ITSM Best Practices

This document provides an overview of information security standards and best practices across multiple domains, including identity and access management, password management, threat management, firewalls, wireless security, intrusion detection, auditing, vulnerability assessment, access controls, physical security, personnel security, compliance, strategic planning, integration, assurance, and process assessment. It maps these domains to relevant standards from ISO, NIST, COBIT, ITIL, CMMI, and other frameworks.
Copyright
© Attribution Non-Commercial (BY-NC)

(c) 2009 Christopher Paidhrin / cpaidhri@swmedicalcenter.org

Standards
Meta Security
Open Source Standards
SSO, Federated Identity Identity and Access
Management (IAM) ISO 20000 / ISO 27001(2005) / ISF / CobiT-COSO / ITIL / MOF - Best Practices
Password Management and Security Administrative CMMI / PMBOK / NIST / ITPI / Six Sigma (Lean) - DMADDI
Security
Prevention / Assessment / Detection Threat Management Critical Infrastructure Protection Planning
Design (see Portfolio - Program -Application - Code Lifecycle Management
Firewalls / Telecom (VOIP) / SOA Meta Security)
Infrastructure / Information Architecture (PO 2)
Wireless Security / Access Points (NAC) / Mobile Media & Devices (Integrated and Layered
Defense / Countermeasures Topology / PLM / Security Requirements Analysis and Specification
Intrusion Detection and Prevention Systems (IDS/IPS) Technical & Semantic SOA
-- see details below)
Logical Security Platforms Standards / High Availability / Virtualization / Synergies
Audit & Log -- Systems & Processes Security Information/Event
Real-Time Assessment (Sniffers) Management (SIEM) Standards / Licensing / Audits / Migration / Management (AI 6 & 7)
Software (AI 2)
Vulnerability Assessment (Scanners)
U.S. Compliance -- SOX-COSO / ARRA-HITECH-HIPAA / SAS 70 / GLBA / FCPA / FIPS PUB-200 (Gov.)
Access Controls Physical &
Environmental Security International Compliance -- DPA, IP, HAS - UK / PIPEDA - Can / BIS / 8thDirCons / Basel II
Personnel Security
Management

Business objectives alignment &


requirements / Concept Process Assessment (see Process, Tech & Ops. Mgmt.)
Formulation / BPM / Goals (ME 3) Scope of services - Goals & Metrics: Dashboards
Culture of Excellence / Anticipation -- Agility / Tactics
Strategic
Threats Planning Integration / Automation (AI 1)
(PO 1) Assurance / Process Review / Quality Control /
Workforce abuse / fraud / theft / error / omission Maturity Model / Outcome & Agility metrics (PO 8)
Viruses, Worms, Malware, Trojans Mission / Information Valuation - Intellectual Property (IP) /
Vision and Market Awareness / Competition
Rogue devices (see Physical Threats below) Internal
Steering
Temporary & Emergency Access (visitor, contractor, vendor) (PO 5) Cost Management / Return
Governance / on Investment (ROI)
Social Engineering / Phishing Organizational Capital & Enterprise Resource Planning (ERP) Business Intelligence (BI) / Anticipation
Mobile device loss, theft, hacking Requirements -- trend/cycle/contingencies
Remote Workforce abuse / neglect (PO 6) (ME 4)
Governance / Executive Champions /
Probes, Attacks, Denial of Service (DoS) Information Ownership / Stewardship Social and community responsibilities
Cyber-threats / Criminals / Hackers / Blackhats External
Phishing / Pharming / SPAM / Fraud / Theft
Environmental Event / Disaster / Loss of Utilities & Services Control Framework / Informatics
Management Systems Requirements
Legal compromise / Loss of reputation Taxonomy / Glossary / Acronyms

Physical Access Controls Corporate Compliance, Legal Stakeholders / Shareholders / Employees
and Regulatory Management Remediation / Reports
Asset security, encryption & management Physical Internal Investigation, Audit, Quality Control
Unauthorized hosts & sniffers, taps, unmanaged network ports
Risk Management (PO 9) Fraud / Reputation / Assets / Value
Topology Planning / Methodology /
Standards / Service Standards (see root topic)
Firewall / VPN (See layered defense Design, Modeling &
Rules & Access Control Lists (ACLs) Research / Process Topology (see root topic)
& Network Architecture), IDS / IPS,
Process, Technology and Operations
XML networks / gateways Content filters, NAC , SSO Evaluations / Assurance / Control Processes & Practices (Change, Access, ...)
Security Controls Management: Service Strategy, Scope,
SAML / SOAP / WS-Security & Devices Controls & Metrics (PO 3) Ontology, Taxonomy, Definitions,
Service Management
Switches, Routers & Access / data ports / protocol controls Measures, Models [ BPM ] (AI 4) (DS 13)

