SlideShare a Scribd company logo

Security Maturity Model

Conferencias FIST
Conferencias FIST
Technology
1 of 16
Download to read offline
First Improvised Security Testing Conference Madrid 18/7/2003 Security Maturity Model © Vicente Aceituno
“You are only as strong as your weakest link” 2 © Vicente Aceituno, smmodel@yahoogroups.com
In 1995, Nick Leeson traded derivatives bringing Barings Bank bankrupt. Information systems were not at fault. 3 © Vicente Aceituno, smmodel@yahoogroups.com
…an Organization is much more than information systems… Information Infrastructure Systems People Trademark & Know-How Prestige Financial Assets 4 © Vicente Aceituno, smmodel@yahoogroups.com
Are we sure auditing an information system will make an Organization safer in the long run? How about… Organization issues. Security Targets (Policy) issues. Security Investment Performance issues. A perfectly configured and patched system won’t stay that way for long in an Insecure Organization! 5 © Vicente Aceituno, smmodel@yahoogroups.com
OK. How can we know how secure an Organization is and how to make it safer? 6 © Vicente Aceituno, smmodel@yahoogroups.com
Introducing the Security Maturity Model SMM describes the maturity of an organization depending on: Assignment and supervision of responsibilities. Security organization. Security practices. Policies: Expectation-driven targets. Distributed Policy Enforcement Responsibility. Access Control management. Independent audits. Quantitative data gathering. Etc… Security investment management. 7 © Vicente Aceituno, smmodel@yahoogroups.com
SMM Level 1 - Initial Security is not acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or individual efforts. The presence of incidents invariably leads to the maximum impact that could be expected. 8 © Vicente Aceituno, smmodel@yahoogroups.com
SMM Level 2 - Acknowledged Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or some organizational efforts. The presence of incidents doesn’t always lead to the maximum impact that could be expected. Expectations, incidents, and assets are sometimes evaluated. Security measures are taken until the budget is exhausted. The results of the organizational efforts fades with time. From here on “Evaluation” means: Identify, Classify, Prioritize, Value 9 © Vicente Aceituno, smmodel@yahoogroups.com
SMM Level 3 - Defined Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or continuous organizational efforts. The presence of incidents normally doesn’t lead to the maximum impact that could be expected. Expectations, incidents and assets are sometimes evaluated. Security measures are taken until the budget is exhausted. Organizational security responsibilities are defined. A Security Policy exists. Assets are accessed using sessions. Security measures are audited. The results of the organizational efforts are permanent. 10 © Vicente Aceituno, smmodel@yahoogroups.com
SMM Level 4 - Managed Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents virtually never leads to the maximum impact that could be expected. Expectations, incidents and assets are evaluated. The best security measures are taken considering the budget. Organizational security responsibilities are defined. A Security Norms Framework exist and is applied. Assets are accessed using sessions only. Security measures are audited. Responsibilities are partitioned and supervised. A “Continuity of Operations Plan” exists. This plan considers the organization’s current status, and is properly implemented. The results of the organizational efforts are permanent. 11 © Vicente Aceituno, smmodel@yahoogroups.com
SMM Level 5 - Optimum Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents doesn’t lead to the maximum impact that could be expected. Expectations, incidents and assets are evaluated quantitatively. The best security measures are taken considering the budget. It can be determined if the budget is consistent with the targets defined by the Security Norms Framework. Organizational security responsibilities are defined. A Security Norms Framework exist and is applied. Assets are accessed using sessions only. Security measures are audited. Responsibilities are partitioned and supervised. A “Continuity of Operations Plan” exists. This plan considers the organization’s evolution and is properly implemented. Quantitative information is collected about incidents or close calls. Security measures are selected using objective criteria. The results of the organizational efforts are permanent. 12 © Vicente Aceituno, smmodel@yahoogroups.com
SMM SMM – Security Norms Framework Security Policies as a single document are not flexible enough in a big organization and quickly become worthless. An effective Security Policy describes the high-level principles that describe the targets (why) and the strategies (what) to reach them. The Security Norms develop the strategies describing the scope (where and when) of the security practices. The Security Standards develop the norms with specifications per domain, than can be checked. Security Procedures develop standards and norms and give a step-by-step description of the who and how of the practice. The Operations Continuity Plan is a procedure that specifies how to act when a catastrophe happens. The Fair Use norm informs users about their obligations when using the organization’s systems. The Third Party Agreements define mutual security commitments at the organization’s borders with others. 13 © Vicente Aceituno, smmodel@yahoogroups.com
SMM SMM –Sublevels. Depending on the degree of integration of the existing practices, such as: Theorized: The practice is identified as compulsory in the Security Norms Framework, but the scope norms, standards and procedures don’t exist. Procedured: There are norms, standards & procedures for this practice. Implemented: The norms of the practice are actually used. Verified: The results of the procedures used are audited periodically. Integrated: Circumvention of the norms of the practice is insignificant. …an organization may occupy any sublevel within a given level. 14 © Vicente Aceituno, smmodel@yahoogroups.com
SMM SMM – Summary. Using SMM you can: Determine what is your organization’s maturity. Set a maturity target. Plan for maturity enhancement. Benefits: Every partial result of achieving the higher SMM Levels won’t depend any longer on external contractors. Ever. Improve customer and stockholder's trust on the organization. Maximize turnover of Security Investment. Avoid non-technical security risks, setting an environment where there are no weak links. 15 © Vicente Aceituno, smmodel@yahoogroups.com
This presentation is just an overview. The SMM is being further developed at the smmodel Group smmodel@yahoogroups.com groups.yahoo.com/group/smmodel © Vicente Aceituno 18 de Julio de 2003 Open Content Licenced www.opencontent.org/opl.shtml SMM

