The ISM-Community

Risk Assessment Methodology Update

rybolov — Wed, 11 Jul 2007 11:28:00 GMT

With a couple of volunteers, work on the RA Methodology has been moving forward. I spent some of the last week working on the front and back of it, adding in the niceties like the license snippet, links to other risk assessment/management guides, etc.

While I can crank out the various sections myself, I would like a couple more volunteers to help out, especially people who will "adopt" one of the following sections and commit to getting it to 75% done:

Determine Threats
Determine Countermeasures
Determine Vulnerabilities
Determine Risk

I've found that with more people working on the document, it gets a very different flavor than if there is one sole author.

Until next time

--Rybolov

The T10

tsmith — Sat, 30 Jun 2007 23:41:00 GMT

As you would have no doubt seen, the Top Ten was released last week in an absolute media frenzy :) Great to get it out there and thanks to everyone who contributed. I think it serves as a good basic guideline and hopefully offers food for thought with the 'Tips and Tricks' provided by industry veterans at the end of each section. I will get back to some more regular posting now. Thanks again to all who contributed to the Top Ten.

ISM-Community Releases Top Ten for IT Security Management

rybolov — Fri, 29 Jun 2007 20:22:00 GMT

Press Release for the ISM Top Ten List:

ISM-Community Releases Top Ten for IT Security Management

Worldwide community of information security managers cuts through the FUD to offer the fundamentals

Washington, DC June 28^th, 2007 — The Non-Profit Information Security Management Community (http: //www.ism-community.org/) today announced its ISM-Community Top Ten list, an awareness document that describes a series of key issues that effect today’s information security managers.

Taking a refreshing break from the typical fear, uncertainty, and doubt that information security managers are deluged with on a daily basis, the ISM-Community presents a simple, easily-understood, pragmatic approach towards managing information security.

"The ISM Community Top 10 will provide security management and professionals with guiding principles to build a solid program within any organization. It also serves as a great reminder to managers of existing programs to focus on the fundamentals."--Ed Bellis, CISO Orbitz Worldwide, ISM-Community Top Ten Contributor

The Top Ten list describes key concepts that should be part of any effective information security program. Organizations can quickly compare their current information security program against the Top Ten list and determine if and whether they need to improve.

“The ISM-Community Top Ten offers invaluable insight into how to get security management embedded into your organization – advice from some of the top InfoSec people in the industry.” --Tim Smith, Director Bridge Point Communication, Top Ten Main Author

The Top Ten list is released under a Creative Commons license and can be downloaded for free from the ISM-Community website at http://www.ism-community.org/files/ .

"The Chief Security Officers and Chief Information Security Officers that I’ve talked to about the ISM Top Ten have told me, ‘Finally, some home truths and straight-talking advice from real world security people and not thinly disguised marketing or spin from people wanting you to buy products’" –Mark Curphey, ISM-Community Founder

The ISM-Community is developing other projects along the lines of the Top Ten to be released throughout the upcoming months touching on 5 key focus areas: identity and privacy, risk management, policies and standards, training and awareness, and information security management commons.

"If the Top Ten is an indicator, the ISM-Community shows real promise to become the thought leaders in information security management. The Top Ten is an excellent starting point, and future projects will only build upon the foundation that the Top Ten provides.”—Michael Smith, ISM-Community Leader

For additional information or inquiries contact: Michael Smith at 703.855.0890 (Not for Publication), info.ismcommunity@gmail.com or http://www.ism-community.org/ .

