• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Security Maturity Model
 

Security Maturity Model

on

  • 674 views

 

Statistics

Views

Total Views
674
Views on SlideShare
674
Embed Views
0

Actions

Likes
0
Downloads
10
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NoDerivs LicenseCC Attribution-NoDerivs License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Security Maturity Model Security Maturity Model Presentation Transcript

    • First Improvised Security Testing ConferenceMadrid 18/7/2003 Security Maturity Model © Vicente Aceituno
    • “You are only as strong as your weakest link” 2© Vicente Aceituno, smmodel@yahoogroups.com
    • In 1995, Nick Leeson traded derivatives bringing Barings Bank bankrupt. Information systems were not at fault. 3© Vicente Aceituno, smmodel@yahoogroups.com
    • …an Organization is much more than information systems… Information Infrastructure Systems People Trademark & Know-How Prestige Financial Assets 4© Vicente Aceituno, smmodel@yahoogroups.com
    • Are we sure auditing an information system will make an Organization safer in the long run? How about… Organization issues. Security Targets (Policy) issues. Security Investment Performance issues. A perfectly configured and patched system won’t stay that way for long in an Insecure Organization! 5© Vicente Aceituno, smmodel@yahoogroups.com
    • OK. How can we know how secure an Organization is and how to make it safer? 6© Vicente Aceituno, smmodel@yahoogroups.com
    • Introducing the Security Maturity Model SMM describes the maturity of an organization depending on: Assignment and supervision of responsibilities. Security organization. Security practices. Policies: Expectation-driven targets. Distributed Policy Enforcement Responsibility. Access Control management. Independent audits. Quantitative data gathering. Etc… Security investment management. 7© Vicente Aceituno, smmodel@yahoogroups.com
    • SMM Level 1 - Initial Security is not acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or individual efforts. The presence of incidents invariably leads to the maximum impact that could be expected. 8© Vicente Aceituno, smmodel@yahoogroups.com
    • SMM Level 2 - Acknowledged Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or some organizational efforts. The presence of incidents doesn’t always lead to the maximum impact that could be expected. Expectations, incidents, and assets are sometimes evaluated. Security measures are taken until the budget is exhausted. The results of the organizational efforts fades with time. From here on “Evaluation” means: Identify, Classify, Prioritize, Value 9© Vicente Aceituno, smmodel@yahoogroups.com
    • SMM Level 3 - Defined Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or continuous organizational efforts. The presence of incidents normally doesn’t lead to the maximum impact that could be expected. Expectations, incidents and assets are sometimes evaluated. Security measures are taken until the budget is exhausted. Organizational security responsibilities are defined. A Security Policy exists. Assets are accessed using sessions. Security measures are audited. The results of the organizational efforts are permanent. 10© Vicente Aceituno, smmodel@yahoogroups.com
    • SMM Level 4 - Managed Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents virtually never leads to the maximum impact that could be expected. Expectations, incidents and assets are evaluated. The best security measures are taken considering the budget. Organizational security responsibilities are defined. A Security Norms Framework exist and is applied. Assets are accessed using sessions only. Security measures are audited. Responsibilities are partitioned and supervised. A “Continuity of Operations Plan” exists. This plan considers the organization’s current status, and is properly implemented. The results of the organizational efforts are permanent. 11© Vicente Aceituno, smmodel@yahoogroups.com
    • SMM Level 5 - Optimum Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents doesn’t lead to the maximum impact that could be expected. Expectations, incidents and assets are evaluated quantitatively. The best security measures are taken considering the budget. It can be determined if the budget is consistent with the targets defined by the Security Norms Framework. Organizational security responsibilities are defined. A Security Norms Framework exist and is applied. Assets are accessed using sessions only. Security measures are audited. Responsibilities are partitioned and supervised. A “Continuity of Operations Plan” exists. This plan considers the organization’s evolution and is properly implemented. Quantitative information is collected about incidents or close calls. Security measures are selected using objective criteria. The results of the organizational efforts are permanent. 12© Vicente Aceituno, smmodel@yahoogroups.com
    • SMM SMM – Security Norms Framework Security Policies as a single document are not flexible enough in a big organization and quickly become worthless. An effective Security Policy describes the high-level principles that describe the targets (why) and the strategies (what) to reach them. The Security Norms develop the strategies describing the scope (where and when) of the security practices. The Security Standards develop the norms with specifications per domain, than can be checked. Security Procedures develop standards and norms and give a step-by-step description of the who and how of the practice. The Operations Continuity Plan is a procedure that specifies how to act when a catastrophe happens. The Fair Use norm informs users about their obligations when using the organization’s systems. The Third Party Agreements define mutual security commitments at the organization’s borders with others. 13© Vicente Aceituno, smmodel@yahoogroups.com
    • SMM SMM –Sublevels. Depending on the degree of integration of the existing practices, such as: Theorized: The practice is identified as compulsory in the Security Norms Framework, but the scope norms, standards and procedures don’t exist. Procedured: There are norms, standards & procedures for this practice. Implemented: The norms of the practice are actually used. Verified: The results of the procedures used are audited periodically. Integrated: Circumvention of the norms of the practice is insignificant. …an organization may occupy any sublevel within a given level. 14© Vicente Aceituno, smmodel@yahoogroups.com
    • SMM SMM – Summary. Using SMM you can: Determine what is your organization’s maturity. Set a maturity target. Plan for maturity enhancement. Benefits: Every partial result of achieving the higher SMM Levels won’t depend any longer on external contractors. Ever. Improve customer and stockholders trust on the organization. Maximize turnover of Security Investment. Avoid non-technical security risks, setting an environment where there are no weak links. 15© Vicente Aceituno, smmodel@yahoogroups.com
    • This presentation is just an overview. The SMM is being further developed at the smmodel Group smmodel@yahoogroups.com groups.yahoo.com/group/smmodel© Vicente Aceituno18 de Julio de 2003Open Content Licencedwww.opencontent.org/opl.shtml SMM