As I go through the month I am hoping to post some blogs about the content of the material for the three certifications. However, while reviewing some of my favourite news sites, including InfoSec Island, I came across the blog post by Brent Huston, Information Security is More than Prevention
http://www.infosecisland.com/blogview/20942-Information-Security-is-More-than-Prevention.html
Friday, May 04, 2012, which echoed a lot of what I had been saying on the course. He also referred back to one of his prior posts, The Detection in Depth Focus Model & Example http://stateofsecurity.com/?p=1958, posted on November 16, 2011, which I thought is a good point to cover when discussing defence in depth: the detection mechanisms also work at depth within a well implemented security policy.
The certifications I have mentioned are those that an infosec professional is likely to hold when working on an information security management system (ISMS). A company that has an immature ISMS is likely to be reactive rather than proactive, as Brent Huston points out in his blog entry.
The ISMS within a company can be classified using a maturity model approach with the following levels.

| Level | Name | Description |
|---|---|---|
| Level 0 | Ad-hoc | No implementation |
| Level 1 | Reactive | Reactive security arrangements, no overall policies |
| Level 2 | Defined | An information security policy has been defined and agreed with stakeholders |
| Level 3 | Proactive | Proactive system, developed lifecycle approach |
| Level 4 | Optimised | Fully mature system with auditing and periodic review of information security and business requirements |

The PDCA (Plan, Do, Check, Act) cycle from ISO 27001 provides an overall plan for an ISMS and drives the maturity of the ISMS forward towards an optimised solution.