Service Ports / DNS Accountability / Internal


Servers and appliances Continuous Improvement / Quality Control / Benchmarks
Domain Controllers & proxy servers, SSO, Federated IAM Audits and Reporting (ME 2)
Balanced Scorecards (BSC)
Modems, Fax, VOIP Access Points Remediation Management Planning & Logistics
Telecom
Smart-Cell phones & Devices
Business Continuity Management (COOP) (DS 4) Disaster Recovery Management (DRBC)
Blackberry, Bluetooth
Network & Wireless Access Points (NAPs/WAPs) Wireless m-logistics / UC Capacity & Storage Management (DS 3)
Laptop, Tablet, PDA, Pager, USB -- encryption Budgeting and Accounting (DS 6)
IRC, Twitter, Text Public & Secure Messaging Policies and Procedures / Assurance Measures
Business, Partner and Vendor Relations (PO 4)
Workstations, mobile devices, kiosks & printers LAN Assets Workforce Awareness & Training (see below)
Communications Management Human Resources liaison, processes, reporting (PO 7)
Websites / URLs / SMTP / POP3
Evidence-based evaluations
Java / JavaScript / Active Internet Feedback processes and performance metrics (ME 1)
X / SAML / WS-Sec Documentation / Distribution
Firewalls / Encryption -- SSL / IPSEC VPN / FTPS External Workforce Awareness and Training (DS 7)
ExtraNets / Portals / SOA / SaaS / Workflow & efficiency practices
vendors / remote workforce Security Zones /
Domain Knowledge Management Technology & Information Life-cycle Management (see Service Mgmt.)
Cloud / Grid / Distributed Computing -- remote sites Segmentation
Information Privacy Management
IP / XML Gateways & Firewalls
DMZ segments Experience Management / workforce interface
Authentication & DMZ Servers
Asset / Software / Technology Management / Acquisition-Auditing-Disposition (AI 3 & 5)
IPS / IDS / VLANs / Subnets / Service Differentiation
Problems (DS 10) Incidents
SSO / Access Control Lists / Privileged Access Internal Service Support (Help Desk)
Intranet / Shared Network Resources Service Delivery (Workforce) (Work
Orders and Service Requests) (DS 8) Change
Policies / Procedures / Processes / Controls Configuration (DS 9)
Domain Administration Release Processes
Audits & Monitoring of Alarms and Logs Resolution Processes / Surveys and Feedback /Support Quality Control
Role-based Access Control (RBAC) Rules / Roles / Responsibilities
IT Service Continuity and DRBC (see Planning & Process) / Critical resource management
Context / Criteria / Federation Access Control (AIM) Contingency Management
Downtime Procedures / Fail-safe
Network Access Control (NAC)
Critical systems and resource planning
ISP / Water / Electricity / Gas / Diesel Utilities
Service Level Vendor, Outsourcing & Partner Services (DS 2) QA - (ISO) secure practices
Agreements and Metrics
Workforce access & control
Critical Service Availability Requirements
Fire & emergency response liaison Targets & SLA criteria Metrics / Compliance / Analysis / Flow Control
Facilities Infrastructure Delivery /
Environmental Resources - HVAC Protection Implementation
Availability Management
Emergency Response Team / Planning & Controls (Organizational)
Data Center & Perimeter Security Capacity Management

Standards Financial Management

Test and Development environments IT Security Management Mission & Function Protection

Server / Device Hardening Availability


Acquisition, Delivery, Installation, Deployment
Redundancy / High availability Operations / Infrastructure Management Architecture, Integration, Operations & Maintenance
Service & Resource
Network Administration Management (DS 1)
Decommissioning, Asset Management

