
ITSG-33 Practical Implementation Colin MacLeod Simpson, CISSP, ITILv3 Acacia Informatics Corporation


1 ITSG-33 Practical Implementation
Colin MacLeod Simpson, CISSP, ITILv3
Acacia Informatics Corporation
http://acacia-informatics.ca
csimpson@acacia-informatics.ca
2016-02-02, Version: 6.0

2 Annex-3, Security Control Catalogue (SCC), based on NIST 800-53
Annex-2, Information Systems Security Implementation Process (ISSIP)

3 Pros:
- detailed explanations
- provides Supplemental Guidance
- 600+ controls and enhancements, all optional depending upon the application (or infrastructure)
Cons:
- too many words
- the spreadsheets provided are no good for reporting

4 Solution:
- provide MS Word format with tables instead of a spreadsheet
- reduce the words from verbose to précis
See: [13] Security Requirements Baseline, at http://acacia-informatics.ca

5 Pros:
- provides executive process overview flowcharts (limited to high level)
- names 43 artefacts to consider as part of the Security Evidence Package
Cons:
- lots of artefacts BUT no definitions
- no detailed procedures
- no RACI, approvers, producers
- vague proscribed scalability

6 System Security Life-Cycle (SSLC):
- defines the purpose of artefacts
- provides detailed process and flowchart
- provides RACI, approvers, and producers
- synchronized with the SDLC phase-by-phase (RUP)
- provides post-production processes
- defines when production phases can re-start the SA&A process, such as system migration, change management, etc.
- scalable to four Assurance Levels

7 Every Department needs one, some big, some small: SSLC Cadillac to SSLC-Lite
- repeatable
- re-usable
- standardized

8

9 Web page published, one size fits all:
- 22 artefacts
- includes TRA
- includes the whole SCC
- briefly defines most artefacts
- “B+” effort

10

11 SSLC: robust, with 4 assurance levels, as opposed to ITSG-33's 3 + 2 assurance levels
SSLC-Lite: 7 artefacts for Protected “A” and 9 artefacts for Protected “B”
Templates currently for SSLC only

12

13

14 CONOPS BIA SRR

15 Threats evolve so quickly, so isn’t it just a big paper tiger? Perhaps, but Risk Management provides a paper trail that demonstrates due diligence. In turn, that provides the government plausible deniability, supported by continual improvement.

16 http://acacia-informatics.ca provides the following information:
- SSLC business process (example); every Department should build its own
- templates for 40+ artefacts
- Visio flowchart, diagrams, and design template
- artefact RACI
- fancy Rainbow chart

17

