Security Management
https://store.theartofservice.com/the-security-management-toolkit.html

IT risk management - Organization for security management

The set-up of the organization in charge of risk management is foreseen as partially fulfilling the requirement to provide the resources needed to establish, implement, operate, monitor, review, maintain and improve an ISMS. The main roles inside this organization are:

- the business and functional managers
- the Information System Security Officer (ISSO) or Chief Information Security Officer (CISO)
- IT Security Practitioners

Information Technology Infrastructure Library - Information security management system

The ITIL process Security Management describes the structured fitting of information security into the management organization. ITIL security management is based on the code of practice for information security management systems (ISMS) now known as ISO/IEC 27002.

A basic goal of security management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability.

Mounting pressure for many organizations to structure their information security management systems in accordance with ISO/IEC 27001 required revision of the ITIL v2 security management volume, which culminated in the release of the 2007 edition.

Network security - Security management

Security management for networks differs between situations. A home or small office may only require basic security, while large businesses may require high-maintenance, advanced software and hardware to prevent malicious attacks such as hacking and spamming.

Business continuity - Security management

In today's global business environment, security must be the top priority in managing Information Technology. For most organizations, security is mandated by law, and conformance to those mandates is investigated regularly in the form of audits. Failure to pass security audits can have financial and management-changing impacts upon an organization.

Security - Security management in organizations

In the corporate world, various aspects of security were historically addressed separately, notably by distinct and often non-communicating departments for IT security, physical security, and fraud prevention. Today there is a greater recognition of the interconnected nature of security requirements, an approach variously known as holistic security, "all hazards" management, and other terms.

Inciting factors in the convergence of security disciplines include the development of digital video surveillance technologies (see Professional video over IP) and the digitization and networking of physical control systems (see SCADA).

Although the title "supply chain" is included, this Standard specifies the requirements for a security management system, including those aspects critical to security assurance for any organisation or enterprise wishing to manage the security of the organisation and its activities.

Information security management

Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks.

The risks to these assets can be calculated by analysis of the following issues:

- Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets.
- Vulnerabilities. How susceptible your assets are to attack.
- Impact. The magnitude of the potential loss or the seriousness of the event.

Standards that are available to assist organizations in implementing the appropriate programmes and controls to mitigate these risks are, for example, BS7799/ISO 17799, the Information Technology Infrastructure Library and COBIT.

ITIL security management

The ITIL security management process describes the structured fitting of security into the management organization.

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

A basic concept of security management is information security. The primary goal of information security is to guarantee the safety of information. When protecting information, it is the value of the information that must be protected. These values are stipulated by confidentiality, integrity and availability.

The goal of Security Management is split into two parts:

- The realization of the security requirements defined in the service level agreement (SLA) and other external requirements which are specified in underpinning contracts, legislation and possible internally or externally imposed policies.
- The realization of a basic level of security. This is necessary to guarantee the continuity of the management organization. It is also necessary in order to reach a simplified service-level management for information security, as it is easier to manage a limited number of SLAs than a large number of SLAs.

The input of the security management process is formed by the SLAs with the specified security requirements, legislation documents (if applicable) and other (external) underpinning contracts. These requirements can also act as key performance indicators (KPIs) which can be used for process management and for the justification of the results of the security management process. The output gives justification information for the realization of the SLAs and a report with deviations from the requirements.

The security management process has relations with almost all other ITIL processes. However, in this particular section the most obvious relations will be the relations to the service level management process, the incident management process and the Change Management process.

ITIL security management - The security management process

The security management process consists of activities that are carried out by security management itself or activities that are controlled by security management.

Because organizations and their information systems constantly change, the activities within the security management process must be revised continuously in order to stay up to date and effective. Security management is a continuous process and it can be compared to W. Edwards Deming's Quality Circle (Plan, Do, Check, Act).

The inputs are the requirements which are formed by the clients. The activities, results/products and the process are documented. External reports are written and sent to the clients. The clients are then able to adapt their requirements based on the information received through the reports. Furthermore, the service provider can adjust their plan or the implementation based on their findings in order to satisfy all the requirements stated in the SLA (including new requirements).

ITIL security management - Control

The first activity in the security management process is the "Control" sub-process. The Control sub-process organizes and manages the security management process itself. The Control sub-process defines the processes, the allocation of responsibility, the policy statements and the management framework.

The security management framework defines the sub-processes for the development of security plans, the implementation of the security plans, the evaluation, and how the results of the evaluations are translated into action plans. Furthermore, the management framework defines what should be reported to clients.

The activities that take place in the Control process are summed up in the following table, which contains the name of the (sub) activity and a short definition of the activity.

Activity: Control
  Sub-activity: Implement policies
    Description: This process outlines the specific requirements and rules that have to be met in order to implement security management. The process ends with a policy statement.
  Sub-activity: Set up the security organization
    Description: This process sets up the organization for information security. For example, in this process the structure and the responsibilities are set up. This process ends with the security management framework.
  Sub-activity: Reporting
    Description: In this process the whole targeting process is documented in a specific way. This process ends with reports.

The meta-modeling technique was used in order to model the activities of the Control sub-process. Furthermore, it is noticeable that the first two activities are not linked with an arrow and that there is a black stripe with an arrow leading to the reporting activity. This means that the first two activities are not sequential: they are unordered activities, and after these two activities have taken place the reporting activity will sequentially follow. For a more extensive explanation of the meta-modeling technique consult the Meta-modeling wiki.

Concepts created or adjusted in the Control sub-process:

CONTROL DOCUMENTS: CONTROL is a description of how SECURITY MANAGEMENT will be organized and how it will be managed.

POLICY STATEMENTS: documents that outline specific requirements or rules that must be met. In the information security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

SECURITY MANAGEMENT FRAMEWORK: an established management framework to initiate and control the implementation of information security within your organization and to manage ongoing information security provision.

The meta-data model of the Control sub-process is based on a UML class diagram. Figure 2.1.2 shows the meta-data model of the Control sub-process. The CONTROL rectangle with a white shadow is an open complex concept. This means that the CONTROL rectangle consists of a collection of (sub) concepts and these concepts are expanded in this particular context.

ITIL security management - Plan

The Plan sub-process contains activities that, in cooperation with Service Level Management, lead to the (information) Security section in the SLA. Furthermore, the Plan sub-process contains activities that are related to the underpinning contracts which are specific for (information) security.

In the Plan sub-process the goals formulated in the SLA are specified in the form of Operational Level Agreements (OLAs). These OLAs can be defined as security plans for a specific internal organization entity of the service provider.

Besides the input of the SLA, the Plan sub-process also works with the policy statements of the service provider itself. As said earlier, these policy statements are defined in the Control sub-process.

The Operational Level Agreements for information security are set up and implemented based on the ITIL process. For example, if security management wishes to change the IT infrastructure in order to achieve maximum security, these changes will only be made through the Change Management process. Security Management will deliver the input (Request for Change) for this change.

Activity: Plan
  Sub-activity: Create Security section for SLA
    Description: This process contains activities that lead to the security agreements paragraph in the service level agreements. At the end of this process the Security section of the service level agreement is created.
  Sub-activity: Create underpinning contracts
    Description: This process contains activities that lead to UNDERPINNING CONTRACTS. These contracts are specific for security.
  Sub-activity: Create Operational Level Agreements
    Description: The general goals formulated in the SLA are specified in operational level agreements. These OLAs can be defined as security plans for specific organization units.
  Sub-activity: Reporting
    Description: In this process the whole Create plan process is documented in a specific way.

As for the Control sub-process, the Plan sub-process has been modeled using the meta-modeling technique. On the right side of figure 2.2.1 the meta-process model of the Plan sub-process is given. As you can see, the Plan sub-process consists of a combination of unordered and ordered (sub) activities. Furthermore, it is noticeable that the sub-process contains three complex activities, which are all closed activities, and one standard activity.

Table 2.2.1 consists of concepts that are created or adjusted during the Plan sub-process:

PLAN: formulated schemes for the security agreements.

Security section of the service level agreements: the security agreements paragraph in the written agreements between a Service Provider and the customer(s) that document agreed Service Levels for a service.

UNDERPINNING CONTRACTS: a contract with an external supplier covering delivery of services that support the IT organisation in their delivery of services.

OPERATIONAL LEVEL AGREEMENTS: an internal agreement covering the delivery of services which support the IT organization in their delivery of services.

The two closed concepts are not expanded in this particular context. The following picture (figure 2.2.1) is the process-data diagram of the Plan sub-process. This picture shows the integration of the two models. The dotted arrows indicate which concepts are created or adjusted in the corresponding activities of the Plan sub-process.

ITIL security management - Implementation

The Implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented. During the Implementation sub-process no (new) measures are defined or changed. The definition or change of measures takes place in the Plan sub-process in cooperation with the Change Management process.

The activities that take place in the Implementation sub-process are summed up in the following table (table 2.3.1). The table contains the name of the (sub) activity and a short definition of the activity.

Activity: Implement
  Sub-activity: Classifying and managing of IT applications
    Description: Process of formally grouping configuration items by type, e.g., software, hardware, documentation, environment, application. Process of formally identifying changes by type, e.g., project scope change request, validation change request, infrastructure change request. This process leads to asset classification and control documents.
  Sub-activity: Implement personnel security
    Description: Here measures are adopted in order to give personnel safety and confidence, and measures to prevent crime/fraud.
  Sub-activity: Implement security management
    Description: In this process specific security requirements and/or security rules that must be met are outlined and documented.
  Sub-activity: Implement access control
    Description: In this process specific access security requirements and/or access security rules that must be met are outlined and documented.
  Sub-activity: Reporting
    Description: In this process the whole implement-as-planned process is documented in a specific way.

Table 2.3.1: (Sub) activities and descriptions, Implementation sub-process, ITIL Security Management

The left side of figure 2.3.1 is the meta-process model of the Implementation phase. The four labels with a black shadow mean that these activities are closed concepts and they are not expanded in this context. It is also noticeable that there are no arrows connecting these four activities; this means that these activities are unordered and the reporting will be carried out after the completion of all four activities.

During the implementation phase there are a number of concepts that are created and/or adjusted:

Implementation: accomplished security management according to the security management plan.

Asset classification and control documents: a comprehensive inventory of assets with responsibility assigned to ensure that effective security protection is maintained.

Personnel security: well-defined job descriptions for all staff outlining security roles and responsibilities.

Security policies: documents that outline specific security requirements or security rules that must be met.

Access control: network management to ensure that only those with the appropriate responsibility have access to information in the networks, and the protection of the supporting infrastructure.

Table 2.3.2: Concept and definition, Implementation sub-process, Security management

The concepts created and/or adjusted are modeled using the meta-modeling technique. The right side of figure 2.3.1 is the meta-data model of the Implementation sub-process. The implementation documents are an open concept and are expanded upon in this context. They consist of four closed concepts which are not expanded because they are irrelevant in this particular context.

In order to make the relations between the two models clearer, the integration of the two models is illustrated in figure 2.3.1. The dotted arrows running from the activities to the concepts illustrate which concepts are created/adjusted in the corresponding activities.

Figure 2.3.1: Process-data model, Implementation sub-process

ITIL security management - Evaluation

The evaluation of the implementation and the plans is very important. The evaluation is necessary to measure the success of the implementation and the security plans. The evaluation is also very important for the clients (and possibly third parties). The results of the Evaluation sub-process are used to maintain the agreed measures and the implementation itself. Evaluation results can lead to new requirements and so lead to a Request for Change. The request for change is then defined and sent to the Change Management process.

There are mainly three sorts of evaluation: the self-assessment, the internal audit and the external audit. The self-assessment is mainly carried out in the organization of the processes. The internal audits are carried out by internal IT auditors and the external audits are carried out by external independent IT auditors. Besides the evaluations already mentioned, an evaluation based on the communicated security incidents will also take place. The most important activities for this evaluation are: security monitoring of IT systems; verifying whether the security legislation and the implementation of the security plans are complied with; tracing and reacting to undesirable use of the IT supplies.

The activities that take place in the evaluation sub-process are summed up in the following table (Table 2.4.1).

Evaluate / Self-assessment: In this process an examination of the implemented security agreements is done by the organization of the process itself. The result of this process is SELF ASSESSMENT DOCUMENTS.

Internal audit: In this process an examination of the implemented security agreements is done by an internal EDP auditor.

External audit: In this process an examination of the implemented security agreements is done by an external EDP auditor.

Evaluation based on security incidents: In this process an examination of the implemented security agreements is done based on security events which are not part of the standard operation of a service and which cause, or may cause, an interruption to, or a reduction in, the quality of that service.

Reporting: In this process the whole Evaluate implementation process is documented in a specific way.

Table 2.4.1: (Sub) activities and descriptions Evaluation sub-process ITIL Security Management

Figure 2.4.1: Process-data model Evaluation sub-process

The process-data diagram illustrated in figure 2.4.1 consists of a meta-process model and a meta-data model. The Evaluation sub-process was modeled using the meta-modeling technique. The dotted arrows running from the meta-process diagram (left) to the meta-data diagram (right) indicate which concepts are created/adjusted in the corresponding activities. All of the activities in the evaluation phase are standard activities.

For a short description of the Evaluation phase concepts see Table 2.4.2, where the concepts are listed and defined.

EVALUATION: Evaluated/checked implementation.

RESULTS: The outcome of the evaluated implementation.

SELF ASSESSMENT DOCUMENTS: Result of the examination of the security management by the organization of the process itself.

INTERNAL AUDIT: Result of the examination of the security management by the internal EDP auditor.

EXTERNAL AUDIT: Result of the examination of the security management by the external EDP auditor.

SECURITY INCIDENTS DOCUMENTS: Results of evaluating security events which are not part of the standard operation of a service and which cause, or may cause, an interruption to, or a reduction in, the quality of that service.

Table 2.4.2: Concept and definition evaluation sub-process Security management

ITIL security management - Maintenance

It is necessary for the security to be maintained. Because of changes in the IT infrastructure and changes in the organization itself, security risks are bound to change over time. The maintenance of the security concerns both the maintenance of the security section of the service level agreements and the more detailed security plans. The maintenance is based on the results of the Evaluation sub-process and insight into the changing risks. These activities will only produce proposals. The proposals serve as inputs for the plan sub-process and will go through the whole cycle, or the proposals can be taken into the maintenance of the service level agreements. In both cases the proposals could lead to activities in the action plan. The actual changes will be carried out by the Change Management process. For more information about the Change Management Process consult the Change Management Wiki.

The activities that take place in the maintain sub-process are summed up in the following table (Table 2.5.1).

Request for change to SLA and/or OLA: Request for a change to the SLA and/or OLA is formulated.

Reporting: In this process the whole "maintain implemented security policies" process is documented in a specific way.

Table 2.5.1: (Sub) activities and descriptions Maintenance sub-process ITIL Security Management

Figure 2.5.1 is the process-data diagram of the implementation sub-process. This picture shows the integration of the meta-process model (left) and the meta-data model (right).

Figure 2.5.1: Process-data model Maintenance sub-process

The maintenance sub-process starts with the maintenance of the service level agreements and the maintenance of the operational level agreements. After these activities take place (in no particular order) and there is a request for a change, the request for change activity will take place, and after the request for change activity is concluded the reporting activity starts. If there is no request for a change then the reporting activity will start directly after the first two activities. The concepts in the meta-data model are created/adjusted during the maintenance phase.

MAINTENANCE DOCUMENTS: Agreements kept in proper condition.

MAINTAINED SERVICE LEVEL AGREEMENTS: Service Level Agreements (security paragraph) kept in proper condition.

REQUEST FOR CHANGE: Form, or screen, used to record details of a request for a change to the SLA/OLA.

Table 2.5.2: Concept and definition Plan sub-process Security management

ITIL security management - Complete process-data model

The following picture shows the complete process-data model of the Security Management process. This means that the complete meta-process model and the complete meta-data model and the integrations of the two models of the Security Management process are shown.

Figure 2.6.1: Process-data model Security Management process

ITIL security management - Relations with other ITIL processes

The Security Management process, as stated in the introduction, has relations with almost all other ITIL processes, among them:

IT Customer Relationship Management

IT Service Continuity Management

Within these processes there are a couple of activities concerning security that have to take place. However, Security Management will give indications to the process concerned on how these (security specific) activities should be structured.

ITIL security management - Example

The use of internal e-mail in an organization has a lot of security risks. So if an organization chooses to use e-mail as a means of communication, it is highly necessary that the organization implements well thought out e-mail security plans and policies. In this example the ITIL Security Management approach is used to implement e-mail policies in an organization.

First of all, the security management team is formed and the guidelines on how the process should be carried out are formulated and made clear to all employees and providers concerned. These actions are carried out in the Control phase of the Security Management process.

The next step in the process of implementing e-mail policies is the planning. In the Plan phase of the process the policies are formulated. Besides the policies that are already written in the Service Level Agreements, the policies that are specific to e-mail security are formulated and added to the service level agreements. At the end of this phase the entire plan is formulated and is ready to be implemented.

The following phase in the process is the actual implementation of the e-mail policies. The implementation is done according to the plan which was formulated in the preceding phase (Plan phase).

After the actual implementation the e-mail policies will be evaluated. In order to evaluate the implemented policies the organization will perform:

The last phase is the maintenance phase. In the maintenance phase the implemented e-mail policies are maintained. The organization now knows which policies are properly implemented and properly followed, which policies need more work in order to help the security plan of the organization, and whether there are new policies that have to be implemented. At the end of this process the requests for change are formulated (if needed) and the e-mail policies are properly maintained.

In order for the organization to keep its security plan up-to-date the organization will have to perform the security management process continuously. There is no end to this process; an organization can always improve its security.

Security management

Security management is the identification of an organization's assets (including information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets.

An organisation uses such security management procedures as information classification, risk assessment, and risk analysis to identify threats, categorise assets, and rate system vulnerabilities so that it can implement effective controls.

Security management - Loss prevention

Loss prevention focuses on what your critical assets are and how you are going to protect them. A key component of loss prevention is assessing the potential threats to the successful achievement of the goal. This must include the potential opportunities that further the objective (why take the risk unless there's an upside?). Balance probability and impact, then determine and implement measures to minimize or eliminate those threats.

Security management - Security risk management

Management of security risks applies the principles of risk management to the management of security threats. It consists of identifying threats (or risk causes), assessing the effectiveness of existing controls to face those threats, determining the risks' consequence(s), prioritising the risks by rating the likelihood and impact, classifying the type of risk and selecting an appropriate risk option or risk response.

Security management - External

Strategic: like competition and customer demand

Operational: regulation, suppliers, contracts

Compliance: new regulatory or legal requirements are introduced, or existing ones are changed, exposing the organisation to a non-compliance risk if measures are not taken to ensure compliance

Security management - Internal

Hazard: safety and security; employees and equipment

Compliance: actual or potential changes in the organisation's systems, processes, suppliers, etc. may create exposure to a legal or regulatory non-compliance.

Security management - Risk avoidance

The first choice to be considered. The possibility of eliminating the existence of criminal opportunity, or avoiding the creation of such an opportunity, is always the best solution, when additional considerations or factors are not created as a result of this action that would create a greater risk. As an example, removing all the cash from a retail outlet would eliminate the opportunity for stealing the cash, but it would also eliminate the ability to conduct business.

Security management - Risk reduction

When avoiding or eliminating the criminal opportunity conflicts with the ability to conduct business, the next step is the reduction of the opportunity and potential loss to the lowest level consistent with the function of the business. In the example above, the application of risk reduction might result in the business keeping only enough cash on hand for one day's operation.

Security management - Risk spreading

Assets that remain exposed after the application of reduction and avoidance are the subjects of risk spreading. This is the concept that limits loss or potential losses by exposing the perpetrator to the probability of detection and apprehension prior to the consummation of the crime, through the application of perimeter lighting, barred windows and intrusion detection systems. The idea here is to reduce the time available to steal assets and escape without apprehension.

Security management - Risk transfer

Transferring risks to other alternatives when those risks have not been reduced to acceptable levels. The two primary methods of accomplishing risk transfer are to insure the assets or to raise prices to cover the loss in the event of a criminal act. Generally speaking, when the first three steps have been properly applied, the cost of transferring risks is much lower.

Security management - Risk acceptance

All remaining risks must simply be assumed by the business as a risk of doing business. Included with these accepted losses are deductibles which have been made as part of the insurance coverage.

Security management - Access control

Locks, simple or sophisticated, such as biometric authentication and keycard locks

Security management - Physical security

Security guards (armed or unarmed) with wireless communication devices (e.g., two-way radio)

Federal Information Security Management Act of 2002

The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB).

Federal Information Security Management Act of 2002 - Purpose of the act

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

Federal Information Security Management Act of 2002 - Implementation of FISMA

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.

Information Security Automation Program (ISAP)

National Vulnerability Database (NVD): the U.S. government content repository for ISAP and SCAP. NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).

Federal Information Security Management Act of 2002 - Compliance framework defined by FISMA and supporting standards

FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by the National Institute of Standards and Technology (NIST).

Federal Information Security Management Act of 2002 - Inventory of information systems

FISMA requires that agencies have in place an information systems inventory.

Federal Information Security Management Act of 2002 - Categorize information and information systems according to risk level

All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels.

The first mandatory security standard required by the FISMA legislation, FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, provides the definitions of security categories. The guidelines are provided by NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories.

The overall FIPS 199 system categorization is the high water mark for the impact rating of any of the criteria for information types resident in a system. For example, if one information type in the system has a rating of Low for confidentiality, integrity, and availability, and another type has a rating of Low for confidentiality and availability but a rating of Moderate for integrity, then the entire system has a FIPS 199 categorization of Moderate.

Page 213: Security Management
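The high water mark rule above, carried through in code as an added example (it is not part of the original page, nor code from FIPS 199 or NIST): each information type carries a Low/Moderate/High rating for confidentiality, integrity and availability, the system's category for each objective is the highest rating any of its information types carries, and the overall categorization is the highest of those three. The information-type names and ratings are constructed, and the per-objective breakdown goes one step beyond the page's two-type example.

```python
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so that max() yields the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# One information type resident in the system: name plus its C, I and A ratings.
InfoType = Tuple[str, Impact, Impact, Impact]


def parse_info_types(rows: Iterable[str]) -> List[InfoType]:
    """Parse constructed 'name,C,I,A' rows (ratings Low/Moderate/High) into InfoType tuples."""
    result: List[InfoType] = []
    for row in rows:
        name, *ratings = [field.strip() for field in row.split(",")]
        if len(ratings) != 3:
            raise ValueError(f"expected three ratings for {name!r}, got {ratings}")
        c, i, a = (Impact[r.upper()] for r in ratings)  # KeyError on an unknown level
        result.append((name, c, i, a))
    return result


def system_category(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """Security category of the system: for each objective, the highest rating
    carried by any information type resident in the system."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must contain at least one information type")
    return {
        objective: max(t[column] for t in types)
        for column, objective in enumerate(OBJECTIVES, start=1)
    }


def overall_categorization(info_types: Iterable[InfoType]) -> Impact:
    """High water mark across the three objectives: the single impact level
    that drives selection of the control baseline for the whole system."""
    return max(system_category(info_types).values())


# Constructed sample mirroring the page's worked example: two information types,
# one rated Low/Low/Low and one rated Low/Moderate/Low.
EXAMPLE_TYPES = parse_info_types([
    "type A,Low,Low,Low",
    "type B,Low,Moderate,Low",
])


if __name__ == "__main__":
    category = system_category(EXAMPLE_TYPES)
    cells = ", ".join(f"({objective}, {level.name})" for objective, level in category.items())
    print("SC system = {" + cells + "}")
    print("overall FIPS 199 categorization:", overall_categorization(EXAMPLE_TYPES).name)
```

For the constructed sample the per-objective category is Low for confidentiality, Moderate for integrity and Low for availability, and the overall categorization is Moderate, matching the page's example; a single High rating on any objective of any one information type would raise the whole system to High.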

Federal Information Security Management Act of 2002 - Security controls

Federal information systems must meet the minimum security requirements. These requirements are defined in the second mandatory security standard required by the FISMA legislation, FIPS 200 Minimum Security Requirements for Federal Information and Information Systems.

Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in Special Publication 800-53. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments.

The controls selected or planned must be documented in the System Security Plan.

Federal Information Security Management Act of 2002 - Risk assessment

The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems.

A risk assessment starts by identifying potential threats and vulnerabilities and mapping implemented security controls to individual vulnerabilities.

NIST also initiated the Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP), which support and complement the approach for achieving consistent, cost-effective security control assessments.
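Mapping implemented controls to individual vulnerabilities, as an added example rather than the page's or NIST's own method: a constructed register of threats, vulnerabilities and controls (ids such as V-1 and C-01 are placeholders, and the 1..3 likelihood and impact scales are assumed) is walked to find the vulnerabilities that no implemented control addresses and to rank the residual risk so that uncovered, high-risk items surface first.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vid: str                    # constructed placeholder id, e.g. "V-1"
    description: str
    threats: Tuple[str, ...]    # threat sources that could exploit this weakness
    likelihood: int             # assumed 1 (low) .. 3 (high) scale
    impact: int                 # assumed 1 (low) .. 3 (high) scale


@dataclass(frozen=True)
class Control:
    cid: str                    # constructed placeholder id, e.g. "C-01"
    description: str
    implemented: bool           # a merely planned control does not reduce current risk
    mitigates: Tuple[str, ...]  # vulnerability ids this control addresses


def map_controls(vulns: Iterable[Vulnerability], controls: Iterable[Control]) -> Dict[str, List[str]]:
    """For every vulnerability id, the ids of the implemented controls mapped to it."""
    mapping: Dict[str, List[str]] = {v.vid: [] for v in vulns}
    for control in controls:
        if not control.implemented:
            continue
        for vid in control.mitigates:
            if vid not in mapping:
                raise ValueError(f"{control.cid} references unknown vulnerability {vid}")
            mapping[vid].append(control.cid)
    return mapping


def unmitigated(vulns: Iterable[Vulnerability], controls: Iterable[Control]) -> List[str]:
    """Vulnerability ids that an identified threat could exploit and that no implemented control covers."""
    vulns = list(vulns)
    covered = map_controls(vulns, controls)
    return [v.vid for v in vulns if v.threats and not covered[v.vid]]


def risk_register(vulns: Iterable[Vulnerability], controls: Iterable[Control]) -> List[Tuple[str, int, bool]]:
    """(vulnerability id, likelihood x impact, covered?) with uncovered, high-risk items first."""
    vulns = list(vulns)
    covered = map_controls(vulns, controls)
    rows = [(v.vid, v.likelihood * v.impact, bool(covered[v.vid])) for v in vulns]
    return sorted(rows, key=lambda row: (row[2], -row[1]))


# Constructed sample register: three vulnerabilities, three controls, one of them only planned.
VULNS = [
    Vulnerability("V-1", "default administrator password still set on core switch",
                  ("external attacker", "malicious insider"), 2, 3),
    Vulnerability("V-2", "public web server missing vendor patches", ("external attacker",), 3, 3),
    Vulnerability("V-3", "shared file server has no backups", ("hardware failure",), 1, 2),
]
CONTROLS = [
    Control("C-01", "force credential change at device provisioning", True, ("V-1",)),
    Control("C-02", "monthly patch cycle for internet-facing hosts", False, ("V-2",)),
    Control("C-03", "daily off-site backups", True, ("V-3",)),
]


if __name__ == "__main__":
    print("unmitigated:", unmitigated(VULNS, CONTROLS))
    for vid, risk, is_covered in risk_register(VULNS, CONTROLS):
        print(f"{vid}: risk={risk} covered={is_covered}")
```

In the sample, V-2 is the only vulnerability left without an implemented control, because C-02 is still planned; it therefore heads the register even though V-1 has a comparable impact.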

Federal Information Security Management Act of 2002 - System security plan

Agencies should develop policy on the system security planning process. NIST SP 800-18 introduces the concept of a System Security Plan. System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls.

The system security plan is the major input to the security certification and accreditation process for the system.

Federal Information Security Management Act of 2002 - Certification and accreditation

Once the system documentation and risk assessment have been completed, the system's controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems. [NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems]

Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.

The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification.

Federal Information Security Management Act of 2002 - Continuous monitoring

All accredited systems are required to monitor a selected set of security controls, and the system documentation is updated to reflect changes and modifications to the system. Large changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified.

Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

Federal Information Security Management Act of 2002 - Critique

Security experts Bruce Brody, a former federal chief information security officer, and Alan Paller, director of research for the SANS Institute, have described FISMA as a well-intentioned but fundamentally flawed tool, and argued that the compliance and reporting methodology mandated by FISMA measures security planning rather than measuring information security.

Information security management system

An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The idioms arose primarily out of BS 7799.

The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

Information security management system - ISMS description

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:

The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.

The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.

ISO/IEC 27001:2005 is a risk-based information security standard, which means that organizations need to have a risk management process in place. The risk management process fits into the PDCA model given above.

However, the latest standard, ISO/IEC 27001:2013, does not use this cycle.

Another competing ISMS is the Information Security Forum's Standard of Good Practice (SOGP). It is more best-practice-based, as it comes from ISF's industry experiences.

Some other best-known ISMSs include the Common Criteria (CC) international standard and IT Security Evaluation Criteria (ITSEC).

Some nations use their own ISMS, e.g., the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of the USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of the USA, Trusted Computer System Evaluation Criteria (TCSEC) of the USA, the IT Baseline Protection Manual (ITBPM) of Germany, ISMS of Japan, ISMS of Korea, and the Information Security Check Service (ISCS) of Korea.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.

The table below illustrates the certification structure comparison of some of the best-known ISMSs, BS 7799, Common Criteria (CC) and IT Security Evaluation Criteria (ITSEC):

Operation area: BS 7799 – England; CC – about 25 countries; ITSEC – European countries.

Elements: BS 7799 – 11 security domains, 133 security controls; CC – 3 parts, 11 security functional requirements.

Process steps: BS 7799 – ... 6. Prepare a statement of applicability; CC – 1. PP/ST introduction ... 7. TOE summary specification.

Difference of process: BS 7799 – emphasis on managerial security; CC – emphasis on technical security; ITSEC – emphasis on managerial security.

Specification control point: BS 7799 – provide best code of practice for information security management; CC – provide common set of requirements for the security functionality of IT products; ITSEC – provide common set of requirements for the security functionality of IT products.

Evaluation method: BS 7799 – use the PDCA model cycle; CC – follow each certification evaluation procedure; ITSEC – follow Commission of European Communities.

There are a number of initiatives focused on the governance and organizational issues of securing information systems, having in mind that it is a business and organizational problem, not only a technical problem:

Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 that recognized the importance of information security to the economic and national security interests of the United States.

The Governing for Enterprise Security Implementation Guide of the Carnegie Mellon University Software Engineering Institute CERT is designed to help business leaders implement an effective program to govern information technology (IT) and information security.

A Capability Maturity Model (CMM) for system security engineering was standardized in ISO/IEC 21827.

ISM3 is a standard for security management (how to achieve the organization's mission despite errors, attacks and accidents with a given budget).

Information security management system - Need for an ISMS

Security experts say and statistics confirm that:

* information technology security administrators should expect to devote approximately one-third of their time addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;

* security depends on people more than on technology;

* employees are a far greater threat to information security than outsiders;

* security is like a chain. It is only as strong as its weakest link;

* the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;

* security is not a status or a snapshot, but a running process.

These facts inevitably lead to the conclusion that security administration is a management issue, and not a purely technical issue.

The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks. Critical factors of an ISMS:

* Confidentiality: protecting information from unauthorized parties.

* Integrity: protecting information from modification by unauthorized users.

* Availability: making the information available to authorized users.

A company will be capable of successfully addressing information confidentiality, integrity and availability requirements, which in turn have implications:

In doing so, information security management will enable implementing the desirable qualitative characteristics of the services offered by the organization (i.e.

Large organizations, or organizations such as banks and financial institutes, telecommunication operators, hospital and health institutes and public or governmental bodies, have many reasons for addressing information security very seriously. Legal and regulatory requirements which aim at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks.

Under these circumstances the development and implementation of a separate and independent management process, namely an Information Security Management System, is the one and only alternative.

Information security management system - Critical success factors for ISMS

* have the continuous, unshakeable and visible support and commitment of the organization’s top management;

* be an integral part of the overall management of the organization, related to and reflecting the organization’s approach to risk management, the control objectives and controls and the degree of assurance required;

* have security objectives and activities be based on business objectives and requirements and led by business management;

* undertake only necessary tasks, avoiding over-control and waste of valuable resources;

* fully comply with the organization’s philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it in control and demonstrate their fulfilled accountabilities;

* be based on continuous training and awareness of staff and avoid the use of disciplinary measures and “police” or “military” practices;

Information security management system - Dynamic issues in ISMS

There are three main problems which lead to uncertainty in information security management systems (ISMS):

* Dynamically changing security requirements of an organization. Rapid technological development raises new security concerns for organizations. The existing security measures and requirements become obsolete as new vulnerabilities arise with the development in technology. To overcome this issue, the ISMS should organize and manage dynamically changing requirements and keep the system up to date.

* Externality: an economic concept for the effects borne by a party that is not directly involved in a transaction.

* Obsolete evaluation of security concerns. The evaluations of security concerns used in an ISMS become obsolete as technology progresses and new threats and vulnerabilities arise.

ITIL - Information security management system

A basic goal of security management is to ensure adequate information security.

Security systems - Security management in organizations

Inciting factors in the convergence of security disciplines include the development of digital video surveillance technologies (see Professional video over IP) and the digitization and networking of physical control systems (see SCADA). [http://www.csoonline.com/read/090402/beast.html Taming the Two-Headed Beast], CSOonline, September 2002; [http://www.csoonline.com/read/041505/constellation.html Security 2.0], CSOonline, April 2005. Greater interdisciplinary cooperation is further evidenced by the February 2005 creation of the Alliance for Enterprise Security Risk Management, a joint venture including leading associations in security (ASIS International), information security (ISSA, the Information Systems Security Association), and IT audit (ISACA, the Information Systems Audit and Control Association).

Fraud Squad - NHS Counter Fraud and Security Management Service

The NHS Counter Fraud and Security Management Service is an independent Division of the NHS Business Services Authority and has responsibility for all policy and operational matters relating to the prevention, detection and investigation of fraud and corruption and the management of security in the National Health Service. [http://www.cfsms.nhs.uk/ NHS Counter Fraud and Security Management Service (accessed 20/152/06)]

* NHS Counter Fraud Service established in September 1998

* NHS Security Management Service was established in 2003 to form the NHS Counter Fraud and Security Management Service.

* To reduce fraud to an absolute minimum and hold it permanently at that level, releasing resources for better patient care and services

* With the delivery of an environment for those who use or work in the NHS which is properly secure so that the highest possible standard of clinical care can be made available to patients.

Federal Information Security Management Act of 2002

The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002.

OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act. [FY 2005 Report to Congress on Implementation of The Federal Information Security Management Act of 2002] In FY 2008, federal agencies spent $6.2 billion securing the government’s total information technology investment of approximately $68 billion, or about 9.2 percent of the total information technology portfolio. [FY 2008 Report to Congress on Implementation of The Federal Information Security Management Act of 2002]

Federal Information Security Management Act of 2002 - Purpose of the act

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

Federal Information Security Management Act of 2002 - Implementation of FISMA

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.

* Information Security Automation Program (ISAP)

* National Vulnerability Database (NVD) – the U.S. government content repository for ISAP and SCAP. NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).

Federal Information Security Management Act of 2002 - Inventory of information systems

The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

Information Security Management Certified Professional

1 'Information Security Management Certified Professional (ISMCP) ' is a designation awarded by INFINIDOX.

https://store.theartofservice.com/the-security-management-toolkit.html

Page 298: Security Management

Information Security Management Certified Professional

1 Relevant information security background, both theoretical and practical, is required to pass the

ISMCP http://www.infinidox.com/?a=ismcp examination.

https://store.theartofservice.com/the-security-management-toolkit.html

Page 299: Security Management

Information Security Management Certified Professional

1 * Security administration

https://store.theartofservice.com/the-security-management-toolkit.html

Page 300: Security Management

Information Security Management Certified Professional

1 * Communication systems security

https://store.theartofservice.com/the-security-management-toolkit.html

Page 301: Security Management

Information Security Management Certified Professional

1 * Applications security

https://store.theartofservice.com/the-security-management-toolkit.html

Page 302: Security Management

Information Security Management Certified Professional

1 Candidates are recommended to have a minimum of 5 years of

experience in one or more of the six topic areas that the exam covers.

https://store.theartofservice.com/the-security-management-toolkit.html

FCAPS - Security management

Security management is the process of controlling access to assets in the network. Data security can be achieved mainly with authentication and encryption. Authorization is configured with OS and DBMS access control settings.

Security management functions include managing network authentication, authorization, and auditing, such that both internal and external users only have access to appropriate network resources.

Total Security Management

'Total Security Management' ('TSM') is the business practice of developing and implementing comprehensive risk management and security practices for a firm’s entire value chain.

TSM encourages companies to manage security initiatives as investments with a measurable return and seeks to transform security from a net cost to a net benefit.

Total Security Management - Formulation

The concept of Total Security Management was first introduced in the book Securing Global Transportation Networks: A Total Security Management Approach, published by McGraw Hill in 2006.

According to Dr

The TSM approach built upon scholarly research on the issue that stressed the importance of security as a key component of the supply chain.

Total Security Management - Relation to Total Quality Management

The TSM name borrows from the management concept Total Quality Management (TQM), an approach made famous by the work of W

I suspect that there are many professionals in the transportation industry today who may not endorse security management as a core business function that can create value.

Total Security Management - Companies employing TSM

A company using the TSM methodology is meant to be able to establish a framework of focus points, metrics and feedback loops in order to elevate risk management from a non-core objective to an essential business function.

Securing Global Transportation Networks details case studies of many large companies that benefited from the implementation of aspects of the TSM approach, including FedEx, Home Depot, Hutchison Port Holdings, Maersk, Procter & Gamble, and Target, amongst others. [McGraw Hill, Book Release, October 2006, http://www.manhattan-institute.org/securing_networks/, 5/5/10]

Total Security Management - Criticism

“There are some useful ideas in the book, but the overall program may be too ambitious for many corporations to realistically consider,” writes Ross Johnson in a 2007 Security Management review. [Ross Johnson, Security Management: Book Review, October 2007, http://www.securitymanagement.com/article/securing-global-transportation-networks-total-security-management-approach, 5/5/10]

Total Security Management - Other developments

[33-9089, 2009, http://www.sec.gov/rules/final/2009/33-9089.pdf, 5/5/10]

In January 2010, ISO 28000 (ISO/PAS 28000 – Specification for security management systems for the supply chain) was updated to include an explicit reference to the Plan-Do-Check-Act model of quality management popularized by Deming. [Continuity Compliance, ISO 28002 – What’s The Buzz About?, October 2009, http://www.continuitycompliance.org/information/organizational-resiliency/iso-28002-whats-the-buzz-about/, 5/5/10]