A Model to Assess the Maturity Level
  of the Risk Management Process
       in Information Security
                           Janice Mayer
         Universidade do Vale do Rio dos Sinos (UNISINOS)
                      j.mayer@brturbo.com.br

                     Leonardo Lemes Fagundes
          Universidade do Vale do Rio dos Sinos (UNISINOS)
      llemes@unisinos.br | Fone: 55 51 35911100 - branch 1775



    4th IFIP/IEEE International Workshop on BDIM - 9 June 2009
                                                                 1
Summary
Introduction


Risk Management


Risk Management Maturity Model In Information
Security (MMGRseg)


Case study


Conclusion

                                            2
Introduction
Information: one of the most valuable assets.

Risk Management(RM): an essential front.


Achieve compliance: laws, standards and
regulations.


Meet mandatory requirements for the certification of
an Information Security Management System.


                                                  3
Motivation
Companies need to implement RM.


There is no maturity model aimed at RM in
Information Security.


Maturity model identifies deficiencies in process
structure and management.


It improves the predictability, control and effectiveness of
the process.

                                                    4
Objective
Describes the structure of a model for the
assessment of the maturity level of the RM process
in the realm of Information Security.




                                                 5
Risk Management

[Figure: Risk Management Process, as per standard ISO/IEC 27005:2008]
                                                              6
Risk Management Maturity Model
     In Information Security (MMGRseg)
MMGRseg consists of a set of requirements and best
practices that provide a formal structure for the RM
process.


Aligned with standard ISO/IEC 27005.




                                           7
Structure - MMGRseg
Comprised of:
  three stages;
  five maturity levels;
  forty-three control objectives;
  one control map;
  one assessment instrument relative to the maturity
  level of the activities of the RM process;
  an accountability matrix relative to each activity of the
  process; and
  a risk scorecard.

                                                         8
Stages - MMGRseg
Organized into three stages:


  Immaturity: processes are improvised.

  Maturity: processes are already defined,
  standardized and controlled.

  Excellence: optimized processes.



                                             9
Maturity levels - MMGRseg

[Figure: the five maturity levels plotted against the three stages]

                                             10
Control Objective - MMGRseg
CD1 Context Definition:
  CD1.1. Define the basic criteria for Risk Assessment

  CD1.2. Define the basic criteria for Impact Assessment

  CD1.3. Define the basic criteria for Risk Acceptance

  CD1.4. Establish the scope and the constraints of the risk management
  process

  CD1.5. Establish and maintain an organization

  CD1.6. Develop a risk management policy

  CD1.7. Establish a standard for RM processes

  CD1.8. Audit the Context Definition activity

  CD1.9. Collect and store information
                                                                    11
Control Objective - MMGRseg
AA1 Risk Analysis/Assessment:
  AA1.1. Identify the Risks

  AA1.2. Estimate the Risks

  AA1.3. Assess the Risks

  AA1.4. Standardize the Assessment process

  AA1.5. Automatize the Analysis/Assessment process

  AA1.6. Audit the Risk Analysis/Assessment activity

  AA1.7. Avoid rework

  AA1.8. Revise the process of risk estimation



                                                       12
Control Objective - MMGRseg
RT1. Risk treatment:
  RT1.1. Select an appropriate Treatment option

  RT1.2. Define a Risk Treatment plan

  RT1.3. Implement Risk Treatment plan

  RT1.4. Define how to measure the effectiveness of controls

  RT1.5. Calculate Residual Risks

  RT1.6. Standardize the Risk Treatment process

  RT1.7. Audit the Risk Treatment activity

  RT1.8. Improve the Risk Treatment process




                                                               13
Control Objective - MMGRseg
RA1. Risk Acceptance:
  RA1.1. Verify the description of the Treatment plan

  RA1.2. Analyze and approve the acceptance criteria

  RA1.3. Verify the residual risk

  RA1.4. List the accepted risks

  RA1.5. Standardize the Risk Acceptance process

  RA1.6. Audit the Risk Acceptance activity

  RA1.7. Revise the Risk Acceptance process




                                                        14
Control Objective - MMGRseg
RC1. Risk Communication:
  RC1.1. Implement awareness plan

  RC1.2. Make stakeholders able to identify and communicate risks

  RC1.3. Standardize the Risk Communication activity

  RC1.4. Audit the Risk Communication activity

  RC1.5. Exchange and/or share risk-related information

  RC1.6. Critical analysis of Risk Communication




                                                                    15
Control Objective - MMGRseg
MA1. Monitoring and Critical Analysis:
  MA1.1. Verify the alignment of the RM process with business objectives

  MA1.2. Monitor, critically analyze and improve the risk management
  process

  MA1.3. Standardize the Monitoring and Critical Analysis activity

  MA1.4. Audit the Monitoring and Critical Analysis activity

  MA1.5. Improve the Risk Management process




                                                                       16
Control Map - MMGRseg

Control objectives required at each maturity level, per Risk Management activity
(Level 1 means that no control is implemented):

Context definition:
  Level 1: no control is implemented
  Level 2: CD1.1, CD1.2 and CD1.3
  Level 3: CD1.4, CD1.5, CD1.6 and CD1.7
  Level 4: CD1.8
  Level 5: CD1.9

Risk Analysis/Assessment:
  Level 1: no control is implemented
  Level 2: AA1.1 and AA1.2
  Level 3: AA1.3, AA1.4 and AA1.5
  Level 4: AA1.6
  Level 5: AA1.7 and AA1.8

Risk Treatment:
  Level 1: no control is implemented
  Level 2: RT1.1
  Level 3: RT1.2, RT1.3, RT1.4, RT1.5 and RT1.6
  Level 4: RT1.7
  Level 5: RT1.8

Risk Acceptance:
  Level 1: no control is implemented
  Level 2: RA1.1 and RA1.2
  Level 3: RA1.3, RA1.4 and RA1.5
  Level 4: RA1.6
  Level 5: RA1.7

Risk Communication:
  Level 1: no control is implemented
  Level 2: RC1.1
  Level 3: RC1.2 and RC1.3
  Level 4: RC1.4 and RC1.5
  Level 5: RC1.6

Monitoring and Critical Risk Analysis:
  Level 1: no control is implemented
  Level 2: MA1.1
  Level 3: MA1.2 and MA1.3
  Level 4: MA1.4
  Level 5: MA1.5

                                                                                17
Assessment perspective - MMGRseg
Continuous representation.

Each one of the six activities of the Risk
Management process is assessed individually.

The company is able to verify which activity
needs to receive greater focus.

Provides specific guidance for each activity in
regards to the necessary steps for an upper
maturity level to be achieved.
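The continuous representation described above can be made concrete by running the control map over a company's list of implemented controls. The following script is an added example, not code from the paper or from MMGRseg itself. It transcribes the control map from the slides and applies an assumed cumulative rule (not stated on the slides): an activity reaches level N only when every control objective mapped to levels 2 through N is implemented, and stays at Level 1 (Initial) when none of its Level 2 controls is in place. The level names come from the conclusion slide; the sample company's self-assessment is constructed.

```python
"""Added example: continuous-representation assessment over the MMGRseg control map.

Assumption (not stated on the slides): an activity reaches level N when every
control objective mapped to levels 2..N is implemented. Level 1 = no control.
"""
from typing import Dict, List, Set, Tuple

# Control map transcribed from the MMGRseg slide (levels 2-5; level 1 = no control).
CONTROL_MAP: Dict[str, Dict[int, List[str]]] = {
    "Context definition": {
        2: ["CD1.1", "CD1.2", "CD1.3"],
        3: ["CD1.4", "CD1.5", "CD1.6", "CD1.7"],
        4: ["CD1.8"],
        5: ["CD1.9"],
    },
    "Risk Analysis/Assessment": {
        2: ["AA1.1", "AA1.2"],
        3: ["AA1.3", "AA1.4", "AA1.5"],
        4: ["AA1.6"],
        5: ["AA1.7", "AA1.8"],
    },
    "Risk Treatment": {
        2: ["RT1.1"],
        3: ["RT1.2", "RT1.3", "RT1.4", "RT1.5", "RT1.6"],
        4: ["RT1.7"],
        5: ["RT1.8"],
    },
    "Risk Acceptance": {
        2: ["RA1.1", "RA1.2"],
        3: ["RA1.3", "RA1.4", "RA1.5"],
        4: ["RA1.6"],
        5: ["RA1.7"],
    },
    "Risk Communication": {
        2: ["RC1.1"],
        3: ["RC1.2", "RC1.3"],
        4: ["RC1.4", "RC1.5"],
        5: ["RC1.6"],
    },
    "Monitoring and Critical Analysis": {
        2: ["MA1.1"],
        3: ["MA1.2", "MA1.3"],
        4: ["MA1.4"],
        5: ["MA1.5"],
    },
}

# Level names as given on the conclusion slide.
LEVEL_NAMES = {1: "Initial", 2: "Known", 3: "Standardized", 4: "Managed", 5: "Optimized"}

# Every control identifier in the map; used to reject typos in a self-assessment.
ALL_CONTROLS: Set[str] = {c for lv in CONTROL_MAP.values() for cs in lv.values() for c in cs}


def total_controls() -> int:
    """Count the control objectives in the map (the slides say forty-three)."""
    return len(ALL_CONTROLS)


def assess_activity(activity: str, implemented: Set[str]) -> Tuple[int, List[str]]:
    """Return (level reached, controls still missing to reach the next level).

    Cumulative rule (assumption): level N requires all controls of levels 2..N.
    Unknown identifiers are an input error, not a silently ignored control.
    """
    unknown = implemented - ALL_CONTROLS
    if unknown:
        raise ValueError(f"unknown control identifiers: {sorted(unknown)}")
    levels = CONTROL_MAP[activity]
    reached = 1
    for level in sorted(levels):
        required = set(levels[level])
        if required <= implemented:
            reached = level
        else:
            return reached, sorted(required - implemented)
    return reached, []  # level 5: nothing left to implement


def assess(implemented: Set[str]) -> Dict[str, Tuple[int, str, List[str]]]:
    """Assess all six activities independently (continuous representation)."""
    report = {}
    for activity in CONTROL_MAP:
        level, gap = assess_activity(activity, implemented)
        report[activity] = (level, LEVEL_NAMES[level], gap)
    return report


# Constructed sample: a fictitious company's self-assessment result.
SAMPLE_IMPLEMENTED: Set[str] = {
    "CD1.1", "CD1.2", "CD1.3", "CD1.4", "CD1.5", "CD1.6", "CD1.7",
    "AA1.1", "AA1.2", "AA1.4",  # AA1.3 and AA1.5 missing: stays at level 2
    "RT1.1",
    "RC1.1", "RC1.2", "RC1.3", "RC1.4", "RC1.5", "RC1.6",
}

if __name__ == "__main__":
    print(f"{total_controls()} control objectives in the map")
    for activity, (level, name, gap) in assess(SAMPLE_IMPLEMENTED).items():
        nxt = f"; to reach level {level + 1}: {', '.join(gap)}" if gap else ""
        print(f"{activity}: level {level} ({name}){nxt}")
```

The per-activity gap list is what turns the map into the "specific guidance" the slide mentions: a company at Level 2 in Risk Treatment sees exactly which RT1.x controls stand between it and Level 3, while its Level 5 in Risk Communication is reported on its own rather than being dragged down by a single overall score.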

                                                  18
Assessment perspective - MMGRseg

[Figure: examples of assessment hypotheses of the Maturity Level through MMGRseg]
                                                    19
Accountability Matrix - MMGRseg

Roles (columns): CEO, CFO, Business Executive, CIO, Senior Business Management,
Head Operations, Chief Architect, Head Development, Head IT Administration, and
Compliance, Audit, Risk and Security.

Control  CEO  CFO  BusExec  CIO  SrBusMgmt  HeadOps  ChiefArch  HeadDev  HeadITAdm  Compl/Audit/Risk/Sec
CD1.1     -    -      -      -     R/A        -         C          C        C              I
CD1.2     -    -      -      -     R/A        -         C          C        C              I
CD1.3     -    -      -      -     R/A        -         C          C        C              I
CD1.4     -    -      -      -     R/A        -         -          -        -              -
CD1.5     -    -      -      -     R/A        -         -          -        -              -
CD1.6     I    C      R      C     R/A        C         C          C        C              C
CD1.7     -    -      -      -     R/A        -         -          -        -              -
CD1.8     -    -      -      -      A         -         -          -        -              -

R=Responsible; A=Accountable, C=Consulted and I=Informed.                                                                                     20
Risk Scorecard - MMGRseg
Every process must have defined goals and aims
making it possible to measure the degree of success
in their execution.

To this end, metrics need to be defined according to
the SMARRT model (Specific, Measurable,
Actionable, Realistic, Results-oriented and Timely).

In the MMGRseg model, the measurement of all
six activities of the risk management process must
be based on SMARRT.



                                                  21
Case study - MMGRseg
  Designed as a questionnaire – based on the
  control objectives;

  35 questions, using the Likert scale. Questions mapped to activity and
  maturity level:

    Level      CD            AA              RT              RA          RC          MA
    Level 2    Q3            Q9              Q15             Q21         Q26         Q31
    Level 3    Q4, Q5, Q6    Q10, Q11, Q12   Q16, Q17, Q18   Q22, Q23    Q27, Q28    Q32, Q33
    Level 4    Q7            Q13             Q19             Q24         Q29         Q34
    Level 5    Q8            Q14             Q20             Q25         Q30         Q35

CD = Context definition, AA = Risk Analysis/Assessment, RT = Risk Treatment, RA = Risk
Acceptance, RC = Risk Communication and MA = Monitoring and Critical Analysis of the Risk.
                                                                                             22
Case study - MMGRseg
The questionnaire was sent to a convenience sample
of 31 companies;

Feedback was received from 12 of them;

Only 3 of the 12 respondent companies
achieved a level above level 1;

The remaining respondent companies achieved only
maturity level 1 in all six activities of the
RM process for IS.

                                                  23
Conclusion
This is a meaningful contribution to the development of the
field of information security, aligned with ISO/IEC 27005;

It is comprised of a set of requirements and best practices:
   three stages: immaturity, maturity and excellence;

   five maturity levels: Initial, Known, Standardized, Managed and Optimized;

   forty-three control objectives;

   one control map;

   one assessment instrument relative to the maturity level of the activities of
   the RM process;

   an accountability matrix relative to each activity of the process; and

   a risk scorecard.
                                                                            24
Conclusion
All this can be used by the organization to:

   identify weaknesses and/or deficiencies and the opportunities for
   improvement in the process;

   direct the investments in Information Security;

   foster segmented benchmarking;

   disseminate the risk management culture all over the company;

   achieve effectiveness in the continuous improvement process of Risk
   Management in Information Security; and

   advise certification projects of Information Security Management
   Systems (ISMS) and Business Continuity.




                                                                           25
Thank you.



j.mayer@brturbo.com.br   | llemes@unisinos.br

                                                26
 
The Smart Bridge Interview now Veranda Learning
The Smart Bridge Interview now Veranda LearningThe Smart Bridge Interview now Veranda Learning
The Smart Bridge Interview now Veranda Learning
 
unfinished legacy it is a clothing brand
unfinished legacy it is a clothing brandunfinished legacy it is a clothing brand
unfinished legacy it is a clothing brand
 
Importance of Commercial Vehicle Insurance.pptx
Importance of Commercial Vehicle Insurance.pptxImportance of Commercial Vehicle Insurance.pptx
Importance of Commercial Vehicle Insurance.pptx
 
Business Models and Business Model Innovation
Business Models and Business Model InnovationBusiness Models and Business Model Innovation
Business Models and Business Model Innovation
 
10 Tips for Great Teams CSUN Conference 2024
10 Tips for Great Teams CSUN Conference 202410 Tips for Great Teams CSUN Conference 2024
10 Tips for Great Teams CSUN Conference 2024
 
Reframing Requirements: A Strategic Approach to Requirement Definition, with ...
Reframing Requirements: A Strategic Approach to Requirement Definition, with ...Reframing Requirements: A Strategic Approach to Requirement Definition, with ...
Reframing Requirements: A Strategic Approach to Requirement Definition, with ...
 
EPC Contractors aspects Presentation.pdf
EPC Contractors  aspects Presentation.pdfEPC Contractors  aspects Presentation.pdf
EPC Contractors aspects Presentation.pdf
 
WAM Corporate Presentation Mar 12 2024_Video.pdf
WAM Corporate Presentation Mar 12 2024_Video.pdfWAM Corporate Presentation Mar 12 2024_Video.pdf
WAM Corporate Presentation Mar 12 2024_Video.pdf
 
Bus Eth ch3 ppt.ppt business ethics and corporate social responsibilities ppt
Bus Eth ch3 ppt.ppt business ethics and corporate social responsibilities pptBus Eth ch3 ppt.ppt business ethics and corporate social responsibilities ppt
Bus Eth ch3 ppt.ppt business ethics and corporate social responsibilities ppt
 
Presented by Sabri international .......
Presented by Sabri international .......Presented by Sabri international .......
Presented by Sabri international .......
 
CXO 2.0 Conference (Event Information Deck | Dec'24-Mar'25)
CXO 2.0 Conference (Event Information Deck | Dec'24-Mar'25)CXO 2.0 Conference (Event Information Deck | Dec'24-Mar'25)
CXO 2.0 Conference (Event Information Deck | Dec'24-Mar'25)
 

Information Security Risks Management Maturity Model (ISRM3)

  • 1. A Model to Assess the Maturity Level of the Risk Management Process in Information Security. Janice Mayer, Universidade do Vale do Rio dos Sinos (UNISINOS), j.mayer@brturbo.com.br. Leonardo Lemes Fagundes, Universidade do Vale do Rio dos Sinos (UNISINOS), llemes@unisinos.br | Phone: 55 51 35911100 - branch 1775. 4th IFIP/IEEE International Workshop on BDIM - 9 June 2009 1
  • 2. Summary Introduction Risk Management Risk Management Maturity Model In Information Security (MMGRseg) Case study Conclusion 2
  • 3. Introduction Information: one of the most valuable assets. Risk Management(RM): an essential front. Achieve compliance: laws, standards and regulations. Meet mandatory requirements for the certification of an Information Security Management System. 3
  • 4. Motivation Companies need to implement RM. There is no maturity model aimed at RM in Information Security. Maturity model identifies deficiencies in process structure and management. To provide improvements with the predictability, control and effectiveness. 4
  • 5. Objective Describes the structure of a model for the assessment of the maturity level of the RM process in the realm of Information Security. 5
  • 6. Risk Management Risk Management Process, as per standard ISO/IEC 27005:2008 6
  • 7. Risk Management Maturity Model In Information Security (MMGRseg) MMGRseg is comprised of a set of requirements and best practices, which provides a formal structure. Aligned with standard ISO/IEC 27005. 7
  • 8. Structure - MMGRseg. Comprised of:
    - three stages;
    - five maturity levels;
    - forty-three control objectives;
    - one control map;
    - one assessment instrument relative to the maturity level of the activities of the RM process;
    - an accountability matrix relative to each activity of the process; and
    - a risk scorecard. 8
  • 9. Stages - MMGRseg. Steered by three stages:
    - Immaturity: processes are improvised.
    - Maturity: processes are already defined, standardized and controlled.
    - Excellence: optimized processes. 9
  • 10. Maturity levels - MMGRseg (figure: the five maturity levels mapped onto the three stages) 10
  • 11. Control Objective - MMGRseg. CD1 Context Definition:
    CD1.1. Define the basic criteria for Risk Assessment
    CD1.2. Define the basic criteria for Impact Assessment
    CD1.3. Define the basic criteria for Risk Acceptance
    CD1.4. Establish the scope and the constraints of the risk management process
    CD1.5. Establish and maintain an organization
    CD1.6. Develop a risk management policy
    CD1.7. Establish a standard for RM processes
    CD1.8. Audit the Context Definition activity
    CD1.9. Collect and store information 11
  • 12. Control Objective - MMGRseg. AA1 Risk Analysis/Assessment:
    AA1.1. Identify the Risks
    AA1.2. Estimate the Risks
    AA1.3. Assess the Risks
    AA1.4. Standardize the Assessment process
    AA1.5. Automate the Analysis/Assessment process
    AA1.6. Audit the Risk Analysis/Assessment activity
    AA1.7. Avoid rework
    AA1.8. Revise the process of risk estimation 12
  • 13. Control Objective - MMGRseg. RT1 Risk Treatment:
    RT1.1. Select an appropriate Treatment option
    RT1.2. Define a Risk Treatment plan
    RT1.3. Implement the Risk Treatment plan
    RT1.4. Define how to measure the effectiveness of controls
    RT1.5. Calculate Residual Risks
    RT1.6. Standardize the Risk Treatment process
    RT1.7. Audit the Risk Treatment activity
    RT1.8. Improve the Risk Treatment process 13
  • 14. Control Objective - MMGRseg. RA1 Risk Acceptance:
    RA1.1. Verify the description of the Treatment plan
    RA1.2. Analyze and approve the acceptance criteria
    RA1.3. Verify the residual risk
    RA1.4. List the accepted risks
    RA1.5. Standardize the Risk Acceptance process
    RA1.6. Audit the Risk Acceptance activity
    RA1.7. Revise the Risk Acceptance process 14
  • 15. Control Objective - MMGRseg. RC1 Risk Communication:
    RC1.1. Implement an awareness plan
    RC1.2. Make stakeholders able to identify and communicate risks
    RC1.3. Standardize the Risk Communication activity
    RC1.4. Audit the Risk Communication activity
    RC1.5. Exchange and/or share risk-related information
    RC1.6. Critical analysis of Risk Communication 15
  • 16. Control Objective - MMGRseg. MA1 Monitoring and Critical Analysis:
    MA1.1. Verify the alignment of the RM process with business objectives
    MA1.2. Monitor, critically analyze and improve the risk management process
    MA1.3. Standardize the Monitoring and Critical Analysis activity
    MA1.4. Audit the Monitoring and Critical Analysis activity
    MA1.5. Improve the Risk Management process 16
  • 17. Control Map - MMGRseg (which control objectives must be in place for each activity to sit at a given maturity level):
    Risk Management activity         | Level 1                   | Level 2                | Level 3                              | Level 4          | Level 5
    Context definition               | No control is implemented | CD1.1, CD1.2 and CD1.3 | CD1.4, CD1.5, CD1.6 and CD1.7        | CD1.8            | CD1.9
    Risk Analysis/Assessment         | No control is implemented | AA1.1 and AA1.2        | AA1.3, AA1.4 and AA1.5               | AA1.6            | AA1.7 and AA1.8
    Risk Treatment                   | No control is implemented | RT1.1                  | RT1.2, RT1.3, RT1.4, RT1.5 and RT1.6 | RT1.7            | RT1.8
    Risk Acceptance                  | No control is implemented | RA1.1 and RA1.2        | RA1.3, RA1.4 and RA1.5               | RA1.6            | RA1.7
    Risk Communication               | No control is implemented | RC1.1                  | RC1.2 and RC1.3                      | RC1.4 and RC1.5  | RC1.6
    Monitoring and Critical Analysis | No control is implemented | MA1.1                  | MA1.2 and MA1.3                      | MA1.4            | MA1.5
    17
  • 18. Assessment perspective - MMGRseg. Continuous representation: each one of the six activities of the Risk Management process is assessed individually, so the company is able to verify which activity needs to receive greater focus. The model provides specific guidance for each activity regarding the steps necessary to reach the next maturity level. 18
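    As an added illustration of how the control map (slide 17) and the continuous representation (slide 18) combine into an assessment, the Python below encodes the map and computes one maturity level per activity from the set of implemented control objectives, plus the controls still missing for the next level. This is example code written for this page, not the authors' assessment instrument; it assumes, since the slides do not spell it out, that levels are cumulative (an activity is at level N only when every control mapped to levels 2..N is implemented) and that level 1 means no control is in place. The sample company it scores is constructed, not a case-study respondent.

```python
"""Per-activity maturity assessment against the MMGRseg control map (added example)."""
from typing import Dict, Iterable, List, Set

# Control map transcribed from slide 17: activity -> {maturity level: controls}.
CONTROL_MAP: Dict[str, Dict[int, List[str]]] = {
    "Context definition": {2: ["CD1.1", "CD1.2", "CD1.3"],
                           3: ["CD1.4", "CD1.5", "CD1.6", "CD1.7"],
                           4: ["CD1.8"], 5: ["CD1.9"]},
    "Risk Analysis/Assessment": {2: ["AA1.1", "AA1.2"],
                                 3: ["AA1.3", "AA1.4", "AA1.5"],
                                 4: ["AA1.6"], 5: ["AA1.7", "AA1.8"]},
    "Risk Treatment": {2: ["RT1.1"],
                       3: ["RT1.2", "RT1.3", "RT1.4", "RT1.5", "RT1.6"],
                       4: ["RT1.7"], 5: ["RT1.8"]},
    "Risk Acceptance": {2: ["RA1.1", "RA1.2"],
                        3: ["RA1.3", "RA1.4", "RA1.5"],
                        4: ["RA1.6"], 5: ["RA1.7"]},
    "Risk Communication": {2: ["RC1.1"], 3: ["RC1.2", "RC1.3"],
                           4: ["RC1.4", "RC1.5"], 5: ["RC1.6"]},
    "Monitoring and Critical Analysis": {2: ["MA1.1"], 3: ["MA1.2", "MA1.3"],
                                         4: ["MA1.4"], 5: ["MA1.5"]},
}

# Level names as given on slide 24.
LEVEL_NAMES = {1: "Initial", 2: "Known", 3: "Standardized", 4: "Managed", 5: "Optimized"}


def all_controls() -> Set[str]:
    """Every control identifier in the map (the slides count forty-three)."""
    return {c for levels in CONTROL_MAP.values() for cs in levels.values() for c in cs}


def validate_controls(implemented: Iterable[str]) -> Set[str]:
    """Reject identifiers that are not in the map, so a typo cannot silently lower a score."""
    have = set(implemented)
    unknown = have - all_controls()
    if unknown:
        raise ValueError(f"unknown control identifiers: {sorted(unknown)}")
    return have


def activity_level(activity: str, implemented: Iterable[str]) -> int:
    """Assumed cumulative rule: highest level N such that all controls of levels 2..N are present."""
    have = validate_controls(implemented)
    level = 1
    for lvl in (2, 3, 4, 5):
        if all(c in have for c in CONTROL_MAP[activity][lvl]):
            level = lvl
        else:
            break  # a gap at this level blocks every higher level
    return level


def next_level_gap(activity: str, implemented: Iterable[str]) -> List[str]:
    """Controls still missing to reach the next level (empty once at level 5)."""
    have = validate_controls(implemented)
    current = activity_level(activity, have)
    if current == 5:
        return []
    return [c for c in CONTROL_MAP[activity][current + 1] if c not in have]


def assess(implemented: Iterable[str]) -> Dict[str, int]:
    """Continuous representation: one level per activity, each assessed independently."""
    have = validate_controls(implemented)
    return {act: activity_level(act, have) for act in CONTROL_MAP}


# Constructed sample (not a real respondent): context definition complete through
# level 3, risk analysis barely started, and an isolated audit control (RT1.7)
# without the lower-level treatment controls it would build on.
SAMPLE_IMPLEMENTED = ["CD1.1", "CD1.2", "CD1.3", "CD1.4", "CD1.5", "CD1.6", "CD1.7",
                      "AA1.1", "RT1.7", "RC1.1", "RC1.2", "RC1.3"]

if __name__ == "__main__":
    for act, lvl in assess(SAMPLE_IMPLEMENTED).items():
        gap = next_level_gap(act, SAMPLE_IMPLEMENTED)
        print(f"{act:34s} level {lvl} ({LEVEL_NAMES[lvl]}); missing for next level: {gap}")
```

    Under the cumulative assumption the isolated RT1.7 buys the sample company nothing: Risk Treatment stays at level 1 until RT1.1 exists, which is exactly the kind of misdirected investment slide 25 says the model is meant to expose.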
  • 19. Assessment perspective - MMGRseg (figure: examples of hypothetical maturity-level assessments using MMGRseg) 19
  • 20. Accountability Matrix - MMGRseg. Columns are organizational roles, among them CEO, CFO, CIO, Chief Architect, Development Head, Administration Head, IT Security and Audit, Risk and Compliance, together with executive, business and operations management roles whose names are split across lines in the extracted slide text. Rows are the Context Definition controls; the entries below are in the column order they appear on the slide, and blank cells are not recoverable from the extracted text:
    CD1.1: R/A, C, C, C, I
    CD1.2: R/A, C, C, C, I
    CD1.3: R/A, C, C, C, I
    CD1.4: R/A
    CD1.5: R/A
    CD1.6: I, C, R, C, R/A, C, C, C, C, C
    CD1.7: R/A
    CD1.8: A
    R = Responsible; A = Accountable; C = Consulted; I = Informed. 20
  • 21. Risk Scorecard - MMGRseg. Every process must have defined goals and aims, making it possible to measure the degree of success in its execution. To do so, metrics need to be defined according to the SMARRT model (Specific, Measurable, Actionable, Realistic, Results-oriented and Timely). In the MMGRseg model, the measurement of all six activities of the risk management process must be based on SMARRT. 21
  • 22. Case study - MMGRseg. Designed as a questionnaire based on the control objectives: 35 questions, using the Likert scale. Mapping of questions to activities and maturity levels:
    Level   | CD         | AA            | RT            | RA       | RC       | MA
    Level 2 | Q3         | Q9            | Q15           | Q21      | Q26      | Q31
    Level 3 | Q4, Q5, Q6 | Q10, Q11, Q12 | Q16, Q17, Q18 | Q22, Q23 | Q27, Q28 | Q32, Q33
    Level 4 | Q7         | Q13           | Q19           | Q24      | Q29      | Q34
    Level 5 | Q8         | Q14           | Q20           | Q25      | Q30      | Q35
    CD = Context definition, AA = Risk Analysis/Assessment, RT = Risk Treatment, RA = Risk Acceptance, RC = Risk Communication and MA = Monitoring and Critical Analysis of the Risk. 22
  • 23. Case study - MMGRseg. The questionnaire was sent to a convenience sample comprised of 31 companies; feedback was received from 12 of them. Only 3 of the 12 respondent companies managed to reach a level above level 1; the remaining respondents reached only maturity level 1 in all six activities of the RM process for IS. 23
  • 24. Conclusion. This is a meaningful contribution to the development of the field of information security, aligned with ISO/IEC 27005. It is comprised of a set of requirements and best practices: three stages (immaturity, maturity and excellence); five maturity levels (Initial, Known, Standardized, Managed and Optimized); forty-three control objectives; one control map; one assessment instrument relative to the maturity level of the activities of the RM process; an accountability matrix relative to each activity of the process; and a risk scorecard. 24
  • 25. Conclusion. All this can be used by the organization to: identify the weaknesses and/or deficiencies and the possibilities for improvement in the process, thereby guiding and directing investments in Information Security; foster segmented benchmarking; disseminate the risk management culture throughout the company; achieve effectiveness in the continuous improvement of Risk Management in Information Security; and support certification projects for Information Security Management Systems (ISMS) and Business Continuity. 25
  • 26. Thank you. j.mayer@brturbo.com.br | llemes@unisinos.br 26