Recommended

Information Security Maturity Model
Information Security Maturity ModelInformation Security Maturity Model
Information Security Maturity ModelCSCJournals
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity AssessmentClaude Baudoin
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingRaghuraman Ramamurthy
 
Agiliance Risk Vision
Agiliance Risk VisionAgiliance Risk Vision
Agiliance Risk Visionagiliancecommunity
 
Information Security Risks Management Maturity Model (ISRM3)
Information Security Risks Management Maturity Model (ISRM3)Information Security Risks Management Maturity Model (ISRM3)
Information Security Risks Management Maturity Model (ISRM3)leolemes
 
SMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMSMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMIvanti
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber securityWGroup
 

Recommended

Information Security Maturity Model
Information Security Maturity ModelInformation Security Maturity Model
Information Security Maturity ModelCSCJournals
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity AssessmentClaude Baudoin
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingRaghuraman Ramamurthy
 
Agiliance Risk Vision
Agiliance Risk VisionAgiliance Risk Vision
Agiliance Risk Visionagiliancecommunity
 
Information Security Risks Management Maturity Model (ISRM3)
Information Security Risks Management Maturity Model (ISRM3)Information Security Risks Management Maturity Model (ISRM3)
Information Security Risks Management Maturity Model (ISRM3)leolemes
 
SMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMSMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMIvanti
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber securityWGroup
 
Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Maurice Dawson
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 
2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccessasundaram1
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016Ben Browning
 
The safety leadership challenge building soft skills for exemplary safety p...
The safety leadership challenge building soft skills for exemplary safety p...The safety leadership challenge building soft skills for exemplary safety p...
The safety leadership challenge building soft skills for exemplary safety p...OHS Leaders Summit
 
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTTHE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTIJNSA Journal
 
Allgress Brochure
Allgress BrochureAllgress Brochure
Allgress Brochurelinkedinlion11
 
CISSPills #3.03
CISSPills #3.03CISSPills #3.03
CISSPills #3.03Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
CISSPills #3.04
CISSPills #3.04CISSPills #3.04
CISSPills #3.04Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
 
Techserv Brochure
Techserv BrochureTechserv Brochure
Techserv Brochureguest8a430d
 
IANS-2008
IANS-2008IANS-2008
IANS-2008Bob Radvanovsky
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHanaysha
 
CISSPills #3.06
CISSPills #3.06CISSPills #3.06
CISSPills #3.06Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
New Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsNew Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsDavid X Martin
 
Massbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaMassbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaJames McDonald
 
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Redspin, Inc.
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-levelDonald Tabone
 
Putting safety to work the business case for psychology based safety training...
Putting safety to work the business case for psychology based safety training...Putting safety to work the business case for psychology based safety training...
Putting safety to work the business case for psychology based safety training...OHS Leaders Summit
 
Basic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 EditionBasic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 EditionJOEL JESUS SUPAN
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security RisksEnterprise Security Risk Management
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook SecurityRogers Communications
 

More Related Content

What's hot

Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Maurice Dawson
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 
2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccessasundaram1
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016Ben Browning
 
The safety leadership challenge building soft skills for exemplary safety p...
The safety leadership challenge building soft skills for exemplary safety p...The safety leadership challenge building soft skills for exemplary safety p...
The safety leadership challenge building soft skills for exemplary safety p...OHS Leaders Summit
 
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTTHE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTIJNSA Journal
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
 
Techserv Brochure
Techserv BrochureTechserv Brochure
Techserv Brochureguest8a430d
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHanaysha
 
New Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsNew Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsDavid X Martin
 
Massbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaMassbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaJames McDonald
 
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Redspin, Inc.
 

What's hot (17)

Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.
 
2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
 
The safety leadership challenge building soft skills for exemplary safety p...
The safety leadership challenge building soft skills for exemplary safety p...The safety leadership challenge building soft skills for exemplary safety p...
The safety leadership challenge building soft skills for exemplary safety p...
 
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTTHE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
 
Allgress Brochure
Allgress BrochureAllgress Brochure
Allgress Brochure
 
CISSPills #3.03
CISSPills #3.03CISSPills #3.03
CISSPills #3.03
 
CISSPills #3.04
CISSPills #3.04CISSPills #3.04
CISSPills #3.04
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
Techserv Brochure
Techserv BrochureTechserv Brochure
Techserv Brochure
 
IANS-2008
IANS-2008IANS-2008
IANS-2008
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq Hanaysha
 
CISSPills #3.06
CISSPills #3.06CISSPills #3.06
CISSPills #3.06
 
New Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsNew Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-Profits
 
Massbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaMassbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed Proba
 
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
 

Similar to Security Maturity Model

Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-levelDonald Tabone
 
Putting safety to work the business case for psychology based safety training...
Putting safety to work the business case for psychology based safety training...Putting safety to work the business case for psychology based safety training...
Putting safety to work the business case for psychology based safety training...OHS Leaders Summit
 
Basic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 EditionBasic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 EditionJOEL JESUS SUPAN
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Tuan Phan
 
Understanding the 8 Keys to Security Success
Understanding the 8 Keys to Security SuccessUnderstanding the 8 Keys to Security Success
Understanding the 8 Keys to Security SuccessSecurityOn-Demand
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Accenture Technology
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraLuke Farrell
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Samuel Loomis
 
Virtual Chief Information Security Officer | VCISO | Cyber Security
Virtual Chief Information Security Officer | VCISO | Cyber SecurityVirtual Chief Information Security Officer | VCISO | Cyber Security
Virtual Chief Information Security Officer | VCISO | Cyber SecurityCyber Security Experts
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIskcon Ahmedabad
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworksAndréanne Clarke
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10David X Martin
 
Convergence innovative integration of security
Convergence innovative integration of securityConvergence innovative integration of security
Convergence innovative integration of securityciso_insights
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfChinatu Uzuegbu
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 

Similar to Security Maturity Model (20)

Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Putting safety to work the business case for psychology based safety training...
Putting safety to work the business case for psychology based safety training...Putting safety to work the business case for psychology based safety training...
Putting safety to work the business case for psychology based safety training...
 
