Slide 1
ITSG-33 Practical Implementation
Colin MacLeod Simpson, CISSP, ITILv3
Acacia Informatics Corporation
http://acacia-informatics.ca
csimpson@acacia-informatics.ca
2016-02-02, Version 6.0
Slide 2
- Annex-3, Security Control Catalogue (SCC), based on NIST 800-53
- Annex-2, Information Systems Security Implementation Process (ISSIP)
Slide 3
Pros:
- detailed explanations
- provides Supplemental Guidance
- 600+ Controls and Enhancements, all optional depending upon the application (or infrastructure)
Cons:
- too many words
- spreadsheets provided are no good for reporting
Slide 4
Solution:
- provide MS Word format with tables instead of a spreadsheet
- reduce the words from verbose to précis
- See: [13] Security Requirements Baseline, at http://acacia-informatics.ca
Slide 5
Pros:
- provides executive process overview
- flowcharts (limited to high level)
- names 43 artefacts to consider as part of the Security Evidence Package
Cons:
- lots of artefacts BUT no definitions
- no detailed procedures
- no RACI, approvers, producers
- vaguely prescribed scalability
Slide 6
System Security Life-Cycle (SSLC)
- defines purpose of artefacts
- provides detailed process and flowchart
- provides RACI, approvers, and producers
- synchronized with SDLC phase-by-phase (RUP)
- provides post-production processes
- defines when production Phases can re-start the SA&A process, such as system migration, change management, etc.
- scalable to four Assurance Levels
Slide 7
- every Department needs one
- some big, some small
- SSLC Cadillac to SSLC-Lite
- repeatable
- re-useable
- standardized
Slide 9
- Web page published
- one size fits all
- 22 artefacts
- includes TRA
- includes the whole SCC
- briefly defines most artefacts
- "B+" effort
Slide 11
- SSLC robust with 4 assurance levels, as opposed to ITSG-33 with 3 + 2 assurance levels
- SSLC-Lite, with 7 artefacts for Protected "A" and 9 artefacts for Protected "B"
- templates currently for SSLC only
Slide 14
(diagram; labels visible: CONOPS, BIA, SRR)
Slide 15
- Threats evolve so quickly, so isn't it just a big paper tiger?
- Perhaps, but Risk Management provides a paper trail that demonstrates due diligence. In turn, that provides the government plausible deniability.
- supported by continual improvement
Slide 16
http://acacia-informatics.ca provides the following information:
- SSLC business process (example); every Department should build its own
- templates for 40+ artefacts
- Visio flowchart, diagrams, and design template artefact
- RACI
- fancy Rainbow chart