
Information Security Risks Management Maturity Model (ISRM3)



  1. A Model to Assess the Maturity Level of the Risk Management Process in Information Security. Janice Mayer, Universidade do Vale do Rio dos Sinos (UNISINOS); Leonardo Lemes Fagundes, Universidade do Vale do Rio dos Sinos (UNISINOS), phone: 55 51 35911100, extension 1775. 4th IFIP/IEEE International Workshop on BDIM, 9 June 2009.
  2. Summary: Introduction; Risk Management; Risk Management Maturity Model in Information Security (MMGRseg); Case study; Conclusion.
  3. Introduction. Information is one of an organization's most valuable assets. Risk Management (RM) is an essential front: it is needed to achieve compliance with laws, standards and regulations, and to meet the mandatory requirements for certification of an Information Security Management System (ISMS).
  4. Motivation. Companies need to implement RM, but there is no maturity model aimed at RM in Information Security. A maturity model identifies deficiencies in process structure and management and guides improvements, bringing predictability, control and effectiveness.
  5. Objective. Describe the structure of a model for assessing the maturity level of the RM process in the realm of Information Security.
  6. Risk Management. The Risk Management process, as per standard ISO/IEC 27005:2008 (figure).
  7. Risk Management Maturity Model in Information Security (MMGRseg). MMGRseg is comprised of a set of requirements and best practices that provide a formal structure, aligned with standard ISO/IEC 27005.
  8. Structure - MMGRseg. Comprised of: three stages; five maturity levels; forty-three control objectives; one control map; one assessment instrument relative to the maturity level of the activities of the RM process; an accountability matrix relative to each activity of the process; and a risk scorecard.
  9. Stages - MMGRseg. Steered by three stages:
     Immaturity: processes are improvised.
     Maturity: processes are defined, standardized and controlled.
     Excellence: processes are optimized.
  10. Maturity levels - MMGRseg (figure: maturity levels mapped onto the stages).
  11. Control Objective - MMGRseg. CD1 Context Definition:
     CD1.1. Define the basic criteria for Risk Assessment
     CD1.2. Define the basic criteria for Impact Assessment
     CD1.3. Define the basic criteria for Risk Acceptance
     CD1.4. Establish the scope and the constraints of the risk management process
     CD1.5. Establish and maintain an organization
     CD1.6. Develop a risk management policy
     CD1.7. Establish a standard for RM processes
     CD1.8. Audit the Context Definition activity
     CD1.9. Collect and store information
  12. Control Objective - MMGRseg. AA1 Risk Analysis/Assessment:
     AA1.1. Identify the Risks
     AA1.2. Estimate the Risks
     AA1.3. Assess the Risks
     AA1.4. Standardize the Assessment process
     AA1.5. Automate the Analysis/Assessment process
     AA1.6. Audit the Risk Analysis/Assessment activity
     AA1.7. Avoid rework
     AA1.8. Revise the process of risk estimation
  13. Control Objective - MMGRseg. RT1 Risk Treatment:
     RT1.1. Select an appropriate Treatment option
     RT1.2. Define a Risk Treatment plan
     RT1.3. Implement the Risk Treatment plan
     RT1.4. Define how to measure the effectiveness of controls
     RT1.5. Calculate Residual Risks
     RT1.6. Standardize the Risk Treatment process
     RT1.7. Audit the Risk Treatment activity
     RT1.8. Improve the Risk Treatment process
  14. Control Objective - MMGRseg. RA1 Risk Acceptance:
     RA1.1. Verify the description of the Treatment plan
     RA1.2. Analyze and approve the acceptance criteria
     RA1.3. Verify the residual risk
     RA1.4. List the accepted risks
     RA1.5. Standardize the Risk Acceptance process
     RA1.6. Audit the Risk Acceptance activity
     RA1.7. Revise the Risk Acceptance process
  15. Control Objective - MMGRseg. RC1 Risk Communication:
     RC1.1. Implement an awareness plan
     RC1.2. Make stakeholders able to identify and communicate risks
     RC1.3. Standardize the Risk Communication activity
     RC1.4. Audit the Risk Communication activity
     RC1.5. Exchange and/or share risk-related information
     RC1.6. Critical analysis of Risk Communication
  16. Control Objective - MMGRseg. MA1 Monitoring and Critical Analysis:
     MA1.1. Verify the alignment of the RM process with business objectives
     MA1.2. Monitor, critically analyze and improve the risk management process
     MA1.3. Standardize the Monitoring and Critical Analysis activity
     MA1.4. Audit the Monitoring and Critical Analysis activity
     MA1.5. Improve the Risk Management process
  17. Control Map - MMGRseg. Control objectives that must be implemented for each RM activity to reach a given maturity level (Level 1 = Initial, 2 = Known, 3 = Standardized, 4 = Managed, 5 = Optimized):

