Focus on Resiliency: A Process Improvement Approach to Security

Similar documents
Risk and Resilience: Considerations for Information Security Risk Assessment and Management

Improving Operational Resilience Processes

CERT Resilience Management Model

Inside of a ring or out, ain t nothing wrong with going down. It s staying down that s wrong. Muhammad Ali

An Overview of the Smart Grid Maturity Model (SGMM)

Applying CERT-RMM: Users Group Workshop Experiences. 12 th Annual CMMI Technology Conference and User Group

Defining a Maturity Scale for Governing Operational Resilience

Update Observations of the Relationships between CMMI and ISO 9001:2000

CERT Resilience Management Model, Version 1.2

Lesson Learned from Cross Constellations and Multi Models Process Improvement Initiatives

Going Global using EPM to optimise strategic execution

Understanding Model Representations and Levels: What Do They Mean?

Organizational Synthesis - CMMI, The Glue That Binds

CARNEGIE MELLON UNIVERSITY

A Global Overview of The Structure

Security Today. Shon Harris. Security consultant, educator, author

Global Headquarters: 5 Speen Street Framingham, MA USA P F

CMMI-DEV V1.3 CMMI for Development Version 1.3 Quick Reference Guide

PM Architecture Design as a Critical Success Factor in CMMI Model Implementation

Contents. viii. List of figures List of tables OGC s foreword Chief Architect s foreword. 5 Continual Service Improvement methods and techniques 93

BC & RISK MANAGEMENT: CONVERGENCE IS REAL David Halford Forsythe Solutions Group Frank Perlmutter Strategic BCP

Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes

CERT Resilience Management Model, Version 1.2

Business Resilience: Proactive measures for forward-looking enterprises

Texas Tech University System

Complexity and Software: How to Meet the Challenge. NDIA CMMI Technology Conference

Practical Risk Management: Framework and Methods

CMMI for Services Quick Reference

Application of the CERT Resilience Management Model at Lockheed Martin

Introduction to Software Product Lines Patrick Donohoe Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

COMPLIANCE TRUMPS RISK

CGEIT Certification Job Practice

Patricia A Eglin David Consulting Group

Benchmarking Software Assurance Implementation. Michele Moss SSTC Conference May 18, 2011

Plans for a Balanced Scorecard Approach to Information Security Metrics

Dr. Nader Mehravari Research Scientist, CERT Division

Benchmarking Compliance Effectiveness:

CMMI-SVC V1.3 CMMI for Services Version 1.3 Quick Reference Guide

Staged Representation Considered Harmful?

Business Continuity Maturity Model Margaret D. Langsett Executive Vice President Virtual Corporation

When Recognition Matters WHITEPAPER OCTAVE RISK ASSESSMENT WITH OCTAVE.

Customer Experience and Analytics Maturity Model.

Mission Success in Complex Environments (MSCE)

September 17, 2012 Pittsburgh ISACA Chapter

Software Process Assessment

Presentation for INCC LUMS 2008 May 2, 2008 Presented by Shahed Latif, KPMG LLP, Silicon Valley

CMMI for Services (CMMI -SVC) Process Areas

ENTERPRISE RISK MANAGEMENT LESSONS LEARNED FROM ERM IN A PUBLIC SECTOR ORGANIZATION

CMMI DEVELOPMENT V2.0. Driving Performance Through Capability

Aligning IT risk management with strategic business goals

Building A Holistic and Risk-Based Insider Threat Program

The Business Value of Enterprise Architecture

Contents. viii. List of figures. List of tables. OGC s foreword. 6 Organizing for Service Transition 177. Chief Architect s foreword.

An Overview of the AWS Cloud Adoption Framework

CMMI for Services: The Strategic Landscape for IT

IBM Service Management solutions To support your IT objectives. Create and manage value throughout the entire service management life cycle.

SCAMPI V1.1 Method Overview

An IT Governance Journey April Disclaimer: opinion being those of presenter(s) and not necessarily State Farm

Measuring Operational Resilience Using the CERT Resilience Management Model

What s New in V1.3. Judah Mogilensky Process Enhancement Partners, Inc.

CMMI ACQUISITION MODEL (CMMI-ACQ):

Translate stakeholder needs into strategy. Governance is about negotiating and deciding amongst different stakeholders value interests.