About ISM-Community:

The ISM-Community, founded in 2006 by a group of information security managers, is a “Community of Practice” where people can collaborate on information security both online and in person, creating and sharing things that improve everyone’s collective working life and that everyone can use for free, without conditions. We don’t want the baggage of formal organizations, politics or hidden agendas but do want a sensible amount of organization and structure. More information can be found on our website at http://www.ism-community.org/aboutus.aspx

Downloadable .doc

Mailing Lists Coming to ISM-Community.org

mcurphey — Wed, 27 Jun 2007 17:38:14 GMT

You might well notice some changes on the home page today. The portal hasn't really had much TLC for a while and its been hard to find things and participate. That is changing. Today I installed the enterprise email gateway. This allows you to subscribe to a forum as if it were a mailing list. In fact its the best of both worlds, its both a mailing list and a forum. You can start, receive and reply to discussions using email or online via the web site and even both at the same time. It's your choice. We are having some configuration challenges with receiving and processing mail so the upgrade is not complete but you can subscribe to receive new threads via email for the Risk Management forum now and within a few days I am sure well have it all ironed out. As soon as we have this major upgrade completed I will send out an email and we enable it on all the forums.

http://www.ism-community.org/forums/ForumSubscriptions.aspx

ISM-Community Combined Feed

rybolov — Sat, 23 Jun 2007 00:30:00 GMT

With some coaching and Yahoo! Pipes non-wizardry (it's CISO-proof, all drag-n-drop programming), I have thrown together a combined blog feed that contains the feed for the "official" ISM-Community blog feeds plus the personal/work/$foo blogs from community members. If you feel slighted that I didn't include your feed, please don't send me poison-pen email letters, just drop me a nice email and I'll add you in. =) I know there are people that I missed, but I'm trying to add them as I can.

The combined blog feed is linked to from here. It's not necessarily all ISM-Related (I go off about zombies and flyfishing from time to time, Curphey talks about the varieties of grapes in his vineyard, etc) so there might be some noise that you're not so keen on.

The "official feed is linked to from here. This is a feed from the 5 focus areas and hardly has any noise at all.

Cheers
--Mike

Getting Back on the Horse

rybolov — Fri, 22 Jun 2007 02:25:00 GMT

"First we said it was too cold and that the fish were not feeding. Then we said it was too sunny and the fish were scared. Then we discovered that the fish had gone elsewhere. When we found the fish, we started casting to them with nice juicy baitfish flies."

So also is the story of the ISM Community Risk Assessment Methodology. After more than a few false-starts (Curphey changing the server platform, some flirtation with FAIR, almost scoring a free methodology to have and to hold, the apparent ADHD of the project lead), we are continuing down the merry path of creating our own risk assessment methodology.

Now that we're back to casting for trout, I would like to issue an Internet-wide call for volunteers. What I'm looking for is about a dozen people who know Risk Assessment and simultaneously know how to write well.

Really the methodology consists of several parts:

A document that describes the process (partially started)
A set of artifacts to assist in the process such as inventory spreadsheets and a risk register (partially done)
Reference implementations where we take the process and test it out (not yet, we need the process first)
References and similar projects
Glossary
Foo

I have a handy-dandy spreadsheet to track status. If you are interested in helping out, go to the RA forum at http://www.ism-community.org/forums/t/564.aspx (it's broken right now, I tried to upload the spreadsheet and it bombed out on me) or shoot me an email with a description of what you would like to help out with.

Cheers
--Mike

New Project Leader for Policies and Standards Focus Area

mcurphey — Fri, 08 Jun 2007 12:41:01 GMT

Ciske van Oosten has agreed to take over the Policies and Standards project at the ISM Community. Ciske runs a great blog focused on policies and standards at http://infosec-risk.blogspot.com/.

The idea behind the Policies and Standards project is to build and maintain a comprehensive and well written free set of policies and standards. These things are rarely competitive advantages to any company and so collaboration can benefit everyone. There are some documents now floating around as donations from various companies which is also great.

Ciske has written a great guide to policies and standards and has some great ideas and passion to make this project happen.

The discussion forum is here http://www.ism-community.org/forums/68.aspx and I am sure Ciske will be sending some updates and have a project plan via the ISM blog for the project here http://www.ism-community.org/focusareas/21/PoliciesAndStandardsBlog/focusarea.aspx

If you have any policies and standards you would donated as baseline documents please contact Ciske via the forums.