     | RM activity                      | Level 1                   | Level 2          | Level 3                                   | Level 4          | Level 5          |
     |----------------------------------|---------------------------|------------------|-------------------------------------------|------------------|------------------|
     | Context Definition               | No control is implemented | CD1.1, CD1.2, CD1.3 | CD1.4, CD1.5, CD1.6, CD1.7             | CD1.8            | CD1.9            |
     | Risk Analysis/Assessment         | No control is implemented | AA1.1, AA1.2     | AA1.3, AA1.4, AA1.5                       | AA1.6            | AA1.7, AA1.8     |
     | Risk Treatment                   | No control is implemented | RT1.1            | RT1.2, RT1.3, RT1.4, RT1.5, RT1.6         | RT1.7            | RT1.8            |
     | Risk Acceptance                  | No control is implemented | RA1.1, RA1.2     | RA1.3, RA1.4, RA1.5                       | RA1.6            | RA1.7            |
     | Risk Communication               | No control is implemented | RC1.1            | RC1.2, RC1.3                              | RC1.4, RC1.5     | RC1.6            |
     | Monitoring and Critical Analysis | No control is implemented | MA1.1            | MA1.2, MA1.3                              | MA1.4            | MA1.5            |
  18. Assessment perspective - MMGRseg. Continuous representation: each of the six activities of the Risk Management process is assessed individually, so the company can verify which activity needs greater focus. The model provides specific guidance for each activity on the steps required to reach the next maturity level.
  19. Assessment perspective - MMGRseg (figure: examples of maturity-level assessment hypotheses through MMGRseg).
  20. Accountability Matrix - MMGRseg. Roles (columns, in the order of the matrix): CEO; CFO; Business Executive; CIO; Senior Business Management; Head of Operations; Chief Architect; Head of Development; Head of Administration; Head of IT Security; Audit, Risk and Compliance. Assignments for the Context Definition controls, as they appear in the matrix:
     CD1.1: R/A, C, C, C, I
     CD1.2: R/A, C, C, C, I
     CD1.3: R/A, C, C, C, I
     CD1.4: R/A
     CD1.5: R/A
     CD1.6: I, C, R, C, R/A, C, C, C, C, C
     CD1.7: R/A
     CD1.8: A
     Legend: R = Responsible; A = Accountable; C = Consulted; I = Informed.
  21. Risk Scorecard - MMGRseg. Every process must have defined goals and aims, making it possible to measure the degree of success of its execution. Metrics therefore need to be defined according to the SMARRT model (Specific, Measurable, Actionable, Realistic, Results-oriented and Timely). In the MMGRseg model, the measurement of all six activities of the risk management process must be based on SMARRT.
  22. Case study - MMGRseg. The assessment instrument was designed as a questionnaire based on the control objectives: 35 questions, answered on a Likert scale. Mapping of questions to activities and maturity levels:

     | Level   | CD         | AA           | RT           | RA       | RC       | MA       |
     |---------|------------|--------------|--------------|----------|----------|----------|
     | Level 2 | Q3         | Q9           | Q15          | Q21      | Q26      | Q31      |
     | Level 3 | Q4, Q5, Q6 | Q10, Q11, Q12 | Q16, Q17, Q18 | Q22, Q23 | Q27, Q28 | Q32, Q33 |
     | Level 4 | Q7         | Q13          | Q19          | Q24      | Q29      | Q34      |
     | Level 5 | Q8         | Q14          | Q20          | Q25      | Q30      | Q35      |

     CD = Context Definition, AA = Risk Analysis/Assessment, RT = Risk Treatment, RA = Risk Acceptance, RC = Risk Communication and MA = Monitoring and Critical Analysis of the Risk.
  23. Case study - MMGRseg. The questionnaire was sent to a convenience sample of 31 companies; feedback was received from 12 of them. Only 3 of the 12 respondent companies reached a level above 1; the remaining respondents achieved only maturity level 1 in all six activities of the RM process for IS.
  24. Conclusion. The model is a meaningful contribution to the field of information security, aligned with ISO/IEC 27005. It is comprised of a set of requirements and best practices: three stages (immaturity, maturity and excellence); five maturity levels (Initial, Known, Standardized, Managed and Optimized); forty-three control objectives; one control map; one assessment instrument relative to the maturity level of the activities of the RM process; an accountability matrix relative to each activity of the process; and a risk scorecard.
  25. Conclusion. All of this can be used by an organization to: identify weaknesses and/or deficiencies and the possibilities for improvement in the process, directing investments in Information Security; foster segmented benchmarking; disseminate the risk management culture across the company; achieve effectiveness in the continuous improvement of Risk Management in Information Security; and advise certification projects for Information Security Management Systems (ISMS) and Business Continuity.
  26. Thank you.