MEASURING PROCESS CAPABILITY VERSUS ORGANIZATIONAL PROCESS MATURITY

Business Process Improvement Guided by the BPMM i

CMMI for Services: Re-introducing the CMMI for Services Constellation

How to Assure your Subcontractors Quality with Cross Constellations and Multi Models Inspiration Continues Process Improvement Initiatives

INFORMATION SERVICES FY 2018 FY 2020

DORNERWORKS QUALITY SYSTEM

Advanced Engineering Environments for Small Manufacturing Enterprises

Information and Communication Technology

CMMI V2.0 MODEL AT-A-GLANCE. Including the following views: Development Services Supplier Management. CMMI V2.0 outline BOOKLET FOR print.

John Liuzzi, CBCP, CBRITP National Director, Business Continuity Southern Glazer s Wine and Spirits

PRM - IT IBM Process Reference Model for IT

The Potential for Lean Acquisition of Software Intensive Systems

Using the Equity in AS9100C to Implement CMMI-DEV Maturity Level 3

IT as a Service. Bryan Zigler Boeing 9/27/2016

Highlights of CMMI and SCAMPI 1.2 Changes

M. Lynn Penn Lockheed Martin Integrated Systems and Solutions November 2004

Taking ERM to a. 6 GRC Today / October 2015

Assessment of IT Operations. Frameworks* An Overview

Process Quality Levels of ISO/IEC 15504, CMMI and K-model

Operational Excellence in Healthcare. Creating a Culture of High Reliability: Driving Culture Change

Beyond IPPD: Distributed collaboration in a Systems-of-Systems (SoS)- context

ISO 28002: RESILIENCE IN THE SUPPLY CHAIN: REQUIREMENTS WITH GUIDANCE FOR USE

Executive Teams and the Use of ISO in Decision Making. Scott Wightman, ARM-E National Director Gallagher ERM Practice

Generating Supportive Hypotheses

San Francisco Chapter. Presented by Scott Perry - Slalom Consulting

FDA Case for Quality MDDA Pilot. November 15, 2017 Rob Becker Director, Quality Edwards Lifesciences

Leading a Successful DevOps Transition Lessons from the Trenches. Randy Shoup Consulting CTO

9/24/2011 Sof o tw t a w re e P roc o e c s e s s s Mo M d o e d l e s l 1 Wh W a h t t i s i s a Pr P oc o ess s 2 1

Braindumps COBIT5 50q

CMM,,mproving and,ntegrating

ENTERPRISE RISK MANAGEMENT USING DATA ANALYTICS. Dan Julevich and Chris Dawes April 17, 2015

Selftestengine COBIT5 36q

Surviving and thriving in the face of change

What is ITIL 4. Contents

CERT Resilience Management Model Capability Appraisal Method (CAM) Version 1.1

A Real-Life Example of Appraising and Interpreting CMMI Services Maturity Level 2

ITIL CSI Intermediate. How to pass the exam

MBA BADM559 Enterprise IT Governance 12/15/2008. Enterprise Architecture is a holistic view of an enterprise s processes, information and

Transcription:

Focus on Resiliency: A Process Improvement Approach to Security Introducing the Resiliency Engineering Framework Rich Caralli & Lisa Young Software Engineering Institute CSI 33 rd Annual Security Conference and Exhibition 06 November 2006

Software Engineering Institute Established in 1984 Federally Funded Research and Development Center (FFRDC) College-level unit of Carnegie Mellon University Includes five technical programs aimed at helping defense,. government, industry, and academic organizations to continually improve software-intensive systems Widely-known brands CERT Coordination Center Capability Maturity Model Integration (CMMI) 2

Agenda An evolving view of security Operational resiliency Embracing a process view Introducing the Summary and questions 3

A new operational environment -1 No operational boundaries Pervasiveness of technology Expanding and rapidly changing risk profile High dependency on upstream partners Successes are short-lived Skills have shorter longevity Less resources, more demands 4

A new operational environment -2 Increasing regulatory requirements Criticality of data and information Distributed workforce Heightened threat level and increasing uncertainty Insurance costs Poses a new environment in which security must be effective and efficient 5

The problem with security management Poorly planned and executed function Business units not involved Usually bolted on as an afterthought Security seen as technical problem Searching for magic bullet: CobiT, ITIL, ISO17799 Poorly defined and measured goals Funding model reactive, not strategic Not connected to continuity of operations planning 6

Organizational impact False sense of accomplishment Misalignment of operational and security goals Reinforcement of silos Less-than-resilient assets, processes, services Misalignment with business objectives Wasted human and financial resources Compliance at the expense of effectiveness Failure to manage operational risk. 7

