1. Open Information Security Management Maturity Model: An Overview
25th May, 2011
Presented by: Sudarsan Jayaraman, CISA, CISM, ITIL V3 Expert, ISO 20000 (C), ISO 27001 LA, COBIT (F)
Director, Technology Risk Services
2. Today's Discussion Points
- Current Information Security Management Practices
- Open Information Security Management Maturity Model (O-ISM3): An Overview
- Implementation Approach and Potential Benefits?
3. Do you agree?
QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?
4. Do you agree?
QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?
ANSWER: NO. Information Security Compliance Projects are not helping the organization; they are more a documentation of controls than a security implementation.
5. Organization Concerns
- Inadequate view of Information security functioning
- Increase in the number of security incidents
- High cost of Information security and low ROI
- Lack of knowledge of critical systems
- Information Security not measurable
- No clear view on business requirements
- Budget cuts and less IT spending
- Deliver projects to meet business growth
- Compliance requirements from various agencies
- Demonstrate value to business
- Improve security and privacy controls
- Improving quality of Information security delivery
6. Governance: A Balancing Act
- Performance: Improving profitability, efficiency, effectiveness, and growth
- Conformance: Adhering to legislation, internal policies, and audit requirements
7. What is Information Security Governance?
8. International Standards in Information Security
- ISO/IEC 27001 Series: Information Technology - Security Techniques - Information Security Management Systems - Requirements
- O-ISM3: Open Group Information Security Management Maturity Model
- Standard of Good Practice for Information Security from the Information Security Forum
9. Common issues in the current standard
- Metrics: Current ISMS: No; Requirement: Yes. Implication: metrics allow finding incidents and faults in the process, enabling continuous improvement.
- Incident: Current ISMS: breach of CIA (focus on attack prevention); Requirement: breach of a security objective (focus on information quality), which should address business interests.
- Business approach: Current ISMS: bottom-up; Requirement: top-down. Implication: link between business goals and information security; focus on business objectives/goals and derive security objectives and targets from business requirements.
- Paradigm: Current ISMS: controls based; Requirement: process based. Implication: process-based management is easier to integrate with COBIT, ISO 9001 and ITIL. Controls don't have defined outputs, but processes do, so processes can be managed using metrics of the outputs.
10. IT Standards and Frameworks
- Business Requirements (WHAT / HOW)
- IT Governance: COBIT, Val IT, ISO/IEC 38500
- Information Security: ISO 27000 series / Open ISM3 / ISF
- IT Service Management: ITIL, ISO/IEC 20000
- Project Management: PMI - PMBOK
11. Characteristics of a Control Framework
- Has general acceptability among organizations
- Helps meet regulatory requirements
- Defines a common language
- Provides sharper business focus
- Ensures process orientation
12. O-ISM3: Information Security Management Maturity Model
- O-ISM3 main characteristics are:
O-ISM3 Framework Characteristics
13. About Open ISM3
- ISM3 was developed by the ISM3 consortium, by a team headed by Mr. Vicente Aceituno
- ISM3 has now been adopted by The Open Group; the latest version was released in Feb 2011
- The Open Group is a vendor- and technology-neutral consortium.
- Other standards from The Open Group: The Open Group Architecture Framework (TOGAF)
14. Highlights of O-ISM3
- Enable the creation of ISM systems that are fully aligned with
the business mission and compliance needs.
- Applicable to any organization regardless of size, context and
resources.
- Enable organizations to prioritize and optimize their
investment in information security.
- Enable continuous improvement of ISM systems using metrics
15. ISM3 Processes
Generic Practices
- GP-1 Knowledge Management
- GP-2 ISM and Business Audit
- GP-3 ISM Design and Evolution
Strategic Practices
- SSP-1 Report to Stakeholders
- SSP-4 Define Division of Duties rules
- SSP-6 Allocate Resources for Information Security
Tactical Practices
- TSP-1 Report to Strategic Management
- TSP-2 Manage Allocated Resources
- TSP-3 Define Security Targets and Security Objectives
- TSP-4 Service Level Management
- TSP-6 Security Architecture
- TSP-9 Security Personnel Training
- TSP-10 Disciplinary Process
- TSP-11 Security Awareness
- TSP-13 Insurance Management
- TSP-14 Information Operations
16. ISM3 Processes - Operational Practices
Operational Practices
- OSP-1 Report to Tactical Management
- OSP-2 Security Procurement
- OSP-3 Inventory Management
- OSP-4 Information Systems IT Managed Domain Change Control
- OSP-5 IT Managed Domain Patching
- OSP-6 IT Managed Domain Clearing
- OSP-7 IT Managed Domain Hardening
- OSP-8 Software Development Life-cycle Control
- OSP-9 Security Measures Change Control
- OSP-16 Segmentation and Filtering Management
- OSP-17 Malware Protection Management
- Access and Environmental Control
- OSP-14 Physical Environment Protection Management
- OSP-15 Operations Continuity Management
- OSP-26 Enhanced Reliability and Availability Management
- OSP-27 Archiving Management
- OSP-19 Internal Technical Audit
- OSP-20 Incident Emulation
- OSP-21 Information Quality and Compliance Assessment
- OSP-23 Internal Events Detection and Analysis
- OSP-28 External Events Detection and Analysis
- OSP-24 Handling of Incidents and Near-Incidents
17. Sample Process Description: OSP-5 IT Managed Domain Patching Process
- Description: This process covers the ongoing update of services to prevent incidents related to known weaknesses, enhancing the reliability of the updated systems.
- Value: Patching prevents incidents arising from the exploitation of known weaknesses in services.
- Documentation: OSP-051 Services update level report template; OSP-052 Services Patching Management procedure
- Inputs: Inventory of Assets (OSP-3)
- Outputs: Services Update Level Report (OSP-4); Metrics Report (TSP-4)
- Services: Up-to-date services in every IT managed domain
- Quality metric: Update level, calculated as follows:
  - The update level for a specific information system is equal to the sum of the days outstanding for all pending security patches.
  - The IT managed domain update level is equal to the sum of the individual update levels, divided by the number of information systems.
  - The lower this metric, the better. This metric allows checking of the progress of the patching process, and comparison of the update level of different IT managed domains.
- Responsibilities: Process Owner: Information Systems Management; Supervisor: TSP-14 Process Owner
- Related processes: OSP-4 Information Systems IT Managed Domain Change Control; OSP-9 Security Measures Change Control
- Related methodologies: Project Quant
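As an added example (not from the slide deck or the O-ISM3 specification), the OSP-5 update-level metric worked through in Python over a constructed patch inventory: the per-system level is the sum of days outstanding for pending patches, the domain level is the average over the domain's systems, and domains are then ranked for comparison. The inventory, the domain names and the 0.0 result for a domain with no systems are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class InfoSystem:
    """One inventoried information system (the OSP-3 input) with its pending patches."""
    name: str
    domain: str                                  # IT managed domain the system belongs to
    pending: list = field(default_factory=list)  # [(patch_id, release_date), ...]

def days_outstanding(released: date, today: date) -> int:
    """Days a patch has been pending; a patch released today counts as 0."""
    return max((today - released).days, 0)

def system_update_level(system: InfoSystem, today: date) -> int:
    """Update level of one system: sum of days outstanding over its pending patches."""
    return sum(days_outstanding(released, today) for _, released in system.pending)

def domain_update_level(systems: list, domain: str, today: date) -> float:
    """Update level of an IT managed domain: sum of its systems' levels divided by
    the number of systems. An empty domain returns 0.0 instead of dividing by zero
    (assumption; the slide does not cover this case)."""
    members = [s for s in systems if s.domain == domain]
    if not members:
        return 0.0
    return sum(system_update_level(s, today) for s in members) / len(members)

def rank_domains(systems: list, today: date) -> list:
    """Domains ordered from best (lowest update level) to worst, for comparison."""
    domains = sorted({s.domain for s in systems})
    return sorted(((d, domain_update_level(systems, d, today)) for d in domains),
                  key=lambda pair: pair[1])

# Constructed sample inventory; the reference date is the deck's presentation date.
TODAY = date(2011, 5, 25)
SAMPLE_INVENTORY = [
    InfoSystem("web-01", "web", [("P-1", date(2011, 5, 10)), ("P-2", date(2011, 5, 20))]),
    InfoSystem("web-02", "web"),                                       # fully patched
    InfoSystem("erp-01", "backoffice", [("P-3", date(2011, 4, 25))]),
    InfoSystem("hr-01", "backoffice", [("P-4", date(2011, 5, 25))]),   # released today
]

if __name__ == "__main__":
    for s in SAMPLE_INVENTORY:
        print(f"{s.name:8s} update level = {system_update_level(s, TODAY)} days")
    for domain, level in rank_domains(SAMPLE_INVENTORY, TODAY):
        print(f"domain {domain:11s} update level = {level:.1f} days")
```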
18. O-ISM3 Goals
- Generic Goals: Prevent and mitigate incidents; optimise the use of information, money, people, time and infrastructure.
- Strategic Goals: Define security objectives consistent with organizational objectives, protecting stakeholders' interests.
- Tactical Goals: Provide feedback to strategic management; manage budget, people and other resources allocated to information security.
- Operational Goals: Provide feedback to tactical management; carry out processes for incident prevention, detection, and mitigation.
19. O-ISM3: An Information Security Management Maturity Model
- O-ISM3 is a framework for managing information security in the
context of business objectives.
- When business objectives and security objectives are aligned, information security becomes a key contributor to the common goal of achieving the business objectives.
- Security objectives and security targets are expressed in tangible, specific, and measurable terms.
Business Objectives -> Security Objectives -> Security Targets
20. O-ISM3 Security Management Levels
- Strategic Management: Managers involved in the long-term
alignment of IT with business needs
- Tactical Management: Managers involved in the allocation of
resources and the configuration and management of the ISMS.
- Operational Management: Managers involved in setting up,
operating, and monitoring specific processes.
Reporting chain: Operational Managers report to Tactical Managers, who report to Strategic Managers, who report to Stakeholders.
21. Significant Features of O-ISM3
- The significant features of O-ISM3 are:
- Metrics for Information Security
22. O-ISM3 Capability Levels
- Capability is a property of how a process is managed
- Process capability is determined by the metrics the process
produces.
[Table, only partly recoverable from the transcript: metric types (Documentation, Activity, Scope, Effectiveness, Unavailability, Load, Quality, Efficiency) against capability levels (Initial, Managed, Defined, Controlled, Optimized) and the management practices each level enables (Audit/Certify at Initial, Test at Defined, Monitor at Managed, Assessment at Controlled, Optimization, Benefits realization and Planning at Optimized). Documentation metrics are marked at every level, Efficiency only at the highest.]
23. O-ISM3 Implementation
- Business Objectives and Incidents: Operational Business Objectives (Objectives, Security Targets)
- Dependency Analysis
- Security Objectives and Incidents: Operationalized Security Objectives (Objectives, Security Targets), grouped as Priority, Durability, Quality, Access Control and Technical (each with Objectives, Security Targets)
- ISM3 Processes and Metrics:
  - Priority: OSP-15, OSP-26, others
  - Durability: OSP-6, OSP-10, OSP-27, others
  - Quality: OSP-21, others
  - Access Control: OSP-3, OSP-11, OSP-12, OSP-14, others
  - Technical: OSP-5, OSP-7, OSP-16, OSP-17, others
24. Typical Implementation Approach
Open ISM3 Implementation Approach
25. Potential Benefits
- Maturity levels make it easier to prioritize and optimize investment in information security.
- It scales to small and big organizations. The use of separate processes in every environment prevents procedures intended for restrictive environments from being applied all over the organization.
- Manageable (with Metrics)
- Compatible (ITIL, ISO27001, ISO9001, Cobit)
- Open Standard, readily available
27. Thank you for your participation