All right. Now, just a little bit ago I mentioned the idea of the desired state versus the current state, and we usually talk about that in terms of gap analysis, which means: here's where we are, here's where we want to be, and what do we think about as far as how we can close the gap?
So when we talk about the current state, we only know that by doing assessments and documenting that information.
Now, where do we want to be? What is the desired state? Ultimately, what's our vision? We've got to think about all the conditions and how we're going to satisfy our ultimate goals. How do we get there?
Principles, policies, procedures, standards, guidelines, training of our individuals,
working towards making changes to those policies and addressing the areas where we fall short. Perhaps we might need to examine the foundational structure that led us to the wrong place in the first place. What I mean by that is, if we're not compliant, or if we're not at the desired state,
somewhere along the line we missed the mark. So one of the things that is frequently helpful is to go back and look at frameworks from organizations that have been successful and figure out how we can tailor those frameworks to our organization. So when we do talk about
security policies and look at some well-known security frameworks,
there are a handful that are very useful: the one from the Information Security Forum; 27001 and 27002 from the International Organization for Standardization; ISACA, once again, has COBIT; and there's COSO from the Committee of Sponsoring Organizations of the Treadway Commission. There are numerous frameworks out there. I'm going to mention just a couple of them.
These are frameworks. They're not written in stone, and they're not detailed step-by-step methodologies. They're the principles and the foundation on which to build a security program. So if you look at COBIT, we're on COBIT 5 right now,
the idea behind COBIT is that you start out with your organizational goals:
where do we want to be as an organization? And we map those down the hierarchy all the way to the point where we get to our information technology goals. That's the right way around, because IT goals have to support the organizational goals.
So we do that mapping.
And again we're looking at benefits versus risks, that cost-benefit analysis. We're looking to secure the organization as a whole, not just IT, but taking these broad enterprise goals
and achieving them each step of the way. So COBIT has five principles,
and we start off with meeting stakeholder needs, because that's ultimately what the business is about: satisfying our shareholders or stakeholders, making sure that our customers are happy. So we have to start by looking at those needs in a very broad sense. Then there's
the idea of covering the enterprise
end to end, making sure that all the elements of our enterprise are in line with satisfying those objectives, meeting those needs of the stakeholders. Then there's the idea of applying a single integrated framework. This is a real benefit because
many times we have very disjointed operations between departments,
and one department might be following one standard while department B might be following another. COBIT is a framework that applies to the organization as a whole. It's not just an IT framework,
and the idea of a holistic approach is tied in. We're looking at the organization as a whole rather than lots of little bits; we're viewing the enterprise as a complete
entity in and of itself. And then the final principle is separating governance from management. We've talked about that: the idea that governance is concerned with setting the direction of the organization,
very broad, very high-level directives, whereas management figures out how to accomplish those directives. So think of governance as what we're trying to do and management as how we get there, and make sure neither oversteps its bounds. So those are the five principles of COBIT 5,
and then just some additional information on it:
again, helping us figure out stakeholder needs, making sure that we're using our resources effectively, making sure IT is integrated into business functions, and not just IT but information security as well,
making sure that it is cohesive and compatible with other frameworks that are out there, like the framework from the Project Management Body of Knowledge,
the framework from ITIL, or ISO, or any of those organizations. We actually do have a course here on COBIT that you might find helpful.
All right, now ITIL. ITIL is very popular: the Information Technology Infrastructure Library. This really is the standard for information technology service management. There are five publications from ITIL that walk through service strategy, service design,
service transition, service operation, and then that phrase that we always think about, continual service improvement.
We can always get better. But how?
If you're taking a test for the Certified CISO, or you're taking the CISM exam, or any of those others, these frameworks are not particularly testable. But from a knowledge standpoint in information technology, I would at least be knowledgeable about each of these frameworks
through at least the introductory level,
or the foundation level with ITIL, too.
All right, OCTAVE. This is a risk assessment mechanism, and the name spells out what it does: Operationally Critical Threat, Asset, and Vulnerability Evaluation. Those are really the elements that make up a risk. It's self-directed, because we feel like those internal to the organization probably have the
best feel for the threats and the vulnerabilities that exist,
so it's a set of tools and processes that go through identifying assets and the threats and vulnerabilities to them, and then developing a strategy for mitigating them. So OCTAVE is all about risk management.
Now the ISO 27000 series. The International Organization for Standardization, in its 27000 series, has several documents that are particularly helpful to us. ISO 27001 covers the establishment, implementation, control, and improvement
of an information security management system,
so ultimately it should span the life span of the ISMS. How do we implement it, how do we monitor and control it, how do we improve it? And the idea is that your information security management system should follow the Plan-Do-Check-Act model, meaning we're never complete.
We plan for security, we implement security, we check to see if it worked, and then we act upon our findings.
So the idea is that you're constantly involved in security management. Now, I said 27002: these are the best practices. So this is the practical "how": how are we going to implement these security controls? And it organizes the controls into separate domains (ten in the original ISO 17799, more in later editions) that we have to be concerned with
in information security management systems:
access control, business continuity, risk management, and some of the other key elements that are part of security.
ISO 27004 gives us some measurements that we can consider implementing to make sure that we can evaluate our program. 27005 looks at risk management, and then 27799 looks at the strategies for protecting personal health information. So the ISO 27000 series is
very, very useful as a framework that's been proven to be successful over and over again.
And here's just a little illustration of the Plan-Do-Check-Act model. This is sometimes referred to as Deming's model, because W. Edwards Deming is really credited with popularizing it. It was actually created by a gentleman named Shewhart, but Deming popularized it,
and specifically he talked about this model in relation to
quality assurance. But if you've ever done any sort of project management, you know how your focus is on quality.
Well, in our environment, quality is security, right? That's what we're trying to deliver: a quality product, a secure product. So the Plan-Do-Check-Act model works perfectly well here. Now, another framework, or
additional guidance, maybe, on how we get to the desired state
is to look at the maturity of our processes. Many different entities have maturity models. The one that I'm showing is the Capability Maturity Model Integration (CMMI), and that comes to us from the Software Engineering Institute at Carnegie Mellon. And ultimately,
the philosophy is that the more mature your project management,
the more mature your process, the better your product will be. Now I'm paraphrasing a little bit, but that's the idea. So it focuses on maturing your processes rather than your projects. There are five levels of maturity, starting at the very lowest, which is initial.
And that means that we're just getting started.
In reality we're not really managing projects; we're just producing stuff. You hear phrases like "chaotic" or "requires heroic effort to be successful." So as you can guess, nobody's really striving for Level 1. Then we have repeatable, then we go to defined,
then measured, and then optimizing,
and each one of these levels improves on the one before, to the point where we get to optimizing, where the focus is on continual process improvement: make the product or the process a little more efficient, a little higher quality.