Basic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 EditionBasic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 Edition
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security Risks
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook Security
 
Security Feature Cover Story
Security Feature Cover StorySecurity Feature Cover Story
Security Feature Cover Story
 
Cybersecurity report-vol-8
Cybersecurity report-vol-8Cybersecurity report-vol-8
Cybersecurity report-vol-8
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013
 
Understanding the 8 Keys to Security Success
Understanding the 8 Keys to Security SuccessUnderstanding the 8 Keys to Security Success
Understanding the 8 Keys to Security Success
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive era
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
 
Virtual Chief Information Security Officer | VCISO | Cyber Security
Virtual Chief Information Security Officer | VCISO | Cyber SecurityVirtual Chief Information Security Officer | VCISO | Cyber Security
Virtual Chief Information Security Officer | VCISO | Cyber Security
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworks
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
 
Convergence innovative integration of security
Convergence innovative integration of securityConvergence innovative integration of security
Convergence innovative integration of security
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdf
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 

More from Conferencias FIST

Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceConferencias FIST
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseConferencias FIST
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiConferencias FIST
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security ForumConferencias FIST
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes WirelessConferencias FIST
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la ConcienciaciónConferencias FIST
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloConferencias FIST
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseConferencias FIST
 

More from Conferencias FIST (20)

Seguridad en Open Solaris
Seguridad en Open SolarisSeguridad en Open Solaris
Seguridad en Open Solaris
 
Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open Source
 
Spanish Honeynet Project
Spanish Honeynet ProjectSpanish Honeynet Project
Spanish Honeynet Project
 
Seguridad en Windows Mobile
Seguridad en Windows MobileSeguridad en Windows Mobile
Seguridad en Windows Mobile
 
SAP Security
SAP SecuritySAP Security
SAP Security
 
Que es Seguridad
Que es SeguridadQue es Seguridad
Que es Seguridad
 
Network Access Protection
Network Access ProtectionNetwork Access Protection
Network Access Protection
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática Forense
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFi
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
 
Criptografia Cuántica
Criptografia CuánticaCriptografia Cuántica
Criptografia Cuántica
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes Wireless
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la Concienciación
 
Security Metrics
Security MetricsSecurity Metrics
Security Metrics
 
PKI Interoperability
PKI InteroperabilityPKI Interoperability
PKI Interoperability
 
Wifislax 3.1
Wifislax 3.1Wifislax 3.1
Wifislax 3.1
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el Desarrollo
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis Forense
 
Cisco Equipment Security
Cisco Equipment SecurityCisco Equipment Security
Cisco Equipment Security
 

Recently uploaded

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

Recently uploaded (20)