An evolving view of security -1 Security is an operational risk management activity Security has two purposes: Prevent disruption to core business drivers Sustain the survivability of the organization s mission. Security is not an end, but a means to achieving higher organizational goals 8

An evolving view of security -2. 9

Operational risk and resiliency Operational risk is the risk that results from Failed internal processes Inadvertent or deliberate actions of people Problems with systems and technology External events Operational resiliency is the organization s ability to sustain the mission in the face of these risks 10

Operational resiliency is an emergent property Operational resiliency depends on effective management of core ORM activities Security is one.. but so are Business Continuity and IT Operations Management Operational resiliency emerges from how well these activities are coordinated and executed toward a common goal 11

Security and operational resiliency Focus on keeping critical assets safe from harm Limiting threats and managing impacts Manage confidentiality, integrity, and availability Manage condition 12

Business continuity and operational resiliency Limit unwanted effects of realized risk Ensure availability and recoverability Manage consequence 13

IT Operations Management and operational resiliency Limit vulnerabilities and threats that originate in the technical infrastructure Ensure availability and recoverability of technology 14

Collaborating toward a common goal. 15

Operational resiliency in practice. 16

An emerging holistic view Organization is dependent on the productivity of four assets: People Information Technology. ASSET Facilities Each asset must be protected and sustainable PROTECT SUSTAIN 17

A holistic risk perspective 18

Collaborating toward a common goal Resiliency means managing the conditions and consequences of risk balanced. against business drivers and costs 19

A mission focus SERVICE ORGANIZATIONAL MISSION Business Process 1 Business Process 2 PROCESS MISSION. SERVICE MISSION PROCESS MISSION PEOPLE INFO TECH FACILITY 20

How does an organization achieve this? Organizations are not structured today to facilitate collaboration toward a common goal of resiliency Deficient funding models Management direction and oversight lacking Practice-driven Compliance-focused Need to view resiliency as a definable, manageable, enterprise-wide process 21

Embracing a Process View of Security and Operational Resiliency

Defining a process approach Elevating the management and coordination of operational-resiliency focused activities to the enterprise level Shared goals and resources Elimination of redundancy and stovepipes Elimination of framework quagmire through practice integration Measuring process effectiveness Moving toward process improvement 23

How does process differ from practice? Process Describes the what Set and achieve process goals Manage process to requirements Select practices based on process goals Can be defined, communicated, measured, and controlled Practice Prescribes the how No practice goals Tends toward set and forget. mentality Reinforces domain-driven approach One size does not fit all Regulatory vehicle 24

The lure of best practices -1 Best practices are effective ways to approach improvement in a critical organizational activity, like security Best practices ARE NOT a substitute for an actively planned and managed process 25

The lure of best practices -2 Best practices... Are often industry or discipline-specific Change/evolve frequently Don t have process improvement or management aspects built-in Don t provide long-term, sustainable success Can reinforce stove-piping and silos People still must implement and manage them Can create a management quagmire 26

The relationship between process and practice. 27

Embracing process improvement Improvement in meeting resiliency goals is dependent on the active management of the process Process maturity increases capability for meeting goals and sustaining the process Are we resilient? or Are we secure? is answered in the context of goal achievement rather than what hasn t happened Facilitates meaningful, purposeful selection and implementation of practices 28

How mature are your processes? Most organizations have some process (implicit or explicit) for resiliency engineering, but it may not be effective for meeting goals. Thanks to www.betterproductdesign.net/maturity.htm for the generic categories. 29

Lack of process No process defined or performed Anarchy and heroics No awareness of benefits of process-orientation AD-HOC Common attributes: Focus on events Ambiguous lines of responsibility Funding sporadic No alignment to strategic drivers Highly dependent on people No governance structure 30

Partial process Process recognized Still functionally focused (not enterprise-wide) Not repeatable or actively managed VULNERABILITY-DRIVEN Common attributes: Focus on vulnerabilities Responsibility emanates from IT Considered an expense or burden Awareness of strategic drivers Still dependent on people and vul catalogs Informal governance 31

Formal process Performed and managed Repeatable Spans enterprise Not completely ingrained in culture RISK-DRIVEN Common attributes: Focus on critical assets Responsibility of key organizational managers and IT Funded as an expense Implicit alignment to strategic drivers Dependent on localized risk management Informal governance, possibly CRM 32