Cheers,

Mark

ISM Community Top Ten - Draft

mcurphey — Mon, 04 Jun 2007 14:43:48 GMT

I have just uploaded the ISM Community Top Ten Draft here. The intention of the T10 is to provide a short and concise awareness document. In the same genre as the SANS Top 20 and OWASP Top Ten it can be used by business managers as well as information security professionals to provoke thought about their current information security programs.

We plan to release the final document next week. There have been several volunteers who have kindly offered to translate it into other languages. The current draft requires some final touches and if anyone has some time today or tomorrow please download it, edit it with tracking turned on (important) and email it to me (mark at curphey dot com).

What is required is;

1. Proof reading (grammar, accuracy and completeness)

2. Tips and Tricks from the field added to sections 8, 9 and 10

Any major changes we can consider for an updated version later this year.

Cheers.

A quiet week....

klo — Mon, 28 May 2007 09:08:00 GMT

Since my flurry of activity a week ago and subsequent blog posting and creation of new threads, the Identity and Privacy forum has been VERY quiet....

I am not sure if it's because there was just too much information posted at one time? Or because nobody has anything to say?

Agenda this week is that I pull together the framework for the 'identity and privacy' guide. That I promised before the end of May, and just realised that this is Thursday this week! Time passes fast when it's fun!

Any suggestions on how I can 'spice' up forum activity appreciated?

I am still looking for volunteers that have legal experience in IT to help us unravel the complexities when it comes to global privacy laws. I have created to threads for this in the forums space of identity and privacy.

Karen

What is an identity?

klo — Mon, 21 May 2007 18:56:00 GMT

Hi, here comes the weekly update.... I am trying to post on during the weekend, but didn't make it this weekend. However I do have a very nice new home office that materialized over the weekend, so feeling it was pretty productive, means I have a more comfortable environment on which to sit and post away on this ISM-community :-)

It has started raining this evening, so also very good weather today to be sitting indoors! Pity I can't send some of this 'down-under', according to Tim they're having a bad time through lack of rain there, and here is so lovely and wet!

OK, so updates during the week are as follows:

1. What is an identity? It doesn't matter how may virtual identities you have, whether they are alias or not, they all count as your identity and can have an impact on your reputation -your real reputation and your virtual. Check out the forum to understand how we got here. If you dispute these conclusions, then you are welcome to post.

2. There have been agreements also concerning the definitions of 'identification' and 'authentication'. Check out the glossary being compiled by Mark in the downloads space. If you want to understand how we got here take a visit to the forum. We are also in agreedmentconcerning what is meant by authorization surprisingly! Although there maybe some subtle re-wording later.

3. A standard Privacy Policy has been uploaded into the download space. Although this is just one of several. I plan to add additional policies that include 'opt-in' and 'opt-out' as defaults. Check out the privacy forum for more information on what I mean here.

4. There are 2 new threads looking at privacy legislation. The first thread on adoption of the DPA in the EU on a local country level, the second thread in on differences in legislation between the EU and the US. Each of these threads are looking pretty empty right now, so please go in there and start posting!

This is all for now, have fun posting and look forward to meeting you there!

Karen

Weekly update - privacy policy donated and definition for AuthN

klo — Sun, 13 May 2007 16:40:00 GMT

We have a standard privacy policy donated by SourceClear. Check out the following http://www.ism-community.org/forums/t/551.aspx.

And there have been some lively discussions concerning definitions on identity, identification, authentication and authorization that apart from being lively have been fun and got some of us thinking...

We have a glossary definition for AuthN: http://www.ism-community.org/blogs/commonsblog/archive/2007/05/10/it-s-all-about-semantics.aspx

We are ready to roll out more.... although my apologies the last week that I haven't been so active as I have had other committments.

Looking forward to another fun week!

Karen

Another week...

tsmith — Sun, 13 May 2007 10:58:00 GMT

Another top ten review... This time, the entire ISM top ten is being put into one overall document and into a bit more of a logical flow. I'm awating the esteemed members of the Steering Commitee to review and we will re-publish. Each individual item in the top ten has been downloaded a few times but solid feedback has been somewhat lacking - hoping this will change that.

