SECURITY MODELS FOR IMPROVING YOUR ORGANIZATION'S DEFENCE POSTURE AND STRATEGY

Vladimir Jirasek
Blog: JirasekOnSecurity.com
Bio: About.me/jirasek
9th Nov 2011
About me
• Security professional (11 years)
• Founding member and steering group member of CAMM (Common Assurance Maturity Model, common-assurance.com)
• Director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and
  business management (Jo Owen)
Topics I will cover today
• Security model for information security
• Security policy structure
• Security processes
• Security technology stack
• Security metrics for organisations
Security model – business drives security

[Diagram] Drivers (international security standards, laws & regulations, compliance requirements, business objectives, and security threats fed through security intelligence) -> Define -> Policy framework (information security policies, standards and artefacts) -> Define security controls -> Process framework (information security processes built from technology, people and rules) -> Execute security controls -> Metrics framework (information security metrics objectives; measure security controls maturity; Security Metrics Portal; external security metrics) -> Inform stakeholders (CEO & Board, Governance, Line Management, Product Management, Program Management, Risk & Compliance, Auditors, Security Professionals). Security management closes the loop by feeding corrections back into the security processes.
Information Security Policy framework

[Diagram] Policy layers by owner and audience:
• CISO: Information Security Policy (including the Data Classification Policy and the Employee Acceptable Use Policy), driven by business and security objectives
• CIO: Information Technology Security Policy, driven by security objectives
• IT Security: IT security standards (reuse internationally accepted controls), a security architecture repository and security guidelines, driven by architecture
• Technical teams: technology, controls and processes
Relationship between business objectives and security processes

[Diagram] International standards supply the controls. Business objective BO1 -> security objectives SO1 (controls C1, C2, C3) and SO2 (C4, C5); BO2 -> SO3 (C6, C7); BO3 -> SO4 (C8, C9) and SO5 (C10, C11). The controls are executed by security processes P1 to P4, which support business processes B1, B2 and B3.
The chain provides the response to two questions: "Do we have all business risks covered?" and "Why are we doing this?"
Sources of security controls
• ISO 27000 series
• ISF Standard of Good Practice 2011
• PCI DSS
• NIST SP 800-53
• CObIT 4
• SANS 20 critical controls
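The traceability chain above (business objective -> security objective -> control -> security process) can be checked mechanically. The following Python model is an added example, not code from the slides: it links the slide's BO/SO/C labels to the processes that execute the controls and tags each control with the standard it was taken from, then answers the two questions on the diagram. The process assignments, the extra objective BO4 and the extra control C12 are constructed assumptions used to show the gaps the model surfaces.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """A security control selected from a standard (source is a label only)."""
    cid: str
    source: str
    processes: set = field(default_factory=set)   # security processes executing it


@dataclass
class SecurityObjective:
    sid: str
    controls: set


@dataclass
class BusinessObjective:
    bid: str
    security_objectives: set


class SecurityModel:
    """Business objectives -> security objectives -> controls -> processes."""

    def __init__(self):
        self.business = {}
        self.security = {}
        self.controls = {}

    def add_business_objective(self, bid, security_objectives):
        self.business[bid] = BusinessObjective(bid, set(security_objectives))

    def add_security_objective(self, sid, controls):
        self.security[sid] = SecurityObjective(sid, set(controls))

    def add_control(self, cid, source, processes=()):
        self.controls[cid] = Control(cid, source, set(processes))

    def executed_controls(self, bid):
        """Controls behind a business objective that some process actually executes."""
        found = set()
        for sid in self.business[bid].security_objectives:
            objective = self.security.get(sid, SecurityObjective(sid, set()))
            for cid in objective.controls:
                ctl = self.controls.get(cid)
                if ctl and ctl.processes:
                    found.add(cid)
        return found

    def uncovered_business_objectives(self):
        """'Do we have all business risks covered?': objectives whose chain
        never reaches a control that a security process executes."""
        return sorted(b for b in self.business if not self.executed_controls(b))

    def justification(self, cid):
        """'Why are we doing this?': every (business objective, security
        objective) pair that needs the control; empty means no business reason."""
        reasons = []
        for bo in self.business.values():
            for sid in bo.security_objectives:
                so = self.security.get(sid)
                if so and cid in so.controls:
                    reasons.append((bo.bid, sid))
        return sorted(reasons)

    def unjustified_controls(self):
        return sorted(c for c in self.controls if not self.justification(c))

    def unexecuted_controls(self):
        """Controls an objective requires but no security process runs."""
        return sorted(c for c, ctl in self.controls.items()
                      if not ctl.processes and self.justification(c))


def build_sample_model():
    """Constructed data following the slide's labels; process assignments,
    BO4 and C12 are assumptions added to demonstrate the gap checks."""
    m = SecurityModel()
    m.add_business_objective("BO1", ["SO1", "SO2"])
    m.add_business_objective("BO2", ["SO3"])
    m.add_business_objective("BO3", ["SO4", "SO5"])
    m.add_business_objective("BO4", ["SO6"])         # SO6 never defined: uncovered
    m.add_security_objective("SO1", ["C1", "C2", "C3"])
    m.add_security_objective("SO2", ["C4", "C5"])
    m.add_security_objective("SO3", ["C6", "C7"])
    m.add_security_objective("SO4", ["C8", "C9"])
    m.add_security_objective("SO5", ["C10", "C11"])
    for cid in ("C1", "C2", "C3", "C4", "C5"):
        m.add_control(cid, "ISO 27001", ["P1"])
    m.add_control("C6", "PCI DSS", ["P2"])
    m.add_control("C7", "PCI DSS", ["P2"])
    m.add_control("C8", "NIST SP 800-53", ["P3"])
    m.add_control("C9", "NIST SP 800-53")            # selected, but nobody runs it
    m.add_control("C10", "SANS 20", ["P3"])
    m.add_control("C11", "SANS 20", ["P4"])
    m.add_control("C12", "CObIT 4", ["P4"])          # run, but no objective needs it
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print("Uncovered business objectives:", model.uncovered_business_objectives())
    print("Required but unexecuted controls:", model.unexecuted_controls())
    print("Controls with no business reason:", model.unjustified_controls())
    print("Why C6?", model.justification("C6"))
```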
Security technology stack

[Diagram] Layers, top to bottom: GRC; Information & Event Mgmt; Identity, Entitlement, Access; Data Security; Application Security; Host Security; Network Security; Physical Security. Cryptography runs alongside all layers.
• Organise security reporting around the stack
• For each layer prepare a current state and target state analysis and a roadmap
Security stack::Network
• Network firewalls
• VPN gateways
• Network Intrusion Detection/Prevention
• DDoS
• WiFi security
• Network Access Control
• DNS Security
• Web, Email & IM filtering
Network security relationships

[Diagram] What network security does for, and takes from, the other domains:
• Data security – monitor and control data flows on the network
• Host security – interconnect hosts on the network, establish secure channels, control hosts on the network
• Identity and Access – use identity, retrieve access control
• Application security – monitor and control applications running on the network
• Cryptography – key management, crypto offload
• Security event management – send security logs, detect security incidents
Security stack::Host
• Configuration compliance
• Patch management
• Vulnerability scanning
• Anti-malware
• Application control
• Location awareness
• Device control
• Trusted execution protection
Host security relationships

[Diagram] What host security does for, and takes from, the other domains:
• Network security – monitor and filter restricted data
• Data security – protects data at rest
• Application security – protect integrity of applications
• Identity and Access domain – use identity, retrieve access control
• Security event management – send security logs, detect security incidents
• Cryptography domain – key management
Security stack::Application
• Code reviews/scanning – binary and source
• Security sensors (AppSensor)
• Web application scanning
• Penetration testing
• Web protection (WAF)

Application Security Services throughout a lifecycle

[Chart] Number of flaws and vulnerabilities, and cost to remediate, plotted across lifecycle stages E1 to E5 and EOL. Services mapped along the lifecycle: Binary Code Analysis, IT Security Assessment, Web Application Scanning, Web Application Protection.
Application security relationships

[Diagram]
Security stack::Data
• Data classification
• Email encryption
• File encryption
• Document Rights Management
• Data Leakage protection
• Watermarking
• End point encryption
• Database security
Data security relationships

[Diagram]
Security stack::IAEM
• Principal management
• Account provisioning
• Rights management
• Directories
• Single sign on and Federation
• Authorisation
• Role and rights auditing
• 2nd factor authentication
IAEM relationships

[Diagram] Identity and Access provides authentication and authorisation services to network security, host security, data security and application security. It sends security logs to, and relies on incident detection from, security event management, and takes key management from the cryptography domain.
Security stack::Cryptography
• Key generation
• Key escrow
• Host and Network HSM
• Certificate management & PKI
Cryptography relationships

[Diagram] What cryptography provides to the other domains:
• Data security – store encryption keys, email certificates
• Host security – disk encryption
• Identity and Access – certificates for authentication
• Application security – application signing; encrypted and signed application communication
• Security event management – digital signatures of log files, encryption of sensitive logs
• Network security – IPSec VPN; SSL VPN, SSL split tunnel
Security stack::SIEM
• Collection of security relevant logs
• Archiving – retention
• Correlation with other data sources
• Acting on security information
• Ideal to use MSSP
SIEM relationships

[Diagram] Security event management collects security configuration from the CMDB and collects, analyses and reacts on security events from Identity and Access, data security, network security, cryptography and application security.
Security metrics characteristics
• Measurable
• Objective
• Quantitative (ideally)
• Meaningful
• With KPIs attached – know what is good and bad
• Linked to business objectives – money speaks
Metrics for CIO – Policy compliance and control maturity

Policy statement   IT Unit A   IT Unit B   IT Unit C   Overall IT
Governance         3           3.5         2           3
Awareness          3           4           3           3.5
Development        N/A         2           1           1.5
Hardening          4           N/A         2           3
Network            N/A         N/A         3           3
End devices        2           2           3           2
Overall            3 (£3m)     3 (£100k)   2 (£10m)    3 (£13.1m)

Metrics for CIO – Maturity of controls for business processes/services

Invest in the IT service to lower the VaR.

IT Service       Maturity   VaR for Process A   VaR for Process B   VaR for Process C   VaR for IT service
IT Service 1     2          £1m                 £2m                 £1m                 £4m
Infrastructure   3          £1m                 £3m                 £10m                £14m
IT Service 2     3          £0.5m               N/A                 £20m                £20.5m
IT Service 3     4          N/A                 £100k               £500k               £600k
Overall                     £2.5m               £5.1k               £31.5m              £39.1m
Summary
• Business drives security
• Reuse good content from information security community
• Security policy framework – target audience, think of
  implementation
• Link security metrics to policy which is linked to business
  objectives
• All-round security controls – good prevention against
  cyber threats

Introduction to NIST Cybersecurity FrameworkTuan Phan
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Risk management ISO 27001 Standard
Risk management ISO 27001 StandardRisk management ISO 27001 Standard
Risk management ISO 27001 StandardTharindunuwan9
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 

What's hot (20)

Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap
 
Enterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditEnterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to audit
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture Design
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
Risk management ISO 27001 Standard
Risk management ISO 27001 StandardRisk management ISO 27001 Standard
Risk management ISO 27001 Standard
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 

Viewers also liked

Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...Schneider Electric
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapWAJAHAT IQBAL
 
Capability Model_Data Governance
Capability Model_Data GovernanceCapability Model_Data Governance
Capability Model_Data GovernanceSteve Novak
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
 

Viewers also liked (7)

Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - Mindmap
 
Capability Model_Data Governance
Capability Model_Data GovernanceCapability Model_Data Governance
Capability Model_Data Governance
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
 

Similar to Security models for security architecture

Information Risk Security model and metrics
Information Risk Security model and metricsInformation Risk Security model and metrics
Information Risk Security model and metricsVladimir Jirasek
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT SecuritySeccuris Inc.
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By DesignNalneesh Gaur
 
Ta Security
Ta SecurityTa Security
Ta Securityjothsna
 
TA security
TA securityTA security
TA securitykesavars
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGArul Nambi
 
Risk Management Methodology
Risk Management MethodologyRisk Management Methodology
Risk Management Methodologylaurahees
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems PolicyAli Sadhik Shaik
 
Know more about exin unique information security program
Know more about exin unique information security programKnow more about exin unique information security program
Know more about exin unique information security programElke Couto Morgado
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
En arkitektonisk vy av en ledande och dynamisk IT-säkerhetsportfölj - PCTY 2011
En arkitektonisk vy av en ledande och dynamisk IT-säkerhetsportfölj - PCTY 2011En arkitektonisk vy av en ledande och dynamisk IT-säkerhetsportfölj - PCTY 2011
En arkitektonisk vy av en ledande och dynamisk IT-säkerhetsportfölj - PCTY 2011IBM Sverige
 
[Chaco] Soluciones de Seguridad – Nicolás Pérez, Giux
[Chaco] Soluciones de Seguridad – Nicolás Pérez, Giux[Chaco] Soluciones de Seguridad – Nicolás Pérez, Giux
[Chaco] Soluciones de Seguridad – Nicolás Pérez, GiuxIBMSSA
 
E-Mail Compliance Frameworks in the Real World
E-Mail Compliance Frameworks in the Real WorldE-Mail Compliance Frameworks in the Real World
E-Mail Compliance Frameworks in the Real WorldChris Byrne
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governancenooralmousa
 
Corporate Presentation
Corporate PresentationCorporate Presentation
Corporate PresentationArul Nambi
 
Security Patterns How To Make Security Arch Easy To Consume
Security Patterns   How To Make Security Arch Easy To ConsumeSecurity Patterns   How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To ConsumeJeff Johnson
 

Similar to Security models for security architecture (20)

Information Risk Security model and metrics
Information Risk Security model and metricsInformation Risk Security model and metrics
Information Risk Security model and metrics
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT Security
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By Design
 
iCode Security Architecture Framework
iCode Security Architecture FrameworkiCode Security Architecture Framework
iCode Security Architecture Framework
 
Ta Security
Ta SecurityTa Security
Ta Security
 
TA security
TA securityTA security
TA security
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Risk Management Methodology
Risk Management MethodologyRisk Management Methodology
Risk Management Methodology
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems Policy
 
Know more about exin unique information security program
Know more about exin unique information security programKnow more about exin unique information security program
Know more about exin unique information security program
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Tata Kelola Keamanan Informasi
Tata Kelola Keamanan InformasiTata Kelola Keamanan Informasi
Tata Kelola Keamanan Informasi
 
En arkitektonisk vy av en ledande och dynamisk IT-säkerhetsportfölj - PCTY 2011
En arkitektonisk vy av en ledande och dynamisk IT-säkerhetsportfölj - PCTY 2011En arkitektonisk vy av en ledande och dynamisk IT-säkerhetsportfölj - PCTY 2011
En arkitektonisk vy av en ledande och dynamisk IT-säkerhetsportfölj - PCTY 2011
 
[Chaco] Soluciones de Seguridad – Nicolás Pérez, Giux
[Chaco] Soluciones de Seguridad – Nicolás Pérez, Giux[Chaco] Soluciones de Seguridad – Nicolás Pérez, Giux
[Chaco] Soluciones de Seguridad – Nicolás Pérez, Giux
 
E-Mail Compliance Frameworks in the Real World
E-Mail Compliance Frameworks in the Real WorldE-Mail Compliance Frameworks in the Real World
E-Mail Compliance Frameworks in the Real World
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
 
Corporate Presentation
Corporate PresentationCorporate Presentation
Corporate Presentation
 
Security Patterns How To Make Security Arch Easy To Consume
Security Patterns   How To Make Security Arch Easy To ConsumeSecurity Patterns   How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To Consume
 
Agam Profile
Agam ProfileAgam Profile
Agam Profile
 
Agama Profile
Agama ProfileAgama Profile
Agama Profile
 

More from Vladimir Jirasek

Vulnerability management - beyond scanning
Vulnerability management - beyond scanningVulnerability management - beyond scanning
Vulnerability management - beyond scanningVladimir Jirasek
 
Vulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVladimir Jirasek
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud securityVladimir Jirasek
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Vladimir Jirasek
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architectureVladimir Jirasek
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architectureVladimir Jirasek
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantVladimir Jirasek
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009Vladimir Jirasek
 
Mobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risksMobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risksVladimir Jirasek
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesVladimir Jirasek
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White HatsVladimir Jirasek
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metricsVladimir Jirasek
 
CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011Vladimir Jirasek
 
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir JirasekISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir JirasekVladimir Jirasek
 
Federation For The Cloud Opportunities For A Single Identity
Federation For The Cloud  Opportunities For A Single IdentityFederation For The Cloud  Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single IdentityVladimir Jirasek
 

More from Vladimir Jirasek (16)

Vulnerability management - beyond scanning
Vulnerability management - beyond scanningVulnerability management - beyond scanning
Vulnerability management - beyond scanning
 
Vulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London Gathering
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009
 
Mobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risksMobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risks
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processes
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
 
CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011
 
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir JirasekISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
 
Qualys Webex 24 June 2008
Qualys Webex 24 June 2008Qualys Webex 24 June 2008
Qualys Webex 24 June 2008
 
Federation For The Cloud Opportunities For A Single Identity
Federation For The Cloud  Opportunities For A Single IdentityFederation For The Cloud  Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single Identity
 

Recently uploaded

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 

Recently uploaded (20)

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...

Security models for security architecture

  • 1. SECURITY MODELS FOR IMPROVING YOUR ORGANIZATION’S DEFENCE POSTURE AND STRATEGY Vladimir Jirasek Blog: JirasekOnSecurity.com Bio: About.me/jirasek 9th Nov 2011
  • 2. About me • Security professional (11 years) • Founding member and steering group member of CAMM (Common Assurance Maturity Model, common-assurance.com) • Director, CSA UK & Ireland • I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
  • 3. I will cover topics today • Security model for information security • Security policy structure • Security processes • Security technology stack • Security metrics for organisations
  • 4. Security model – business drives security (diagram; labels recovered: drivers – International security standards, Laws & Regulations, Business security objectives, Security threats intelligence; Security management – Policy framework (Information Security policies, Information Security standards, Compliance requirements), Process framework (Information Security Processes, Security Program Management, Information Security Artefacts), Metrics framework (Information Security Metrics objectives, Security Metrics Portal); audiences – CEO & Board (Governance), Line Management, Product Management, People, Risk & Compliance, Auditors, Security Professionals, External security metrics; cycle – Define security objectives → Execute security controls → Measure security controls maturity → Correction of security processes; arrow labels Define, Rules, Measure, Inform)
  • 5. Information Security Policy framework (diagram; labels recovered: CISO – Business and Information Security objectives → Information Security Policy, Data classification policy, Employee Acceptable Use Policy; CIO – Security Information Technology objectives → IT Security Policy, IT security standards [reuse internationally accepted controls], Security Architecture; Technology teams – Technical Security processes, Controls and architecture repository, Security Processes guidelines)
  • 6. Relationship between business objectives and security processes (diagram; labels recovered: Business objectives BO1–BO3 and Business processes B1–B3 → Security Objectives SO1–SO5 → Controls C1–C11, sourced from International standards → Security Processes P1–P4; callouts: “Provides response to ‘Do we have all business risks covered?’” and “Provides response to ‘Why are we doing this?’”)
  • 7. Sources of security controls • ISO 27000 series • ISF Standard of Good Practice 2011 • PCI DSS • NIST SP 800-53 • CObIT 4 • SANS 20 critical controls
  • 8. Security technology stack (layers as listed on the slide: GRC; Information & Event Mgmt; Identity, Entitlement, Access; Data Security; Cryptography; Application Security; Host Security; Network Security; Physical Security) • Organise security reporting around the stack • For each, prepare current state, target state analysis and roadmap
  • 9. Security stack::Network • Network firewalls • VPN gateways • Network Intrusion Detection/Prevention • DDoS • WiFi security • Network Access Control • DNS Security • Web, Email & IM filtering
  • 10. Network security relationships (diagram; labels recovered: Data security – monitor and control data flows on network; Host security – interconnect hosts on network, control hosts on network; Identity and Access – use identity, retrieve access control; establish secure channel; Application security – monitor and control applications running on network; Security event management – send security logs, detect security incidents; Cryptography – key management, crypto offload)
  • 11. Security stack::Host • Configuration compliance • Patch management • Vulnerability scanning • Anti-malware • Application control • Location awareness • Device control • Trusted execution protection
  • 12. Host security relationships (diagram; labels recovered: Network security; Data security – monitor and filter restricted data, protects data at rest; Application security – protect integrity of applications; Identity and Access domain – use identity, retrieve access control; Security event management – send security logs, detect security incidents; Cryptography domain – key management)
  • 13. Security stack::Application • Code reviews/scanning – binary and source • Security sensors (AppSensor) • Web application scanning • Penetration testing • Web protection (WAF) (chart: Application Security Services throughout a lifecycle – y axes: Number of flaws and vulnerabilities, Cost to remediate; x axis: lifecycle stages E1–E5, EOL; series: Binary Code Analysis, IT Security Assessment, Web Application Scanning, Web Application Protection)
  • 14. Application security relationships (relationship diagram; no labels recovered)
  • 15. Security stack::Data • Data classification • Email encryption • File encryption • Document Rights Management • Data Leakage protection • Watermarking • End point encryption • Database security
  • 16. Data security relationships (relationship diagram; no labels recovered)
  • 17. Security stack::IAEM • Principal management • Account provisioning • Rights management • Directories • Single sign on and Federation • Authorisation • Role and rights auditing • 2nd factor authentication
  • 18. IAEM relationships (diagram; labels recovered: Identity and Access provides authentication and authorisation services to Network security, Host security, Data security and Application security; Security event management – send security logs, detect security incidents; Cryptography domain – key management)
  • 19. Security stack::Cryptography • Key generation • Key escrow • Host and Network HSM • Certificate management & PKI
  • 20. Cryptography relationships (diagram; labels recovered: Data security and Host security – store encryption keys, email certificates, disk encryption; Identity and Access – certificates for authentication; Security event management – digital signatures of log files, encryption of sensitive logs; Application security – application signing, encrypted and signed application communication; Network security – IPSec VPN, SSL VPN, SSL split tunnel)
  • 21. Security stack::SIEM • Collection of security relevant logs • Archiving – retention • Correlation with other data sources • Acting on security information • Ideal to use MSSP
  • 22. SIEM relationships (diagram; labels recovered: CMDB – collect security configuration; Security event management – collect, analyse and react on security events; linked domains – Identity and Access, Data security, Network security, Cryptography, Application security)
  • 23. Security metrics characteristics • Measurable • Objective • Quantitative (ideally) • Meaningful • With KPIs attached – know what is good and bad • Linked to business objectives – money speaks
  • 24. Metrics for CIO – Policy compliance and control maturity (trend arrows not recovered)
    | Policy statement | IT Unit A | IT Unit B | IT Unit C | Overall IT |
    | Governance | 3 | 3.5 | 2 | 3 |
    | Awareness | 3 | 4 | 3 | 3.5 |
    | Development | N/A | 2 | 1 | 1.5 |
    | Hardening | 4 | N/A | 2 | 3 |
    | Network | N/A | N/A | 3 | 3 |
    | End devices | 2 | 2 | 3 | 2 |
    | Overall | 3 (£3m) | 3 (100k) | 2 (£10m) | 3 (£13.1m) |
  • 25. Metrics for CIO – Maturity of controls for business processes/services. Invest in IT service to lower the VaR.
    | IT Service / Business process | IT Maturity | VaR for Process A | VaR for Process B | VaR for Process C | VaR for IT service |
    | IT Service 1 | 2 | £1m | £2m | £1m | £4m |
    | Infrastructure | 3 | £1m | £3m | £10m | £14m |
    | IT Service 2 | 3 | £0.5m | N/A | £20m | £20.5m |
    | IT Service 3 | 4 | N/A | £100k | £500k | £600k |
    | Overall | | £2.5m | £5.1k | £31.5m | £39.1m |
  • 26. Summary • Business drives security • Reuse good content from information security community • Security policy framework – target audience, think of implementation • Link security metrics to policy which is linked to business objectives • All rounded security controls – good prevention against cyber threats

Editor's Notes

  1. This model is used to link the security technologies reference model and blueprints to business requirements. All security technology must support at least one information security process; otherwise it should not be deployed. By linking requirements to policies, to processes and to technologies we can be assured that the technologies we deploy are justifiable and, at the same time, we know there should be no gaps. Information Security is a journey, not a project, and needs to be treated accordingly. The Information Security Policy is driven by business, legal and regulatory requirements, which then mandate what security processes must and should be implemented. The IT Security policy is based on the ISF Standard of Good Practice (SoGP), which maps to major regulatory and international standards. Security processes are run by People using Technology and report to the Information Security Centre, where data is correlated, normalised and made available for management decisions, all at the appropriate level of detail for the audience. The effectiveness of security processes is measured by internal security metrics that are based on accepted best-practice metrics, hence Nokia’s information security status can be compared with other companies.
  2. Why an infosec policy and then an IT sec policy: the IT sec policy is for the CIO/CTO. Architecture repository -
  3. Examples of business objectives: increase market share by adopting e-commerce; increase output in factories by 20%. Examples of security processes: security controls can span more than one security process, and security processes typically cover multiple controls.
  4. Areas support each other, all feed into SIEM and GRC
  5. Network firewalls – ideally application-session aware; audit the configuration. VPN gateways – linked to the IAEM platform, Network Access Control, application streaming. Network Intrusion Detection/Prevention – physical and virtual, linked to CMDB, vulnerability data and logging. DDoS – protecting against flooding but also application-specific DoS.
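The traceability that slide 6 and editor's note 1 describe, as an added example that is not part of the presentation: a small Python model that links business objectives to security objectives, controls, security processes and stack technologies, then answers the two slide-6 questions by reporting gaps top-down ("Do we have all business risks covered?") and justification chains bottom-up ("Why are we doing this?"). It also applies the note-1 rule that a technology supporting no security process is not justified. All identifiers (BO1–BO4, SO1–SO4, C1–C4, P1–P2) and the technology names are constructed sample data; the business-objective wording follows editor's note 3.

```python
"""Traceability check for the slide-6 security model (added example, not the
presentation's code).  All ids and technology names below are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class SecurityModel:
    """Each layer records which items of the layer above it supports."""
    business_objectives: Dict[str, str]        # BO id -> description
    security_objectives: Dict[str, Set[str]]   # SO id -> BO ids it supports
    controls: Dict[str, Set[str]]              # control id -> SO ids it implements
    processes: Dict[str, Set[str]]             # process id -> control ids it operates
    technologies: Dict[str, Set[str]]          # technology -> process ids it supports

    # --- top-down: "Do we have all business risks covered?" ---
    def uncovered_business_objectives(self) -> Set[str]:
        """Business objectives no security objective claims to support."""
        return set(self.business_objectives) - set().union(*self.security_objectives.values())

    def security_objectives_without_control(self) -> Set[str]:
        """Security objectives that no control implements."""
        return set(self.security_objectives) - set().union(*self.controls.values())

    def controls_without_process(self) -> Set[str]:
        """Controls nobody operates: defined on paper, never run."""
        return set(self.controls) - set().union(*self.processes.values())

    # --- bottom-up: "Why are we doing this?" ---
    def unjustified_technologies(self) -> Set[str]:
        """Technologies supporting no defined process (editor's note 1: not deployable)."""
        return {tech for tech, procs in self.technologies.items()
                if not procs & set(self.processes)}

    def justification(self, technology: str) -> List[Tuple[str, ...]]:
        """Every chain technology -> process -> control -> security objective -> business objective."""
        chains: List[Tuple[str, ...]] = []
        for proc in sorted(self.technologies.get(technology, set()) & set(self.processes)):
            for ctrl in sorted(self.processes[proc]):
                for so in sorted(self.controls.get(ctrl, set())):
                    for bo in sorted(self.security_objectives.get(so, set())):
                        chains.append((technology, proc, ctrl, so, bo))
        return chains


def gap_report(model: SecurityModel) -> Dict[str, Set[str]]:
    """All four gap classes in one place, for the metrics portal or a review."""
    return {
        "business objectives without security objective": model.uncovered_business_objectives(),
        "security objectives without control": model.security_objectives_without_control(),
        "controls without process": model.controls_without_process(),
        "technologies without process": model.unjustified_technologies(),
    }


def build_sample_model() -> SecurityModel:
    """Constructed sample data; each layer was given one deliberate gap."""
    return SecurityModel(
        business_objectives={
            "BO1": "Increase market share by adopting e-commerce",
            "BO2": "Increase output in factories by 20%",
            "BO3": "Keep card-holder data within PCI DSS scope controls",
            "BO4": "Open a partner API for distributors",   # gap: no SO supports it
        },
        security_objectives={
            "SO1": {"BO1", "BO3"},   # protect customer and card data online
            "SO2": {"BO1"},          # keep the web shop available
            "SO3": {"BO2"},          # keep the plant control network segregated
            "SO4": {"BO1"},          # gap: no control implements it
        },
        controls={
            "C1": {"SO1"},           # web application protection
            "C2": {"SO1", "SO3"},    # network segmentation
            "C3": {"SO2"},           # DDoS protection
            "C4": {"SO1"},           # gap: database encryption, no process runs it
        },
        processes={
            "P1": {"C1", "C3"},      # perimeter monitoring
            "P2": {"C2"},            # network change control
        },
        technologies={
            "WAF": {"P1"},
            "DDoS scrubbing": {"P1"},
            "Network firewalls": {"P2"},
            "Watermarking": set(),   # gap: supports no process, so not justified
        },
    )


if __name__ == "__main__":
    model = build_sample_model()
    for gap, items in gap_report(model).items():
        print(f"{gap}: {sorted(items) or 'none'}")
    for chain in model.justification("WAF"):
        print(" -> ".join(chain))
```

Run stand-alone it prints one line per gap class (BO4, SO4, C4 and Watermarking in the sample) and the three chains that justify the WAF back to BO1 and BO3. The same structure is what slide 24's per-policy maturity roll-up needs as its spine: once every technology has a chain to a policy statement, maturity scores can be aggregated along it rather than reported per product.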