isecom-ism3 — Information Security Management Maturity Model

[ISECOM-ISM3] ISM3 v1.15 finally out

[<vi...@is...>]

Dear All,

We have finally revised ISM3, this version brings interesting novelties:
- Process Metrics.
- Revised Maturity Levels.
- Guidelines for accreditation.
- Guidelines for outsourcing.
- Guidelines for implementation.
- Revised Glossary.
- Vastly improved guidance on classification of information and
information systems.
- Updated references.

Check http://www.fistconference.org/data/presentaciones/ism3v1.1.pdf for
more details.

The PDF is attached as a extensionless ZIPed file.

I hope Marta can upload it to the ISECOM website soon (thanks)

My best

Vicente

[ISECOM-ISM3] ISM3 1.1 Sections 2.3-2.4 - the Process template

[Edward <est...@du...>]

I admit to having some difficulty with the current process template;  its the 
four metric headings that are the problem - could we run them all together in 
this context.  Break them out separately in a template for the implementers 
to use.

Some comments are attached in the pdf.  Any views?  

Regards
Edward

[ISECOM-ISM3] ISM3 Section 2.2

[Edward <est...@du...>]

I think we should lose section 2.2;  the structure should be clear from the 
index.
Edward

[ISECOM-ISM3] ISM3 1.1 Review - Intro Section

[Edward S. <est...@ho...>]

OK, Vince et al.

I'd like to suggest some changes of terminology to make the ISM3 model more
accessible.  Please see the attached summary page (section 2.1).  If I have
your agreement, I will continue through the document suggesting further
tweaks, in order to improve readability and clarity.

One thing I think we should do is reduce the size of the whole of section 2 
-
take it right back to the bare basics if possible.  Use of diagrams may help
with this, and there should be zero elements of repetition.

The index - I hate the index;  could we have one in a similar format to the
OSTMM index, i.e. minimal sub-section numbers - more stylish.

Regards
Edward

_________________________________________________________________
The new MSN Search Toolbar now includes Desktop search! 
http://toolbar.msn.co.uk/

[ISECOM-ISM3] Final

[<vi...@is...>]

I attach, as a unextensioned zipped PDF file, the version that will soon
be published in the ISECOM website.

I'd be happy to receive your comments.

Sincerely

Vicente Aceituno

Re: [ISECOM-ISM3] Killing Encrypytion

[Pete H. <li...@is...>]

This is meant specifically to be a methodology for the European method 
of TPM as an open competitor to Microsoft.

It would be for secure start-up technology as well using the Fritz chip 
(TPM chip).  We have 26 other partners in this including AMD, HP, IBM, 
SUSE, and Infineon.

-pete.


