Here is something interesting for you process-oriented types ... I recently learned of this new security "best practices" framework (some call them governance frameworks), called "Information Security Management Maturity Model" or IS(M)3.
"ISM3 aims to:
- Enable the creation of ISM systems that are fully aligned with the business mission.
- Be applicable to any organization regardless of size, context and resources.
- Enable organisations to prioritize and optimize their investment in information security.
- Enable continuous improvement of ISM systems.
- Support the outsourcing of security processes."
It is also claimed to work well (whatever "works" means for something this generic) with other existing frameworks, such as the various ISO standards, CMU's CMM, and other IT management and security management frameworks.
There is also a neat summary presentation, if you are curious. You can get the full framework document.
It does mention logging and audit logs, but IMHO, nowhere near enough to be a credible governance framework. Specifically, it has a single reference to logging that goes like this: "Access Control includes Authentication of users or services, Authorization of users or services and Logging of access and use of services, repositories, channels and interfaces."
tags: security, governance, standards, security management