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

Security Maturity Model

  • 1. First Improvised Security Testing Conference Madrid 18/7/2003 Security Maturity Model © Vicente Aceituno
  • 2. “You are only as strong as your weakest link” 2 © Vicente Aceituno, smmodel@yahoogroups.com
  • 3. In 1995, Nick Leeson traded derivatives bringing Barings Bank bankrupt. Information systems were not at fault. 3 © Vicente Aceituno, smmodel@yahoogroups.com
  • 4. …an Organization is much more than information systems… Information Infrastructure Systems People Trademark & Know-How Prestige Financial Assets 4 © Vicente Aceituno, smmodel@yahoogroups.com
  • 5. Are we sure auditing an information system will make an Organization safer in the long run? How about… Organization issues. Security Targets (Policy) issues. Security Investment Performance issues. A perfectly configured and patched system won’t stay that way for long in an Insecure Organization! 5 © Vicente Aceituno, smmodel@yahoogroups.com
  • 6. OK. How can we know how secure an Organization is and how to make it safer? 6 © Vicente Aceituno, smmodel@yahoogroups.com
  • 7. Introducing the Security Maturity Model SMM describes the maturity of an organization depending on: Assignment and supervision of responsibilities. Security organization. Security practices. Policies: Expectation-driven targets. Distributed Policy Enforcement Responsibility. Access Control management. Independent audits. Quantitative data gathering. Etc… Security investment management. 7 © Vicente Aceituno, smmodel@yahoogroups.com
  • 8. SMM Level 1 - Initial Security is not acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or individual efforts. The presence of incidents invariably leads to the maximum impact that could be expected. 8 © Vicente Aceituno, smmodel@yahoogroups.com
  • 9. SMM Level 2 - Acknowledged Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or some organizational efforts. The presence of incidents doesn’t always lead to the maximum impact that could be expected. Expectations, incidents, and assets are sometimes evaluated. Security measures are taken until the budget is exhausted. The results of the organizational efforts fades with time. From here on “Evaluation” means: Identify, Classify, Prioritize, Value 9 © Vicente Aceituno, smmodel@yahoogroups.com
  • 10. SMM Level 3 - Defined Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or continuous organizational efforts. The presence of incidents normally doesn’t lead to the maximum impact that could be expected. Expectations, incidents and assets are sometimes evaluated. Security measures are taken until the budget is exhausted. Organizational security responsibilities are defined. A Security Policy exists. Assets are accessed using sessions. Security measures are audited. The results of the organizational efforts are permanent. 10 © Vicente Aceituno, smmodel@yahoogroups.com
  • 11. SMM Level 4 - Managed Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents virtually never leads to the maximum impact that could be expected. Expectations, incidents and assets are evaluated. The best security measures are taken considering the budget. Organizational security responsibilities are defined. A Security Norms Framework exist and is applied. Assets are accessed using sessions only. Security measures are audited. Responsibilities are partitioned and supervised. A “Continuity of Operations Plan” exists. This plan considers the organization’s current status, and is properly implemented. The results of the organizational efforts are permanent. 11 © Vicente Aceituno, smmodel@yahoogroups.com
  • 12. SMM Level 5 - Optimum Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents doesn’t lead to the maximum impact that could be expected. Expectations, incidents and assets are evaluated quantitatively. The best security measures are taken considering the budget. It can be determined if the budget is consistent with the targets defined by the Security Norms Framework. Organizational security responsibilities are defined. A Security Norms Framework exist and is applied. Assets are accessed using sessions only. Security measures are audited. Responsibilities are partitioned and supervised. A “Continuity of Operations Plan” exists. This plan considers the organization’s evolution and is properly implemented. Quantitative information is collected about incidents or close calls. Security measures are selected using objective criteria. The results of the organizational efforts are permanent. 12 © Vicente Aceituno, smmodel@yahoogroups.com
  • 13. SMM SMM – Security Norms Framework Security Policies as a single document are not flexible enough in a big organization and quickly become worthless. An effective Security Policy describes the high-level principles that describe the targets (why) and the strategies (what) to reach them. The Security Norms develop the strategies describing the scope (where and when) of the security practices. The Security Standards develop the norms with specifications per domain, than can be checked. Security Procedures develop standards and norms and give a step-by-step description of the who and how of the practice. The Operations Continuity Plan is a procedure that specifies how to act when a catastrophe happens. The Fair Use norm informs users about their obligations when using the organization’s systems. The Third Party Agreements define mutual security commitments at the organization’s borders with others. 13 © Vicente Aceituno, smmodel@yahoogroups.com
  • 14. SMM SMM –Sublevels. Depending on the degree of integration of the existing practices, such as: Theorized: The practice is identified as compulsory in the Security Norms Framework, but the scope norms, standards and procedures don’t exist. Procedured: There are norms, standards & procedures for this practice. Implemented: The norms of the practice are actually used. Verified: The results of the procedures used are audited periodically. Integrated: Circumvention of the norms of the practice is insignificant. …an organization may occupy any sublevel within a given level. 14 © Vicente Aceituno, smmodel@yahoogroups.com
  • 15. SMM SMM – Summary. Using SMM you can: Determine what is your organization’s maturity. Set a maturity target. Plan for maturity enhancement. Benefits: Every partial result of achieving the higher SMM Levels won’t depend any longer on external contractors. Ever. Improve customer and stockholder's trust on the organization. Maximize turnover of Security Investment. Avoid non-technical security risks, setting an environment where there are no weak links. 15 © Vicente Aceituno, smmodel@yahoogroups.com
  • 16. This presentation is just an overview. The SMM is being further developed at the smmodel Group smmodel@yahoogroups.com groups.yahoo.com/group/smmodel © Vicente Aceituno 18 de Julio de 2003 Open Content Licenced www.opencontent.org/opl.shtml SMM