Rafael Ausejo Prieto wrote:
> Microsoft is working right now in a trusted computing platform for 
> Windows Vista, including a TPM module with some interesting features as
> rooted boot integrity and encryption. Secure Startup technology provides 
> secure boot, hard drive encryption, and TPM services.
> 
> Pete Herzog wrote:
>> I think that's a very good idea.  I think one of the biggest 
>> challenges we face when developing methodologies and standards is to 
>> look past the pervasive products which we see as standards.  Our own 
>> experiences work against us and often it's a slow climb out of this 
>> dark hole.  The worst is that as we do so, we try to get others to see 
>> what we now see and are met with the same resistance that those who 
>> challenged the sun's rotation of the earth had encountered.
>>
>> Sorry, I'm just a little frustrated with the sec industry again. 
>> Happens every year around this time ;)
>>
>> On that note, sorry Vicente, I had to ask, but is anyone here 
>> interested in working on a trusted computing methodology?  It's 
>> somewhere in-between infosec management, infosec testing, and 
>> low-level OS change control.  So I'm looking for people who are 
>> OSSTMM, ISM3, and OMCD oriented to help develop a framework for OpenTC 
>> (www.opentc.net).  I will make requests on the other lists later once 
>> the project is posting on the ISECOM website.
>>
>> Sincerely,
>> -pete.
>>
>>
>> vi...@is... wrote:
>>
>>> Hi,
>>>
>>> I'd like your advice on this.
>>>
>>> I am seriously considering killing OSP-13 Encryption Management.
>>>
>>> The reason is that I think encryption is just a technology to perform
>>> access control (like not allowing access to a secret repository).
>>>
>>> Specifically, it helps to:
>>> - Bear the users accountable are for the repositories and messages they
>>> create or modify;
>>> - Bear the users accountable for their use of Services and acceptance of
>>> contracts and agreements;
>>> - Precision, relevance and consistency of repositories is assured;
>>> Use of services and access to repositories is restricted to 
>>> authorized users;
>>> - Intellectual property is accessible to authorized users only;
>>> - Private information of clients and employees is accessible for a valid
>>> purpose to authorized users only and is held for no longer than 
>>> required;
>>> - Secrets are accessible to authorized users only;
>>> - Third party services and repositories are appropriately licensed and
>>> accessible only to authorised users.
>>>
>>> So what I plan to do is to transfer some of the content to "OSP-11 
>>> Access
>>> control over services, repositories channels and interfaces", and remove
>>> the appropiate references to it.
>>>
>>> Opinions?
>>>
>>> Happy New Year
>>>
>>> Vicente
>>>
>>>
>>> -------------------------------------------------------
>>> This SF.net email is sponsored by: Splunk Inc. Do you grep through 
>>> log files
>>> for problems?  Stop!  Download the new AJAX search engine that makes
>>> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
>>> http://ads.osdn.com/?ad_idv37&alloc_id865&op=click
>>> _______________________________________________
>>> ISECOM-ISM3 mailing list
>>> ISE...@li...
>>> https://lists.sourceforge.net/lists/listinfo/isecom-ism3
>>>
>>>
>>
>>
>> -------------------------------------------------------
>> This SF.net email is sponsored by: Splunk Inc. Do you grep through log 
>> files
>> for problems?  Stop!  Download the new AJAX search engine that makes
>> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
>> http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
>> _______________________________________________
>> ISECOM-ISM3 mailing list
>> ISE...@li...
>> https://lists.sourceforge.net/lists/listinfo/isecom-ism3
>>
>>
> 
> 

[ISECOM-ISM3] Getting there

[<vi...@is...>]

I have deleted OSP-13 and added some precision in several paragraphs.

The new deadline for completion is January the 10th.

Todo:
- I am adding codes for documents, so they can be tracked more easily
automatically or between translations of ISM3.
- I will review the metric descriptions and cross them with work products
to make sure nothing is missing.
- Finally, I got Edward's opinion, but I still need more feedback on the
role of metrics in accreditation. Should they be mandatory? Can they be
audited? Does a ISM3 Level 5 makes sense?

Zipped PDF (whithout extension) attached.

The attached xls includes the relation between ISM3 categories and
traditional categories of information (confidenciality et al)

My best

Vicente

Re: [ISECOM-ISM3] Killing Encrypytion

[Rafael A. P. <ra...@au...>]

Microsoft is working right now in a trusted computing platform for 
Windows Vista, including a TPM module with some interesting features as
rooted boot integrity and encryption. Secure Startup technology provides 
secure boot, hard drive encryption, and TPM services.

