Sudarsan Jayaraman - Open information security management maturity model


  • Speaker notes: Maturity levels are designed so that the more important processes (in terms of ROSI) sit in level 1, and so on. This makes it easier to prioritize and schedule investment. ISO 9001 management principles can be applied to security, as processes have defined outputs that can be acted on. Levels 1-3 can be certified the same way ISO 9001 management systems are. Level 4 can be certified ISO 9001-wise, or against ISO 27001 if the ISO 27001 requirements are met. Level 5 requires ISM3 Consortium involvement, as metrics are not compulsory for ISO 27001. Frequently, strict requirements for critical production systems spill over all of IT, making the management and use of information needlessly more difficult and expensive. The environment concept links lifecycles

    1. Open Information Security Management Maturity Model – An Overview. 25th May, 2011. Presented by: Sudarsan Jayaraman, CISA, CISM, ITIL V3 Expert, ISO 20000 (C), ISO 27001 LA, COBIT (F), Director – Technology Risk Services
    2. Today's Discussion Points
       • Current Information Security Management Practices
       • Open Information Security Management Maturity Model (O-ISM3) – An Overview
       • Implementation Approach and Potential Benefits
    3. Do you agree? QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?
    4. Do you agree? QUESTION: Do Information Security Compliance Projects improve the security posture of an organization? ANSWER: NO. Information Security Compliance Projects are not helping the organization; they amount to documentation of controls rather than security implementation.
    5. Organization Concerns
       • Management Concerns: inadequate view of how information security is functioning; increase in the number of security incidents; high cost of information security and low ROI; IT staffing issues; lack of knowledge of critical systems; information security not measurable
       • CISO's Concerns: no clear view of business requirements; budget cuts and less IT spending; delivering projects to meet business growth; compliance requirements from various agencies; demonstrating value to the business; improving security and privacy controls; improving the quality of information security delivery
    6. Governance – A Balancing Act. Governance is about balancing:
       • Performance: improving profitability, efficiency, effectiveness, and growth
       • Conformance: adhering to legislation, internal policies, and audit requirements
    7. What is Information Security Governance?
    8. International Standards in Information Security
       • ISO/IEC 27001 series: Information Technology – Security Techniques – Information Security Management System Requirements
       • O-ISM3: Open Group Information Security Management Maturity Model
       • Standard of Good Practice for Information Security from the Information Security Forum
    9. Common issues in the current standards – each criterion compared as current ISMS practice, the O-ISM3 requirement, and its implication:
       • Paradigm – Current ISMS: controls based. Requirement: process based, because controls don't have a defined output but processes do, so processes can be managed using metrics of their outputs. Implication: process based management is easier to integrate with COBIT, ISO 9001 and ITIL.
       • Business approach – Current ISMS: bottom-up. Requirement: top-down, focusing on business objectives/goals and deriving security objectives and targets from business requirements. Implication: a link between business goals and information security.
       • Information qualities – Current ISMS: Confidentiality, Availability, Integrity. Requirement: Business, Compliance, Technical. Implication: information quality should focus on addressing business interests.
       • Security objectives – Current ISMS: attack prevention. Requirement: attack prevention, error prevention, accident prevention.
       • Incident – Current ISMS: breach of CIA. Requirement: breach of a security objective.
       • Metrics – Current ISMS: no. Requirement: yes. Implication: metrics allow finding incidents and faults in the process, enabling continuous improvement.
    10. IT Standards and Frameworks. Business requirements drive the WHAT (IT Governance: COBIT, VAL IT, ISO/IEC 38500) and the HOW (IT Service Management: ITIL, ISO/IEC 20000; Information Security: ISO 27000 series / Open ISM3 / ISF; Project Management: PMI PMBOK).
    11. Characteristics of a Framework. A control framework:
       • has general acceptability among organizations
       • helps meet regulatory requirements
       • defines a common language
       • provides a sharper business focus
       • ensures process orientation
    12. O-ISM3 – Information Security Management Maturity Model. The main characteristics of the O-ISM3 framework are:
       • Business-focused
       • Process-oriented
       • Measurement-driven
    13. About Open ISM3
       • ISM3 was developed by the ISM3 Consortium, by a team headed by Mr. Vicente Aceituno.
       • ISM3 has now been adopted by The Open Group; the latest version was released in February 2011.
       • The Open Group is a vendor- and technology-neutral consortium.
       • Other Open Group standards include The Open Group Architecture Framework (TOGAF®).
    14. Highlights of O-ISM3
       • Enables the creation of ISM systems that are fully aligned with the business mission and compliance needs.
       • Applicable to any organization regardless of size, context and resources.
       • Enables organizations to prioritize and optimize their investment in information security.
       • Enables continuous improvement of ISM systems using metrics.
    15. ISM3 Processes (Implementing O-ISM3)
       • Generic Practices: GP-1 Knowledge Management; GP-2 ISM and Business Audit; GP-3 ISM Design and Evolution
       • Strategic Practices: SSP-1 Report to Stakeholders; SSP-2 Coordination; SSP-4 Define Division of Duties Rules; SSP-6 Allocate Resources for Information Security
       • Tactical Practices: TSP-1 Report to Strategic Management; TSP-2 Manage Allocated Resources; TSP-3 Define Security Targets and Security Objectives; TSP-4 Service Level Management; TSP-6 Security Architecture; TSP-7 Background Checks; TSP-8 Personnel Security; TSP-9 Security Personnel Training; TSP-10 Disciplinary Process; TSP-11 Security Awareness; TSP-13 Insurance Management; TSP-14 Information Operations
    16. ISM3 Processes – Operational Practices
       • OSP-1 Report to Tactical Management; OSP-2 Security Procurement
       • Lifecycle Control: OSP-3 Inventory Management; OSP-4 Information Systems IT Managed Domain Change Control; OSP-5 IT Managed Domain Patching; OSP-6 IT Managed Domain Clearing; OSP-7 IT Managed Domain Hardening; OSP-8 Software Development Life-cycle Control; OSP-9 Security Measures Change Control; OSP-16 Segmentation and Filtering Management; OSP-17 Malware Protection Management
       • Access and Environmental Control: OSP-11 Access Control; OSP-12 User Registration; OSP-14 Physical Environment Protection Management
       • Availability Control: OSP-10 Backup Management; OSP-15 Operations Continuity Management; OSP-26 Enhanced Reliability and Availability Management; OSP-27 Archiving Management; OSP-16 Segmentation and Filtering Management
       • Testing and Auditing: OSP-19 Internal Technical Audit; OSP-20 Incident Emulation; OSP-21 Information Quality and Compliance Assessment
       • Monitoring: OSP-22 Alerts Monitoring; OSP-23 Internal Events Detection and Analysis; OSP-28 External Events Detection and Analysis
       • Incident Handling: OSP-24 Handling of Incidents and Near-Incidents; OSP-25 Forensics
    17. Sample Process Description – OSP-5: IT Managed Domain Patching
       • Description: this process covers the ongoing update of services to prevent incidents related to known weaknesses, enhancing the reliability of the updated systems.
       • Value: patching prevents incidents arising from the exploitation of known weaknesses in services.
       • Documentation: OSP-051 Services Update Level Report template; OSP-052 Services Patching Management procedure
       • Inputs: Inventory of Assets (OSP-3)
       • Outputs: Services Update Level Report (OSP-4); Metrics Report (TSP-4)
       • Services: up-to-date services in every IT managed domain
       • Quality metric – update level, calculated as follows: the update level for a specific information system is equal to the sum of the days outstanding for all pending security patches; the IT managed domain update level is equal to the sum of the individual update levels, divided by the number of information systems. The lower this metric, the better. It allows checking the progress of the patching process and comparing the update level of different IT managed domains.
       • Responsibilities: Process Owner – Information Systems Management; Supervisor – TSP-14 Process Owner
       • Related processes: OSP-4 Information Systems IT Managed Domain Change Control; OSP-9 Security Measures Change Control
       • Related methodologies: Project Quant
    18. O-ISM3 Goals
       • Generic Goals: prevent and mitigate incidents; optimise the use of information, money, people, time and infrastructure.
       • Strategic Goals: define security objectives consistent with organizational objectives, protecting stakeholders' interests.
       • Tactical Goals: provide feedback to Strategic Management; manage budget, people and other resources allocated to information security.
       • Operational Goals: provide feedback to Tactical Management; carry out processes for incident prevention, detection and mitigation.
    19. O-ISM3 – An Information Security Management Maturity Model
       • O-ISM3 is a framework for managing information security in the context of business objectives.
       • When business objectives and security objectives are aligned, information security becomes a key contributor to the common goal of achieving the business objectives.
       • Security objectives and security targets are expressed in tangible, specific, and measurable terms.
       • Chain of derivation: Business Objectives → Security Objectives → Security Targets
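The update level metric from the OSP-5 sample process (slide 17) and the measurable security target idea of slide 19, worked through as an added Python example that is not part of the presentation, of O-ISM3, or of any Open Group material. It assumes that "days outstanding" for a pending patch means days elapsed since the patch became available, counted to the report date (the slide defines the sums, not where the clock starts); the inventory, the report date and the 18-day target are constructed sample values, and the function names are this example's own.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Assumption of this example: "days outstanding" for a pending patch is the
# number of days since the patch became available, counted to the report date.


@dataclass
class PendingPatch:
    patch_id: str
    available_since: date


@dataclass
class InformationSystem:
    name: str
    domain: str  # the IT managed domain the system belongs to
    pending: List[PendingPatch] = field(default_factory=list)


def system_update_level(system: InformationSystem, report_date: date) -> int:
    """Update level of one system: sum of days outstanding over all pending patches."""
    return sum(max(0, (report_date - p.available_since).days) for p in system.pending)


def domain_update_levels(inventory: List[InformationSystem], report_date: date) -> Dict[str, float]:
    """Update level per IT managed domain: sum of system levels / number of systems.

    A domain whose systems are all fully patched scores 0, the best possible value.
    """
    totals: Dict[str, int] = {}
    counts: Dict[str, int] = {}
    for system in inventory:
        totals[system.domain] = totals.get(system.domain, 0) + system_update_level(system, report_date)
        counts[system.domain] = counts.get(system.domain, 0) + 1
    return {domain: totals[domain] / counts[domain] for domain in totals}


def check_security_target(levels: Dict[str, float], target_days: float) -> Dict[str, bool]:
    """Compare each domain against a measurable security target.

    Hypothetical TSP-3 style target: 'domain update level must not exceed target_days'.
    """
    return {domain: level <= target_days for domain, level in levels.items()}


def services_update_level_report(inventory: List[InformationSystem], report_date: date,
                                 target_days: float) -> List[str]:
    """Lines of a Services Update Level Report (the OSP-5 output), worst domain first."""
    levels = domain_update_levels(inventory, report_date)
    status = check_security_target(levels, target_days)
    lines = [f"Services Update Level Report as of {report_date.isoformat()} (target <= {target_days} days)"]
    for domain, level in sorted(levels.items(), key=lambda item: item[1], reverse=True):
        verdict = "within target" if status[domain] else "TARGET MISSED"
        lines.append(f"{domain}: update level {level:.1f} - {verdict}")
    return lines


# Constructed sample inventory (the OSP-3 input); not data from the presentation.
INVENTORY = [
    InformationSystem("web-01", "dmz", [PendingPatch("P-1", date(2011, 5, 1)),
                                        PendingPatch("P-2", date(2011, 5, 15))]),
    InformationSystem("web-02", "dmz", []),  # fully patched
    InformationSystem("db-01", "internal", [PendingPatch("P-3", date(2011, 4, 25))]),
    InformationSystem("app-01", "internal", [PendingPatch("P-1", date(2011, 5, 1)),
                                             PendingPatch("P-4", date(2011, 5, 20))]),
    InformationSystem("app-02", "internal", [PendingPatch("P-5", date(2011, 5, 24))]),
]
REPORT_DATE = date(2011, 5, 25)  # constructed: the presentation date reused as the report date

if __name__ == "__main__":
    print("\n".join(services_update_level_report(INVENTORY, REPORT_DATE, 18)))
```

With these inputs the dmz domain scores (34 + 0) / 2 = 17.0 and the internal domain (30 + 29 + 1) / 3 = 20.0, so only the internal domain misses an 18-day target; the averaging step is what makes domains of different sizes comparable, which is the comparison the slide says the metric is for.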
    20. O-ISM3 Security Management Levels
       • Strategic Management: managers involved in the long-term alignment of IT with business needs
       • Tactical Management: managers involved in the allocation of resources and the configuration and management of the ISMS
       • Operational Management: managers involved in setting up, operating, and monitoring specific processes
       • Reporting chain: Operational Managers report to Tactical Managers, who report to Strategic Managers, who report to Stakeholders
    21. Significant Features of O-ISM3. The significant features of O-ISM3 are:
       • Metrics for information security
       • Capability levels
       • Maturity levels
       • Process based
       • Adopts best practices
       • Accreditation
    22. O-ISM3 – Capability Levels
       • Capability is a property of how a process is managed.
       • Process capability is determined by the metrics the process produces.
       • Capability levels: Initial, Defined, Managed, Controlled, Optimized. Management practices added as capability rises: Enabled, Audit, Certify, Test, Monitor, Assessment, Optimization, Benefits realization, Planning.
       • Metric types, in the order they become required as capability rises: Documentation, Activity, Scope, Effectiveness, Unavailability, Load, Quality, Efficiency. Documentation metrics are required at every level; Efficiency metrics only at the highest.
    23. O-ISM3 Implementation – from business objectives and incidents, through security objectives and incidents, to ISM3 processes and metrics:
       • Operational business objectives (objectives, security targets) → dependency analysis → operationalized security objectives (objectives, security targets)
       • Priority objectives: OSP-15, OSP-26, others
       • Durability objectives: OSP-6, OSP-10, OSP-27, others
       • Quality objectives: OSP-21, others
       • Access Control objectives: OSP-3, OSP-11, OSP-12, OSP-14, others
       • Technical objectives: OSP-5, OSP-7, OSP-16, OSP-17, others
    24. Typical Implementation Approach – Open ISM3 Implementation Approach
    25. Potential Benefits
       • Maturity levels make it easier to prioritize and optimize investment in information security.
       • It scales to small and big organizations. The use of separate processes in every environment prevents the procedures of restrictive environments from being imposed all over the organization.
       • Business focused
       • Process orientation
       • Manageable (with metrics)
       • Compatible (ITIL, ISO 27001, ISO 9001, COBIT)
       • Adaptable
       • Flexible
       • Open standard, readily available
    26. Q & A
    27. Thank you for your participation