Presentation is loading. Please wait.

Presentation is loading. Please wait.

ITSG-33 Practical Implementation Colin MacLeod Simpson, CISSP, ITILv3 Acacia Informatics Corporation

Published byClarence O’Brien’ Modified over 9 years ago

Similar presentations

Presentation on theme: "ITSG-33 Practical Implementation Colin MacLeod Simpson, CISSP, ITILv3 Acacia Informatics Corporation"— Presentation transcript:

1 ITSG-33 Practical Implementation Colin MacLeod Simpson, CISSP, ITILv3 Acacia Informatics Corporation http://acacia-informatics.ca csimpson@acacia-informatics.ca 2016-02-02 Version: 6.0

2 Annex-3, Security Control Catalogue (SCC), based on NIST 800-53 Annex-3, Security Control Catalogue (SCC), based on NIST 800-53 Annex-2, Information Systems Security Implementation Process (ISSIP) Annex-2, Information Systems Security Implementation Process (ISSIP)

3 Pros: detailed explanations provides Supplemental Guidance 600 + Controls & Enhancements all optional depending upon the application (or infrastructure) Cons: too many words spreadsheets provided no good for reporting

4 Solution: provide MS Word format with tables instead of spreadsheet reduce the words from verbose to précis See: [13] Security Requirements Baseline, at http://acacia-informatics.ca http://acacia-informatics.ca

5 Pros: provides executive process overview flowcharts (limited to high level) names 43 artefacts to consider as part of Security Evidence Package Cons: lots of artefacts BUT no definitions no detailed procedures no RACI, approvers, producers vaigue proscribed scalability

6 System Security Life-Cycle (SSLC) defines purpose of artefacts provides detailed process and flowchart provides RACI, approvers, and producers synchronized with SDLC phase-by-phase (RUP) provides post production processes defines when production Phases can re-start SA&A process, such as system migration, change management, etc. scalable to four Assurance Levels

7 every Department needs one some big some small SSLC Cadillac to SSLC - Lite repeatable re-useable standardized

8

9 Web page published one size fits all 22 artefacts includes TRA includes the whole SCC briefly defines most artefacts “B+” effort

10

11 SSLC robust with 4 assurance levels as opposed to ITSG-33, 3 + 2 assurance levels SSLC – Lite, with 7 artefacts for Protected “A” and 9 artefacts for Protected “B” templates currently for SSLC only

12

13

14 CONOPSBIASRR

15 Threats evolve so quickly so isn’t it just a big paper tiger? Perhaps but Risk Management provides a paper trail that demonstrates due diligence. In turn that provides the government plausible deniability. supported by continual improvement

16 http://acacia-informatics.ca provides the following information: http://acacia-informatics.ca SSLC business process (example), every Department should build its own templates for 40+ artefacts Visio flowchart, diagrams, and design template artefact RACI fancy Rainbow chart

17

Download ppt "ITSG-33 Practical Implementation Colin MacLeod Simpson, CISSP, ITILv3 Acacia Informatics Corporation"

Similar presentations

Jump to first page NIST 800-30 Risk Management Guide for Information Technology Systems Reference:

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:
How Many Ways Can You Connect To The Internet?

How Many Ways Can You Connect To The Internet?
HP Quality Center Overview.

HP Quality Center Overview.
<<Date>><<SDLC Phase>>

<<Date>><<SDLC Phase>>
Chapter 3 Project Initiation

Chapter 3 Project Initiation
Chapter 14 Maintaining Information Systems Modern Systems Analysis and Design Seventh Edition Jeffrey A. Hoffer Joey F. George Joseph S. Valacich.

Chapter 14 Maintaining Information Systems Modern Systems Analysis and Design Seventh Edition Jeffrey A. Hoffer Joey F. George Joseph S. Valacich.
Lab/Sessional -CSE-374. SYSTEM DEVELOPMENT LIFE CYCLE.

Lab/Sessional -CSE-374. SYSTEM DEVELOPMENT LIFE CYCLE.
University of Southern California Enterprise Wide Information Systems Instructor: Richard W. Vawter.

University of Southern California Enterprise Wide Information Systems Instructor: Richard W. Vawter.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
AD description template definition Marián Mlynarovič FIIT Lectures 2006.

AD description template definition Marián Mlynarovič FIIT Lectures 2006.
Project Initiation Meeting Presented By: > > Office of the Chief Information Officer >

Project Initiation Meeting Presented By: > > Office of the Chief Information Officer >
Examine Quality Assurance/Quality Control Documentation

Examine Quality Assurance/Quality Control Documentation
Chapter 3 Project Initiation. The stages of a project  Project concept  Project proposal request  Project proposal  Project green light  Project.

Chapter 3 Project Initiation. The stages of a project  Project concept  Project proposal request  Project proposal  Project green light  Project.
Chapter 14 Maintaining Information Systems

Chapter 14 Maintaining Information Systems
Copyright 2002 Prentice-Hall, Inc. Modern Systems Analysis and Design Third Edition Jeffrey A. Hoffer Joey F. George Joseph S. Valacich Chapter 18 Maintaining.

Copyright 2002 Prentice-Hall, Inc. Modern Systems Analysis and Design Third Edition Jeffrey A. Hoffer Joey F. George Joseph S. Valacich Chapter 18 Maintaining.
Welcome to CMPE003 Personal Computer Concepts: Hardware and Software Winter 2003 UC Santa Cruz Instructor: Guy Cox.

Welcome to CMPE003 Personal Computer Concepts: Hardware and Software Winter 2003 UC Santa Cruz Instructor: Guy Cox.
Enterprise Architecture

Enterprise Architecture
Proposed MITHI Concept Paper

Proposed MITHI Concept Paper
Project Management Phases Class 6. Initiation & Planning – Agenda Overview of the project management phases Midterm paper details.

Project Management Phases Class 6. Initiation & Planning – Agenda Overview of the project management phases Midterm paper details.
Www.methoda.com MethodECMS © כל הזכויות שמורות. Methoda Computers Ltd 2 MethodECMS  MethodECMS is a proactive package that enables the establishment.

MethodECMS © כל הזכויות שמורות. Methoda Computers Ltd 2 MethodECMS  MethodECMS is a proactive package that enables the establishment.

Similar presentations

Ads by Google