Pete Herzog wrote:
> I think that's a very good idea.  I think one of the biggest challenges 
> we face when developing methodologies and standards is to look past the 
> pervasive products which we see as standards.  Our own experiences work 
> against us and often it's a slow climb out of this dark hole.  The worst 
> is that as we do so, we try to get others to see what we now see and are 
> met with the same resistance that those who challenged the sun's 
> rotation of the earth had encountered.
> 
> Sorry, I'm just a little frustrated with the sec industry again. Happens 
> every year around this time ;)
> 
> On that note, sorry Vicente, I had to ask, but is anyone here interested 
> in working on a trusted computing methodology?  It's somewhere 
> in-between infosec management, infosec testing, and low-level OS change 
> control.  So I'm looking for people who are OSSTMM, ISM3, and OMCD 
> oriented to help develop a framework for OpenTC (www.opentc.net).  I 
> will make requests on the other lists later once the project is posting 
> on the ISECOM website.
> 
> Sincerely,
> -pete.
> 
> 
> vi...@is... wrote:
> 
>> Hi,
>>
>> I'd like your advice on this.
>>
>> I am seriously considering killing OSP-13 Encryption Management.
>>
>> The reason is that I think encryption is just a technology to perform
>> access control (like not allowing access to a secret repository).
>>
>> Specifically, it helps to:
>> - Bear the users accountable are for the repositories and messages they
>> create or modify;
>> - Bear the users accountable for their use of Services and acceptance of
>> contracts and agreements;
>> - Precision, relevance and consistency of repositories is assured;
>> Use of services and access to repositories is restricted to authorized 
>> users;
>> - Intellectual property is accessible to authorized users only;
>> - Private information of clients and employees is accessible for a valid
>> purpose to authorized users only and is held for no longer than required;
>> - Secrets are accessible to authorized users only;
>> - Third party services and repositories are appropriately licensed and
>> accessible only to authorised users.
>>
>> So what I plan to do is to transfer some of the content to "OSP-11 Access
>> control over services, repositories channels and interfaces", and remove
>> the appropiate references to it.
>>
>> Opinions?
>>
>> Happy New Year
>>
>> Vicente
>>
>>
>> -------------------------------------------------------
>> This SF.net email is sponsored by: Splunk Inc. Do you grep through log 
>> files
>> for problems?  Stop!  Download the new AJAX search engine that makes
>> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
>> http://ads.osdn.com/?ad_idv37&alloc_id865&op=click
>> _______________________________________________
>> ISECOM-ISM3 mailing list
>> ISE...@li...
>> https://lists.sourceforge.net/lists/listinfo/isecom-ism3
>>
>>
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log 
> files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
> _______________________________________________
> ISECOM-ISM3 mailing list
> ISE...@li...
> https://lists.sourceforge.net/lists/listinfo/isecom-ism3
> 
> 


-- 
Rafael Ausejo Prieto
www.ausejo.net

Re: [ISECOM-ISM3] Killing Encrypytion

[Pete H. <li...@is...>]

I think that's a very good idea.  I think one of the biggest challenges 
we face when developing methodologies and standards is to look past the 
pervasive products which we see as standards.  Our own experiences work 
against us and often it's a slow climb out of this dark hole.  The worst 
is that as we do so, we try to get others to see what we now see and are 
met with the same resistance that those who challenged the sun's 
rotation of the earth had encountered.

Sorry, I'm just a little frustrated with the sec industry again. 
Happens every year around this time ;)

On that note, sorry Vicente, I had to ask, but is anyone here interested 
in working on a trusted computing methodology?  It's somewhere 
in-between infosec management, infosec testing, and low-level OS change 
control.  So I'm looking for people who are OSSTMM, ISM3, and OMCD 
oriented to help develop a framework for OpenTC (www.opentc.net).  I 
will make requests on the other lists later once the project is posting 
on the ISECOM website.

Sincerely,
-pete.


vi...@is... wrote:
> Hi,
> 
> I'd like your advice on this.
> 
> I am seriously considering killing OSP-13 Encryption Management.
> 
> The reason is that I think encryption is just a technology to perform
> access control (like not allowing access to a secret repository).
> 
> Specifically, it helps to:
> - Bear the users accountable are for the repositories and messages they
> create or modify;
> - Bear the users accountable for their use of Services and acceptance of
> contracts and agreements;
> - Precision, relevance and consistency of repositories is assured;
> Use of services and access to repositories is restricted to authorized users;
> - Intellectual property is accessible to authorized users only;
> - Private information of clients and employees is accessible for a valid
> purpose to authorized users only and is held for no longer than required;
> - Secrets are accessible to authorized users only;
> - Third party services and repositories are appropriately licensed and
> accessible only to authorised users.
> 
> So what I plan to do is to transfer some of the content to "OSP-11 Access
> control over services, repositories channels and interfaces", and remove
> the appropiate references to it.
> 
> Opinions?
> 
> Happy New Year
> 
> Vicente
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> http://ads.osdn.com/?ad_idv37&alloc_id865&op=click
> _______________________________________________
> ISECOM-ISM3 mailing list
> ISE...@li...
> https://lists.sourceforge.net/lists/listinfo/isecom-ism3
> 
> 

[ISECOM-ISM3] Killing Encrypytion

[<vi...@is...>]

Hi,

I'd like your advice on this.

I am seriously considering killing OSP-13 Encryption Management.

The reason is that I think encryption is just a technology to perform
access control (like not allowing access to a secret repository).

Specifically, it helps to:
- Bear the users accountable are for the repositories and messages they
create or modify;
- Bear the users accountable for their use of Services and acceptance of
contracts and agreements;
- Precision, relevance and consistency of repositories is assured;
Use of services and access to repositories is restricted to authorized us=
ers;
- Intellectual property is accessible to authorized users only;
- Private information of clients and employees is accessible for a valid
purpose to authorized users only and is held for no longer than required;
- Secrets are accessible to authorized users only;
- Third party services and repositories are appropriately licensed and
accessible only to authorised users.

So what I plan to do is to transfer some of the content to "OSP-11 Access
control over services, repositories channels and interfaces", and remove
the appropiate references to it.

Opinions?

Happy New Year

Vicente

RE: [ISECOM-ISM3] Maturity Levels

[Edward S. <est...@ho...>]

ISO27001 (used to be known as BS7799-2) requires measurement of the 
effectiveness of controls - ISO27004 will soon be published covering 
security metrics http://www.iso27001security.com/html/iso27000.html

Therefore for ISO27000 compliance, an organisation will need to develop 
metrics.  Every maturity level of ISM3 which is certifiable to ISO27001 
would need appropriate metrics, to cover the ISO27000 controls.

Say an organisation does not opt for ISO27000 certification, and just 
implements ISM3:  I'd still say that without measurement, you cannot manage, 
and therefore metrics are essential to any management system - i.e. Level 1 
of ISM3!

However, rather than define compulsory metrics, it would be better to allow 
flexibility.  I would say you should require evidence for the collection and 
review of appropriate metric(s) as part of the "Supervised" criteria for 
Certification.

Regards
Edward



>From: vi...@is...
>To: ise...@li...
>Subject: [ISECOM-ISM3] Maturity Levels
>Date: Wed, 28 Dec 2005 06:45:53 -0500 (EST)
>
>Hi,
>
>I have an important question for you.
>
>The current Maturity Levels structure can be certified as ISO9001
>compliant or BS7799-2 compliant. Do you think it would be wise to stablish
>a fifth level, Level 5, where metrics where compulsory instead of
>optional? Could this level and this particular requirement be tested using
>ISO9001 or BS7799-2 audit processes?
>
>Happy New Year
>
>Vicente
>
>P.S. Zip attached without extension


><< ISM3_v1.120051226 >>

_________________________________________________________________
Are you using the latest version of MSN Messenger? Download MSN Messenger 
7.5 today! http://messenger.msn.co.uk

[ISECOM-ISM3] Maturity Levels

[<vi...@is...>]

Hi,

I have an important question for you.

The current Maturity Levels structure can be certified as ISO9001
compliant or BS7799-2 compliant. Do you think it would be wise to stablis=
h
a fifth level, Level 5, where metrics where compulsory instead of
optional? Could this level and this particular requirement be tested usin=
g
ISO9001 or BS7799-2 audit processes?

Happy New Year

Vicente

P.S. Zip attached without extension

[ISECOM-ISM3] Public draft, ISM3

[Vicente A. <ace...@ya...>]

Dear All,

The last draft release of ISM3 v1.1 is out. It
incorporates the comments from several reviewers.
Those who make a significant contribution will be
mentioned in page 2 in the final release.

The draft is available at:
http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1-20051221.zip

There might be some typos, or even some sentence that
doesn't makes sense. That's why it's called a draft :)

I am pretty confident about the changes in yellow, I
would like a second opinion about the changes in
green. The earlier I get your comments, the more
chances they will make it into the final release. The
new deadline is January the 2nd.