I am trying to get together a list of Security Awareness online courses. Is anyone working on any open source versions at the moment that are SCORM compliant? Would love to se somethign we could start to use maybe to take the top ten to the next level - having an online distribution model.

Please assist!

Policies and Standards -Week Deux

mcurphey — Thu, 10 May 2007 14:33:14 GMT

The summer is finally here in the South of France. Its 86 today and from this point until the end of Sept it should be sunny and hot.

We had a few offers for some policy documents but sadly most had strings attached that meant they would not be suitable for everyone to consume so it looks like well just need to start from the ground up.

My plan is as follows.

This week: review a stack of links I have to whitepapers, blogs etc about policies and standards and summarize them along with some notes. From this we can then create a plan that solves the problems and develop a list of tasks.

Anyone volunteer to help me write some content?

Jason made some interesting points about writing policies and cited his blog.

http://infosecalways.com/2007/05/08/roles-responsibilities-in-policy/

From the comments in his blog it seems there is some interest in defining roles and responsibilities in Information Security.

I have so much going on I forgot to post this and ask for a volunteer to get this idea off the ground. How about if we created an org chart of a few typical security departs (reporting up through the CIO, through legal and compliance, via another route etc) and defined a set of roles and responsibilities for the actors. I think this would be a valuable resource for many reasons. Any volunteers? I have a user persona template form which to start and I'll buy you as much beer as you can drink in a 24 hour sitting!

It's all About Semantics

mcurphey — Thu, 10 May 2007 14:18:32 GMT

As you can see from the rolling titles on the front page of the ISM Community just getting agreement on simple terminology is not as simple as it could be. Thanks to some great contributions from ebreece, jason and dave we are starting to roll.

I have added a definition block to the Glossary working document that looks like this and when we are happy with the first set of definitions I will add them.

Title

Authentication

Definition

The process of determining whether someone or something is, in fact, who or what it has declared itself to be.

Examples

User KLO is authenticated as she was able to provide her secret pass code.

I checked the dollar bill to authenticate that is was indeed real.

References

Insert them here

Notes

Insert them here

ISM Community Discussion URL

http://www.ism-community.org/forums/t/542.aspx

As always if anyone would like to volunteer to own updating the glossary and can commit to doing so in a regular basis please drop myself or Paul Zedeck an email.

What you don't see can't hurt you, my son

tsmith — Sat, 05 May 2007 14:31:40 GMT

Things are a little strange in the State of Queensland. We are on level 5 water restrictions meaning no car washing (suits me), 4 minute showers (thats 3.45 minutes over what I have anyway), I can't even put any more water in the swimming pool so you can see this is pretty serious. 100kms North of Brisbane lies the Sunshine Coast area - these boys have their dams at 80% capacity! Laughing and joking as they water their car, garden, flush the toilet 20 times - they probably even water the water that's how much water they have.

In a week where our esteemed prime minister, Little Johnny Howard told us to all pray for rain, you might think that perhaps we have lost a few marbles in this very very brown land. I've just found out that there's a national rain day here in Canberra on the 8th May. Mr McCallum of Melbourne, said National Rain Day involved people standing on the earth barefoot and being led through a guided short visualisation at 11am on the day. “The process is a prayer of attracting rain through raising collective consciousness, as opposed to attracting the lackof rain by acknowledging it,” Mr McCallum said. “This is a powerful tool that everyone can use to create positive change. Many successful sports people and ancient races use visualisation.”

Well, I can visualise a lot of press for McCallum, a speaker and meditation leader of 17 years who helps people create the life they want to live with the law of attraction and quantum physics. “When you hold a thought with emotion for one minute and 11 seconds, you will attract that which you think about. Well, I vote we get some sponsorship at the ISM Community and get Mr McCallum around to a few of our cleints to give him the ultimate test - not easy stuff like making it rain but writing a series of policies and procedures that people read, get and follow. I can visualise Mr McCallum a beaten man and I further see me madly visualising for my alloted one minute and 11 seconds and still not understanding why any one would support Tottenham Hotspur.

