This document provides terminology definitions and overviews of models, frameworks, methodologies, standards, and security concepts. It defines the differences between models and frameworks. It also describes methodology components like the PDCA approach and COBIT principles. Security standards, policies, and models like ISO 27001, SSE-CMM, and IAM/IEM are summarized. The document is intended to provide a comprehensive reference of key information security terms and concepts.
2. Terminology
A model is a high-level construct representing
processes, variables and relationships. Thus a model is
an abstract, conceptual construct that provides no
specific guidance on, or practices for, implementation.
A framework is defined as a support structure in
which another software project can be organized or
developed.
While a model is abstract and conceptual, a
framework is linked to demonstrable work.
Furthermore, frameworks set assumptions and
practices that are designed to directly impact
implementations. In contrast, models provide the
general guidance for achieving the goals, but without
getting into the details of practice and procedures.
3. Methodology
A methodology is a codified set of
recommended practices, sometimes
accompanied by training materials,
formal educational programs,
worksheets and diagramming tools.
4. Standards
A standard is a published document that contains a
technical specification or other precise criterion
designed to be used consistently as a rule, guideline or
definition.
Standards help to make life simpler and to increase the
reliability and effectiveness of many goods and services
that we use.
They are the summary of best practices and are created
by bringing together the experiences and expertise of
all interested parties: the producers, sellers, buyers,
users and regulators of a particular material, product,
process or service.
An important point to note is that standards are
designed for voluntary use and do not impose any
regulations.
However, laws and regulations may refer to certain
standards, and make compliance with them
compulsory.
5. Standard
A security standard is like any other standard
within any other industry.
A standard is a published specification that
establishes a common language, and contains a
technical specification or other precise criteria
and is designed to be used consistently, as a
rule, a guideline, or a definition. Further,
according to ISO, standards contribute to
making life simpler, and to increasing the
reliability and effectiveness of the goods and
services we use.
In essence, a STANDARD is a common set of
rules, definitions and agreed regulations that
all parties can refer to as a common reference.
6. Security Policy
SECURITY POLICY is a set of policies
issued by an organization to ensure
that all information technology users
within the domain of the organization
or its networks comply with rules and
guidelines related to the security of
the information stored digitally at any
point in the network or within the
organization's boundaries of authority.
13. ISO 27001
ISO 27001 (formerly known as ISO/IEC
17799:2005) is a specification for an
information security management system
(ISMS).
An ISMS is a framework of policies and
procedures that includes all legal, physical
and technical controls involved in an
organisation's information risk
management processes.
According to its documentation, ISO 27001 was
developed to "provide a model for establishing,
implementing, operating, monitoring, reviewing,
maintaining and improving an information
security management system."
14. ISO27001
It is an information security management (ISM) standard.
Its purpose is to help organizations to
establish and maintain the ISMS.
It is the set of requirements that must be
met if you want your ISMS to be
formally certified.
Being ISO 27001 approved is a certification
which shows that the business has
defined and implemented effective
security processes.
15. ISO 27001 uses a top-down, risk-based
approach and is technology-neutral.
The specification defines a six-part planning
process:
Define a security policy.
Define the scope of the ISMS.
Conduct a risk assessment.
Manage identified risks.
Select control objectives and controls to be
implemented.
Prepare a statement of applicability.
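The six-part planning process above can be followed end to end on a small constructed data set. The script below is an added illustration, not material from the original slides or from the standard itself: the policy statement, ISMS scope, risk register, control names (deliberately not Annex A identifiers) and the likelihood-times-impact scoring with a numeric acceptance level are all constructed assumptions, chosen only to show how a statement of applicability is derived from the earlier steps rather than written from scratch.

```python
"""Worked example of ISO 27001's six-part planning process modelled as a
small risk-assessment pipeline. Added illustration: every value below is
constructed, and the 1..5 x 1..5 scoring scheme with a fixed acceptance
level is an assumption, not something the standard prescribes."""
from dataclasses import dataclass

# Step 1: security policy (constructed statement).
SECURITY_POLICY = "Protect the confidentiality, integrity and availability of customer data."
# Step 2: ISMS scope, expressed as the set of assets inside the boundary (constructed).
ISMS_SCOPE = {"customer-db", "web-portal", "laptops"}
# Assumed risk acceptance level: a likelihood*impact score above this must be treated.
RISK_ACCEPTANCE_LEVEL = 6


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: tuple  # candidate controls that would mitigate this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed risk register feeding step 3 (risk assessment).
RISK_REGISTER = [
    Risk("customer-db", "SQL injection via web portal", 4, 5, ("CTRL-SECURE-DEV", "CTRL-WAF")),
    Risk("laptops", "Theft of unencrypted device", 3, 4, ("CTRL-DISK-ENCRYPTION",)),
    Risk("web-portal", "Credential stuffing", 3, 3, ("CTRL-MFA",)),
    Risk("build-server", "Unpatched CI agent", 4, 4, ("CTRL-PATCHING",)),  # asset outside scope
    Risk("customer-db", "Backup tape mislabelled", 1, 2, ("CTRL-MEDIA-HANDLING",)),
]

# Constructed control catalogue for step 5 (names invented; not Annex A identifiers).
CONTROL_CATALOGUE = {
    "CTRL-SECURE-DEV": "Secure development lifecycle",
    "CTRL-WAF": "Web application firewall",
    "CTRL-DISK-ENCRYPTION": "Full-disk encryption on endpoints",
    "CTRL-MFA": "Multi-factor authentication",
    "CTRL-PATCHING": "Vulnerability and patch management",
    "CTRL-MEDIA-HANDLING": "Removable media handling",
    "CTRL-PHYSICAL-DATACENTRE": "Physical access control to data centre",
}


def assess_risks(register, scope):
    """Step 3: keep only risks to in-scope assets and rank them by score."""
    in_scope = [r for r in register if r.asset in scope]
    return sorted(in_scope, key=lambda r: r.score, reverse=True)


def treat_risks(risks, acceptance_level):
    """Step 4: decide a treatment per risk. Scores above the acceptance level
    are mitigated; the rest are accepted (transfer/avoid omitted for brevity)."""
    return {r.threat: ("mitigate" if r.score > acceptance_level else "accept") for r in risks}


def select_controls(risks, treatments):
    """Step 5: a control is selected only because a mitigated risk needs it."""
    selected = {}
    for r in risks:
        if treatments[r.threat] == "mitigate":
            for control in r.controls:
                selected.setdefault(control, []).append(r.threat)
    return selected


def statement_of_applicability(catalogue, selected):
    """Step 6: every catalogue control is listed with applicability and justification."""
    soa = {}
    for control_id, name in catalogue.items():
        if control_id in selected:
            soa[control_id] = {"name": name, "applicable": True,
                               "justification": "mitigates: " + "; ".join(selected[control_id])}
        else:
            soa[control_id] = {"name": name, "applicable": False,
                               "justification": "no in-scope risk above the acceptance level requires it"}
    return soa


def plan_isms():
    """Run steps 3 to 6 against the constructed scope and register."""
    risks = assess_risks(RISK_REGISTER, ISMS_SCOPE)
    treatments = treat_risks(risks, RISK_ACCEPTANCE_LEVEL)
    selected = select_controls(risks, treatments)
    return statement_of_applicability(CONTROL_CATALOGUE, selected)


if __name__ == "__main__":
    print("Policy:", SECURITY_POLICY)
    for control_id, row in plan_isms().items():
        flag = "YES" if row["applicable"] else "no"
        print(f"{control_id:26} {flag:3} {row['justification']}")
```

Two things the output makes visible that the list alone does not: the CI-agent risk disappears because its asset lies outside the ISMS scope (scope drives everything after it), and the media-handling control ends up "not applicable" with a recorded justification rather than silently omitted, which is what an auditor looks for in a statement of applicability.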
22. ISO 27001 is designed to help organizations
establish and maintain effective information
security controls through continual
improvements.
Developed in October 2005 by the International
Standards Organization, ISO 27001 implements
principles of the Organization for Economic
Cooperation and Development (OECD) on
governing the security of information and
networks.
The standard creates a road map for the secure
design, implementation, management and
maintenance of IT processes in the organization.
23. COBIT
COBIT stands for Control Objectives for
Information and related technology.
COBIT is a framework for developing,
implementing, monitoring and improving
information technology (IT) governance
and management practices.
The COBIT framework is published by the IT
Governance Institute and the Information
Systems Audit and Control Association (ISACA).
The goal of the framework is to provide a
common language for business executives
to communicate with each other about
goals, objectives and results.
24. The original version, published in 1996,
focused largely on auditing. The latest
version, published in 2013, emphasizes
the value that information governance can
provide to a business' success.
It also provides quite a bit of advice
about enterprise risk management.
It supports managers and allows them to balance
technical issues, business risks and
control requirements.
It ensures quality, control and reliability of
information systems in the organization.
25. Components of COBIT 5
Framework: The main framework of COBIT guides
organizations through best practices and standardization
surrounding IT processes and infrastructure. The goal is to
align IT with the overall business goals by getting IT on
the same page as the rest of the company and to help
other executives and senior managers better understand
IT objectives.
Process descriptions: COBIT includes language that
anyone in the organization will understand so that
CEOs, CFOs, CIOs and other key players will easily
understand terminology, processes and descriptions. It
can help establish a solid ground for communication
between IT and outside departments.
Control objectives: This section offers an overview of
high-level requirements that can help develop and
improve every IT process, allowing businesses to adapt
these to their own needs and goals.
26. Management guidelines: The COBIT guide
offers best practices for establishing objectives and
processes and for assigning task items or
responsibilities across the organization. It also
gives guidance on measuring performance and
how the framework can integrate with other IT
management frameworks.
Maturity models: COBIT maturity models help
businesses assess the maturity of their
organization, understand how the process will
grow with the organization and identify any
potential problems that might arise down the
line.
27. The name COBIT originally stood for "Control
Objectives for Information and Related
Technology," but the spelled-out version of the
name was dropped in favor of the acronym in
the fifth iteration of the framework.
COBIT 5 is based on five key principles for
governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated
Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From
Management
31. Overview of the SSE-CMM
The SSE-CMM describes the essential
characteristics of an organization's security
engineering process that must exist to ensure
good security engineering.
It is developed based on the premise that if
you can guarantee the quality of the
processes that are used by the organization,
then you can guarantee the quality of the
products and services generated by the
processes.
The SSE-CMM focuses on process definition and
improvement as a core value.
SSE-CMM looks at the occurrence of security
defects or incidents, and seeks to identify the flaw
in the related process so as to remediate the flaw,
thus removing the overall defect.
32. Basic Concepts
Process: A process is a sequence of steps
performed for a given purpose. It is the system of
tasks, supporting tools, and people involved in the
production and evolution of some end result (e.g.,
product, system, or service).
Base Practices (BP) & Generic Practices (GP)
Base practices are practices that collectively
define security engineering. Examples of BPs are
Identify Natural Threats, Assess Threat Likelihood,
Capture Security View of System Operation, etc.
Generic practices are basically process
management practices. Examples of GPs are
Planning Performance, Tracking Performance,
Ensure Training, etc.
Process Area: Process areas are groups of
practices that, when taken together, achieve a
common purpose.
33. Process Capability
Process capability refers to an organization's potential.
It is a range within which an organization is expected to
perform. For example, in a software development project,
one statistical metric to measure the process capability is
to collect the number of software defects and plot the
percentage of defects per thousand lines of source code. If
you use the same team of developers and repeat roughly
the same set of processes in your software development,
your next project will have a comparable process
capability, i.e., in this case, the percentage of defects per
thousand lines of source code will fall within a similar
range of variation.
Process Maturity: Process maturity indicates the extent
to which a specific process is explicitly defined, managed,
measured, controlled, and effective. Process maturity
indicates the potential for growth in process capability.
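The defects-per-KLOC example above can be made concrete: the rates from a team's past projects define the range its next project is expected to fall in, and a narrower range after process improvement is what "growth in process capability" looks like in numbers. The script below is an added illustration, not from the slides or the SSE-CMM; the project data are constructed, and the mean plus or minus three sample standard deviations rule for the range is an assumption borrowed from statistical process control.

```python
"""Process capability as a range of defects per thousand lines of code (KLOC).
Added illustration with constructed project data; the mean +/- 3 sigma
control-limit rule is an assumed convention, not prescribed by the SSE-CMM."""
from statistics import mean, stdev

# Constructed history for one team: (project, defects found, lines of source code).
HISTORY = [
    ("proj-a", 42, 21_000),
    ("proj-b", 37, 18_500),
    ("proj-c", 55, 26_000),
    ("proj-d", 48, 25_000),
    ("proj-e", 30, 14_000),
]

# Constructed history for the same team after a process improvement:
# the mean rate is lower and, more importantly, the variation is tighter.
IMPROVED_HISTORY = [
    ("proj-f", 36, 20_000),
    ("proj-g", 38, 21_000),
    ("proj-h", 45, 25_000),
    ("proj-i", 27, 15_000),
    ("proj-j", 35, 19_000),
]


def defects_per_kloc(defects, loc):
    """Defect density: defects per thousand lines of source code."""
    if loc <= 0:
        raise ValueError("lines of code must be positive")
    return defects / (loc / 1000)


def capability_range(history, sigmas=3.0):
    """The range the next project is expected to land in, taken as the
    historical mean +/- `sigmas` sample standard deviations (assumed rule).
    The lower bound is clamped at zero because a negative rate is meaningless."""
    rates = [defects_per_kloc(d, loc) for _, d, loc in history]
    centre = mean(rates)
    spread = stdev(rates)
    return (max(0.0, centre - sigmas * spread), centre + sigmas * spread)


def range_width(history, sigmas=3.0):
    """Width of the capability range; smaller means a more predictable process."""
    low, high = capability_range(history, sigmas)
    return high - low


def within_capability(defects, loc, history):
    """True when a new project's defect density falls inside the expected range.
    A result outside the range is a signal to look for a changed process,
    not merely a one-off bad project."""
    low, high = capability_range(history)
    return low <= defects_per_kloc(defects, loc) <= high


if __name__ == "__main__":
    for label, hist in (("before", HISTORY), ("after", IMPROVED_HISTORY)):
        low, high = capability_range(hist)
        print(f"{label}: expected {low:.2f} .. {high:.2f} defects/KLOC (width {high - low:.2f})")
    print("new project at 50 defects / 25 KLOC within range:", within_capability(50, 25_000, HISTORY))
    print("new project at 90 defects / 25 KLOC within range:", within_capability(90, 25_000, HISTORY))
```

With the constructed numbers the first history gives a range of roughly 1.76 to 2.31 defects per KLOC, so a project at 2.0 is in range and one at 3.6 is not; the improved history produces a range about a fifth as wide, which is the quantitative meaning of a more capable process.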
34. Capability Maturity Model
A CMM is a framework for evolving an
engineering organization from an ad hoc,
less organized, less effective state to a
highly structured and highly effective
state.
Use of such a model is a means for
organizations to bring their practices
under statistical process control in order
to increase their process capability
with regard to cost, productivity,
schedule, and quality.
35. Benefits of adopting the CMM framework
1. Improving Predictability The first improvement expected as an
organization matures is predictability. For instance, Level 1
organizations often miss their originally scheduled delivery dates
by a wide margin, whereas organizations at a higher CMM level
should be able to predict the outcome of cost and schedule of a
project with higher accuracy.
2. Improving Control The second improvement expected as an
organization matures is control. As an organization's CMM level
increases, the organization will be able to establish revised targets
more accurately. For example, if the business has asked for some
new features and functions for a software application, the software
development team will be able to more accurately determine how
many more days of work will be needed.
3. Improving Process Effectiveness The third improvement
expected as an organization matures is process effectiveness. As
an organization matures, costs decrease, development time
becomes shorter, and productivity and quality increase. In
a Level 1 organization, development time can be quite long
because of the amount of rework that must be performed to
correct mistakes. In contrast, organizations at a higher maturity
level can obtain shortened overall development times via
increased process effectiveness and reduction of costly rework.
36. SSE-CMM Levels
Capability Level 1 (Initial): Performed Informally
Base practices of the process area are generally
performed.
The performance of these base practices may
not be rigorously planned and tracked.
Performance depends on individual knowledge
and effort.
Work products of the process area testify to
their performance.
Individuals within the organization recognize
that an action should be performed, and there
is general agreement that this action is
performed as and when required.
There are identifiable work products for the
process.
37. Capability Level 2 (Repeatable): Planned and Tracked
Performance of the base practices in the process
area is planned and tracked.
Performance according to specified procedures is
verified.
Work products conform to specified standards
and requirements.
Measurement is used to track process area
performance, thus enabling the organization to
manage its activities based on actual
performance.
The primary distinction from Level 1, Performed
Informally, is that the performance of the process
is planned and managed.
38. Capability Level 3: Well Defined
Base practices are performed according to a well-
defined process using approved, tailored versions of
standard, documented processes.
The primary distinction from Level 2, Planned and
Tracked, is that the process is planned and managed
using an organization-wide standard process.
Capability Level 4 (Managed): Quantitatively Controlled
Detailed measures of performance are collected and
analyzed.
This leads to a quantitative understanding of process
capability and an improved ability to predict
performance.
Performance is objectively managed, and the quality
of work products is quantitatively known.
The primary distinction from the Well Defined level is
that the defined process is quantitatively understood
and controlled.
39. Capability Level 5 (Optimizing): Continuously Improving
Quantitative performance goals (targets) for process
effectiveness and efficiency are established, based on
the business goals of the organization.
Continuous process improvement against these goals
is enabled by quantitative feedback from performing
the defined processes and from piloting innovative
ideas and technologies.
The primary distinction from the quantitatively
controlled level is that the defined process and the
standard process undergo continuous refinement and
improvement, based on a quantitative understanding
of the impact of changes to these processes.
41. IAM
The Information Security (INFOSEC)
Assessment Methodology (IAM) is a
detailed and systematic method for
examining security vulnerabilities from
an organizational perspective as opposed
to only a technical perspective.
Often overlooked are the processes,
procedures, documentation, and informal
activities that directly impact an
organization's overall security posture but
that might not necessarily be technical in
nature.
42. The main motive of the IAM is to give organizations
that provide INFOSEC assessments a
repeatable framework for conducting
organizational types of assessments, as well
as to provide assessment consumers with
appropriate information on what to look for
in an assessment provider.
The IAM is also intended to raise awareness of
the need for organizational types of assessment
versus the purely technical type of assessment.
Three phases:
Pre-assessment
On-site activities
Post assessment
43. Pre-Assessment
Determine and manage the customer's expectations
Gain an understanding of the organization's information
criticality
Determine the customer's goals and objectives
Determine the system boundaries
Coordinate with the customer
Request documentation
It concludes with a written assessment plan.
44. On-Site Assessment
This phase represents the primary thrust of the IAM in that it
takes the results of the pre-assessment phase, validates
those results and performs additional data gathering
and validation.
Conduct the opening meeting
Gather and validate system information (via
interviews, system demonstration, and document
review)
Analyze assessment information
Develop initial recommendations
The result of this phase is a report of the initial
analysis.
45. Post-Assessment Phase
It concludes the IAM by pulling together all
details from the previous two phases and
combining them into a final analysis and
report.
Additional review of documentation
Additional expertise (get help
understanding what you learned)
Report coordination (and writing)
46. IEM (INFOSEC Evaluation Methodology)
The IEM is a follow-on methodology to the
IAM.
It provides the technical evaluation
processes that were intentionally
missing from the IAM.
The IEM is a hands-on methodology, meaning
you'll be actively interacting with the
customer's technical environment.
Whereas the IAM provides us with an
understanding of organizational security as it
relates to policies and procedures, the IEM
offers a comprehensive look into the actual
technical security at the organization.
48. Pre-Evaluation
Takes the IAM pre-assessment report as input and
then coordinates the rules of engagement for
conducting a technical evaluation of systems.
Pull information from IAM Pre-Assessment
Coordination with the customer to determine
acceptable Rules of Engagement (ROE)
Give the team an understanding of the perceived
system components
Define customer expectations
Define customer constraints or concerns
Legal Requirements
Develop the Technical Evaluation Plan (TEP)
Concludes with a technical evaluation plan.
49. On-Site Evaluation
Represents the bulk of the hands-on
technical work, performing various
discoveries, scans and evaluations.
All findings are manually validated to
ensure accuracy.
Post-Evaluation
Concludes the methodology in a
manner similar to the IAM by pulling
together all data generated and putting
it into a final report that details
findings, recommendations and a
security road map.
50. Security Incident Policy Enforcement System (SIPES)
Its purpose is to offer a methodology
for defining and executing a Security
Incident Policy Enforcement System.
The methodology is planned for
completeness.
The Security Incident Policy
Enforcement System (SIPES) draft
presents a relatively abstract approach
to addressing the difficulty of incident
response management.