As most of you know, ISM3 is a standard for the
creation of
business-oriented ISM systems. Some qualities of ISM3
v1.1 are:
- It is an open standard.
- It is fully compatible with ITIL, ISO9000, CMMI,
Cobit and ISO17799 / BS 7799-2.
- It incorporates security governance considerations.
- It scales to small and big organizations.
- It adapts to young and stablished organizations.
- It is rich in implementation guidance, like for
example security responsibilities.
- Its process orientation integrates well with ITIL.
- It supports explictly the outsourcing of security
management and operations processes.
- ISM3 based ISM systems are accreditable.
- Guidance on accreditable scope.
- Metrics, that help to manage the processes and
measure the success of the ISM system.
- Accreditation process.
- Guidanec on using ISM3 in outsourcing and
partners/vendors partnerships.

Repost of an old mail to this list:
Some very good compartives between security
methodologies are:
http://www.phi-solutions.com/documents/ISO17799_SSE_CMM_comparison.pdf
http://www.phi-solutions.com/documents/ISO9001_BS7799-2_ISO13335_comparison.pdf
http://www.cerias.purdue.edu/news_and_events/events/symposium/2004/posters/pdfs/Metrics%20Based%20Security%20Assessment.pdf
http://www.securityforum.org/assests/pdf/sec_stan.pdf
http://www.theiia.org/iia/download.cfm?file=404
http://www.cyberpartnership.org/InfoSecGov4_04.pdf
http://www.bsa.org/resources/loader.cfm?url=/commonspot/security/getfile.cfm&Pag\eID=5841
http://www.itsmf.org.za/Presentations/CobiT%20ITIL%20and%20BS7799.pdf

I am planning to hold a conference on ISM3 v1.1 in
India around the 20th of January. If you are
interested, drop me a mail to vi...@is... (not
to this list), and I will make sure you get all the
details.

Merry Xmas

Vicente Aceituno


	
		
__________________________________ 
Yahoo! for Good - Make a difference this year. 
http://brand.yahoo.com/cybergivingweek2005/

RE : [ISECOM-ISM3] RE: New ISM3 snapshot

[Andre B. <and...@no...>]

Hi M.Ramkumar, you have to include the text after the space also.  The =
full link is =
http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1%2020051211.pdf=
 where the "%20" acts as a space.

=20

Have a nice day...

=20

-----Message d'origine-----
De : ise...@li... =
[mailto:ise...@li...] De la part de Ramkumar =
R
Envoy=E9 : 12 d=E9cembre, 2005 07:02
=C0 : vi...@is...; ise...@li...
Objet : [ISECOM-ISM3] RE: New ISM3 snapshot
Importance : Haute

=20

Hi Vicente,

      The link is not working...! Pl help.

=20

With warm Regards,

R.Ramkumar

Executive Director - KPQR

-----Original Message-----

From: vi...@is... [mailto:vi...@is...]=20

Sent: Monday, December 12, 2005 12:15 AM

To: ise...@li...

Subject: New ISM3 snapshot

=20

The latest snapshot is available from:

=20

http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1 20051211.pdf

=20

You can choose to post me your comments privately or copy the ism3 list.

=20

Those who didn't comment last one won't get the next if I don't receive

any news from them this week.

=20

My best

=20

Vicente

=20

=20

=20

-------------------------------------------------------

This SF.net email is sponsored by: Splunk Inc. Do you grep through log =
files

for problems?  Stop!  Download the new AJAX search engine that makes

searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!

http://ads.osdn.com/?ad_id=3D7637&alloc_id=3D16865&op=3Dclick

_______________________________________________

ISECOM-ISM3 mailing list

ISE...@li...

https://lists.sourceforge.net/lists/listinfo/isecom-ism3

[ISECOM-ISM3] RE: New ISM3 snapshot

[Ramkumar R <ram...@kp...>]

Hi Vicente,
	The link is not working...! Pl help.

