocus.com
>>>[mailto:listbouncesecurityfocus.com]
>>>On Behalf Of seclists008hushmail.com
>>>Sent: Wednesday, February 07, 2007 9:34 AM
>>>To: psrcsecurityfocus.com
>>>Subject: Re: Food for Thought
>>>
>>>I hope people are going to wake up and smell the coffee about compliance. You can't buy technical security tools to help you achieve compliance against many of the regulations. As soon as people realize that we can all focus on the important work.
>>>
>>>I hope finally people will stop focusing on the network and focus on the information.
>>>
>>>5 Wishes
>>>1. Someone would build a decent open source platform to manage day to day life in an info sec dept. I am tired of building things myself.
>>>2. Someone will educate regulators / regulators will consult the industry about best practices. Note: PCI specifying web application firewalls is almost criminal.
>>>3. People will get back to basics and then tackle the cream.
>>>4. Someone releases some decent policies and standards for free!
>>>5. My boss will roll up in a heap and keel over.
>>>
>>>
>>>
>>>ListStimulation(nudge);
>>>
>>>Anyone playing the "What's hot and what's not at RSA this week"? More NAC, less DAC or is it more red buttons and tools with compliance written on the box? Is there anything truly cool happening in the security industry today? If not why not? If yes, what is it? If you had 5 wishes on the industry what would they be?
>>>
>>>ListStimulation(relaxed);