Cultural Performed and managed Repeatable and proactive Spans and involves enterprise Process continually measured and improving Fundamental to organizational success ENTERPRISE-DRIVEN Common attributes: Focus on critical assets, processes, strategic drivers Responsibility of high-level executive Capitalized Explicit alignment to strategic drivers Reliant upon enterprise capabilities Formal governance and feedback 33

Increasing levels of competency 34

Maturity from a security perspective Technical problem Owned by IT Expense-driven Practice-centric Security and survivability Business problem Owned by organization Investment-driven Process-centric Enterprise resiliency 35

Toward continuous improvement 36

Introducing the Resiliency Engineering Framework

What is resiliency engineering? The process by which an organization establishes, develops, implements, and manages the operational resiliency of services, related business processes, and associated assets Requirements-driven security and business continuity Building resiliency into assets/processes/services and managing to an appropriate level of adequacy 38

The A framework of practice for integration of security and business continuity activities toward achievement of operational resiliency Defines basic process areas and provides guidelines for security and BC/DR process improvement Captures vital linkages between security, BC/DR, and I/T ops in the process definition Addresses operational risk management through process management Establishes a capability benchmark 39

Project history and evolution. 40

Development history OCTAVE development and fieldwork Affinity analysis of 750 practices Identification of capabilities Identification of processes Development of process goals and practices Exploration of maturity concepts Exploration of assessment methodologies 41

Framework architecture Represents processes that span four basic areas: Enterprise management Engineering Operations management Process management Considers the resiliency of people, information, technology, and facilities in the context of services and business objectives 42

Enterprise management processes Enterprise capabilities that are essential to supporting the resiliency engineering process RSKM Risk Management EF Enterprise Focus COMP Compliance Management FRM Financial Resource Management HRM Human Resource Management 43

Operations management processes Capabilities focused on sustaining an adequate level of operational resiliency SAM Supplier Agreement Management SRM Supplier Relationship Management AMC Access Management and Control IMC Incident Management and Control VM Vulnerability Management EC Environmental Control KIM Knowledge and Information Management SOM Security Operations Management ITOPS IT Operations Management 44

Engineering processes Capabilities focused on establishing and implementing resiliency for organizational assets, business processes, and services RD Requirements Definition RM Requirements Management AM Asset Management COOP Continuity of Operations Planning REST Restoration of Operations Planning CSI Control Selection and Implementation RAD Resilient Architecture Development 45

Process management processes Enterprise capabilities related to defining, planning, deploying, implementing, monitoring, controlling, appraising, measuring, and improving processes OT Organizational Training OPF Organizational Process Focus OPD Organizational Process Definition MA Measurement and Analysis MON - Monitoring 46

Using the framework Establish current level of capability Set forward-looking resiliency goals and targets Develop plans to close identified gaps Build resiliency into important assets/processes/services and architectures Reduce reactionary activities; shift to directing and controlling activities Align common practices with processes to achieve process goals. 47

Collaborating with industry Eighteen month collaboration with Financial Services Technology Consortium Identify mature practices in mature industries: banking and financial services Two phases of work capability identification and process definition 48

Financial Services Technology Consortium Established in 1993 Member-owned consortium for collaboration between financial services-focused organization Explore new technologies and methodologies to address today s business requirements Projects: Technology Review Compliance Business Continuity Maturity Model 49

FSTC Project Members Ameriprise Bank of America Carnegie Mellon Capital Group Citicorp Discover DRII DRJ IBM JPMorgan Chase Key Bank KPMG MasterCard Marshall and IIsley NY Federal Reserve Bank SunGard Trizec Properties US Bank Wachovia 50

Where do we go from here? Release REF v0.9 in October 2006 for comments Establish guidelines for improving the security and business continuity processes Phase III expansion of model development and piloting Exploration of integration with other existing models Development of appraisal methodology to measure capability for managing resiliency 51

Summary and questions Operational resiliency must be actively managed Security, BC/DR, and IT Ops must collaborate Model-based process improvement brings defined, systematic, repeatable, consistent, and improvable processes Approach must be flexible and adaptable No one-size-fits-all solution 52

Contact Us Speakers Richard Caralli rcaralli@cert.org Lisa Young lry@sei.cmu.edu Phone 412-268-5800 (8:30 a.m. - 4:30 p.m. EST) Web http://www.cert.org http://www.cert.org/nav/index_green.ht ml Postal Mail Software Engineering Institute ATTN: Customer Relations Carnegie Mellon University Pittsburgh, PA 15213-3890 53

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback