Security Ripcord


Mindmapping ISO17799:2005

As I move along with security within my organization I have been wondering how I am going to set up a security plan. I know that I want to follow some type of framework so that when the auditors come calling I can use it to demonstrate direction, but, in addition to that, it just makes sense to use an organized approach to security. As is obvious from the title of the post, I decided to move ahead with ISO 17799:2005. I chose it mainly because it is probably the most recognized framework and it has been around for a while. For the same reasons I also thought that I would find many people who could help me down the road. Although many people have been very helpful with specific problems, I have not found anybody who is really able to help me plan out the implementation of this framework.

Up until this point, however, I have not really had to worry about it. I have been moving forward with the immediate tasks as well as some firefighting. But, as we all know, this type of approach does not make for a complete and effective security program. So I have forced myself out of the usual tasks and really started thinking about how I am going to develop a good security plan. After kicking a few ideas around I remembered a project at the Security Catalyst site. This project used mind-mapping to determine the “Advancement of How We Practice Security.” Specifically, the project used an online service called MindMeister. This web application lets a person begin with a central idea and start adding related elements. The mind-mapping process really helps with the creation of new ideas while also tying old ideas together and even expanding upon them. Now, mind-mapping is not a new thing, but it is something that I have not used in the past. And, after a couple of conversations, I found a few good mind-mapping tools that install on Windows, Linux, or OS X.

The first program I was pointed to is called FreeMind. FreeMind is an open source Java application that provides quite a bit of extended functionality over MindMeister. A few of the extras include prioritization, attachments, flags, and emoticons. These extras allow the editors to add emphasis, link to other projects, or point to additional documentation.

The next program I was pointed to is called MindManager by Mindjet. This product appears to offer the same additional functionality as FreeMind, but it goes one step further by integrating with Microsoft Office, Outlook, Project, and Visio. These are the capabilities of the Professional version; the Basic version only includes support for Microsoft Office, excluding Outlook. Additionally, I have it on good authority that the OS X version should be avoided at all costs. Apparently it does not provide the functionality and ease of use of the Windows version.

With the mind-mapping products out of the way, let’s explore how these applications can help with applying the ISO 17799:2005 framework. It is very simple. I will use the interface provided by MindMeister as an example. To start with, I pulled my organization’s copy of the ISO 17799:2005 document off the bookshelf. After a little refresher I decided to map out the ten prime sections as the children of the overall security plan. Once the ten prime sections were in place, I started expanding on them with any information that I already knew and with ideas for future efforts. The following image shows my initial effort. In the interest of time and space I did not drill extensively into every subject, but I believe you will get the gist of the process from this image. (I know the image is very big. Shrinking the image could make the text illegible.)

[Image: MindMeister ISO 17799 Security Plan]

Although this is a nice starting point, I believe that I will ultimately start using MindManager so that I can integrate with all of the Microsoft products and, hopefully, start managing my organization’s security direction a little bit better. Of course, it does not always make sense to follow the prime sections contained within ISO 17799:2005. In fact, just about every organization will combine efforts in some form or fashion. This is where, I believe, mind-mapping really becomes powerful and will show its effectiveness during the development and implementation of the security plan. This type of documentation lets managers and auditors see the relationships between different efforts, whereas normally those efforts would just stand alone as individual projects, creating additional work and eating up valuable man-hours.

Hopefully this all works out. I am sure this is just one method among many for tracking the ISO 17799:2005 framework. If you have success with this method, success or failure with another method, or anything else, please leave a comment.

Go forth and do good things,
Cutaway


2 Responses to “Mindmapping ISO17799:2005”

  1. [...] The resulting map is available on MindMeister or in PDF format. Don C. Weber, Information Assurance Director at Ultimate Solutions, Inc. and a member of the Security Catalyst community, was inspired to use mind mapping to help him develop a security plan based on the ISO 17799:2005 standard. Don discusses his use of both the open source FreeMind and the commercial MindManager software. He also discusses the steps he went through to map ISO 17799:2005 in his posting “Mindmapping ISO17799:2005.” [...]

  2. [...] to know that their companies should be following industry standards like ISO 27001:2005 as I have already pointed out. But have we really started providing them with the abilities to integrate this into ITIL or CMMI? [...]