With warm Regards,
R.Ramkumar
Executive Director - KPQR
-----Original Message-----
From: vi...@is... [mailto:vi...@is...] 
Sent: Monday, December 12, 2005 12:15 AM
To: ise...@li...
Subject: New ISM3 snapshot

The latest snapshot is available from:

http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1 20051211.pdf

You can choose to post me your comments privately or copy the ism3 list.

Those who didn't comment last one won't get the next if I don't receive
any news from them this week.

My best

Vicente

[ISECOM-ISM3] New ISM3 snapshot

[<vi...@is...>]

The latest snapshot is available from:

http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1 20051211.pdf

You can choose to post me your comments privately or copy the ism3 list.

Those who didn't comment last one won't get the next if I don't receive
any news from them this week.

My best

Vicente

[ISECOM-ISM3] ISM3 review reminder

[<vi...@is...>]

Questions to close before final release:

- License. What is the best license for ISM3?
- Metrics+RAVs. Are the defined metrics measurable and help to take
management decisions?
- Accreditation process. The BS7799-2 and ISO9001 accreditation routes
must be clearly explained.
- Scope of Accreditation. The limits for accreditation that will make
accreditation meaningful must be set.
- GP-2 ISMS Audit.
- TSP-4 Service Level Management. This process has been filled with
content. Should a similar process be set up at the Strategic Level?
- OSP-13 Encryption Management. I am unhappy with the current metrics of
this process. Any suggestions about how to fix it?
- Guidance on job descriptions. This shouldn't be difficult, as
responsibilities are explained all over ISM3.
- Supervision structure. Same as above.
- Resources - Resources need for each process (people, technology, money,
time...). Should be give some guidance on the resources needed to
implement every / some of the processes? Any volunteer for this?
- We should detect contradictions between ISM3 and ITIL, Cobit, ISO9001,
CISWG report, CMMI and ISO27000. If someone volunteers, I have have some
material that could allow to publish a complete fairly complete mapping
between standards.

I'd like to include some graph expressing how ISM3 applies PDCA. (See
attachment)


My best

Vicente Aceituno

[ISECOM-ISM3] ISM3 snapshot

[<vi...@is...>]

You can downlowad the latest version for your review from:
http://www.seguridaddelainformacion.com/archivos/ISM3_v1.1-20051127.pdf

You can choose to post me your comments privately or copy the ism3 list.

My best and thanks for your help

Vicente Aceituno

[ISECOM-ISM3] ISM3 early draft

[<vi...@is...>]

This is for your eyes only.

Changes are in yellow and red.

Main Changes and assignees:
-Metrics (Me)
-Scope (Anup)
-Deployment (Anup)
-New process: GP-2 ( )
-Risk Analysis Posture (Eduardo?)
-Accreditation Process (Anup)
-Relation to Partners, Vendors and Outsourcing providers.

Smaller changes:
- References to NDA and data recovery among others.
- Glossary
- References

I need examples of significant committees. (pag 12)
Please identify any term that should be in the glossary and is not.

Saludos / Sincerely

Vicente

P.S. The mail server is giving me grief. The attached file is a zipped
(7z) pdf.

[ISECOM-ISM3] ISM3 security techniques

[<vi...@is...>]

I have been checking the relationship between Security Objectives, and th=
e
management processes.

The attached xls presents a relation between security objectives,
techniques and ISM3 processes. There is not a real one 2 one relation
between security objective and ISM3 process. For this reason probably thi=
s
won't go into ISM3 v1.1. It is just a sanity check about all the importan=
t
security techniques being incorporated in the ISM3 processes.

my best

Vicente

[ISECOM-ISM3] ISM3 v1.1 updates

[<vi...@is...>]

Dear All,

I think I will be able to give you news soon about a real implementation
of ISM3 in progress.

In the meantime, I want to tell you about the stuff that will go into ISM=
3
v1.1:

1- EA 7/03 additions - done
2- OSSTMM synchronization
3- Scope considerations (any volunteer?)
4- Implementation process  (any volunteer?)
5- Accreditation and Certification processes
6- Governance in line with CISWG reports.

7- METRICS.
*Efficiency metrics/ROSI: Efficacy compared to investment. Efficacy is
related to averted incidents.

