
Security Management


“Tackling ISO27001 - A Project to Build an ISMS” was part of David Henning’s GIAC Certified Project Manager Gold certification.

The paper describes the implementation of an ISO/IEC 27001-compliant ISMS using the Project Management Institute’s Project Management Body of Knowledge (PMBOK) within a satellite broadband company subject to PCI-DSS. There are excellent pointers here for others implementing an ISMS.

Icelandic information security consultancy Stiki ehf has released a series of short case studies on ISO/IEC 27001/2 implementations. Please thank Stiki for kindly allowing us to share these case studies with you.

The French language ISO27k white papers “ISO 27000: Le nouveau nirvana de la sécurité?” and “ISO 2700x: une famille de normes pour la gouvernance sécurité” were co-written by a member of the ISO27k Forum whose organization was certified compliant with ISO/IEC 27001.

Nearly 40 “ISO27k” standards are planned, more than half of which have been published and are on sale from various official ISO/IEC outlets (not us!):

ISO/IEC 27000:2014 provides an overview/introduction to the ISO27k standards plus a glossary for the specialist vocabulary.

ISO/IEC 27001:2013 is the Information Security Management System (ISMS) requirements standard, a formal specification for an ISMS.

ISO/IEC 27002:2013 is the code of practice for information security controls, describing good practice information security control objectives and controls.

Implementing Knowledge Management, Part I: Concepts & Approach, Page 2

Phase 3: Define high-level process - To facilitate the effective management of your organization's knowledge assets, you must begin to lay out a high-level KM process.


The process can be progressively developed with detailed procedures and work instructions throughout phases 4, 5, and 6, but must be finalized and approved prior to "Phase 7: Implement Knowledge Management Program." Organizations that overlook or loosely define the KM process will not realize the full potential of their KM objectives. How knowledge is identified, captured, categorized, and disseminated will be ad hoc at best. There are a number of KM best practices, all of which comprise similar activities.

In general, these activities include knowledge strategy, creation, identification, classification, capture, validation, transfer, maintenance, archival, measurement, and reporting.

Implementing Knowledge Management, Part I: Concepts & Approach, Page 1

By Robert Simmons of the Forsythe Solutions Group

A winning knowledge management program (KMP), one that increases staff productivity, product and service quality, and deliverable consistency by capitalizing upon codified intellectual and knowledge-based assets, cannot subsist on technology solutions alone. It must also consider people, processes, structure, and culture.


Many organizations leap into a knowledge management (KM) solution (document management, data mining, blogging, community forums, and the like) without first considering the purpose or objectives they wish to fulfill, or how the organization will adopt and follow best practices for managing its knowledge assets long term. This is the first in a series of three articles in which I will present a phased approach for implementing and sustaining a successful KMP. Part I introduces some key KM terms and concepts and then presents the eight-phase approach at a high level.

Frameworx Process: ITIL Service Catalogue Management

The Poor Business Analyst, The Rich Business Analyst

I have had the opportunity to be a developer before becoming a business analyst.


Why do I say opportunity? Well, in truth, the word was carefully picked. I can honestly say that I found out what not to do as a BA, as opposed to what to be as a BA, whilst I was a developer. My gripe is this: how can business users and developers, who are both stakeholders for the BA in IT areas, respect BA as a profession when some BAs’ practices do not contribute to what the end goal of business analysis strives to achieve, which is to provide value?

Finally! A Proven Framework to Implement Value-Based Business Analysis

The 21st Century Challenge: These are tumultuous times.


Businesses are faced with unprecedented challenges in the hyper-connected 21st century global economy. Extraordinary gale-force winds of change are swirling faster than ever before, causing us to rethink our approach to business, project, and performance management.

The Integrated Economy: Everyone is feeling the effects of the global integrated economy, and BAs are no exception.

The Technology and Information Explosion: IT applications have also impacted U.S. jobs by automating repetitive activities, often increasing the quality and predictability of outcomes.

Get your Requirements Off to the Right Start with these 5 Steps!

It’s project kick-off time!


February, more than any other month, tends to be the time when organizations transition from planning to action. New initiatives have been prioritized, dollars have been allocated and teams are being formed—everyone is ready to get to work. BAs assigned to these projects are often working with new PMs or new leaders, and sometimes those leaders expect BAs to jump in and start detailed requirements, like NOW! BAs are often asked to begin gathering requirements before solution scope and context are defined.

The project scope might be defined, but that does not mean the solution scope is defined.

ITIL for BAs - Part VII: What Makes a Service Valuable?

So much of a BA's life revolves around functional requirements that the non-functional (aka supplemental, aka Quality of Service (QoS)) requirements do not receive the necessary attention.


ITIL V3 defines the value of an IT Service as consisting of:

Utility - the degree to which the service's attributes have a positive effect on the execution of the customers' tasks (e.g., steps in a business process), either by providing needed performance (functionality) or removing constraints; and

Warranty - the robustness of the service with respect to availability, capacity, security, and continuity (that is, availability in the event of a catastrophic incident).

The diagram in the original article depicts the relationships between warranty, utility, and their respective elements.

Reference Models

A framework can help articulate the expression of appropriate IT governance for the organization - who makes what kinds of decisions with regard to information technology. Most frameworks offer some specialization in governance (e.g., ITIL offers guidance on decisions surrounding operations and service management). Many authors argue that "organizations should never simply choose a single framework, but instead try to use what they can from each". This implies that no single framework has all the answers - "The issue broadly speaking is that Service Management needs to bridge with the other Core process areas and also with the support and enabling process areas". In this section I look at three kinds of frameworks. In "Multiple View Models" I suggest that the models can be seen from more than a single perspective, following the principles enunciated by Zachman.


Information security fundamentals

2.1 Risk management policy

Management of information security risks is part of an organisation’s comprehensive risk management. Integration of risk management into management systems substantially improves an organisation’s ability to respond to various information security and other threats. The principles of risk management include the introduction, maintenance and updating of the management system. Effective risk management reduces and alleviates losses and other damage that threaten an organisation. It involves systematic, continuous development to identify, evaluate and control threats. Risk management policy defines risk management as a whole and creates policies for its handling and development.

With the aid of risk management policy, risk management is integrated into the management system and its annual schedule. The risk management policy is approved by the organisation’s senior management and it is based on statutes and ministerial instructions.

