The document introduces the Security Maturity Model (SMM) which describes an organization's security maturity based on factors such as security responsibilities, organization, practices, policies, access control, audits, and security investment management. It outlines 5 levels of security maturity for organizations from initial/ad hoc (Level 1) to optimum/embedded (Level 5). Levels 3-5 involve defined, managed, and quantitative security practices and responsibilities. The SMM also describes a Security Norms Framework for developing flexible and domain-specific security policies, norms, standards and procedures.

1. First Improvised Security Testing Conference
Madrid 18/7/2003
Security Maturity Model
© Vicente Aceituno

2. “You are only as strong
as your weakest link”
2
© Vicente Aceituno, smmodel@yahoogroups.com

3. In 1995, Nick Leeson traded derivatives
bringing Barings Bank bankrupt.
Information systems were not at fault.
3
© Vicente Aceituno, smmodel@yahoogroups.com

4. …an Organization is much more
than information systems…
Information
Infrastructure Systems People
Trademark & Know-How
Prestige Financial Assets
4
© Vicente Aceituno, smmodel@yahoogroups.com

5. Are we sure auditing an
information system will make an
Organization safer in the long run?
How about…
Organization issues.
Security Targets (Policy) issues.
Security Investment Performance issues.
A perfectly configured and patched
system won’t stay that way for long
in an Insecure Organization!
5
© Vicente Aceituno, smmodel@yahoogroups.com

6. OK. How can we know how
secure an Organization is and
how to make it safer?
6
© Vicente Aceituno, smmodel@yahoogroups.com

7. Introducing the Security Maturity Model
SMM describes the maturity of an organization
depending on:
Assignment and supervision of responsibilities.
Security organization.
Security practices.
Policies:
Expectation-driven targets.
Distributed Policy Enforcement Responsibility.
Access Control management.
Independent audits.
Quantitative data gathering.
Etc…
Security investment management.
7
© Vicente Aceituno, smmodel@yahoogroups.com

8. SMM Level 1 - Initial
Security is not acknowledged as a desirable property of
the organization. The absence of incidents is the result of
luck or individual efforts. The presence of incidents
invariably leads to the maximum impact that could be
expected.
8
© Vicente Aceituno, smmodel@yahoogroups.com

9. SMM Level 2 - Acknowledged
Security is acknowledged as a desirable property of the
organization. The absence of incidents is the result of luck
or some organizational efforts. The presence of incidents
doesn’t always lead to the maximum impact that could be
expected.
Expectations, incidents, and assets are sometimes
evaluated.
Security measures are taken until the budget is exhausted.
The results of the organizational efforts fades with time.
From here on “Evaluation” means: Identify, Classify, Prioritize, Value
9
© Vicente Aceituno, smmodel@yahoogroups.com

10. SMM Level 3 - Defined
Security is acknowledged as a desirable property of the
organization. The absence of incidents is the result of luck
or continuous organizational efforts. The presence of
incidents normally doesn’t lead to the maximum impact
that could be expected.
Expectations, incidents and assets are sometimes evaluated.
Security measures are taken until the budget is exhausted.
Organizational security responsibilities are defined.
A Security Policy exists.
Assets are accessed using sessions.
Security measures are audited.
The results of the organizational efforts are permanent.
10
© Vicente Aceituno, smmodel@yahoogroups.com

11. SMM Level 4 - Managed
Security is acknowledged as a desirable property of the
organization. The absence of incidents is the result of
continuous organizational efforts. The presence of incidents
virtually never leads to the maximum impact that could be
expected.
Expectations, incidents and assets are evaluated.
The best security measures are taken considering the
budget.
Organizational security responsibilities are defined.
A Security Norms Framework exist and is applied.
Assets are accessed using sessions only.
Security measures are audited.
Responsibilities are partitioned and supervised.
A “Continuity of Operations Plan” exists. This plan considers
the organization’s current status, and is properly
implemented.
The results of the organizational efforts are permanent.
11
© Vicente Aceituno, smmodel@yahoogroups.com

12. SMM Level 5 - Optimum
Security is acknowledged as a desirable property of the
organization. The absence of incidents is the result of
continuous organizational efforts. The presence of incidents
doesn’t lead to the maximum impact that could be expected.
Expectations, incidents and assets are evaluated quantitatively.
The best security measures are taken considering the budget. It can
be determined if the budget is consistent with the targets defined by
the Security Norms Framework.
Organizational security responsibilities are defined.
A Security Norms Framework exist and is applied.
Assets are accessed using sessions only.
Security measures are audited.
Responsibilities are partitioned and supervised.
A “Continuity of Operations Plan” exists. This plan considers the
organization’s evolution and is properly implemented.
Quantitative information is collected about incidents or close calls.
Security measures are selected using objective criteria.
The results of the organizational efforts are permanent.
12
© Vicente Aceituno, smmodel@yahoogroups.com

13. SMM
SMM – Security Norms Framework
Security Policies as a single document are not flexible
enough in a big organization and quickly become
worthless.
An effective Security Policy describes the high-level
principles that describe the targets (why) and the strategies
(what) to reach them.
The Security Norms develop the strategies describing the
scope (where and when) of the security practices.
The Security Standards develop the norms with
specifications per domain, than can be checked.
Security Procedures develop standards and norms and give
a step-by-step description of the who and how of the
practice. The Operations Continuity Plan is a procedure that
specifies how to act when a catastrophe happens.
The Fair Use norm informs users about their obligations
when using the organization’s systems.
The Third Party Agreements define mutual security
commitments at the organization’s borders with others.
13
© Vicente Aceituno, smmodel@yahoogroups.com

14. SMM
SMM –Sublevels.
Depending on the degree of integration of the
existing practices, such as:
Theorized: The practice is identified as compulsory in the
Security Norms Framework, but the scope norms, standards
and procedures don’t exist.
Procedured: There are norms, standards & procedures for
this practice.
Implemented: The norms of the practice are actually used.
Verified: The results of the procedures used are audited
periodically.
Integrated: Circumvention of the norms of the practice is
insignificant.
…an organization may occupy any sublevel
within a given level.
14
© Vicente Aceituno, smmodel@yahoogroups.com

15. SMM
SMM – Summary.
Using SMM you can:
Determine what is your organization’s maturity.
Set a maturity target.
Plan for maturity enhancement.
Benefits:
Every partial result of achieving the higher SMM Levels won’t
depend any longer on external contractors. Ever.
Improve customer and stockholder's trust on the
organization.
Maximize turnover of Security Investment.
Avoid non-technical security risks, setting an environment
where there are no weak links.
15
© Vicente Aceituno, smmodel@yahoogroups.com

16. This presentation is just an overview. The SMM is
being further developed at the smmodel Group
smmodel@yahoogroups.com
groups.yahoo.com/group/smmodel
© Vicente Aceituno
18 de Julio de 2003
Open Content Licenced
www.opencontent.org/opl.shtml
SMM