*I think we should cover Activity metrics in a general way, showing how t=
o
use the to distinguish normal from abnormal activity. What are your
criteria for this? My own criteria is that "Abnormal" is over or below th=
e
arithmetic mean plus/minus 2 standard deviations of the arithmetic mean.

*Availability metrics. These make sense only at the operational level.
*Coverage metrics. These make sense only at the operational level.
*Update metrics. These make sense only at the operational level.

*The processes will be classified as:
- Action processes. These are continuos in time.
- Triggered processes. These are performed in a as needed basis.
- Prevention. These can't reach "abnormal" levels, as they prepare the
organization to better perform the rest of the processes.

*The management diagnosis of out of bounds metrics should be:
1- Process fault.
2- TPSRSR fault.
3- Fault in PDCA process.
4- Technology fault / Technology used doesn't perform as expected.
5- Inadequate funding (The process was designed under funding constraints=
,
The technology was chosen considering funding constraints.)
6- Security Target too high.

Every metric described will help to reach one of these conclusions. As th=
e
corresponding management action is obvious, we can express that as well.

I await your feedback on my last week's post on metrics.

My best

Vicente Aceituno

[ISECOM-ISM3] Hello All - Self Introduction

[Anup N. <an...@ju...>]

Dear Members,

I am glad to join the ISM3 effort and I would like to introduce myself. =
My name is Anup Narayanan and I am from Kerala, India. I am a CISA and =
CISSP and been working in the field of Information Security for the past =
6 years. In fact I run my own Information Security Consultancy firm =
(www.juvenaconsulting.com).

I felt attracted to ISM3, after having worked with the BS7799 standard =
for quite some time. What I could gauge was that the management of the =
organizations where I was deploying BS7799 did not understand what they =
were doing, but they wanted it done, else they would not get business =
from security conscious customers.

I appreciate Vicente's efforts to create a ISMS which is aligned towards =
the business goals of the organization and which is flexible enough to =
be implemented by organizations of all sizes and easily understood by =
the Senior Management.

I look forward to contribute my best towards the effort.

Warm Regards,

Anup Narayanan
  ----- Original Message -----=20
  From: vi...@is...=20
  To: ise...@li...=20
  Sent: Wednesday, November 02, 2005 4:01 PM
  Subject: [ISECOM-ISM3] Metrics b4 new Year


  Dear All,

  I plan to publish a revision of ISM3 before the end of this year, with
  your help, of course. This revision will have some small tweaks, like =
EA
  7/03 additions, OSSTMM synchronization, being more specific on ISM3
  minimum scope, specify the accreditation and certification processes =
and
  METRICS.

  I attach a preview of my work on Metrics for ISM3. For the time being =
is
  just a list. I have come to realize that metrics are dozen a dime. =
It's
  very easy to make up things you could measure. Far more difficult is =
to
  make up things that can trigger management decisions.

  So the criteria for inclusion of metrics in ISM3 v1.1 will be:
  - The metric can't reach a value and stay there. Example: Percentage =
of
  security policies written. This kind of metric would a project =
management
  progress metric, not a management process (versus project) metric.
  - The metric must help to detect abnormal conditions, or help to take
  decisions.
  - "Normal conditions" won't be pre-defined. This means that historic =
data
  of the metric must let us know what are the normal values for the =
metric.
  For example, if we now the arithmetic mean and the standard deviation,
  values within the AM plus minus the standard deviation will be =
considered
  "normal".

  I hope to reach a manageable number of meaningful metrics.

  - Four main categories of metrics will be used:
  --Activity: This metric measure how much "work products" have been =
produced.
  --Coverage: This metric measure if all defined environments or systems =
are
  being protected by the process. For example, AV could be installed in =
only
  the 50% of user PCs.
  --Update: This metric measure how updated or recent is the process.
  --Avaliability: This metric measure if there have been failures in the
  processes.

  Metrics will be defined expressing the associated action when the =
metric
  indicates abnormalities.

