From: <vi...@is...> - 2006-03-22 14:11:40

Dear All,

We have finally revised ISM3. This version brings interesting novelties:
- Process Metrics.
- Revised Maturity Levels.
- Guidelines for accreditation.
- Guidelines for outsourcing.
- Guidelines for implementation.
- Revised Glossary.
- Vastly improved guidance on classification of information and information systems.
- Updated references.

Check http://www.fistconference.org/data/presentaciones/ism3v1.1.pdf for more details.

The PDF is attached as an extensionless zipped file. I hope Marta can upload it to the ISECOM website soon (thanks).

My best

Vicente
From: Edward <est...@du...> - 2006-02-06 20:10:50

I admit to having some difficulty with the current process template; it's the four metric headings that are the problem. Could we run them all together in this context, and break them out separately in a template for the implementers to use? Some comments are attached in the PDF.

Any views?

Regards
Edward
From: Edward <est...@du...> - 2006-02-04 20:59:08

I think we should lose section 2.2; the structure should be clear from the index.

Edward
From: Edward S. <est...@ho...> - 2006-02-04 14:59:32

OK, Vince et al.

I'd like to suggest some changes of terminology to make the ISM3 model more accessible. Please see the attached summary page (section 2.1). If I have your agreement, I will continue through the document suggesting further tweaks, in order to improve readability and clarity.

One thing I think we should do is reduce the size of the whole of section 2: take it right back to the bare basics if possible. Use of diagrams may help with this, and there should be zero elements of repetition.

The index: I hate the index; could we have one in a similar format to the OSSTMM index, i.e. minimal sub-section numbers? More stylish.

Regards
Edward
From: <vi...@is...> - 2006-01-09 17:26:35

I attach, as an unextensioned zipped PDF file, the version that will soon be published on the ISECOM website. I'd be happy to receive your comments.

Sincerely

Vicente Aceituno
From: Pete H. <li...@is...> - 2006-01-02 22:22:12

This is meant specifically to be a methodology for the European method of TPM as an open competitor to Microsoft. It would be for secure start-up technology as well, using the Fritz chip (TPM chip). We have 26 other partners in this including AMD, HP, IBM, SUSE, and Infineon.

-pete.

Rafael Ausejo Prieto wrote:
> Microsoft is working right now on a trusted computing platform for
> Windows Vista, including a TPM module with some interesting features such as
> rooted boot integrity and encryption. Secure Startup technology provides
> secure boot, hard drive encryption, and TPM services.
From: <vi...@is...> - 2006-01-02 14:59:46

I have deleted OSP-13 and added some precision in several paragraphs. The new deadline for completion is January the 10th.

Todo:
- I am adding codes for documents, so they can be tracked more easily, automatically or between translations of ISM3.
- I will review the metric descriptions and cross them with work products to make sure nothing is missing.
- Finally, I got Edward's opinion, but I still need more feedback on the role of metrics in accreditation. Should they be mandatory? Can they be audited? Does an ISM3 Level 5 make sense?

Zipped PDF (without extension) attached. The attached xls includes the relation between ISM3 categories and traditional categories of information (confidentiality et al).

My best

Vicente
From: Rafael A. P. <ra...@au...> - 2005-12-31 12:33:07

Microsoft is working right now on a trusted computing platform for Windows Vista, including a TPM module with some interesting features such as rooted boot integrity and encryption. Secure Startup technology provides secure boot, hard drive encryption, and TPM services.

Pete Herzog wrote:
> I think that's a very good idea. I think one of the biggest challenges
> we face when developing methodologies and standards is to look past the
> pervasive products which we see as standards. Our own experiences work
> against us and often it's a slow climb out of this dark hole. The worst
> is that as we do so, we try to get others to see what we now see and are
> met with the same resistance that those who challenged the sun's
> rotation of the earth had encountered.
>
> Sorry, I'm just a little frustrated with the sec industry again. Happens
> every year around this time ;)
>
> On that note, sorry Vicente, I had to ask, but is anyone here interested
> in working on a trusted computing methodology? It's somewhere
> in-between infosec management, infosec testing, and low-level OS change
> control. So I'm looking for people who are OSSTMM, ISM3, and OMCD
> oriented to help develop a framework for OpenTC (www.opentc.net). I
> will make requests on the other lists later once the project is posting
> on the ISECOM website.
>
> Sincerely,
> -pete.

--
Rafael Ausejo Prieto
www.ausejo.net
From: Pete H. <li...@is...> - 2005-12-30 10:50:34

I think that's a very good idea. I think one of the biggest challenges we face when developing methodologies and standards is to look past the pervasive products which we see as standards. Our own experiences work against us and often it's a slow climb out of this dark hole. The worst is that as we do so, we try to get others to see what we now see and are met with the same resistance that those who challenged the sun's rotation of the earth had encountered.

Sorry, I'm just a little frustrated with the sec industry again. Happens every year around this time ;)

On that note, sorry Vicente, I had to ask, but is anyone here interested in working on a trusted computing methodology? It's somewhere in-between infosec management, infosec testing, and low-level OS change control. So I'm looking for people who are OSSTMM, ISM3, and OMCD oriented to help develop a framework for OpenTC (www.opentc.net). I will make requests on the other lists later once the project is posting on the ISECOM website.

Sincerely,
-pete.

vi...@is... wrote:
> Hi,
>
> I'd like your advice on this.
>
> I am seriously considering killing OSP-13 Encryption Management.
>
> The reason is that I think encryption is just a technology to perform
> access control (like not allowing access to a secret repository).
>
> Specifically, it helps to:
> - Hold the users accountable for the repositories and messages they
> create or modify;
> - Hold the users accountable for their use of Services and acceptance of
> contracts and agreements;
> - Precision, relevance and consistency of repositories is assured;
> - Use of services and access to repositories is restricted to authorized users;
> - Intellectual property is accessible to authorized users only;
> - Private information of clients and employees is accessible for a valid
> purpose to authorized users only and is held for no longer than required;
> - Secrets are accessible to authorized users only;
> - Third party services and repositories are appropriately licensed and
> accessible only to authorised users.
>
> So what I plan to do is to transfer some of the content to "OSP-11 Access
> control over services, repositories channels and interfaces", and remove
> the appropriate references to it.
>
> Opinions?
>
> Happy New Year
>
> Vicente
From: <vi...@is...> - 2005-12-30 10:23:26

Hi,

I'd like your advice on this.

I am seriously considering killing OSP-13 Encryption Management.

The reason is that I think encryption is just a technology to perform access control (like not allowing access to a secret repository).

Specifically, it helps to:
- Hold the users accountable for the repositories and messages they create or modify;
- Hold the users accountable for their use of Services and acceptance of contracts and agreements;
- Precision, relevance and consistency of repositories is assured;
- Use of services and access to repositories is restricted to authorized users;
- Intellectual property is accessible to authorized users only;
- Private information of clients and employees is accessible for a valid purpose to authorized users only and is held for no longer than required;
- Secrets are accessible to authorized users only;
- Third party services and repositories are appropriately licensed and accessible only to authorised users.

So what I plan to do is to transfer some of the content to "OSP-11 Access control over services, repositories channels and interfaces", and remove the appropriate references to it.

Opinions?

Happy New Year

Vicente
From: Edward S. <est...@ho...> - 2005-12-29 09:22:12

ISO27001 (used to be known as BS7799-2) requires measurement of the effectiveness of controls. ISO27004 will soon be published covering security metrics: http://www.iso27001security.com/html/iso27000.html

Therefore for ISO27000 compliance, an organisation will need to develop metrics. Every maturity level of ISM3 which is certifiable to ISO27001 would need appropriate metrics, to cover the ISO27000 controls.

Say an organisation does not opt for ISO27000 certification, and just implements ISM3: I'd still say that without measurement, you cannot manage, and therefore metrics are essential to any management system, i.e. Level 1 of ISM3!

However, rather than define compulsory metrics, it would be better to allow flexibility. I would say you should require evidence for the collection and review of appropriate metric(s) as part of the "Supervised" criteria for Certification.

Regards
Edward

>From: vi...@is...
>To: ise...@li...
>Subject: [ISECOM-ISM3] Maturity Levels
>Date: Wed, 28 Dec 2005 06:45:53 -0500 (EST)
>
>Hi,
>
>I have an important question for you.
>
>The current Maturity Levels structure can be certified as ISO9001
>compliant or BS7799-2 compliant. Do you think it would be wise to establish
>a fifth level, Level 5, where metrics were compulsory instead of
>optional? Could this level and this particular requirement be tested using
>ISO9001 or BS7799-2 audit processes?
>
>Happy New Year
>
>Vicente
>
>P.S. Zip attached without extension
><< ISM3_v1.120051226 >>
From: <vi...@is...> - 2005-12-28 11:46:04

Hi,

I have an important question for you.

The current Maturity Levels structure can be certified as ISO9001 compliant or BS7799-2 compliant. Do you think it would be wise to establish a fifth level, Level 5, where metrics were compulsory instead of optional? Could this level and this particular requirement be tested using ISO9001 or BS7799-2 audit processes?

Happy New Year

Vicente

P.S. Zip attached without extension
From: Vicente A. <ace...@ya...> - 2005-12-24 14:59:53

Dear All,

The last draft release of ISM3 v1.1 is out. It incorporates the comments from several reviewers. Those who make a significant contribution will be mentioned on page 2 in the final release.

The draft is available at:
http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1-20051221.zip

There might be some typos, or even some sentence that doesn't make sense. That's why it's called a draft :)

I am pretty confident about the changes in yellow; I would like a second opinion about the changes in green. The earlier I get your comments, the more chance they will make it into the final release. The new deadline is January the 2nd.

As most of you know, ISM3 is a standard for the creation of business-oriented ISM systems. Some qualities of ISM3 v1.1 are:
- It is an open standard.
- It is fully compatible with ITIL, ISO9000, CMMI, Cobit and ISO17799 / BS 7799-2.
- It incorporates security governance considerations.
- It scales to small and big organizations.
- It adapts to young and established organizations.
- It is rich in implementation guidance, like for example security responsibilities.
- Its process orientation integrates well with ITIL.
- It supports explicitly the outsourcing of security management and operations processes.
- ISM3 based ISM systems are accreditable.
- Guidance on accreditable scope.
- Metrics, that help to manage the processes and measure the success of the ISM system.
- Accreditation process.
- Guidance on using ISM3 in outsourcing and partners/vendors partnerships.

Repost of an old mail to this list:

Some very good comparatives between security methodologies are:
http://www.phi-solutions.com/documents/ISO17799_SSE_CMM_comparison.pdf
http://www.phi-solutions.com/documents/ISO9001_BS7799-2_ISO13335_comparison.pdf
http://www.cerias.purdue.edu/news_and_events/events/symposium/2004/posters/pdfs/Metrics%20Based%20Security%20Assessment.pdf
http://www.securityforum.org/assests/pdf/sec_stan.pdf
http://www.theiia.org/iia/download.cfm?file=404
http://www.cyberpartnership.org/InfoSecGov4_04.pdf
http://www.bsa.org/resources/loader.cfm?url=/commonspot/security/getfile.cfm&PageID=5841
http://www.itsmf.org.za/Presentations/CobiT%20ITIL%20and%20BS7799.pdf

I am planning to hold a conference on ISM3 v1.1 in India around the 20th of January. If you are interested, drop me a mail to vi...@is... (not to this list), and I will make sure you get all the details.

Merry Xmas

Vicente Aceituno
From: Andre B. <and...@no...> - 2005-12-12 13:26:01

Hi M.Ramkumar, you have to include the text after the space also. The full link is http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1%2020051211.pdf where the "%20" acts as a space.

Have a nice day...

-----Original Message-----
From: ise...@li... [mailto:ise...@li...] On behalf of Ramkumar R
Sent: 12 December 2005 07:02
To: vi...@is...; ise...@li...
Subject: [ISECOM-ISM3] RE: New ISM3 snapshot
Importance: High

Hi Vicente,

The link is not working...! Pl help.

With warm Regards,
R.Ramkumar
Executive Director - KPQR

-----Original Message-----
From: vi...@is... [mailto:vi...@is...]
Sent: Monday, December 12, 2005 12:15 AM
To: ise...@li...
Subject: New ISM3 snapshot

The latest snapshot is available from:

http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1 20051211.pdf

You can choose to post me your comments privately or copy the ism3 list.

Those who didn't comment on the last one won't get the next if I don't receive any news from them this week.

My best

Vicente
From: Ramkumar R <ram...@kp...> - 2005-12-12 12:02:19

Hi Vicente,

The link is not working...! Pl help.

With warm Regards,
R.Ramkumar
Executive Director - KPQR

-----Original Message-----
From: vi...@is... [mailto:vi...@is...]
Sent: Monday, December 12, 2005 12:15 AM
To: ise...@li...
Subject: New ISM3 snapshot

The latest snapshot is available from:

http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1 20051211.pdf

You can choose to post me your comments privately or copy the ism3 list.

Those who didn't comment on the last one won't get the next if I don't receive any news from them this week.

My best

Vicente
From: <vi...@is...> - 2005-12-11 18:45:34

The latest snapshot is available from:

http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1 20051211.pdf

You can choose to post me your comments privately or copy the ism3 list.

Those who didn't comment on the last one won't get the next if I don't receive any news from them this week.

My best

Vicente
From: <vi...@is...> - 2005-11-28 14:35:20

Questions to close before final release:
- License. What is the best license for ISM3?
- Metrics+RAVs. Are the defined metrics measurable, and do they help to take management decisions?
- Accreditation process. The BS7799-2 and ISO9001 accreditation routes must be clearly explained.
- Scope of Accreditation. The limits for accreditation that will make accreditation meaningful must be set.
- GP-2 ISMS Audit.
- TSP-4 Service Level Management. This process has been filled with content. Should a similar process be set up at the Strategic Level?
- OSP-13 Encryption Management. I am unhappy with the current metrics of this process. Any suggestions about how to fix it?
- Guidance on job descriptions. This shouldn't be difficult, as responsibilities are explained all over ISM3.
- Supervision structure. Same as above.
- Resources. Resources needed for each process (people, technology, money, time...). Should we give some guidance on the resources needed to implement every / some of the processes? Any volunteer for this?
- We should detect contradictions between ISM3 and ITIL, Cobit, ISO9001, CISWG report, CMMI and ISO27000. If someone volunteers, I have some material that could allow us to publish a fairly complete mapping between standards.

I'd like to include some graph expressing how ISM3 applies PDCA. (See attachment)

My best

Vicente Aceituno
From: <vi...@is...> - 2005-11-27 22:41:30

You can download the latest version for your review from:
http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1-20051127.pdf

You can choose to post me your comments privately or copy the ism3 list.

My best, and thanks for your help

Vicente Aceituno
From: <vi...@is...> - 2005-11-19 18:19:43

This is for your eyes only. Changes are in yellow and red.

Main Changes and assignees:
- Metrics (Me)
- Scope (Anup)
- Deployment (Anup)
- New process: GP-2 ( )
- Risk Analysis Posture (Eduardo?)
- Accreditation Process (Anup)
- Relation to Partners, Vendors and Outsourcing providers.

Smaller changes:
- References to NDA and data recovery among others.
- Glossary
- References

I need examples of significant committees. (page 12)

Please identify any term that should be in the glossary and is not.

Regards / Sincerely

Vicente

P.S. The mail server is giving me grief. The attached file is a zipped (7z) pdf.
From: <vi...@is...> - 2005-11-16 15:59:09

I have been checking the relationship between Security Objectives and the management processes.

The attached xls presents a relation between security objectives, techniques and ISM3 processes. There is not a real one-to-one relation between security objectives and ISM3 processes. For this reason this probably won't go into ISM3 v1.1. It is just a sanity check that all the important security techniques are being incorporated in the ISM3 processes.

My best

Vicente
From: <vi...@is...> - 2005-11-08 17:23:10

Dear All,

I think I will be able to give you news soon about a real implementation of ISM3 in progress.

In the meantime, I want to tell you about the stuff that will go into ISM3 v1.1:

1- EA 7/03 additions - done
2- OSSTMM synchronization
3- Scope considerations (any volunteer?)
4- Implementation process (any volunteer?)
5- Accreditation and Certification processes
6- Governance in line with CISWG reports.
7- METRICS.

*Efficiency metrics/ROSI: Efficacy compared to investment. Efficacy is related to averted incidents.

*I think we should cover Activity metrics in a general way, showing how to use them to distinguish normal from abnormal activity. What are your criteria for this? My own criterion is that "Abnormal" is over or below the arithmetic mean plus/minus 2 standard deviations of the arithmetic mean.

*Availability metrics. These make sense only at the operational level.
*Coverage metrics. These make sense only at the operational level.
*Update metrics. These make sense only at the operational level.

*The processes will be classified as:
- Action processes. These are continuous in time.
- Triggered processes. These are performed on an as-needed basis.
- Prevention. These can't reach "abnormal" levels, as they prepare the organization to better perform the rest of the processes.

*The management diagnosis of out-of-bounds metrics should be:
1- Process fault.
2- TPSRSR fault.
3- Fault in PDCA process.
4- Technology fault / Technology used doesn't perform as expected.
5- Inadequate funding (The process was designed under funding constraints, the technology was chosen considering funding constraints.)
6- Security Target too high.

Every metric described will help to reach one of these conclusions. As the corresponding management action is obvious, we can express that as well.

I await your feedback on my last week's post on metrics.

My best

Vicente Aceituno
From: Anup N. <an...@ju...> - 2005-11-03 10:31:26

Dear Members,

I am glad to join the ISM3 effort and I would like to introduce myself. My name is Anup Narayanan and I am from Kerala, India. I am a CISA and CISSP and have been working in the field of Information Security for the past 6 years. In fact I run my own Information Security Consultancy firm (www.juvenaconsulting.com).

I felt attracted to ISM3, after having worked with the BS7799 standard for quite some time. What I could gauge was that the management of the organizations where I was deploying BS7799 did not understand what they were doing, but they wanted it done, else they would not get business from security conscious customers.

I appreciate Vicente's efforts to create an ISMS which is aligned towards the business goals of the organization and which is flexible enough to be implemented by organizations of all sizes and easily understood by the Senior Management.

I look forward to contributing my best towards the effort.

Warm Regards,
Anup Narayanan

----- Original Message -----
From: vi...@is...
To: ise...@li...
Sent: Wednesday, November 02, 2005 4:01 PM
Subject: [ISECOM-ISM3] Metrics b4 new Year

Dear All,

I plan to publish a revision of ISM3 before the end of this year, with your help, of course. This revision will have some small tweaks, like EA 7/03 additions, OSSTMM synchronization, being more specific on ISM3 minimum scope, specifying the accreditation and certification processes and METRICS.

I attach a preview of my work on Metrics for ISM3. For the time being it is just a list. I have come to realize that metrics are a dime a dozen. It's very easy to make up things you could measure. Far more difficult is to make up things that can trigger management decisions. So the criteria for inclusion of metrics in ISM3 v1.1 will be:

- The metric can't reach a value and stay there. Example: Percentage of security policies written. This kind of metric would be a project management progress metric, not a management process (versus project) metric.
- The metric must help to detect abnormal conditions, or help to take decisions.
- "Normal conditions" won't be pre-defined. This means that historic data of the metric must let us know what are the normal values for the metric. For example, if we know the arithmetic mean and the standard deviation, values within the AM plus minus the standard deviation will be considered "normal". I hope to reach a manageable number of meaningful metrics.
- Four main categories of metrics will be used:
--Activity: This metric measures how many "work products" have been produced.
--Coverage: This metric measures if all defined environments or systems are being protected by the process. For example, AV could be installed on only 50% of user PCs.
--Update: This metric measures how updated or recent the process is.
--Availability: This metric measures if there have been failures in the processes.

Metrics will be defined expressing the associated action when the metric indicates abnormalities.

There are four types of processes:
- Management processes.
- Action processes. These are continuous in time.
- Triggered processes. These are performed on an as-needed basis.
- Prevention. These can't reach "abnormal" levels, as they prepare the organization to better perform the rest of the processes.

As this is a lot of work, I expect some of you to come forward and undertake the detailed definition of a few of the processes. The rest can review the ongoing work.

BTW, we have a new member, Anup Narayanan has joined the ISM3 effort.

My best

Vicente Aceituno
From: <vi...@is...> - 2005-11-02 10:31:11

Dear All,

I plan to publish a revision of ISM3 before the end of this year, with your help, of course. This revision will have some small tweaks, like EA 7/03 additions, OSSTMM synchronization, being more specific on ISM3 minimum scope, specifying the accreditation and certification processes and METRICS.

I attach a preview of my work on Metrics for ISM3. For the time being it is just a list. I have come to realize that metrics are a dime a dozen. It's very easy to make up things you could measure. Far more difficult is to make up things that can trigger management decisions. So the criteria for inclusion of metrics in ISM3 v1.1 will be:

- The metric can't reach a value and stay there. Example: Percentage of security policies written. This kind of metric would be a project management progress metric, not a management process (versus project) metric.
- The metric must help to detect abnormal conditions, or help to take decisions.
- "Normal conditions" won't be pre-defined. This means that historic data of the metric must let us know what are the normal values for the metric. For example, if we know the arithmetic mean and the standard deviation, values within the AM plus minus the standard deviation will be considered "normal". I hope to reach a manageable number of meaningful metrics.
- Four main categories of metrics will be used:
--Activity: This metric measures how many "work products" have been produced.
--Coverage: This metric measures if all defined environments or systems are being protected by the process. For example, AV could be installed on only 50% of user PCs.
--Update: This metric measures how updated or recent the process is.
--Availability: This metric measures if there have been failures in the processes.

Metrics will be defined expressing the associated action when the metric indicates abnormalities.

There are four types of processes:
- Management processes.
- Action processes. These are continuous in time.
- Triggered processes. These are performed on an as-needed basis.
- Prevention. These can't reach "abnormal" levels, as they prepare the organization to better perform the rest of the processes.

As this is a lot of work, I expect some of you to come forward and undertake the detailed definition of a few of the processes. The rest can review the ongoing work.

BTW, we have a new member, Anup Narayanan has joined the ISM3 effort.

My best

Vicente Aceituno
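The baseline rule discussed in the two messages above (the 2005-11-02 note: "normal" is within the arithmetic mean plus/minus one standard deviation of the metric's own history; the 2005-11-08 note: abnormal is beyond two standard deviations) is small enough to show as working code. The following is an added example written for this page, not code from the ISM3 standard or from anyone on the list. The metric (weekly counts of a hypothetical work product), the numbers, the window size and the rule of not feeding flagged points back into the baseline are all constructed assumptions.

```python
"""Baseline check for an ISM3-style activity metric (added example).

"Normal" is not pre-defined: the metric's history gives an arithmetic
mean (AM) and a standard deviation (SD), and values outside AM +/- k*SD
are abnormal. k = 1 and k = 2 were both floated on the list; the code
takes k as a parameter so the two can be compared on the same data.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, stdev
from typing import List, Sequence, Tuple

# Constructed history: 12 weekly counts of a hypothetical work product
# (say, malware detections reported by the AV process).
HISTORY: List[float] = [14, 17, 15, 16, 13, 18, 15, 16, 14, 17, 16, 15]

# Constructed continuation: a spike, then a near-zero week (an agent that
# stopped reporting looks like a drop, which is a coverage/availability
# problem rather than good news), then an ordinary week.
SERIES: List[float] = HISTORY + [41, 2, 16]


@dataclass(frozen=True)
class Baseline:
    """AM and SD of a metric's history plus the multiplier k that sets the band."""
    am: float
    sd: float
    k: float

    @property
    def lower(self) -> float:
        return self.am - self.k * self.sd

    @property
    def upper(self) -> float:
        return self.am + self.k * self.sd

    def classify(self, value: float) -> str:
        """Return 'low', 'high' or 'normal' relative to AM +/- k*SD.

        If the history is constant, sd == 0 and any change is flagged.
        That is what the rule says, and it is the right behaviour for a
        metric that should never move (e.g. number of admin accounts).
        """
        if value < self.lower:
            return "low"
        if value > self.upper:
            return "high"
        return "normal"


def build_baseline(history: Sequence[float], k: float = 2.0,
                   min_points: int = 8) -> Baseline:
    """Derive the band from history alone; refuse to guess from too few points.

    statistics.stdev is the sample SD (n-1 denominator), the conservative
    choice for a short history.
    """
    if len(history) < min_points:
        raise ValueError(f"need at least {min_points} points, got {len(history)}")
    return Baseline(am=mean(history), sd=stdev(history), k=k)


def flag_series(series: Sequence[float], window: int = 8,
                k: float = 2.0) -> List[Tuple[float, str]]:
    """Judge each point after the first `window` against a rolling baseline.

    Points the check flags are NOT fed back into the baseline (a constructed
    design choice), so a single spike does not widen the band and hide the
    weeks that follow it.
    """
    recent = list(series[:window])
    out: List[Tuple[float, str]] = []
    for value in series[window:]:
        label = build_baseline(recent, k=k, min_points=window).classify(value)
        out.append((value, label))
        if label == "normal":
            recent = (recent + [value])[-window:]
    return out


def report(series: Sequence[float], k: float) -> List[str]:
    """Report lines, returned rather than printed so a caller can inspect them."""
    return [f"{value:>5g}  {label}" for value, label in flag_series(series, k=k)]


if __name__ == "__main__":
    for k in (1.0, 2.0):
        b = build_baseline(HISTORY, k=k)
        print(f"k={k}: AM={b.am:.2f} SD={b.sd:.2f} band=[{b.lower:.2f}, {b.upper:.2f}]")
    print("\n".join(report(SERIES, k=2.0)))
```

On the constructed history the two proposals differ in the way one would expect: with k = 1 an ordinary week of 17 detections is already "high" (for roughly Gaussian data about a third of normal weeks land outside a one-SD band), while with k = 2 only the spike and the near-zero week are flagged. Which k is right is a management decision about tolerable false alarms; the point of the example is that the history, not a fixed number, sets the band, and that a low reading deserves the same attention as a high one.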
From: Vicente A. <ace...@ya...> - 2005-09-29 08:01:40

Hi,

I think it is high time to add metrics to ISM3. Please submit your ideas about what would be the best metrics for every ISM3 process.

Thanks for your help.

Vicente Aceituno
From: Anthony B. N. <abn...@es...> - 2005-08-31 16:10:30

At 01:31 AM 31/08/05, vi...@is... wrote:
>On the other hand, if a company just wants to cheat the system, they can
>falsify not only documents but any other information source, so I don't
>see how you can have the guarantee that you are not being fooled...

I agree. There is no such thing as a certification that cannot be cheated; I just want to make it a bit more difficult to get away with it.

>I think ISM3 has the strength of being suitable to every different need and
>resources availability, so normally it will be cheaper and it will make
>more sense to actually implement it rather than faking it.

I think you are right, most everyone who wants the certification will go to the effort of implementing it. However, for the certification to be of value to the outside world, it has to have controls within it that make cheating difficult, otherwise the suspicion will be there that a significant population of cheaters exists. (I can verify from talking to some of the engineers at client companies that the view of ISO 9000 is that it is only as good as the company implementing it, and if you don't trust the company, you don't trust the certification. This to the extent that they will ask for ISO 9000 certification as a minimum, but once you verify that you have it you have only passed the first test, and someone is sent out to verify that it is real. Cheating has devalued the certification, even if the number of cheaters is small.)

A.B.N.

>Sincerely
>
>Vicente