
Security Maturity Models.

Security Benchmarking
Capability Evaluation, Levels
Capability Maturity Models
Types of Maturity Models

Published in: Technology


  1. Security Maturity Models
     Overview of Security Maturity Models
  2. Agenda
     1. What's a Maturity Model?
     2. Types of Maturity Models
     3. Overview of SSE-CMM & CISO Platform Security Benchmarking
  3. What's a Maturity Model?
     "A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline. A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods and set goals and priorities for improvement." – C2M2, DOE, US Govt.
     How is it useful?
     - Helps define a framework for organizations to baseline current capabilities / architecture
     - Conduct standardized, consistent evaluation(s): identify gaps, build roadmaps, measure progress
     - Allows organizations to benchmark their capabilities against peers
     - Enables decision making: how to improve, prioritize investments in tech, people, services etc.
  4. Types of Maturity Models
     1. Progress-based Maturity Models
        - Measures simple progress / advance through ascending levels (as defined by org/industry)
        - E.g.: Simple Password -> Strong Password -> TFA
        - Pros: Simple; Cons: May NOT translate to maturity
     2. Capability Maturity Models (CMM)
        - Primarily measures the degree to which processes are institutionalized; strength of org culture
        - E.g.: SSE-CMM
        - Pros: Rigorous measure of capabilities; Cons: False sense of achievement – maturity does not equal security
     3. Hybrid
        - Combines the above two
        - E.g.: Cybersecurity Capability Maturity Model (ES-C2M2)
        - Pros: Easy progress measurement & approximation of capability; Cons: Not as rigorous as CMM
     Adapted from content provided by CERT and the Software Engineering Institute (SEI), CMU.
  5. Some Maturity Models
     1. CERT CC Resilience Maturity Model
     2. COBIT
     3. US Dept of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
     4. Information Security Management Maturity Model (ISM3)
     5. NIST CSEAT IT SMM
     6. Gartner's Security Model
     7. Systems Security Engineering Capability Maturity Model (SSE-CMM)
     8. Computer Emergency Response Team / Chief Security Officer Security Capability Assessment (CERT/CSO)
     9. Community Cyber Security Maturity Model (CSMM)
     10. FFIEC – Cybersecurity Maturity
     11. OpenSAMM – AppSec
     12. BSIMM – AppSec
     13. and many more…
  6. ISO/IEC 21827 Systems Security Engineering Capability Maturity Model (SSE-CMM)
     The model is a standard metric for security engineering practices covering the following:
     1. Project lifecycles, including development, operation, maintenance, and decommissioning activities
     2. Entire organizations, including management, organizational, and engineering activities
     3. Concurrent interactions with other disciplines, such as system software and hardware, human factors, test engineering; system management, operation, and maintenance
     4. Interactions with other organizations, including acquisition, system management, certification, accreditation, and evaluation
     Source: SSE-CMM
  7. SSE-CMM Dimensions
     Level 1 – Performed Informally
     Level 2 – Planned & Tracked
     Level 3 – Well Defined
     Level 4 – Quantitatively Controlled
     Level 5 – Continuously Improving
     Source: SSE-CMM
  8. Sample (figure; not reproduced in the transcript). Source: SSE-CMM
  9. CISO Platform Security Benchmarking
     - An insight into a company's current cyber security positioning among its peers
     - An insight into a company's current positioning in the overall market
     - Helps analyse the gaps in the cyber security structure
     - Helps you find the strategic focus areas
     - NOT a Capability Maturity Model
  10. India vs World
      - India is 75 to 80% at par with the USA for Prevention / Detection technologies.
      - India is less than 10% at par with the USA in Response.
      - India is less than 10% at par with the USA for Prediction of breaches beforehand.
      - India is less than 10% at par with the USA in adoption of emerging security technologies like threat intelligence and big data security analytics, RASP, IAST, containerization / isolation, attack deception etc.
  11. Industry-wise maturity (Security Maturity Index, %)
      Vertical                    Security Maturity Index (%)
      Minor BFSI                  44.95
      Retail/Online               51.52
      Manufacturing               52.43
      Healthcare & Hospitality    53.13
      Financial Services          56.06
      Minor IT/ITES               59.25
      Major BFSI                  70.16
      Major IT/ITES               74.66
      Large Scale Telecom         76.62
  12. CISO Platform Security Benchmarking
      Community-based initiative which helps organizations benchmark their existing security posture against that of their peers / industry (e.g.: BFSI, IT/ITES) and develop an actionable, prioritized roadmap for achieving the desired maturity level. The technologies are categorized into:
      - Security control type (Prevent, Detect, Respond, Predict)
      - Technology adoption type (Basic, Moderate, Advanced)
  13. Benchmarking – capabilities in place
      * The graph presented here is indicative and for sample purposes only.
      Capability in Place Statistics – Vertical Adoption (%)
      Security Awareness and Training        81.82%
      Wireless Security                      68.18%
      Policy Management                      77.27%
      Mobile Device Management               45.45%
      IAM/PIM                                45.45%
      Application/Database Security          59.09%
      SIEM                                   59.09%
      End Point Security                     90.91%
      Digital Rights Management              31.82%
      DLP/Data Security                      72.73%
      IDS/IPS                                86.36%
      Patch Management                       86.36%
      Secure Email/Web Gateway, Content …    100.00%
      Strong Authentication                  63.64%
      Unified Threat Management              59.09%
      Anti Malware/Antispyware               95.45%
      BCP/DR                                 61.00%
      Web Application Firewall               61.00%
      Vulnerability Management               62.00%
      Threat Intelligence                    53.00%
  14. Benchmarking – capabilities not in place
      * The graph presented here is indicative and for sample purposes only.
      Capability Not in Place Statistics – Vertical Adoption (%) (chart; bar values not preserved in the transcript)
      Capabilities charted: DDoS, IT GRC management, Biometric, Encryption for Servers/Storage/Database, Anti-APT
  15. Some Resources to Get You Started
      1. CPSB
      2. Vendor specific, some examples:
         1. nCircle
         2. Veracode
         3. KPMG – Cyber KARE
      3. BSIMM – https://www.bsimm.com/
      4. OpenSAMM – http://www.opensamm.org/
      5. https://buildsecurityin.us-cert.gov
      6. C2M2 – http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program/cybersecurity
  16. Thank You!