  There are four types of processes:
  - Management processes.
  - Action processes. These are continuos in time.
  - Triggered processes. These are performed in a as needed basis.
  - Prevention. These can't reach "abnormal" levels, as they prepare the
  organization to better perform the rest of the processes.

  As this is a lot of work, I expect some of you to come forward and
  undertake the detailed definition of a few of the processes.

  The rest can review the ongoing work.

  BTW, we have a new member, Anup Narayan has joined the ISM3 effort.


  My best

  Vicente Aceituno

[ISECOM-ISM3] Metrics b4 new Year

[<vi...@is...>]

Dear All,

I plan to publish a revision of ISM3 before the end of this year, with
your help, of course. This revision will have some small tweaks, like EA
7/03 additions, OSSTMM synchronization, being more specific on ISM3
minimum scope, specify the accreditation and certification processes and
METRICS.

I attach a preview of my work on Metrics for ISM3. For the time being is
just a list. I have come to realize that metrics are dozen a dime. It's
very easy to make up things you could measure. Far more difficult is to
make up things that can trigger management decisions.

So the criteria for inclusion of metrics in ISM3 v1.1 will be:
- The metric can't reach a value and stay there. Example: Percentage of
security policies written. This kind of metric would a project management
progress metric, not a management process (versus project) metric.
- The metric must help to detect abnormal conditions, or help to take
decisions.
- "Normal conditions" won't be pre-defined. This means that historic data
of the metric must let us know what are the normal values for the metric.
For example, if we now the arithmetic mean and the standard deviation,
values within the AM plus minus the standard deviation will be considered
"normal".

I hope to reach a manageable number of meaningful metrics.

- Four main categories of metrics will be used:
--Activity: This metric measure how much "work products" have been produced.
--Coverage: This metric measure if all defined environments or systems are
being protected by the process. For example, AV could be installed in only
the 50% of user PCs.
--Update: This metric measure how updated or recent is the process.
--Avaliability: This metric measure if there have been failures in the
processes.

Metrics will be defined expressing the associated action when the metric
indicates abnormalities.

There are four types of processes:
- Management processes.
- Action processes. These are continuos in time.
- Triggered processes. These are performed in a as needed basis.
- Prevention. These can't reach "abnormal" levels, as they prepare the
organization to better perform the rest of the processes.

As this is a lot of work, I expect some of you to come forward and
undertake the detailed definition of a few of the processes.

The rest can review the ongoing work.

BTW, we have a new member, Anup Narayan has joined the ISM3 effort.


My best

Vicente Aceituno

[ISECOM-ISM3] ISM3 Metrics

[Vicente A. <ace...@ya...>]

Hi,

I think is high time to add metrics to ISM3.

Please submit you ideas about what would be the best
metrics for every ISM3 process.

Thanks for your help.

Vicente Aceituno


		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com

[ISECOM-ISM3] RE: ISM3 & ISO 17799

[Anthony B. N. <abn...@es...>]

At 01:31 AM 31/08/05, vi...@is... wrote:
>On the other hand, if a company just wants to cheat the system, they can
>falsify not only documents but any other information source, so I don't
>see how can you have the guarantee that you are not being fooled...

I agree.  There is no such thing as a certification that cannot be 
cheated, I just want to make it a bit more difficult to get away with it.

>I think ISM3 has the strengh of being suitable to every different need and
>resources avaliability, so normally it will be cheaper and it will make
>more sense to actually implementing it rather than faking it.

I think you are right, most everyone who wants the certification will 
go to the effort of implementing it.  However for the certification 
to be of value to the outside world, it has to have controls within 
it that make cheating difficult, otherwise the suspicion will be 
there that a significant population of cheaters exist.  (I can verify 
from talking to some of the engineers at client companies that the 
view of ISO 9000 is that it is only as good as the company 
implementing it, and if you don't trust the company, you don't trust 
the certification.  This to the extent that they will ask for ISO 
9000 certification as a minimum, but once you verify that you have it 
you have only passed the first test, and someone is sent out to 
verify that it is real.  Cheating has devalued the certification, 
even if the number of cheaters is small.)

A.B.N.

>Sincerely
>
>Vicente