Information Security Assurance Capability Maturity Model
(ISA-CMM)
Version 3.2
February 2012
Copyright © 1999
Permission to reproduce this product and to prepare derivative
works from this product is granted royalty-free, provided the
copyright is included with all reproductions and derivative
works. This document includes excerpts from “A Systems
Engineering Capability Maturity Model, Version 1.1,”
CMU/SEI-95-MM-003, published in November 1995 and
version 2.0 of the Systems Security Engineering CMM (SSE-
CMM), published in April 1999 and is now ISO Standard
ISO/IEC DIS 21827.
The Systems Engineering CMM is “Copyright © 1995 by
Carnegie Mellon University and the SSE-CMM is held and
maintained by the International System Security Engineering
Association (ISSEA). Permission to reproduce this product and
to prepare derivative works from this product is granted royalty-
free, provided this copyright is included with all reproductions
and derivative works.”
TABLE OF CONTENTS

1. INTRODUCTION
   Information Security Assurance
   Information Security Assurance Training and Rating Program (ISATRP)
   Information Security Assessment Methodology (ISAM)
   Information Security Red Team Methodology (ISRM)
   Information Security Assurance – Capability Maturity Model (ISA-CMM)
   Acknowledgments
   Points of Contact
2. ISA-CMM Overview
   Expected Results
   Key Concepts
   ISA-CMM Architecture Description
   The Basic Model
   The Base Practices and Process Areas
   The Generic Practices
   The Capability Levels
3. Process Area Format
   ISA-PA01: Provide Training
      ISA-BP01.01 – Identify Training Needs
      ISA-BP01.02 – Select Method of Information Security Training
      ISA-BP01.03 – Ensure Availability of Information Security Training
      ISA-BP01.04 – Train Personnel
      ISA-BP01.05 – Assess Training Effectiveness
   ISA-PA02: Coordinate with Customer Organization
      ISA-BP02.01 – Identify Coordination Mechanisms
      ISA-BP02.02 – Facilitate Coordination
      ISA-BP02.03 – Coordinate Decisions and Recommendations
   ISA-PA03: Specify Initial Information Security Needs
      ISA-BP03.01 – Understand Criticality of the Customer's Assets
      ISA-BP03.02 – Identify Applicable Constraints
      ISA-BP03.03 – Identify Customer's Concerns
      ISA-BP03.04 – Capture High-Level Objectives
      ISA-BP03.05 – Identify Initial Information Security Needs
   ISA-PA04: Assess Threat
      ISA-BP04.01 – Identify Applicable Threats
      ISA-BP04.02 – Identify Threat Impact Potential
      ISA-BP04.03 – Assess Threat Agent Capability
      ISA-BP04.04 – Assess Threat Likelihood
      ISA-BP04.05 – Monitor Threats
   ISA-PA05: Assess Vulnerability
      ISA-BP05.01 – Identify Applicable Vulnerabilities
      ISA-BP05.02 – Define Exploitation Potential
      ISA-BP05.03 – Determine Overall Vulnerability
      ISA-BP05.04 – Monitor Exploitation Potential
   ISA-PA06: Assess Impact
      ISA-BP06.01 – Analyze Capabilities
      ISA-BP06.02 – Identify Potential Impacts
      ISA-BP06.03 – Monitor Impacts
   ISA-PA07: Assess Information Security Risk
      ISA-BP07.01 – Determine Threat / Vulnerability / Impact Triples
      ISA-BP07.02 – Assess Risk Associated with Exploitations
      ISA-BP07.03 – Identify Potential Countermeasures
      ISA-BP07.04 – Monitor Risks
   ISA-PA08: Provide Analysis and Results
      ISA-BP08.01 – Address Customer's Concerns and Constraints
      ISA-BP08.02 – Provide Findings and Recommendations
   ISA-PA09: Manage Information Security Assurance Processes
      ISA-BP09.01 – Identify Information Security Assurance Process Management Structure
      ISA-BP09.02 – Define Information Security Assurance Process
      ISA-BP09.03 – Maintain Work Product Baselines
      ISA-BP09.04 – Manage Information Security Assurance Program
4. Generic Practices
   Capability Level 0 – Not Performed
   Capability Level 1 – Performed Informally
      Common Feature 1.1 – Base Practices Are Performed
   Capability Level 2 – Planned and Tracked
      Common Feature 2.1 – Planning Performance
      Common Feature 2.2 – Disciplined Performance
      Common Feature 2.3 – Verifying Performance
      Common Feature 2.4 – Tracking Performance
   Capability Level 3 – Well-Defined
      Common Feature 3.1 – Defining a Standard Process
      Common Feature 3.2 – Perform the Defined Process
      Common Feature 3.3 – Coordinate Practices
   Capability Level 4 – Quantitatively Controlled
      Common Feature 4.1 – Establishing Measurable Quality Goals
      Common Feature 4.2 – Objectively Managing Performance
   Capability Level 5 – Continuously Improving
      Common Feature 5.1 – Improving Organizational Capability
      Common Feature 5.2 – Improving Process Effectiveness
Appendix A: Glossary
Appendix B: GP Interdependencies
Appendix C: ISAM Compliance Guidelines
Appendix D: ISAM Evidence Matrix
Appendix E: ISRM Compliance Guidelines
Appendix F: ISRM Evidence Matrix

LIST OF FIGURES
Figure 2-1: Rating Profile
Figure 2-2: Capability Levels
Figure 3-1: Process Area Format

LIST OF TABLES
Table 2-1: Capability Principles

INTRODUCTION
The last twenty years have seen a proliferation of automated information systems, reliance on the Internet to enable most of the nation's essential services and infrastructures, and the growing threat of organized cyber attacks capable of causing debilitating disruption to our critical infrastructures. Many regulations, policies, and guidelines encourage organizations to assess the security posture of their information systems in order to identify fundamental, cost-effective security improvements that contribute to the protection of these critical information infrastructures. The events leading up to, and those that have occurred since, September 11, 2001 have created an even greater need to be aware of and to address cyber threats and vulnerabilities. On November 25, 2002, the Department of Homeland Security was established as the federal center of excellence for cyber security and as the focal point for federal outreach to state, local, and nongovernmental organizations, including the private sector, academia, and the public, in providing ongoing protection from threats against our national assets. The National Strategy to Secure Cyberspace is an implementing component of the National Strategy for Homeland Security; its purpose is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact.
The National Strategy to Secure Cyberspace includes five
national priorities, one of which is a National Cyberspace
Security Threat and Vulnerability Reduction Program, aimed at
reducing threats from and our vulnerabilities to cyber attacks.
Vulnerabilities must be identified and corrected in critical
networks and systems before threats surface. Recognizing that
vulnerabilities result from weaknesses in technology as well as
from improper implementation and oversight of technological
products, the strategy identifies eight major actions and
initiatives, one of which is to create a process for national
vulnerability assessments to better understand the potential
consequences of threats and vulnerabilities.
The number of government organizations and private companies that profess to offer security assessment services has also grown significantly. Without any standardization, however, these organizations have implemented varying interpretations of what Information Security assurance services entail. Today the terminology, scope and cost of the Information Security assurance services offered by industry differ greatly, and customers have no standardized way to determine which provider is the most capable of addressing their specific needs at the most reasonable cost. The National Security Agency (NSA) offered a solution to this problem through the INFOSEC Assurance Training and Rating Program (IATRP). In mid-2010, the NSA transferred the entire IATRP to Security Horizon, Inc., which has renamed the program the Information Security Assurance Training and Rating Program (ISATRP).

Information Security Assurance
One of the most significant changes to version 3.2 of the ISA-
CMM is the incorporation of the updated Methodologies. This
change reflects the expanded scope of the document. Whereas
the previous versions of the ISA-CMM focused only on
Information Security Assessment, in particular the Information
Security Assessment Methodology (IAM) and the Information
Security Evaluation Methodology (IEM), the current version has
been updated to encompass the merger of the IAM and IEM
Methodologies into the Information Security Assessment
Methodology (ISAM), the creation of the Information Security
Red Team Methodology, and other current, and possibly future,
Information Security Assurance services.
What is meant by Information Security Assurance? It is best explained by expanding the acronym (ISA) and taking the words in reverse order. Information Security Assurance is the level of assurance that can be associated with the security measures (technical, procedural, and so on) that a system uses to protect its information. Since it is impractical for security to guarantee that information is totally protected from exploitation, there is instead a level of assurance associated with the ability of the system to protect the information. Information Security Assurance services analyze this level of assurance through analysis of information criticality, vulnerability, threat, impact, risk, and countermeasures. Although Information Security Assurance services can be performed on developmental as well as operational systems, the focus of this version of the ISA-CMM is the analysis of operational systems.

Information Security Assurance Training and Rating Program (ISATRP)
Security Horizon, Inc. operates the ISATRP on the assumption that a significant number of Commercial and National Information Infrastructure (NII) organizations (Customers) own and operate systems that store, process, and transmit information with national security implications, and that these Customers need assistance in vulnerability discovery and risk management decisions. They face a myriad of Information Security Assurance service providers (Providers) offering an array of services, and they are often confused about what needs to be done during an Information Security Assurance Activity and how to compare both individual assessors and evaluators and service provider organizations. The ISATRP addresses this by:
· providing standardized methodologies that set the baseline of activities required for an Information Security Assurance Activity;
· training and certifying assessors and evaluators in those methodologies;
· rating provider organizations against a standardized metric that measures the organization's capability to perform Information Security Assurance Activities; and
· identifying whether the rating was achieved in compliance with one (or more) of the ISATRP methodologies.
The ISATRP standardized rating system gives consumers the information they need to be better informed when selecting Information Security Assurance providers.
The first part of the ISATRP is the set of ISATRP methodology courses, which transfer the standards by which an Information Security Assurance service should be performed. Through the ISATRP, Security Horizon, Inc. certifies that individuals have demonstrated an understanding of these specific methodologies.
The second part of the program involves an organization
undergoing an Information Security Assurance Capability
Maturity Model (ISA-CMM) appraisal and receiving a rating
that indicates the organization’s capability to provide ongoing
support and confidence that its technical work force is
performing according to an established and mature Information
Security Assurance process. The goal is to gain relative
assurance that the Information Security Assurance process is
consistent and repeatable over time.
The application of an ISA-CMM appraisal is defined in the Continuous Appraisal Method (CAM). The purpose of the CAM is to ensure the consistent application and execution of the ISA-CMM appraisal process. This provides a level “playing field”, with the ultimate objective of providing assurance that the ratings applied to sites are equivalent regardless of the team composition from one appraisal to the next.

Information Security Assessment Methodology (ISAM)
The Information Security Assessment Methodology (ISAM) is the foundation for Information Security Assessment services. Information Security Assessments provide a detailed and systematic way of examining cyber vulnerabilities; the methodology was developed by experienced assessors from government and industry. In addition to assisting the governmental and private sectors, an important result of supplying baseline standards for information security assessments is fostering a commitment to improve the organization's security posture. The ISAM is a hands-on methodology for conducting comprehensive assessments of customer organizations and networks using common techniques and technical evaluation tools. Students successfully completing the certification class can expect to learn a repeatable methodology that provides each customer with an individualized roadmap for addressing their security concerns and improving their security posture. The ISAM focuses on the appropriate procedures for three primary phases:
Pre Assessment:
· Focuses on identifying critical information and systems and
addressing the impact to the organization should the loss of
confidentiality, integrity, and/or availability occur.
· This phase also addresses the full scoping of the assessment
process.
On-Site Assessment:
· Focuses on gathering the information needed to validate the
actual security posture of the organization through interviews,
documentation review, and system evaluation.
Post Assessment:
· Focuses on detailed analysis and reporting of the findings.
· This process also includes a reporting tool that assists in the
management view of the security posture.
The ISAM consists of a standardized set of activities required to
perform an Information Security Assessment. In other words,
the methodology explains the depth and breadth of the
assessment activities that must be performed to be compliant
within the ISATRP. The ISAM “sets the bar” for what needs to
be done for an activity to be considered a complete Information
Security Assessment. The methodology does not teach
Information Security analysis skills. It merely provides a
framework by which Information Security analysts can use their
skills to perform a repeatable and comparable process.
Providers who advertise an Information Security Assurance
capability and consumers seeking assistance in performing
Information Security Assessments can use the ISAM as their
baseline for their discussions. Because the ISAM is a baseline,
providers can expand upon it to further meet the needs of the
customers. However, it is recommended that any "expansion"
should not reduce or interfere with the original intent of any
ISAM activity.
The ISAM is taught in a three-day training class. Although the
class material is the same, the ISAM is taught in two formats:
Certification and Non-Certification.
The certification is open to anyone meeting the requirements
(government, contractor, or private individual). To qualify for
certification, individuals must have five years of demonstrated
experience in the field of Information Security,
Communications Security, or Computer Security, with two of
the five years of experience directly involved in analyzing /
evaluating / assessing computer system / network vulnerabilities
and security risks. To further qualify for certification, students
must demonstrate an understanding of the ISAM through
participating in all of the three-day training, group
presentations to the class, and a passing grade on the ISAM
final exam. Each student who meets all these requirements will receive an ISAM Certificate of Completion stating that they have been trained in, and have demonstrated an understanding of, the ISAM. The ISAM certification provides no assurance as to the Information Security analysis ability of the individuals beyond that implied by the qualifications. Organizations can bring together a cadre of ISAM-certified individuals to provide an Information Security Assessment capability to market to public and private organizations. Individuals with Information Security responsibilities for U.S. Government systems can earn the ISAM certification to meet CNSS 4012 requirements for Security Managers.
More information about the ISAM and ISATRP can be found at www.isatrp.com.

Information Security Red Team Methodology (ISRM)
The second of the ISATRP methodologies is the Information
Security Red Team Methodology (ISRM). The ISRM is a
detailed hands-on methodology for performing evaluations of
the current security readiness of an organization against
identified threats. Individuals can expect to learn a repeatable
methodology that can be used to prepare for and conduct a Red
Team engagement. It is recommended that a security
professional obtain both the ISRM and the Information Security
Assessment Methodology (ISAM) to assure a broad
understanding of the information security analysis processes.
The ISRM covers the processes involved in an evaluation of a customer's overall security posture against both technical and physical threats. The ISRM can begin with a review of the ISAM and a selection of ISAM results as inputs to the ISRM, and then walks through the process of planning, executing, monitoring, and reporting Red Team activities with the customer. Students learn techniques that can be used for intelligence gathering and reconnaissance of selected targets, and how to use the information gathered. Once intelligence gathering and reconnaissance are complete, students learn how to plan and execute various exploitation techniques in a coordinated attack against the selected targets. Both technical and mental exercises are used throughout the course to reinforce the concepts.
The ISRM is a four-day course intended for experienced Information Systems Security analysts, for those interested in performing Red Team engagements, and for those planning to have a Red Team engagement performed against their organization. Students benefit most if they have a solid background in information security systems and an understanding of networking concepts; a strong ability to analyze disparate information is also highly valuable.
Although the class material is the same, the ISRM is taught in two formats: Certification and Non-Certification.
The certification is open to anyone meeting the requirements
(government, contractor, or private individual). To qualify for
certification, individuals must have five years of demonstrated
experience in the field of Information Security, communications
security, or computer security, with two of the five years of
experience directly involved in analyzing / evaluating /
assessing computer system / network vulnerabilities and
security risks. To further qualify for certification, students
must demonstrate an understanding of the ISRM through
participating in all of the four-day training, group presentations
to the class, and a passing grade on the ISRM final exam. Each student who meets all these requirements will receive an ISRM Certificate of Completion stating that they have been trained in, and have demonstrated an understanding of, the ISRM. The ISRM certification provides no assurance as to the Information Security analysis ability of the individuals beyond that implied by the qualifications. Organizations can bring together a cadre of ISRM-certified individuals to provide an Information Security Red Team Assessment capability to market to public and private organizations.
More information about the ISRM and ISATRP can be found at www.isatrp.com.

Information Security Assurance – Capability Maturity Model (ISA-CMM)
The Information Security Assurance – Capability Maturity Model (ISA-CMM) is based on the Systems Security Engineering Capability Maturity Model (SSE-CMM), which became an International Organization for Standardization (ISO) standard on 18 March 2002 (reference: ISO/IEC 21827, “Information Technology - Systems Security Engineering - Capability Maturity Model”). The ISA-CMM addresses the Information Security Assurance analysis processes. It is a non-tailorable continuous model: all of the Process Areas are appraised for a given organization and none can be “tailored out”. The ISA-CMM focuses on the processes (specific functions) that produce Information Security Assurance analysis work products (e.g., results that identify vulnerabilities, countermeasures, and threats).
The ISA-CMM identifies nine process areas related to
performing Information Security Assurance Activities. For each
of the nine process areas, the ISA-CMM defines six levels of
capability maturity from Level 0 to Level 5. The higher the
capability maturity level, the greater the confidence that a
process is well established throughout the organization and the
more likely it is that the process will be performed consistently
from one assessment to the next. From consistency comes
greater confidence in the quality of an activity, but quality
cannot necessarily be guaranteed (i.e. there is an outside chance
that a process can run perfectly and consistently produce bad
results). As such, it is important that the knowledge and skills
of individual assessors be taken into consideration as well (e.g.
ISAM / ISRM certification, CISSP, other certifications, past
performance). The combination of skilled assessors and a
capable organization greatly increases the potential for
consistent high-quality results.
The Process Areas in the ISA-CMM were initially developed to
gauge the maturity of Information Security Assurance
capability. However, they have relevance when performing
many other Information Assurance assessment related activities
(e.g. Health Insurance Portability and Accountability Act of
1996 (HIPAA) for healthcare organizations and Gramm-Leach-
Bliley for financial service organizations). In addition,
organizations can use the ISA-CMM to measure their own
capability for assessing Information Security strength within
their infrastructure (e.g. do we know how to assess our own
threats, vulnerabilities and impacts to determine the risk to our
mission, systems and assets?).
In traditional CMM activities, it is conceivable that a well-defined process that consistently produces a poor product can receive a fairly high maturity rating. The ISATRP approach reduces this possibility by providing detailed linkages between each process area and the ISATRP methodology certifications. Standardized methodology products add further assurance of quality in a resulting Information Security Assurance activity (i.e., the right products are being produced to meet compliance with the standard methodology).
As a result of an ISA-CMM appraisal, the organization will be
assigned an ISA-CMM Rating Profile. This is a list of nine
numbers from 0 to 5 (one for each process area). As mentioned
above, the organization must be appraised against all Process
Areas of the ISA-CMM, that is, none of the Process Areas may
be tailored out of the model for the appraisal.
When a customer is deciding on a provider organization, they
should use the ISA-CMM rating profile along with the
experience of the organization’s Information Security assessors
to determine what is required to meet their needs. For example,
in the case of a low rating in the Assess Vulnerability Process
Area, the customer may want to pay particular attention when
reviewing the qualifications of the individual analysts to
determine their specific vulnerability assessment experience. A
high rating would provide assurance that the process area is
institutionalized and allow for less scrutiny of analysts (i.e., the
maturity of the process provides the assurance).
If a customer is seeking a provider capable of performing a specific ISATRP methodology (e.g., ISAM, ISRM), they should verify that the appropriate compliance checkbox beneath each Process Area on the rating profile is marked. While an organization may be performing the activities within the parameters allowed by the ISA-CMM, it may lack the specific requirements needed to be compliant with a specific Information Security Assurance environment (i.e., an ISATRP methodology) as outlined in the appendices of the ISA-CMM. In other words, an organization may have a mature process for identifying vulnerabilities and receive a rating in accordance with that maturity, but if the organization is not performing the process in compliance with the ISATRP methodology, it will not be given credit for meeting the methodology standards.
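The Rating Profile, the non-tailoring rule, the compliance-checkbox rule and the provider-selection check described in this section can be made concrete in code. The following Python is an added example written for this page; it is not part of the ISA-CMM, the ISATRP, or any Security Horizon tool. The nine Process Area names are taken from the document's table of contents; the RatingProfile, Requirement and evaluate_provider names, the sample profile and requirement, and the analyst-scrutiny threshold of level 2 are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The nine ISA-CMM Process Areas, as listed in the document's table of contents.
PROCESS_AREAS = (
    "PA01 Provide Training",
    "PA02 Coordinate with Customer Organization",
    "PA03 Specify Initial Information Security Needs",
    "PA04 Assess Threat",
    "PA05 Assess Vulnerability",
    "PA06 Assess Impact",
    "PA07 Assess Information Security Risk",
    "PA08 Provide Analysis and Results",
    "PA09 Manage Information Security Assurance Processes",
)
METHODOLOGIES = ("ISAM", "ISRM")  # the two ISATRP methodologies named in the text
MAX_LEVEL = 5                     # capability levels run from 0 (Not Performed) to 5


@dataclass
class RatingProfile:
    """One provider's ISA-CMM Rating Profile: a level from 0 to 5 for each of
    the nine Process Areas plus the methodology compliance checkboxes that sit
    beneath each Process Area on the profile. (Class name is an assumption.)"""
    levels: Dict[str, int]
    compliance: Dict[str, Set[str]]

    def __post_init__(self) -> None:
        # The model is non-tailorable: every Process Area must carry a rating.
        missing = set(PROCESS_AREAS) - set(self.levels)
        if missing:
            raise ValueError(f"Process Areas cannot be tailored out: {sorted(missing)}")
        for pa, level in self.levels.items():
            if pa not in PROCESS_AREAS:
                raise ValueError(f"unknown Process Area {pa!r}")
            if not 0 <= level <= MAX_LEVEL:
                raise ValueError(f"{pa}: level {level} is outside 0..{MAX_LEVEL}")
        for pa, boxes in self.compliance.items():
            if pa not in PROCESS_AREAS or not boxes <= set(METHODOLOGIES):
                raise ValueError(f"bad compliance entry for {pa!r}: {sorted(boxes)}")

    def compliance_level(self, pa: str, methodology: str) -> Optional[int]:
        """Level credited toward a methodology for one Process Area.

        If the compliance box is checked, compliance for that Process Area is
        the maturity level assigned. If it is not checked, no credit is given
        (None), however mature the underlying process is."""
        if methodology in self.compliance.get(pa, set()):
            return self.levels[pa]
        return None


@dataclass
class Requirement:
    """A customer's minimum acceptable profile (a construct of this example)."""
    methodology: str             # the ISATRP methodology the customer needs
    min_levels: Dict[str, int]   # PA -> minimum level; unlisted PAs need only the box


def evaluate_provider(profile: RatingProfile, req: Requirement,
                      scrutiny_threshold: int = 2) -> Dict[str, List[str]]:
    """Read a provider's profile the way the text tells a customer to.

    A Process Area is a shortfall when its compliance box for the required
    methodology is unchecked or its credited level is below the customer's
    minimum. A Process Area is flagged for analyst scrutiny when its maturity
    rating is low, so the customer should review the individual analysts'
    qualifications rather than rely on the process. The threshold of 2
    (anything below 'Planned and Tracked') is an assumption of this example,
    not a figure taken from the ISA-CMM."""
    shortfalls: List[str] = []
    scrutinize: List[str] = []
    for pa in PROCESS_AREAS:
        credited = profile.compliance_level(pa, req.methodology)
        if credited is None or credited < req.min_levels.get(pa, 0):
            shortfalls.append(pa)
        if profile.levels[pa] < scrutiny_threshold:
            scrutinize.append(pa)
    return {"shortfalls": shortfalls, "scrutinize_analysts": scrutinize}


# Constructed sample data: a provider rated level 3 everywhere except Assess
# Vulnerability, where it is rated level 1 and does not follow the ISAM, and a
# customer who needs ISAM-compliant work at level 2 or better in the four
# analysis Process Areas.
_PA05 = "PA05 Assess Vulnerability"
SAMPLE_PROFILE = RatingProfile(
    levels={**{pa: 3 for pa in PROCESS_AREAS}, _PA05: 1},
    compliance={pa: {"ISAM"} for pa in PROCESS_AREAS if pa != _PA05},
)
SAMPLE_REQUIREMENT = Requirement(
    methodology="ISAM",
    min_levels={"PA04 Assess Threat": 2, _PA05: 2, "PA06 Assess Impact": 2,
                "PA07 Assess Information Security Risk": 2},
)

if __name__ == "__main__":
    print(evaluate_provider(SAMPLE_PROFILE, SAMPLE_REQUIREMENT))
```

The validation in __post_init__ encodes the non-tailorable rule (every Process Area must carry a rating in the range 0 to 5), compliance_level encodes the checkbox rule (credit equals the maturity level only when the box is checked, otherwise no credit regardless of maturity), and evaluate_provider applies the customer's reading of the profile: an unchecked box or a credited level below the customer's minimum is a shortfall, and a low rating flags the Process Area for closer review of the individual analysts' qualifications. For the sample data, Assess Vulnerability is the single shortfall and the single area flagged for analyst scrutiny.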
If the methodology compliance box is checked for the
organization, it can be assumed that the organization’s
compliance for that Process Area is the maturity level assigned.
This means if an organization has a maturity rating for Assess
Vulnerabilities of level 3 and the ISAM compliance box is
checked, the organization is considered level 3 for ISAM
compliance.

Acknowledgments

Sponsoring Organizations

The Information Security Assurance – Capability Maturity Model (ISA-CMM) is sponsored by Security Horizon, Inc.

Developers

The following individuals are responsible for the ongoing updates and maintenance of the ISA-CMM and its related documents:

Fuller, Ed – Security Horizon, Inc.

Previous Authors and Reviewer Group Members

We wish to thank the following individuals for providing reviews, comments, and feedback to this version and / or previous versions of the ISA-CMM:

Becker, Doron – Electronic Data Systems
Camponeschi, Christopher – InterAct Solutions Group, Inc.
Canfield, Rebecca – National Security Agency
Crossman, Tom – Electronic Data Systems
DiRienzo, Victor – Engineering

 
Predictive cyber security
Predictive cyber securityPredictive cyber security
Predictive cyber security
 
PREDICTIVE CYBER SECURITY ANALYTICS FRAMEWORK: A NONHOMOGENOUS MARKOV MODEL F...
PREDICTIVE CYBER SECURITY ANALYTICS FRAMEWORK: A NONHOMOGENOUS MARKOV MODEL F...PREDICTIVE CYBER SECURITY ANALYTICS FRAMEWORK: A NONHOMOGENOUS MARKOV MODEL F...
PREDICTIVE CYBER SECURITY ANALYTICS FRAMEWORK: A NONHOMOGENOUS MARKOV MODEL F...
 
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
 
Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chic...
Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chic...Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chic...
Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chic...
 

More from lanagore871

·The pamphlet should contain the following·Content and la.docx
·The pamphlet should contain the following·Content and la.docx·The pamphlet should contain the following·Content and la.docx
·The pamphlet should contain the following·Content and la.docxlanagore871
 
·Quantitative Data Analysis StatisticsIntroductionUnd.docx
·Quantitative Data Analysis StatisticsIntroductionUnd.docx·Quantitative Data Analysis StatisticsIntroductionUnd.docx
·Quantitative Data Analysis StatisticsIntroductionUnd.docxlanagore871
 
·The health communication plan should be expounded upon to resul.docx
·The health communication plan should be expounded upon to resul.docx·The health communication plan should be expounded upon to resul.docx
·The health communication plan should be expounded upon to resul.docxlanagore871
 
·ResearchEach student will select a medical disorder or c.docx
·ResearchEach student will select a medical disorder or c.docx·ResearchEach student will select a medical disorder or c.docx
·ResearchEach student will select a medical disorder or c.docxlanagore871
 
·IntroductionQuantitative research methodology uses a dedu.docx
·IntroductionQuantitative research methodology uses a dedu.docx·IntroductionQuantitative research methodology uses a dedu.docx
·IntroductionQuantitative research methodology uses a dedu.docxlanagore871
 
·Response GuidelinesReply to the posts of two peers in thi.docx
·Response GuidelinesReply to the posts of two peers in thi.docx·Response GuidelinesReply to the posts of two peers in thi.docx
·Response GuidelinesReply to the posts of two peers in thi.docxlanagore871
 
·Read Side Trip” #2 (page 183) and discuss what forms of in.docx
·Read Side Trip” #2 (page 183) and discuss what forms of in.docx·Read Side Trip” #2 (page 183) and discuss what forms of in.docx
·Read Side Trip” #2 (page 183) and discuss what forms of in.docxlanagore871
 
·Logical mathematical·Linguistic ·Musical·.docx
·Logical mathematical·Linguistic ·Musical·.docx·Logical mathematical·Linguistic ·Musical·.docx
·Logical mathematical·Linguistic ·Musical·.docxlanagore871
 
·Response GuidelinesReply to the posts of two peer.docx
·Response GuidelinesReply to the posts of two peer.docx·Response GuidelinesReply to the posts of two peer.docx
·Response GuidelinesReply to the posts of two peer.docxlanagore871
 
·Identify the pathophysiological mechanisms of inflammatory bowe.docx
·Identify the pathophysiological mechanisms of inflammatory bowe.docx·Identify the pathophysiological mechanisms of inflammatory bowe.docx
·Identify the pathophysiological mechanisms of inflammatory bowe.docxlanagore871
 
·From the e-Activity, analyze the basis for classifying courts i.docx
·From the e-Activity, analyze the basis for classifying courts i.docx·From the e-Activity, analyze the basis for classifying courts i.docx
·From the e-Activity, analyze the basis for classifying courts i.docxlanagore871
 
·Discuss the last three decades (1978- present) of China rapid.docx
·Discuss the last three decades (1978- present) of China rapid.docx·Discuss the last three decades (1978- present) of China rapid.docx
·Discuss the last three decades (1978- present) of China rapid.docxlanagore871
 
·Develop a webinar presentation for staff personnel to support t.docx
·Develop a webinar presentation for staff personnel to support t.docx·Develop a webinar presentation for staff personnel to support t.docx
·Develop a webinar presentation for staff personnel to support t.docxlanagore871
 
·Describe the clinical presentation of chronic kidney disease..docx
·Describe the clinical presentation of chronic kidney disease..docx·Describe the clinical presentation of chronic kidney disease..docx
·Describe the clinical presentation of chronic kidney disease..docxlanagore871
 
·Assignment 1 Implications of Health Economic Concepts for Heal.docx
·Assignment 1 Implications of Health Economic Concepts for Heal.docx·Assignment 1 Implications of Health Economic Concepts for Heal.docx
·Assignment 1 Implications of Health Economic Concepts for Heal.docxlanagore871
 
·Analyze the current uses of HTTP and HTTPS, and predict the fut.docx
·Analyze the current uses of HTTP and HTTPS, and predict the fut.docx·Analyze the current uses of HTTP and HTTPS, and predict the fut.docx
·Analyze the current uses of HTTP and HTTPS, and predict the fut.docxlanagore871
 
Wrrite  3 pages  about shakespearePlease write it as s.docx
Wrrite  3 pages  about shakespearePlease write it as s.docxWrrite  3 pages  about shakespearePlease write it as s.docx
Wrrite  3 pages  about shakespearePlease write it as s.docxlanagore871
 
What do the four parts of the Christian Biblical Narrative (i.e.,.docx
What do the four parts of the Christian Biblical Narrative (i.e.,.docxWhat do the four parts of the Christian Biblical Narrative (i.e.,.docx
What do the four parts of the Christian Biblical Narrative (i.e.,.docxlanagore871
 
Week 3 - News StorySeeing is BelievingWhile we can easily bec.docx
Week 3 - News StorySeeing is BelievingWhile we can easily bec.docxWeek 3 - News StorySeeing is BelievingWhile we can easily bec.docx
Week 3 - News StorySeeing is BelievingWhile we can easily bec.docxlanagore871
 
The paper must following the formatting guidelines in The Pub.docx
The paper must following the formatting guidelines in The Pub.docxThe paper must following the formatting guidelines in The Pub.docx
The paper must following the formatting guidelines in The Pub.docxlanagore871
 

More from lanagore871 (20)

·The pamphlet should contain the following·Content and la.docx
·The pamphlet should contain the following·Content and la.docx·The pamphlet should contain the following·Content and la.docx
·The pamphlet should contain the following·Content and la.docx
 
·Quantitative Data Analysis StatisticsIntroductionUnd.docx
·Quantitative Data Analysis StatisticsIntroductionUnd.docx·Quantitative Data Analysis StatisticsIntroductionUnd.docx
·Quantitative Data Analysis StatisticsIntroductionUnd.docx
 
·The health communication plan should be expounded upon to resul.docx
·The health communication plan should be expounded upon to resul.docx·The health communication plan should be expounded upon to resul.docx
·The health communication plan should be expounded upon to resul.docx
 
·ResearchEach student will select a medical disorder or c.docx
·ResearchEach student will select a medical disorder or c.docx·ResearchEach student will select a medical disorder or c.docx
·ResearchEach student will select a medical disorder or c.docx
 
·IntroductionQuantitative research methodology uses a dedu.docx
·IntroductionQuantitative research methodology uses a dedu.docx·IntroductionQuantitative research methodology uses a dedu.docx
·IntroductionQuantitative research methodology uses a dedu.docx
 
·Response GuidelinesReply to the posts of two peers in thi.docx
·Response GuidelinesReply to the posts of two peers in thi.docx·Response GuidelinesReply to the posts of two peers in thi.docx
·Response GuidelinesReply to the posts of two peers in thi.docx
 
·Read Side Trip” #2 (page 183) and discuss what forms of in.docx
·Read Side Trip” #2 (page 183) and discuss what forms of in.docx·Read Side Trip” #2 (page 183) and discuss what forms of in.docx
·Read Side Trip” #2 (page 183) and discuss what forms of in.docx
 
·Logical mathematical·Linguistic ·Musical·.docx
·Logical mathematical·Linguistic ·Musical·.docx·Logical mathematical·Linguistic ·Musical·.docx
·Logical mathematical·Linguistic ·Musical·.docx
 
·Response GuidelinesReply to the posts of two peer.docx
·Response GuidelinesReply to the posts of two peer.docx·Response GuidelinesReply to the posts of two peer.docx
·Response GuidelinesReply to the posts of two peer.docx
 
·Identify the pathophysiological mechanisms of inflammatory bowe.docx
·Identify the pathophysiological mechanisms of inflammatory bowe.docx·Identify the pathophysiological mechanisms of inflammatory bowe.docx
·Identify the pathophysiological mechanisms of inflammatory bowe.docx
 
·From the e-Activity, analyze the basis for classifying courts i.docx
·From the e-Activity, analyze the basis for classifying courts i.docx·From the e-Activity, analyze the basis for classifying courts i.docx
·From the e-Activity, analyze the basis for classifying courts i.docx
 
·Discuss the last three decades (1978- present) of China rapid.docx
·Discuss the last three decades (1978- present) of China rapid.docx·Discuss the last three decades (1978- present) of China rapid.docx
·Discuss the last three decades (1978- present) of China rapid.docx
 
·Develop a webinar presentation for staff personnel to support t.docx
·Develop a webinar presentation for staff personnel to support t.docx·Develop a webinar presentation for staff personnel to support t.docx
·Develop a webinar presentation for staff personnel to support t.docx
 
·Describe the clinical presentation of chronic kidney disease..docx
·Describe the clinical presentation of chronic kidney disease..docx·Describe the clinical presentation of chronic kidney disease..docx
·Describe the clinical presentation of chronic kidney disease..docx
 
·Assignment 1 Implications of Health Economic Concepts for Heal.docx
·Assignment 1 Implications of Health Economic Concepts for Heal.docx·Assignment 1 Implications of Health Economic Concepts for Heal.docx
·Assignment 1 Implications of Health Economic Concepts for Heal.docx
 
·Analyze the current uses of HTTP and HTTPS, and predict the fut.docx
·Analyze the current uses of HTTP and HTTPS, and predict the fut.docx·Analyze the current uses of HTTP and HTTPS, and predict the fut.docx
·Analyze the current uses of HTTP and HTTPS, and predict the fut.docx
 
Wrrite  3 pages  about shakespearePlease write it as s.docx
Wrrite  3 pages  about shakespearePlease write it as s.docxWrrite  3 pages  about shakespearePlease write it as s.docx
Wrrite  3 pages  about shakespearePlease write it as s.docx
 
What do the four parts of the Christian Biblical Narrative (i.e.,.docx
What do the four parts of the Christian Biblical Narrative (i.e.,.docxWhat do the four parts of the Christian Biblical Narrative (i.e.,.docx
What do the four parts of the Christian Biblical Narrative (i.e.,.docx
 
Week 3 - News StorySeeing is BelievingWhile we can easily bec.docx
Week 3 - News StorySeeing is BelievingWhile we can easily bec.docxWeek 3 - News StorySeeing is BelievingWhile we can easily bec.docx
Week 3 - News StorySeeing is BelievingWhile we can easily bec.docx
 
The paper must following the formatting guidelines in The Pub.docx
The paper must following the formatting guidelines in The Pub.docxThe paper must following the formatting guidelines in The Pub.docx
The paper must following the formatting guidelines in The Pub.docx
 

Recently uploaded

Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitolTechU
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,Virag Sontakke
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 

Recently uploaded (20)

Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 

Information Security Assurance Capability Maturity Model (ISA-.docx

ISA-PA03: Specify Initial Information Security Needs
ISA-BP03.01 – Understand criticality of the customer’s assets
ISA-BP03.02 – Identify applicable constraints
ISA-BP03.03 – Identify customer's concerns
ISA-BP03.04 – Capture high-level objectives
ISA-BP03.05 – Identify initial Information Security needs
ISA-PA04: Assess Threat
ISA-BP04.01 – Identify applicable threats
ISA-BP04.02 – Identify threat impact potential
ISA-BP04.03 – Assess threat agent capability
ISA-BP04.04 – Assess threat likelihood
ISA-BP04.05 – Monitor threats
ISA-PA05: Assess Vulnerability
ISA-BP05.01 – Identify Applicable Vulnerabilities
ISA-BP05.02 – Define Exploitation Potential
ISA-BP05.03 – Determine Overall Vulnerability
ISA-BP05.04 – Monitor Exploitation Potential
ISA-PA06: Assess Impact
ISA-BP06.01 – Analyze Capabilities
ISA-BP06.02 – Identify Potential Impacts
ISA-BP06.03 – Monitor Impacts
ISA-PA07: Assess Information Security Risk
ISA-BP07.01 – Determine Threat / Vulnerability / Impact Triples
ISA-BP07.02 – Assess Risk Associated with Exploitations
ISA-BP07.03 – Identify Potential Countermeasures
ISA-BP07.04 – Monitor Risks
ISA-PA08: Provide Analysis and Results
ISA-BP08.01 – Address Customer’s Concerns and Constraints
ISA-BP08.02 – Provide Findings and Recommendations
ISA-PA09: Manage Information Security Assurance Processes
ISA-BP09.01 – Identify Information Security Assurance Process Management Structure
ISA-BP09.02 – Define Information Security Assurance Process
ISA-BP09.03 – Maintain Work Product Baselines
ISA-BP09.04 – Manage Information Security Assurance Program
4. Generic Practices
Capability Level 0 – Not Performed
Capability Level 1 – Performed Informally
Common Feature 1.1 – Base Practices Are Performed
Capability Level 2 – Planned and Tracked
Common Feature 2.1 – Planning Performance
Common Feature 2.2 – Disciplined Performance
Common Feature 2.3 – Verifying Performance
Common Feature 2.4 – Tracking Performance
Capability Level 3 – Well-Defined
Common Feature 3.1 – Defining a Standard Process
Common Feature 3.2 – Perform the Defined Process
Common Feature 3.3 – Coordinate Practices
Capability Level 4 – Quantitatively Controlled
Common Feature 4.1 – Establishing Measurable Quality Goals
Common Feature 4.2 – Objectively Managing Performance
Capability Level 5 – Continuously Improving
Common Feature 5.1 – Improving Organizational Capability
Common Feature 5.2 – Improving Process Effectiveness
Appendix A: Glossary
Appendix B: GP Interdependencies
Appendix C: ISAM Compliance Guidelines
Appendix D: ISAM Evidence Matrix
Appendix E: ISRM Compliance Guidelines
Appendix F: ISRM Evidence Matrix

LIST OF FIGURES
Figure 2-1: Rating Profile
Figure 2-2: Capability Levels
Figure 3-1: Process Area Format

LIST OF TABLES
Table 2-1: Capability Principles

INTRODUCTION

The last twenty years have seen a proliferation of automated information systems, reliance on the Internet to enable most of the nation’s essential services and infrastructures, and the growing threat of organized cyber attacks capable of causing debilitating disruption to our critical infrastructures. There are many regulations, policies, and guidelines encouraging organizations to assess the security posture of their information systems in order to determine fundamental, cost-effective security improvements that contribute to the protection of these critical information infrastructures. As a result of the events leading up to and following September 11, 2001, the need to be aware of and address cyber threats and vulnerabilities has become even greater.

On November 25, 2002, the Department of Homeland Security was established as the federal center of excellence for cyber-security and the focal point for federal outreach to state, local, and nongovernmental organizations, including the private sector, academia, and the public, in providing ongoing protection from threats against our national assets. The National Strategy to Secure Cyberspace is an implementing component of the National Strategy for Homeland Security, with the purpose of engaging and empowering Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact. The National Strategy to Secure Cyberspace includes five national priorities, one of which is a National Cyberspace Security Threat and Vulnerability Reduction Program, aimed at reducing threats from, and our vulnerabilities to, cyber attacks. Vulnerabilities must be identified and corrected in critical networks and systems before threats surface. Recognizing that vulnerabilities result from weaknesses in technology as well as from improper implementation and oversight of technological products, the strategy identifies eight major actions and initiatives, one of which is to create a process for national vulnerability assessments to better understand the potential consequences of threats and vulnerabilities.

The number of government organizations and private companies that profess to offer security assessment services has also grown significantly. However, without any standardization, these organizations have implemented varying interpretations of Information Security assurance services. Today the terminology, scope, and cost of Information Security assurance services offered by industry differ greatly, with no standardized way for customers to determine which provider is the most capable of addressing their specific needs at the most reasonable cost. The National Security Agency (NSA) offered a solution to this problem through the INFOSEC Assurance Training and Rating Program (IATRP). In mid-2010, the NSA transferred the entire IATRP to Security Horizon, Inc., which has renamed the program the Information Security Assurance Training and Rating Program.

Information Security Assurance

One of the most significant changes in version 3.2 of the ISA-CMM is the incorporation of the updated methodologies. This change reflects the expanded scope of the document. Whereas the previous versions of the ISA-CMM focused only on Information Security Assessment, in particular the Information Security Assessment Methodology (IAM) and the Information Security Evaluation Methodology (IEM), the current version has been updated to encompass the merger of the IAM and IEM methodologies into the Information Security Assessment Methodology (ISAM), the creation of the Information Security Red Team Methodology (ISRM), and other current, and possibly future, Information Security Assurance services.

What is meant by Information Security Assurance? It is best explained by expanding the acronym and taking the words in reverse order. Information Security Assurance is the level of assurance that can be associated with the security (e.g., technical, procedural, etc.) that the system uses to protect the information. Since it is impractical for security to guarantee that information is totally protected from exploitation, there is a level of assurance associated with the ability of the system to protect the information. Information Security Assurance services analyze this level of assurance through analysis of information criticality, vulnerability, threat, impact, risk, and countermeasures. Although Information Security Assurance services can be performed on developmental as well as operational systems, the focus of this version of the ISA-CMM is the analysis of operational systems.

Information Security Assurance Training and Rating Program (ISATRP)

Security Horizon, Inc. operates the ISATRP on the assumption that there are a significant number of Commercial and National Information Infrastructure (NII) organizations (Customers) that own and operate systems that store, process, and transmit information with national security implications, and that these organizations need assistance in vulnerability discovery and risk management decisions. These Customers face a myriad of Information Security Assurance service providers (Providers) that offer an array of services. Customers are often confused about what needs to be done during an Information Security Assurance Activity and how to compare both individual assessors and evaluators and service provider organizations. The ISATRP provides standardized methodologies that set the baseline of activities required for an Information Security Assurance Activity, trains and certifies assessors and evaluators in the standard, rates provider organizations against a standardized metric to determine the provider's organizational capability to perform Information Security Assurance Activities, and identifies whether the rating was met by compliance with one (or more) of the ISATRP methodologies. The ISATRP standardized rating system gives consumers the information they need to be better informed when selecting Information Security Assurance providers.

The first part of the ISATRP is the set of ISATRP methodology courses; these courses transfer the standards by which the Information Security Assurance service should be performed. Through the ISATRP, Security Horizon, Inc. certifies that individuals have demonstrated an understanding of these specific methodologies. The second part of the program involves an organization undergoing an Information Security Assurance Capability Maturity Model (ISA-CMM) appraisal and receiving a rating that indicates the organization’s capability to provide ongoing support and confidence that its technical work force is performing according to an established and mature Information Security Assurance process.
The goal is to gain relative assurance that the Information Security Assurance process is consistent and repeatable over time.
The application of an ISA-CMM appraisal is defined in the Continuous Appraisal Method (CAM). The purpose of the CAM is to ensure the consistent application and execution of the ISA-CMM appraisal process. This provides a level "playing field", with the ultimate objective of assuring that the ratings applied to the sites are equivalent regardless of the team composition from one appraisal to the next.

Information Security Assessment Methodology (ISAM)

The Information Security Assessment Methodology (ISAM) is the foundation for Information Security Assessment services. It was developed by experienced assessors from government and industry, and the Information Security Assessments performed with it provide a detailed and systematic way of examining cyber vulnerabilities. In addition to assisting the governmental and private sectors, an important result of supplying baseline standards for information security assessments is fostering a commitment to improve the organization's security posture. The ISAM is a hands-on methodology for conducting comprehensive assessments of customer organizations and networks utilizing common techniques and technical evaluation tools. Students successfully completing the certification class can expect to learn a repeatable methodology that provides each customer an individualized roadmap for addressing their security concerns and improving their security posture.

The ISAM focuses on the appropriate procedures for three primary phases:

Pre Assessment:
· Focuses on identifying critical information and systems and addressing the impact to the organization should the loss of confidentiality, integrity, and/or availability occur.
· This phase also addresses the full scoping of the assessment process.

On-Site Assessment:
· Focuses on gathering the information needed to validate the actual security posture of the organization through interviews, documentation review, and system evaluation.

Post Assessment:
· Focuses on detailed analysis and reporting of the findings.
· This process also includes a reporting tool that assists in the management view of the security posture.

The ISAM consists of a standardized set of activities required to perform an Information Security Assessment. In other words, the methodology explains the depth and breadth of the assessment activities that must be performed to be compliant within the ISATRP. The ISAM "sets the bar" for what needs to be done for an activity to be considered a complete Information Security Assessment. The methodology does not teach Information Security analysis skills; it merely provides a framework within which Information Security analysts can use their skills to perform a repeatable and comparable process. Providers who advertise an Information Security Assurance capability and consumers seeking assistance in performing Information Security Assessments can use the ISAM as the baseline for their discussions. Because the ISAM is a baseline, providers can expand upon it to further meet the needs of their customers. However, it is recommended that any "expansion" not reduce or interfere with the original intent of any ISAM activity.

The ISAM is taught in a three-day training class. Although the class material is the same, the ISAM is taught in two formats: Certification and Non-Certification. The certification is open to anyone meeting the requirements (government, contractor, or private individual). To qualify for certification, individuals must have five years of demonstrated experience in the field of Information Security, Communications Security, or Computer Security, with two of the five years directly involved in analyzing / evaluating / assessing computer system / network vulnerabilities and security risks. To further qualify for certification, students must demonstrate an understanding of the ISAM through participating in all of the three-day training, group presentations to the class, and a passing grade on the ISAM final exam. Each student who meets all these requirements will receive an ISAM Certificate of Completion stating that they have been trained and have demonstrated an understanding of the ISAM. The ISAM certification provides no assurance as to the Information Security analysis ability of the individuals beyond that of the qualifications. Organizations can bring together a cadre of ISAM-certified individuals to provide an Information Security Assessment capability to market to public and private organizations. Individuals with Information Security responsibilities for U.S. Government systems can earn the ISAM certification to meet CNSS 4012 requirements for Security Managers. More information about the ISAM and ISATRP can be found at www.isatrp.com.

Information Security Red Team Methodology (ISRM)

The second of the ISATRP methodologies is the Information Security Red Team Methodology (ISRM). The ISRM is a detailed hands-on methodology for performing evaluations of the current security readiness of an organization against identified threats. Individuals can expect to learn a repeatable methodology that can be used to prepare for and conduct a Red Team engagement. It is recommended that a security professional obtain both the ISRM and the Information Security Assessment Methodology (ISAM) certifications to assure a broad understanding of the information security analysis processes. The ISRM covers the processes involved in an evaluation of a customer's overall security posture, based on both technical and physical threats. The ISRM can start with a review of the ISAM and selected inputs to the ISRM, and proceeds to walk through the process of planning, executing, monitoring, and reporting Red Team activities with the customer.
The students will learn techniques that can be used for intelligence gathering and reconnaissance of selected targets, and how to use this information. Once the intelligence gathering and reconnaissance is completed, the students will learn how to plan and execute various exploitation techniques in a coordinated attack against the selected targets. Both technical and mental exercises are used throughout the course to reinforce the concepts.

The ISRM is a four-day course for experienced Information Systems Security analysts, those interested in performing Red Team engagements, or those planning on having a Red Team engagement performed against their organization. The students will benefit most if they have a solid background in information security systems and an understanding of networking concepts. A strong ability to analyze disparate information is also highly valuable.

The ISRM is taught in a four-day training class. Although the class material is the same, the ISRM is taught in two formats: Certification and Non-Certification. The certification is open to anyone meeting the requirements (government, contractor, or private individual). To qualify for certification, individuals must have five years of demonstrated experience in the field of Information Security, Communications Security, or Computer Security, with two of the five years directly involved in analyzing / evaluating / assessing computer system / network vulnerabilities and security risks. To further qualify for certification, students must demonstrate an understanding of the ISRM through participating in all of the four-day training, group presentations to the class, and a passing grade on the ISRM final exam. Each student who meets all these requirements will receive an ISRM Certificate of Completion stating that they have been trained and have demonstrated an understanding of the ISRM. The ISRM certification provides no assurance as to the Information Security analysis ability of the individuals beyond that of the qualifications. Organizations can bring together a cadre of ISRM-certified individuals to provide an Information Security Red Team Assessment capability to market to public and private organizations. More information about the ISRM and ISATRP can be found at www.isatrp.com.

Information Security Assurance – Capability Maturity Model (ISA-CMM)

The Information Security Assurance – Capability Maturity Model (ISA-CMM) is based on the System Security Engineering Capability Maturity Model (SSE-CMM), which became an International Organization for Standardization (ISO) standard on 18 March 2002 (reference: Document ISO/IEC 21827, "Information Technology - Systems Security Engineering - Capability Maturity Model"). The ISA-CMM addresses the Information Security Assurance analysis processes. The ISA-CMM is a non-tailorable continuous model (i.e., all the Process Areas will be appraised for a given organization and cannot be "tailored out"). The ISA-CMM focuses on the processes (specific functions) that produce Information Security Assurance analysis work products (e.g., results that identify vulnerabilities, countermeasures, and threats). The ISA-CMM identifies nine process areas related to performing Information Security Assurance Activities. For each of the nine process areas, the ISA-CMM defines six levels of capability maturity, from Level 0 to Level 5. The higher the capability maturity level, the greater the confidence that a process is well established throughout the organization and the more likely it is that the process will be performed consistently from one assessment to the next. From consistency comes greater confidence in the quality of an activity, but quality cannot necessarily be guaranteed (i.e., there is an outside chance that a process can run perfectly and consistently produce bad results). As such, it is important that the knowledge and skills of individual assessors be taken into consideration as well (e.g., ISAM / ISRM certification, CISSP, other certifications, past performance).
The combination of skilled assessors and a capable organization greatly increases the potential for consistent high-quality results. The Process Areas in the ISA-CMM were initially developed to gauge the maturity of Information Security Assurance capability. However, they have relevance when performing many other Information Assurance assessment-related activities (e.g., Health Insurance Portability and Accountability Act of 1996 (HIPAA) for healthcare organizations and Gramm-Leach-Bliley for financial service organizations). In addition, organizations can use the ISA-CMM to measure their own capability for assessing Information Security strength within their infrastructure (e.g., do we know how to assess our own threats, vulnerabilities and impacts to determine the risk to our mission, systems and assets?).

In traditional CMM activities, it is conceivable that a well-defined process that consistently produces a poor product can receive a fairly high maturity rating. The ISATRP approach reduces this possibility by providing detailed linkages between each process area and the ISATRP methodology certifications. Standardized methodology products add further assurance of quality in a resulting Information Security Assurance activity (i.e., the right products are being produced to meet compliance with the standard methodology).

As a result of an ISA-CMM appraisal, the organization will be assigned an ISA-CMM Rating Profile. This is a list of nine numbers from 0 to 5 (one for each process area). As mentioned above, the organization must be appraised against all Process Areas of the ISA-CMM; that is, none of the Process Areas may be tailored out of the model for the appraisal. When a customer is deciding on a provider organization, they should use the ISA-CMM Rating Profile along with the experience of the organization's Information Security assessors to determine what is required to meet their needs.
For example, in the case of a low rating in the Assess Vulnerability Process Area, the customer may want to pay particular attention when reviewing the qualifications of the individual analysts to determine their specific vulnerability assessment experience. A high rating would provide assurance that the process area is institutionalized and allow for less scrutiny of analysts (i.e., the maturity of the process provides the assurance). If a customer is seeking a provider capable of providing a specific ISATRP methodology (e.g., ISAM, ISRM), they should verify that the appropriate compliance checkbox beneath each Process Area on the rating profile is marked. While an organization may be performing the activities within the parameters allowed by the ISA-CMM, it may lack the specific requirements needed to be compliant with a specific Information Security Assurance environment (i.e., an ISATRP methodology) as outlined in the various appendices of the ISA-CMM. In other words, an organization may have a mature process for identifying vulnerabilities and receive a rating in accordance with that maturity, but if the organization is not performing the process in compliance with the ISATRP methodology, it will not be given credit for meeting the methodology standards. If the methodology compliance box is checked for the organization, it can be assumed that the organization's compliance for that Process Area is at the maturity level assigned. This means that if an organization has a maturity rating of level 3 for Assess Vulnerabilities and the ISAM compliance box is checked, the organization is considered level 3 for ISAM compliance.

Acknowledgments

Sponsoring Organizations

The Information Security Assurance – Capability Maturity Model (ISA-CMM) is sponsored by Security Horizon, Inc.

Developers

The following individuals are responsible for the ongoing updates and maintenance of the ISA-CMM and its related documents:

Fuller, Ed: Security Horizon, Inc.

Previous Authors and Reviewer Group Members

We wish to thank the following individuals for providing reviews, comments, and feedback to this version and / or previous versions of the ISA-CMM:

Becker, Doron: Electronic Data Systems
Camponeschi, Christopher: InterAct Solutions Group, Inc.
Canfield, Rebecca: National Security Agency
Crossman, Tom: Electronic Data Systems
DiRienzo, Victor: Engineering
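The rules for reading an ISA-CMM Rating Profile described earlier (nine Process Area levels from 0 to 5, none tailored out, and a methodology compliance box per Process Area that, when checked, carries the maturity level over as the compliance level) are modelled below as an added Python example; it is not code from the ISA-CMM document or from Security Horizon, Inc. Only the Assess Vulnerabilities Process Area is named on this page, so the other Process Area labels and the scrutiny threshold are constructed placeholders.

```python
"""Model of an ISA-CMM Rating Profile and the customer-side reading rules.
Added example, not part of the ISA-CMM document."""
from dataclasses import dataclass, field

NUM_PROCESS_AREAS = 9
MAX_LEVEL = 5

# Constructed labels: only "Assess Vulnerabilities" is named in the text;
# the remaining eight Process Areas are placeholders.
PROCESS_AREAS = ("Assess Vulnerabilities",) + tuple(
    f"Process Area {i} (placeholder)" for i in range(2, NUM_PROCESS_AREAS + 1))


@dataclass
class RatingProfile:
    # Process Area -> maturity level 0..5 (one number per Process Area)
    levels: dict
    # methodology (e.g. "ISAM", "ISRM") -> set of Process Areas whose box is checked
    compliance: dict = field(default_factory=dict)

    def __post_init__(self):
        # A profile must rate all nine Process Areas; none may be tailored out.
        if set(self.levels) != set(PROCESS_AREAS):
            raise ValueError("profile must rate exactly the nine Process Areas")
        for pa, lvl in self.levels.items():
            if not isinstance(lvl, int) or not 0 <= lvl <= MAX_LEVEL:
                raise ValueError(f"{pa}: level must be an integer 0..{MAX_LEVEL}")

    def methodology_levels(self, methodology):
        """Compliance level per Process Area for one methodology:
        checked box -> the assigned maturity level; unchecked -> None (no credit)."""
        checked = self.compliance.get(methodology, set())
        return {pa: (self.levels[pa] if pa in checked else None) for pa in PROCESS_AREAS}

    def analyst_scrutiny(self, threshold=3):
        """Process Areas rated below `threshold` (a constructed cutoff), where the
        customer should look closely at individual analysts' qualifications."""
        return sorted(pa for pa, lvl in self.levels.items() if lvl < threshold)


def is_valid_profile(levels, compliance=None):
    """True if `levels` form a well-formed profile under the rules above."""
    try:
        RatingProfile(levels, compliance or {})
        return True
    except ValueError:
        return False


def example_profile():
    """Constructed sample: level 3 for Assess Vulnerabilities with the ISAM box
    checked but the ISRM box unchecked; every other Process Area rated 2."""
    levels = {pa: 2 for pa in PROCESS_AREAS}
    levels["Assess Vulnerabilities"] = 3
    return RatingProfile(levels, {"ISAM": {"Assess Vulnerabilities"}, "ISRM": set()})
```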