CXO Summaries
Password and two-factor management
Reporting Network and Services status
Privileged Access & Rights / Temporary & Emergency Accounts Management Reports
Incident reports
Service & Support Accounts
Remediation Management - Delivery & Compliance
Identification, Authentication, Authorization (RBAC / xBAC)
Architecture, Network, Systems, Application and Information
SSO, Federated IAM life-cycle planning, development and support / SDLC Feedback mechanisms & reporting
Transport Controls / RFID
Security Controls Culture of Security
Passive/Active ID Cards / Badges, Tokens, Biometrics
IT Security Awareness Learning & Innovation
Hardening Standards Configuration Control Roles and
Responsibilities Guidance Documentation
Audit Logs / Forensics Network-Server-Workstation
& mobile device Management Transfer of skills and learning
Asset Management / Refresh Training / certifications
Privileged Access / Segmentation Staff Training and Background Assessment, Drug Testing
Management /
Testing / Validation / Verification / Certification & back-out Quality Leadership Separation of Duties
Accountability
Installations, Distributions and rollout management Release Control Productivity metrics
Performance Measurement
Security & Compatibility Testing, Evaluation & Reporting Competence Assessment
Patches, Hotfixes, Updates Security / Hardening Standards Access controls / badges / keys / time clock
System Software (Asset) Workforce Access controls &
Management (Release) Change Control Service Provisioning / Logical Separation of duties / RBAC
Licensing Management & Controls
Delivery (Network) (AI )
Human Resources (HR) collaboration
Lifecycle Management & Version control & auditing

Patches, Hotfixes, Updates Threats -- Unified Threat Management ( UTM) / Integrated IT Security Strategy
Security / Hardening Standards Meta Security --
Application log monitoring Risk and Threat Security Impact and Privacy Analysis National and Global IT Security engagement
Database Management Application Management & Assessment and
Controls (Release) (AC) Management Vulnerability assessments, audits, testing, review / Penetration testing
Licensing Management & Controls
Remediation Planning - Management - Projects
Application - Code Lifecycle Management
Proactive Model and Process Assessment
& Version control & auditing
-- Anticipation (Risk/Operational)
Information Backup and Restoration / DLP / Archiving and Destruction / MDM / Indexing Planning & Processes
IT Security Architecture / Design / Posture (see Network & Security Architecture)
Asset Tagged-Audits-logging-reports / Refresh Plan and Disposal
Network, Operational & Physical Security Management
Media Control / Movement & Rotation / Storage / Disposal Asset and Resource Protection & Management (Operational)
Policies & Procedures Standards
Virtualization / Services / Servers / Workstations / Mobile Devices

Security Incident Response & Remediation


Security Incident Management
Reporting and Trending / Loss calculation
Security Management (DS 5)
Storage, Archiving, Retention, Deduplication
Data Integration / Master Data Management (MDM)
Records Management - Taxonomy
Data Quality / Information Integrity assessment
Information / Data Flow Control
Code Control / Error Review
Information Security and Assurance Management (DS 11)
Classification and Controls - Intellectual Property (IP) - Confidentiality & Privacy
Transmission and Disclosure / E-mail, FTP, Messaging
Data Loss Prevention [ DLP ]
Encryption / Cryptography / Certificates / TPM
Residual Information Protection & Disposal
Trust relationships
Workforce Behavior / Appropriate Use / Fraud
Monitoring / Auditing / Investigations (see Security Incident management)
Evaluation (Operational)
Audit Logs & Log Management / Network traffic monitoring
Alerts & Alarms / Reporting and Trending

ITSM Best Practices are part of the ideal all IT executives and personnel strive toward. The effort is never ending.

Collectively, ITSM Best Practices represent the framework(s) and functional integration of standards, policies, procedures, organizational structure, tools, skills, knowledge and resources that provide optimal value to an organization: The Value Proposition.

From an administrative perspective, the central values are cost effectiveness, service orientation (usability and functionality), security, risk management, enhanced productivity and growth/profitability.

From a workforce member perspective, the central values are privacy, accessibility, and experience satisfaction.

From an IT security perspective, the central values are confidentiality, integrity, availability and trust.

Legend:
CobIT Model: high level icon tagged, low level in green (parens)
ITIL Domains
Underlined text indicates ISO 27002 Domains
Red text indicates ISO 20000 Domains
Blue text indicates resilience and metric elements

ITSM Best Practices _11x17_2010_1.mmap - 12.12.2009 - Christopher Paidhrin
