Sudarsan Jayaraman - Open Information Security Management Maturity Model - Presentation Transcript
Open Information Security Management Maturity Model: An Overview. 25th May 2011. Presented by: Sudarsan Jayaraman, CISA, CISM, ITIL V3 Expert, ISO 20000 (C), ISO 27001 LA, COBIT (F), Director, Technology Risk Services
Today’s Discussion Points
Current Information Security Management Practices
Open Information Security Management Maturity Model (O-ISM3) – An Overview
Implementation Approach and Potential Benefits?
Do you agree? QUESTION: Do information security compliance projects improve the security posture of an organization?
ANSWER: No. Information security compliance projects are not helping the organization; they amount to documentation of controls rather than implementation of security.
Inadequate visibility into how information security is functioning
Increase in the number of security incidents
High cost of information security and low ROI
IT staffing issues
Lack of knowledge of critical systems
Information security is not measurable
No clear view of business requirements
Budget cuts and reduced IT spending
Deliver projects to meet business growth
Meet compliance requirements from various agencies
Demonstrate value to the business
Improve security and privacy controls
Improve the quality of information security delivery
Governance – A Balancing act
Governance is about:
Improving profitability, efficiency, effectiveness, and growth
Adhering to legislation, internal policies, and audit requirements
What is Information Security Governance?
International Standards in Information Security
ISO/IEC 27001 (ISO/IEC 27000 series): Information technology - Security techniques - Information security management systems - Requirements
O-ISM3: The Open Group Information Security Management Maturity Model
Standard of Good Practice for Information Security, from the Information Security Forum (ISF)
Common issues in the current standards (criteria compared: current ISMS vs. O-ISM3 requirement, with implications)
Paradigm
  Current ISMS: Controls based. O-ISM3: Process based.
  Implications: Controls don't have a defined output, but processes do, so processes can be managed using metrics of their outputs. Process-based management is easier to integrate with COBIT, ISO 9001 and ITIL.
Business approach
  Current ISMS: Bottom-up. O-ISM3: Top-down.
  Implications: Focus on business objectives/goals and derive security objectives and targets from business requirements; this links business goals and information security.
Focus
  Current ISMS: Attack prevention. O-ISM3: Information quality, i.e. security should focus on addressing business interests.
Incident
  Current ISMS: Breach of CIA (confidentiality, integrity, availability). O-ISM3: Breach of a security objective.
Metrics
  Current ISMS: No. O-ISM3: Yes.
  Implications: Metrics allow finding incidents and faults in the process, enabling continuous improvement.
IT Standards and Frameworks (figure: frameworks positioned between business requirements, the WHAT, and delivery, the HOW)
  IT Governance: COBIT, Val IT, ISO/IEC 38500
  Information Security: ISO 27000 series / Open ISM3 / ISF
  IT Service Management: ITIL, ISO/IEC 20000
  Project Management: PMI PMBOK
Characteristics of a Framework
  Has general acceptability among organizations
  Helps meet regulatory requirements
  Defines a common language (control framework)
  Provides a sharper business focus
  Ensures process orientation
O-ISM3 – Information Security Management Maturity Model
O-ISM3 main characteristics are:
O-ISM3 Framework Characteristics
About Open ISM3
ISM3 was developed by the ISM3 Consortium, by a team headed by Mr. Vicente Aceituno.
ISM3 has now been adopted by The Open Group as O-ISM3; the latest version was released in February 2011.
The Open Group is a vendor- and technology-neutral consortium.
Other Open Group standards include The Open Group Architecture Framework (TOGAF®).
Highlights of O-ISM3
Enable the creation of ISM systems that are fully aligned with the business mission and compliance needs.
Applicable to any organization regardless of size, context and resources.
Enable organizations to prioritize and optimize their investment in information security.
Enable continuous improvement of ISM systems using metrics.
Generic Practices
GP-1 Knowledge Management
GP-2 ISM and Business Audit
GP-3 ISM Design and Evolution
Strategic Practices
SSP-1 Report to Stakeholders
SSP-4 Define Division of Duties rules
SSP-6 Allocate Resources for Information Security
Tactical Practices
TSP-1 Report to Strategic Management
TSP-2 Manage Allocated Resources
TSP-3 Define Security Targets and Security Objectives
TSP-4 Service Level Management
TSP-6 Security Architecture
TSP-7 Background Checks
TSP-8 Personnel Security
TSP-9 Security Personnel Training
TSP-10 Disciplinary Process
TSP-11 Security Awareness
TSP-13 Insurance Management
TSP-14 Information Operations
O-ISM3 Processes: Operational Practices
OSP-1 Report to Tactical Management
OSP-2 Security Procurement
OSP-3 Inventory Management
OSP-4 Information Systems IT Managed Domain Change Control
OSP-5 IT Managed Domain Patching
OSP-6 IT Managed Domain Clearing
OSP-7 IT Managed Domain Hardening
OSP-8 Software Development Life-cycle Control
OSP-9 Security Measures Change Control
OSP-16 Segmentation and Filtering Management
OSP-17 Malware Protection Management
Access and Environmental Control
OSP-11 Access control
OSP-12 User Registration
OSP-14 Physical Environment Protection Management
OSP-10 Backup Management
OSP-15 Operations Continuity Management
OSP-26 Enhanced Reliability and Availability Management
OSP-27 Archiving Management
OSP-16 Segmentation and Filtering Management
Testing and Auditing
OSP-19 Internal Technical Audit
OSP-20 Incident Emulation
OSP-21 Information Quality and Compliance Assessment
OSP-22 Alerts Monitoring
OSP-23 Internal Events Detection and Analysis
OSP-28 External Events Detection and Analysis
OSP-24 Handling of incidents and near-incidents
Sample Process Description: OSP-5, IT Managed Domain Patching Process
Description: This process covers the ongoing update of services to prevent incidents related to known weaknesses, enhancing the reliability of the updated systems.
Value: Patching prevents incidents arising from the exploitation of known weaknesses in services.
Documentation: OSP-051, Services update level report template; OSP-052, Services Patching Management procedure.
Inputs: Inventory of Assets (OSP-3).
Outputs: Services Update Level Report (OSP-4); Metrics Report (TSP-4).
Quality: Up-to-date services in every IT managed domain.
Metrics: Update level, calculated as follows:
  The update level for a specific information system is equal to the sum of the days outstanding for all pending security patches.
  The IT managed domain update level is equal to the sum of the individual update levels, divided by the number of information systems.
  The lower this metric, the better. It allows checking the progress of the patching process and comparing the update level of different IT managed domains.
Responsibilities: Process Owner: Information Systems Management. Supervisor: TSP-14 Process Owner.
Related processes: OSP-4, Information Systems IT Managed Domain Change Control; OSP-9, Security Measures Change Control.
Related methodologies: Project Quant.
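A worked computation of the update level metric, added here as an illustration; it is not part of the original slides or of the O-ISM3 specification. It builds a small constructed inventory of systems and pending security patches in three IT managed domains, computes the per-system update level (sum of days outstanding) and the domain update level (sum of system levels divided by the number of systems) exactly as defined above, and then checks which systems exceed a hypothetical security target of 30 days. The data model, field names, the 30-day target and the inventory contents are all assumptions.

```python
"""Worked example of the O-ISM3 OSP-5 'update level' metric (illustration only)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PendingPatch:
    """A security patch that applies to a system but is not yet installed (assumed shape)."""
    patch_id: str
    available_since: date   # day the fix became available; the outstanding clock starts here


@dataclass(frozen=True)
class InformationSystem:
    name: str
    domain: str                   # the IT managed domain the system belongs to
    pending: tuple = ()           # PendingPatch objects still outstanding


def days_outstanding(patch: PendingPatch, as_of: date) -> int:
    """Days a single patch has been pending as of the reporting date."""
    # A patch dated after the reporting date is an inventory data error, not
    # negative exposure; clamp to zero so it cannot lower the metric.
    return max((as_of - patch.available_since).days, 0)


def system_update_level(system: InformationSystem, as_of: date) -> int:
    """Sum of days outstanding over all pending security patches on one system."""
    return sum(days_outstanding(p, as_of) for p in system.pending)


def domain_update_level(systems, as_of: date) -> float:
    """Sum of the systems' update levels divided by the number of systems."""
    systems = list(systems)
    if not systems:
        raise ValueError("an IT managed domain with no systems has no update level")
    return sum(system_update_level(s, as_of) for s in systems) / len(systems)


def system_levels(inventory, as_of: date) -> dict:
    """Per-system update level, keyed by system name."""
    return {s.name: system_update_level(s, as_of) for s in inventory}


def domain_levels(inventory, as_of: date) -> dict:
    """Per-domain update level, keyed by domain name (the figure the OSP-5 report carries)."""
    by_domain = {}
    for s in inventory:
        by_domain.setdefault(s.domain, []).append(s)
    return {d: domain_update_level(ss, as_of) for d, ss in sorted(by_domain.items())}


def systems_over_target(inventory, as_of: date, target_days: int) -> list:
    """Systems whose own update level exceeds a security target (hypothetical threshold)."""
    return sorted(name for name, level in system_levels(inventory, as_of).items()
                  if level > target_days)


# Constructed sample inventory (not real data): three IT managed domains.
AS_OF = date(2011, 5, 25)
INVENTORY = (
    InformationSystem("web01", "dmz", (PendingPatch("KB-A", date(2011, 5, 1)),
                                       PendingPatch("KB-B", date(2011, 5, 15)))),
    InformationSystem("web02", "dmz", (PendingPatch("KB-A", date(2011, 4, 25)),)),
    InformationSystem("db01", "corp", (PendingPatch("KB-C", date(2011, 5, 20)),)),
    InformationSystem("file01", "corp"),
    InformationSystem("app01", "legacy", (PendingPatch("KB-D", date(2011, 1, 25)),)),
    InformationSystem("app02", "legacy"),
    InformationSystem("app03", "legacy"),
)

if __name__ == "__main__":
    for name, level in system_levels(INVENTORY, AS_OF).items():
        print(f"{name:8} update level = {level:4d} days")
    for domain, level in domain_levels(INVENTORY, AS_OF).items():
        print(f"domain {domain:8} update level = {level:6.1f} days")
    print("over 30-day target:", systems_over_target(INVENTORY, AS_OF, 30))
```

Note what the domain figure hides: the "legacy" domain averages 40 days because two fully patched systems dilute a single system with a 120-day backlog, so a domain-level report should be read alongside a per-system check against the security target, as systems_over_target does here.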
O-ISM3 Goals
Generic Goals: Prevent and mitigate incidents; optimise the use of information, money, people, time and infrastructure.
Strategic Goals: Define security objectives consistent with organizational objectives, protecting stakeholders' interests.
Tactical Goals: Provide feedback to strategic management; manage the budget, people and other resources allocated to information security.
Operational Goals: Provide feedback to tactical management; carry out processes for incident prevention, detection and mitigation.
O – ISM3 An Information Security Management Maturity Model
O-ISM3 is a framework for managing information security in the context of business objectives.
When business objectives and security objectives are aligned, information security becomes a key contributor to the common goal of achieving the business objectives.
Security objectives and security targets are expressed in tangible, specific, and measurable terms.
Business Objectives -> Security Objectives -> Security Targets
O-ISM3 Security Management Levels
Strategic Management: managers involved in the long-term alignment of IT with business needs.
Tactical Management: managers involved in the allocation of resources and the configuration and management of the ISMS.
Operational Management: managers involved in setting up, operating, and monitoring specific processes.