The Top Ten is Complete

tsmith — Fri, 04 May 2007 12:10:43 GMT

The ISM Top Ten is now complete! All ten now uploaded for everyone's pleasure. Please check them out and give me your opinions.

Welcome to the Identity and Privacy Blog!

klo — Thu, 03 May 2007 10:28:00 GMT

Welcome to the Identity and Privacy Focus Area. I plan to blog post here weekly with news of progress for those that don't want to delve into the forums / mailing lists. You can subscribe to these updates via RSS at the side bar.

A lot of research needs to be done: firstly we need to see what is going on already in this space. Typical examples are Liberty Alliance, Higgins and Eclipse, and FRAME projects, all in the space of identity and privacy. We need to understand these projects what they offer and how they differentiate. What can we take from there and re-use? What can we offer in addition to help clear the confusion that we all feel when presented with yet another ideal solution to resolve the identity management nightmare. In addition we need to dive into the changing landscape of identity and privacy, keep abreast of what's happening out there, as it affects every one of us. Check out my blog to have an idea of what I mean here.

1. The first project I have started as part of this Focus Area is to agree on definitions for common terminology used in the identity and privacy space. For example when we talk about identity what are we talking about? A couple of threads have been started in the forum area for identity and privacy to encourage discussion. Take a look... the idea is not that there is a right or wrong answer, the point is that when we are in the future discussing identity, authentication or authorization or whatever, that we all are talking the same language. A tip: when we are discussing these fundamentals, try and get back to basics. The result from these discussions will provide the foundation for all subsequent discussions and projects.

2. A parallel project will be the creation of a standard Privacy Policy. I have not started this yet. If you would like to volunteer to help please post to the identity and privacy forum. I will start a thread later today. Of course it goes without saying that if any company would like to donate their policies and standards or anyone has anything which would make a solid base then please contact me. We can make sure there is nothing sensitive and all identifying data is stripped out before they are placed online.

Welcome and look forward to meeting you online!

Karen

State of Risk Management in ISM-Community

rybolov — Wed, 02 May 2007 15:50:00 GMT

ISM-Community was originally created and the steering committee formed in Fall of 2006. During that time, one of our key activities was to come up with a list of projects that were worthwhile, and that list became somewhat of a direction for us to move in.

One of the first priorities has been to develop a risk assessment methodology. Me being of a US Government mindset, my first question was "What's wrong with NIST SP 800-30?" Well, 800-30 is a good start, but like I've said before, there are some things such as templates, examples, and suggestions that NIST can't give you because then all the auditors take it as gospel/doctrine instead of implementation technique. We want to bridge that gap.

We traveled down the RA Methodology road over the past 6 months or so and due to a handful of factors, mostly time constraints (find me a security person worth anything at all and they're up to their eyeballs in projects) and a couple of false paths we've gone down (FAIR was a good one, but we had a philosophy/licensing issue), the project has stuttered.

What remains to be done? Well, this is my roadmap for the near- to moderate-term future:

Finish off the remaining RA Methodology sections
Creation of artifacts/templates/examples to support the methodology
Field-testing to validate the methodology

At some point, the artifacts will suffer from scope-creep as they become a set of ISM . That's OK.

In true NPO form, I'm asking for volunteers who can help out. The first step is to look at the existing incarnation of the RA Methodology and make recommendations.

One more to go

tsmith — Wed, 02 May 2007 12:23:00 GMT

Took some advice and have blasted 9 of the ISM Top Ten up for review. The 10th and final one, 'Make it easy for people to do the right thing (Polices and Proceudres Matter) will follow real soon.

First of the ISM Top Ten - Use, Adopt and Align to Industry Standards

tsmith — Wed, 02 May 2007 01:26:00 GMT

I've just published the first guidline out of the ISM Top Ten as referenced in my previous blog post. Look forward to some feedback, in the meantime, I'll keep them coming on a weekly basis!

TS.