O-ISM3 Executive Summary
  • What, When, Where, Who, How, Why. We cannot work any way we like: the techniques must be used. We cannot use just any document: the deliverables must be used. Dependency on specific people is reduced. Applying the techniques is naturally reflected in the deliverables. We measure progress objectively. We can plan the work better. We do only what is relevant to the project. The work done is of better quality and is well documented. Risk drops considerably when the project is large and/or complex.
  • Manage what you can control
  • Red: high importance, high risk, strong dependency. Orange: medium importance, medium risk, medium dependency. Yellow: low importance, low risk, low dependency. Every environment carries a risk. Every business function depends strongly or weakly on environments, and each business function has a different importance. Depending on threat probability, importance, how each environment is protected and how business functions depend on environments, you arrive at a certain risk figure.
  • Who are the users of the system? Do they need to be specifically authorized? From whom do we want to protect the system's information? Will any part of the system be located in publicly accessible locations? Will the system handle personal information of clients, potential clients, stockholders or employees? Which locations where parts of the system will reside are subject to differing regulations on handling of personal information and data breach disclosure? Will the system use information licensed from third parties? Which locations where parts of the system will reside are subject to differing regulations on licensed information? Will the system handle intellectual property? Which locations where parts of the system will reside are subject to differing regulations on intellectual property? These questions help in understanding the inventory, DRM, watermarking, obfuscation and compliance needs.

O-ISM3 Executive Summary Presentation Transcript

  • 1. O-ISM3 Open - Information Security Management Maturity Model
  • 2. O-ISM3 is an Information Security Management Method
  • 3. A method is the complete definition of how to make repeatable a complex activity
  • 4. O-ISM3 is a Standard
  • 5. O-ISM3 is Compatible
  • 6. O-ISM3 is not about Compliance
  • 7. O-ISM3 is about Results
  • 8. Security Investment, Maturity Level & Risk. (Chart: Risk against Security Investment, with the points Maximum Risk/No Investment, Maximum ROSI and Minimum Risk/Maximum Investment, and the slope Risk Reduction / Additional Security Investment.) O-ISM3 has Maturity Levels…
  • 9. Security Investment, Maturity Level & Risk. (Same chart as slide 8.) … in order to cater for different requirements and resources
  • 10. O-ISM3 Metrics are built-in: Activity, Scope, Efficacy, Efficiency.
  • 11. Risk Assessment is not compulsory. (Matrix of environments, Internal Network, DMZ, Mobile Users, Internal Users and WiFi Networks, against business functions: Governance, Infrastructure, Human Resources, Production, Logistics, Administration, IT, Advertising, Research, Procurement, Sales, Business Intelligence, Financing/Accounting, Maintenance, Relationships, Legal.)
  • 12. O-ISM3 helps tune: how much security is enough?
  • 13. Use case – Malware Management: ISM3-less management
      • Motivation: clean viruses or your business will sink.
      • Objective: no system should ever get a virus.
      • Activity: install antivirus on personal computers, servers and mail servers; add antivirus functionality to firewalls; add antispyware, anti-trojan and anti-rootkit tools to the mix.
      • Policy: prevent any USB or DVD from touching any company system without first being scanned for viruses.
      • Success criterion: when no system ever gets a virus.
      • Continuous improvement: add more antimalware controls (Tripwire, CORE, etc.).
  • 14. Use case – Malware Management: ISM3-style management
      • Motivation: unfortunately systems, especially Windows, are malware prone. We should invest in proportion to the damage malware can cause.
      • Goal: systems should fulfil their business role with or without malware.
      • Activity: install antimalware on vulnerable systems. Measure the activity, scope, update status and availability of the antimalware. Consider other measures, such as using less malware-prone systems.
      • Policy: use on every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.
      • Success criterion: when protected systems play their business role without interruption or degradation.
      • Continuous improvement: use metrics to improve the antimalware protection and keep the measures with better effectiveness and ROI.
  • 15. Summary
      • ISMS method.
      • Standard published by The Open Group.
      • Compatible with ISO2700x, CobIT, ITIL, etc.
      • Focus on results, not on compliance.
      • Maturity levels adapt to different resources and requirements.
      • Uses processes instead of controls.
      • Metrics are included; they don't need to be developed anew.
      • Risk assessment is optional.
      • Security objectives and targets help answer: how much security is enough?
  • 16. Information Security that makes Business Sense
      • Web: inovement.es/oism3, www.inovement.es
      • Video Blog: youtube.com/user/vaceituno
      • Blog: ism3.com
      • Twitter: twitter.com/vaceituno
      • Presentations: slideshare.net/vaceituno/presentations
      • Articles: slideshare.net/vaceituno/documents
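Slide 14 asks for antimalware to be measured by activity, scope, update status and availability, with success judged by systems keeping their business role rather than by "zero infections". As an added example that is not part of the presentation or of O-ISM3 itself, the following computes those figures over a constructed inventory; the field names, the 7-day signature freshness threshold and the efficacy definition are assumptions.

```python
# Added example: O-ISM3-style antimalware process metrics over a constructed
# inventory. Field names and thresholds are assumptions, not O-ISM3 definitions.
from dataclasses import dataclass


@dataclass
class System:
    name: str
    business_role: str
    malware_prone: bool       # e.g. a Windows endpoint; assumed to mean "vulnerable"
    av_installed: bool
    av_running: bool
    signature_age_days: int   # age of the antimalware signatures
    detections: int           # malware detected/blocked in the reporting period
    role_interruptions: int   # times malware stopped the system playing its role


MAX_SIGNATURE_AGE_DAYS = 7    # assumed freshness threshold for "updated"


def _ratio(num, den):
    # None (rather than a division error) when there is nothing to measure.
    return round(num / den, 3) if den else None


def antimalware_metrics(inv, max_age=MAX_SIGNATURE_AGE_DAYS):
    vulnerable = [s for s in inv if s.malware_prone]
    protected = [s for s in vulnerable if s.av_installed]
    # Scope: share of vulnerable systems the process actually covers.
    scope = _ratio(len(protected), len(vulnerable))
    # Availability: share of protected systems whose antimalware is running.
    availability = _ratio(sum(s.av_running for s in protected), len(protected))
    # Update: share of protected systems with fresh signatures.
    update = _ratio(sum(s.signature_age_days <= max_age for s in protected), len(protected))
    # Activity: detections handled by the process in the period.
    activity = sum(s.detections for s in protected)
    # Efficacy: share of protected systems that kept playing their business
    # role, i.e. slide 14's success criterion rather than "no virus ever".
    efficacy = _ratio(sum(s.role_interruptions == 0 for s in protected), len(protected))
    unprotected = [s.name for s in vulnerable if not s.av_installed]
    return {"scope": scope, "availability": availability, "update": update,
            "activity": activity, "efficacy": efficacy, "unprotected": unprotected}


# Constructed sample inventory (not real data).
INVENTORY = [
    System("ws-01", "sales", True, True, True, 1, 3, 0),
    System("ws-02", "sales", True, True, False, 30, 0, 1),
    System("ws-03", "finance", True, True, True, 2, 1, 0),
    System("ws-04", "research", True, False, False, 0, 0, 2),
    System("lnx-db", "production", False, False, False, 0, 0, 0),
]

if __name__ == "__main__":
    for key, value in antimalware_metrics(INVENTORY).items():
        print(f"{key}: {value}")
```

The gap between scope and availability (installed but not running) and the stale signatures on ws-02 are the kind of finding the "continuous improvement" step on slide 14 acts on.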