May 17, 2012

PS-Prep, Capability Maturity Models and Standards

Contributing Writer, Donald Byrne, CBCP, CDCP, CBRO-M, Lead Auditor

As part of the PS-Prep posting in the October 16 issue of the Federal Register (Vol. 74, No. 199, Page 53288), the Department of Homeland Security posted seven questions for which it is seeking public feedback. The sixth question dealt with the feasibility of using a capability maturity model (CMM) as part of the certification process. This article addresses that question and provides my perspective as a UKAS-approved auditor on the topic.

Some History

The concept of a capability maturity model was developed in the late 1980s at the Software Engineering Institute at Carnegie Mellon University (CMU). As originally conceived, the model evaluates the ability of an organization’s software development process to complete a project successfully and with high quality. The model uses a variety of criteria to determine the maturity level (think “quality level”) of the process. Beginning in the 1990s this methodology was applied, with varying degrees of success, to other types of projects including construction and manufacturing.

Difficulties

As first conceived by CMU, the model recognizes five levels of maturity from Initial (Level 1) to Optimizing (Level 5). Subsequent applications of the CMM concept have used a six- or even seven-level framework. Some of these models have over 400 individual elements that must be evaluated in order to determine the maturity level of the operation or business unit. This difference in model structure highlights one of the main issues with attempting to use a CMM approach for PS-Prep. The simple fact is that there is no standardized or internationally recognized representation of a capability maturity model dealing with preparedness. The structure, content, organization, and criteria are all arbitrary, and therefore not suitable for a standards-based approach to business resiliency evaluation.

Next, because there is no accepted set of criteria or even an agreed-upon structure, it is difficult to imagine how to apply this methodology to the three areas highlighted in PL 110-53, namely emergency management, disaster recovery, and business continuity. Even more problematic would be the development of a model that is applicable across industries and organization sizes.

Last, by design, a CMM uses an element-based approach to assessment. This is in contrast to the model used by the International Organization for Standardization (ISO), which is a management system or process approach. While it is not a requirement that a management system approach be used as part of a PS-Prep standard, many organizations do prefer this structure since it draws on the strategy employed in other ISO standards such as ISO 9001 (Quality Management), ISO 28000 (Supply Chain Security Management) and ISO 27001 (Information Security Management Systems). Is it even possible to mix an element-based model with a process-based model in a meaningful way?

It should be noted for completeness that NFPA 1600 is an element-based standard that was recommended by DHS for use in the PS-Prep program and many other element-based standards do exist.

A Layered Approach?

Some CMM proponents have suggested “layering” the CMM model on top of the proposed PS-Prep standards (NFPA 1600, BS 25999, and ASIS SPC.1). While this may be an intellectually interesting idea, it is impractical from a business perspective. In fact, even attempting to follow a layered model might require a team of up to four experts to conduct the review. First, you would need an auditor who was trained to evaluate the CMM model. Of course, that begs the question of which CMM framework to use since, as pointed out above, there is no single standard in this area.

Second, a subject matter expert (SME) on the application of the model against the various standards would have to be on the team. Of course this assumes that you could find or train someone on this topic, since it would be a new field of discipline with no recognized experts. Assuming a training course on this subject could be developed in a timely manner, the question remains: who would have the expertise to develop such a course? Certainly there are some organizations who may feel they know the subject well enough to undertake this task, but again, which CMM specification would be used as the basis of this course?

With these two elements in place, the certification team would still require experts on the preparedness standard itself (such as ASIS SPC.1) and people with auditing experience.

With this team in place, how would one settle disagreements between the various auditors and SMEs? Which framework or evaluation procedure would take priority, the CMM or the standard? Could one be assured that this procedure would be applied consistently across industries and businesses? How would an auditor or assessor judge conformity or non-conformity of an individual plan element if that decision now had to be qualified as to the level of CMM completeness? Are you really more mature in terms of preparedness because you have at least some type of fire suppression equipment in place versus another firm that has a detailed emergency response process? Following this concept, how would you judge the maturity level of a requirement such as “… must demonstrate management support for the program?”

To What End

In summary, a CMM approach to assessment simply adds a layer of ambiguity and unnecessary nuances to an already complex process. It may significantly increase the cost of conducting a conformity review and does not add obvious value.

The one question that proponents of adopting a CMM approach to resiliency have to answer before proceeding with further promotion of this idea is: “Would adding a CMM assessment model add value to a certification?” Specifically, would knowing that you are at Level 3 for section 5.2 of British Standard 25999, but only at Level 1 for section 5.3, help save lives? Are such statements even meaningful, since BS 25999 is a process-oriented standard and should not be evaluated on an element basis? Would such information allow management to make decisions that will save jobs? Can you really say that one business is 35% prepared for a fire while another is 45% prepared? And if you could get around all the technical complexity, what is the value of this knowledge?

Summary

While some groups are trying to apply a CMM to business continuity planning in industries such as banking and healthcare, it is difficult to imagine the regulators of these business sectors embracing this approach, since it would throw their current inspection processes into pandemonium.

In closing, a properly structured CMM approach can offer many benefits to a wide variety of projects. However, it is just as clear that CMM has no place in the certification process of PS-Prep.

Information Security Management — Developing Your Strategy

The requirements for IT departments are no longer just to ensure that the business can access email and files and to keep all of the company’s computers working. The need for information security has moved to the top of the requirements list, and beyond the firewall-protection mentality. This need, and the challenge of managing information assets, now often becomes a discussion at the board level.

Management of IT security is strategic as well as tactical. Ensuring the proper knowledge, toolsets, projections and trend awareness requires an information security strategy, and that strategy begins with an information security analysis.

Determine your Risk Tolerance to the Information Assets

One of the most challenging aspects of creating a proper management structure for information security is determining which information assets you need to protect. Ensuring the confidentiality, integrity and availability of these assets is what you measure the risks against. An information security analysis, or risk analysis, should cover the assets, the threats to them, their vulnerabilities and the likelihood of occurrence. The next step is for the business to determine its risk tolerance. With that information in hand, you are able to determine how much exposure the business can accept for each asset. Most likely, this information will lead to another critical discussion on the goals and objectives for business continuity and disaster recovery strategies.
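The analysis step just described, carried through in code as an added example (this is not code from the original article): each asset is rated for confidentiality, integrity and availability impact, each threat carries a vulnerability and likelihood rating, and the resulting score is compared with the exposure the business has said it will accept. The 1-5 ordinal scales, the multiplicative scoring, the sample register and the tolerance thresholds are all assumptions chosen for illustration; substitute your organisation’s own scales.

```python
"""Worked qualitative risk analysis over a small information-asset register.

Added example, not from the original article. The 1-5 scales, the
impact x likelihood x vulnerability scoring and the tolerance values are
assumptions for illustration only.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = negligible / rare ... 5 = severe / near-certain


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # business impact if the asset is disclosed
    integrity: int        # business impact if it is altered
    availability: int     # business impact if it is unavailable


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # Asset.name this threat acts on
    affects: tuple        # which of "C", "I", "A" the threat compromises
    vulnerability: int    # how exposed the asset is to this threat (1-5)
    likelihood: int       # how often it is expected to occur (1-5)


def _check_scale(*values):
    for v in values:
        if v not in SCALE:
            raise ValueError(f"rating {v} is outside the 1-5 scale")


def impact(asset: Asset, affects) -> int:
    """Impact is the worst CIA rating among the properties the threat hits."""
    ratings = {"C": asset.confidentiality, "I": asset.integrity,
               "A": asset.availability}
    unknown = set(affects) - set(ratings)
    if unknown or not affects:
        raise ValueError(f"bad CIA selector {affects!r}")
    return max(ratings[p] for p in affects)


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = impact x likelihood x vulnerability, range 1..125 (assumed scoring)."""
    _check_scale(asset.confidentiality, asset.integrity, asset.availability,
                 threat.vulnerability, threat.likelihood)
    return impact(asset, threat.affects) * threat.likelihood * threat.vulnerability


def evaluate(assets, threats, tolerance, per_asset_tolerance=None):
    """Score every asset/threat pair against the accepted exposure.

    tolerance: default maximum score the business accepts.
    per_asset_tolerance: optional {asset name: score} overrides, for assets
    where the business accepts more or less exposure than the default.
    Returns one row per pair, worst score first, with a 'treat' flag.
    """
    by_name = {a.name: a for a in assets}
    per_asset_tolerance = per_asset_tolerance or {}
    rows = []
    for t in threats:
        if t.asset not in by_name:
            raise KeyError(f"threat {t.name!r} names unknown asset {t.asset!r}")
        a = by_name[t.asset]
        score = risk_score(a, t)
        limit = per_asset_tolerance.get(a.name, tolerance)
        rows.append({"asset": a.name, "threat": t.name, "score": score,
                     "tolerance": limit, "treat": score > limit})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register; values are illustrative, not from any source.
ASSETS = [
    Asset("customer database", confidentiality=5, integrity=4, availability=3),
    Asset("public web site", confidentiality=1, integrity=3, availability=4),
]
THREATS = [
    Threat("SQL injection via web app", "customer database", ("C", "I"),
           vulnerability=3, likelihood=4),
    Threat("backup media loss", "customer database", ("C",),
           vulnerability=2, likelihood=2),
    Threat("DDoS", "public web site", ("A",), vulnerability=4, likelihood=3),
    Threat("defacement", "public web site", ("I",), vulnerability=2, likelihood=2),
]

if __name__ == "__main__":
    # The business accepts less exposure on the customer database than elsewhere.
    for row in evaluate(ASSETS, THREATS, tolerance=30,
                        per_asset_tolerance={"customer database": 15}):
        flag = "TREAT " if row["treat"] else "accept"
        print(f"{flag} {row['score']:3d}/{row['tolerance']:<3d} "
              f"{row['asset']}: {row['threat']}")
```

The rows flagged `treat` are the ones that exceed the tolerance the business set, and are the input to the continuity and recovery discussion the paragraph ends on; rows under the limit are accepted and recorded, not ignored.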

Develop an Information Security Management Foundation for the Business

Organizations need to identify a good control structure in order to manage the day-to-day safety of their assets, including elements such as physical and environmental conditions that fall under the “IT team”. A management structure needs a foundation. It should draw on known standards such as ISO 27001 and the controls found in its Annex A, or COBIT 4.1 (and sometimes both), to set the control structure for the protection of the identified assets. The management tier, though, needs to be viewed holistically; implementing the management-system concept of continuous improvement provides a balance of review, improvement and commitment.

Competence, Awareness and Training

Most organizations today include IT management at the strategic level. Searches on the internet still bring up blogs and articles from 2005-2007 where getting IT management into the business was rare and an uphill battle. Today that is the exception rather than the “norm”. CIOs, CTOs and CSOs all have a strong mixed background of IT and business. Many have an information security degree or certification so that they understand, at the very least conceptually, the requirements of IT and business together. It is still an ongoing challenge to embed in management an awareness of the security needs and requirements of their organization. However, through security policy training, various certifications and ongoing education, IT management can ensure the competence of the team and of the organization as a whole. This competence, awareness and training must also be reviewed at least annually, as technology and the risks to the information assets are always changing.

Create a sustainable and improvable model

Creating a sustainable management structure for information security within an organization requires a good look at the “big picture”: what tactical requirements does IT have? What strategic requirements does the business have? What inputs and outputs are required to ensure a cohesive entity?

Often, many organizations seek out the skills of an Information Security Consultant who brings a set of “best practices” and a view of multiple organizations to the table.  A combination of having a core business skill set, along with the viewpoint of an outsider, is most likely the best option to ensure integrity of the structure. 

There is also a newer model introduced by ISACA (isaca.org) called the Business Model for Information Security (BMIS). Begun in 2008 under a formal agreement with the University of Southern California (USA) Marshall School of Business Institute for Critical Information Infrastructure Protection, BMIS aims to provide a holistic and dynamic approach to information security that is both predictive and proactive: it adapts to change, considers the organizational culture and delivers value to the business.

In summary, there is no need to reinvent the wheel to develop a quality management system for information security. Security standards, business models, experience and good controls are all critical elements in the success of the program.

A Day in the Life of an Information Security Consultant

The call came from the CIO

I need you now – don’t disappear

A client demand – we need to know

How do we fill out this Information Security Questionnaire?

We need it now – so please get working

I look at this 300 question document with huge trepidation

Sure glad the client invested in Information Security Consulting

It makes me glad we finished the Information Security Implementation

So now the controls are in place

We utilized good compliance technology

The answers are there – no need to race

The team works together – a lesson in IT Sociology

The document is now complete

Time to relax and get something to eat…..

The SANS Institute: A Well Recognized Resource for Information Security Training

In response to requests following a past posting, we are writing again about the value and importance that information from the SANS Institute adds to the libraries and resources of internal business continuity and information security risk management teams.

The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a co-operative research and education organization.  Its programs now reach more than 165,000 security professionals around the world.  The SANS Institute is the most trusted and by far the largest source for information security training and certification in the world.

Most importantly, many of the valuable SANS resources are free to all who ask.

CLICK HERE to learn more about the SANS Institute, and be sure to pass this link along to all of the members of your organization’s information security training and security management teams.

See What Experts Predict to be The Faces of Fraud in 2010

As teams of business continuity planners and information security specialists try to organize their strategies for 2010, the risk of having their organization affected by fraud is one that must be addressed.

To assist that process, Linda McGlasson, a Managing Editor of the Bank Info Security website has recently posted an article that should be on the list of required reading for all risk management groups.

This article is a compilation of the ten (10) predominant types of fraud that institutions and their customers can expect to see in 2010.  It has been organized by industry experts and should offer valuable information for security specialists who work with and support those business continuity planners.

To read this list and see how “Ghosts of Crimes Past and Present Will Haunt the Future” …. CLICK HERE.

Continued Security Threats Predicted in 2010 Report

As business continuity planning teams approach the new year, the topic of cybersecurity remains high on the list of topics to address in 2010. To address this risk management priority, we would like to discuss some of the findings stated in a recent report titled Trend Micro Annual Report: The Future of Threats and Threat Technologies 2010.

We have cited the Trend Micro website before, and we continue to recommend it as a great reference and resource for your risk management, business continuity, information technology and contingency planning teams.

While it is difficult to cover every possible threat eventuality that may take place in 2010 and beyond, this report is the collective insight of Trend Micro threat experts, researchers, and engineers.  Their combined knowledge of the existing computing landscape, plus their many years of experience in the field of security, enable them to identify real-world technological trends and threats for both home users as well as businesses in 2010 and beyond.

Recent analysis by these teams, has indicated that a new piece of malware is now created every 1.5 seconds.

In this report, the Trend Micro team states that they examine how:

     “Cybercriminals will formulate more direct and brazen extortion tactics to obtain quicker access to cash.

     It’s business as usual for botnets, but heavier monetization by botnet herders.

     Social media will be used by malware to enter the users’ “circle of trust.”

     Web threats will continue to plague Internet users.

     Cloud computing will present new security challenges.

     Changes in the Internet infrastructure will widen the playing field for cybercriminals.”

Be sure to bring this new report to the attention of anyone in your organization responsible for risk analysis, corporate and/or enterprise security, audit or compliance to security policies, security assessment status or network security maintenance.

To view the full report, CLICK HERE.

Suggested Gifts of Preparedness Offered from FEMA

On Dec. 9, FEMA unveiled its list of gift ideas for this year’s holiday season. And, while the list might not be typical of those sent to the North Pole, it does feature some good suggestions and even a few geek-pleasing gadgets that speak to the need for all of us to be thinking about preparedness this year.

According to FEMA Administrator Craig Fugate, “now is the best time to prepare for disaster since many families will be gathering together for extended periods, providing opportunities to formulate family wide emergency plans”.

Some of the ideas expressed in the list are:

  • National Oceanic and Atmospheric Administration weather radios with extra batteries;
  • Enrollment in a CPR or first-aid class;
  • Smoke detectors;
  • Foldable ladders for second-story escape in a fire;
  • Car kits (emergency flares, shovels, flashlights and fluorescent distress flags);
  • Pet disaster kits (food, water, leashes, dishes and carrying case or crate); and
  • Battery-powered lamps.

You may want to introduce this list to your business continuity and risk management planning teams before their holiday break this season.

To view the original article published on the Government Technology website, CLICK HERE .

e-Discovery Glossary Offers Valuable Resource for Information Management Teams

The Clearwell website has, as one of its many resource offerings, put together a section of its website called “E-Discovery Central”.  This resource is a comprehensive depository on nearly all issues pertaining to e-discovery including news, free downloadable content, and insights from a variety of expert sources.

This resource is also a great resource for organizational in-house business continuity planning groups and information system management teams to develop more knowledge of e-discovery practices and complex e-discovery issues. 

One of the best elements of this section is the free on-line “e-discovery glossary” which contains the commonly used terms for e-discovery and digital information management. 

This information will greatly assist in better  understanding any compliance management requirements resulting from a potential “legal hold” or any related regulatory compliance  request under litigation proceedings against your company. 

To view the glossary, CLICK HERE

Cybersecurity, Forensics, Risk Management — What Core Security Skills Will Be Required in 2010?

Business continuity planning groups will have to keep the subject of security high on their agendas in 2010. To assist the contingency planners, information security specialists and risk mitigation groups focused on the core security skills expected to be required in 2010, we refer to comments made in a recent interview between Kent Anderson, a member of ISACA’s Security Management Committee, and Tom Field, the Editorial Director for the website govinfosecurity.com.

In this article, the core security skills needed in organizations in 2010 were based on three categories:

     Technology, with particular focus on virtualization and wireless/mobile applications.

     Business issues, with particular focus on the regulatory environment and economic pressure.

     Pure (core) security, with particular focus on the convergence of information security and all business functions.

The underlying skill requirement  for all of the above was stated as the ability to better understand, better analyze and better communicate risks and threats throughout the entire organization.

In summary, the interview stressed heavily the need for the security professional in 2010 to avoid a solely technical focus, and instead to become an individual who understands how to apply the core security skills stated above, how to do a risk assessment, how to do a threat assessment, and then how to take that information and effectively relate it back to the business.

READ MORE ABOUT THIS INTERVIEW.

Recent Survey Indicates 84% of Respondents Plan to Bring eDiscovery In-House

Clearwell Systems, Inc., a leader in intelligent e-discovery, recently announced findings from a survey conducted in partnership with analyst firm Enterprise Strategy Group (ESG). The survey, titled “Trends in Electronic Discovery: A Market Perspective” quantifies both the rise in e-discovery and litigation over the past year. Additionally, the survey findings reinforce the need for increased enterprise readiness to manage the expected growth in volume of eDiscovery cases in 2010.

It has been three years since the U.S. Federal Rules of Civil Procedure were amended with provisions centered on discovery and management of electronically stored information (ESI). In the same timeframe, the macroeconomic climate went from explosive growth to recession, forcing organizations to cut costs as quickly as possible. As companies continue to operate in cost containment or reduction mode, they are changing the way they conduct e-discovery, moving away from a primarily outsourced approach to bringing core elements of e-discovery in-house. The intersection of these two industry trends led ESG and Clearwell to survey over 100 Fortune 2000 enterprises and government agencies.

Key survey findings include:

–  78 percent of respondents said that the number of lawsuits and regulatory inquiries they experienced increased in 2009 compared to 2008.  The top two factors for the increase in legal activity were “increase in the amount of lawsuits” and “repercussions of the financial crisis”

–  53 percent of the respondents expect the number of lawsuits and regulatory inquiries to increase by at least 20 percent in 2010, with 13 percent of respondents planning for an increase of 50 percent or more

–  While most respondents taking the survey believe 2010's increases will be driven by higher litigation, 46 percent of the respondents expect to receive more regulatory inquiries

–  48 percent indicated that they currently have an active project to bring segments of the e-discovery process in-house; another 36 percent will within the next 12 months

–  87 percent of respondents plan to budget for technology that specifically supports the electronic discovery process in 2010

–  22 percent of those surveyed have “E-Discovery Manager” titles, a reflection of the move in-house and importance of having a dedicated resource.

For business continuity planning groups charged with making recommendations for company eDiscovery strategies, and considering in-house vs. outsourcing their eDiscovery process, we recommend reading this report.  READ THIS REPORT.