Introducing O-ISM3

4,323 views

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,323
On SlideShare
0
From Embeds
0
Number of Embeds
2,847
Actions
Shares
0
Downloads
94
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • What, When, Where, Who, How, Why No podemos trabajar de cualquier forma: Hay que utilizar las técnicas. No podemos utilizar cualquier documento: Hay que usar los entregables. Disminuye la dependencia de personas específicas. La aplicación de técnicas se refleja naturalmente en los entregables. Medimos el progreso objetivamente. Podemos planificar mejor el trabajo. Hacemos sólo lo relevante al proyecto. El trabajo realizado es de mejor calidad y está bien documentado. Disminuye mucho el riesgo cuando el proyecto es grande y/o complejo.
  • What, When, Where, Who, How, Why No podemos trabajar de cualquier forma: Hay que utilizar las técnicas. No podemos utilizar cualquier documento: Hay que usar los entregables. Disminuye la dependencia de personas específicas. La aplicación de técnicas se refleja naturalmente en los entregables. Medimos el progreso objetivamente. Podemos planificar mejor el trabajo. Hacemos sólo lo relevante al proyecto. El trabajo realizado es de mejor calidad y está bien documentado. Disminuye mucho el riesgo cuando el proyecto es grande y/o complejo.
  • Este concepto de sistema de información se refleja en la metodología en que no se considera que un sistema de formación esté desarrollado, definido o analizado si no se estudia tanto los componentes hardware y software como a las actividades realizadas por los usuarios.
  • Puede suceder que una persona desempeñe varios roles, o que un rol sea realizado por más de una persona.
  • Pueden definirse hitos para la facturación dependientes de la entrega de estos documentos.
  • See previous notes.
  • Manage what you can control
  • See previous notes.
  • Business objectives are the specific expression of general business goals.
  • Security objectives are a specific expression of business, compliance and technical needs and limitations.
  • Security Targets are a way to gauge if the management systems is successful or not. Without security targets (that can be considered a way to express risk appetite) it is not possible to tell a successful ISMS from a failed one, as incidents are unavoidable. One incident means the ISMS has failed? Normally no, but How many incidents (and how severe) it takes to declare the ISMS a failure?
  • See previous notes.
  • See previous notes.
  • See previous notes.
  • Access Control aka Identity Management
  • Who are the users of the system? Do they need to be specifically authorized? From whom do we want to protect the system's information? Will any part of the system be located in publicly accessible locations? Will the system handle personal information of clients, potential clients, stockholders or employees? What are the different locations subject to diverse regulations in terms of handling of personal information and data breach disclosure where parts of the system will be located? Will the system use licensed information from third parties? What are the different locations subject to diverse regulations in terms of licensed information where parts of the system will be located? Will the system handle intellectual property? What are the different locations subject to diverse regulations in terms of intellectual property where parts of the system will be located? These questions help understand the inventory, DRM, watermarking, obfuscation and compliance needs.
  • When should the system be performing normally (8x5, e.g)? How many interruptions are acceptable? What would be the longest acceptable interruption? What is the maximum amount of transactions that can be lost because of an interruption? These questions help understand the data and system backup, high availability and business continuity needs. For how long will the system's data be archived? If the data needs to be deleted, when should this happen? These questions help understand the long term archival and safe deletion needs. What is the maximum acceptable percentage of records with wrong information? What is the maximum percentage of records that can be missing? These questions help understand the data quality control needs
  • Expired information is one problem Metadata is another
  • Expired information is one problem Metadata is another
  • Take the worry out and think about the results, get
  • Different accreditable maturity levels can be adequate for organizations with different resources. A maturity level can be used as a way to show progress and a step to achieving higher levels. Early investment in security brings the highest return. A binary compliant / not compliant approach can discourage initial invesment.
  • This information is an important resource for selection of security measures and optimizing the security investment. This information is an important resource for the security norms framework, where these expectations are turned into specific requirements.
  • This information is an important resource for selection of security measures and optimising the security investment. This information is an important resource for the security norms framework, where these expectations are turned into specific requirements.
  • Introducing O-ISM3

    1. 1. 1 Information Security Management Maturity Model
    2. 2. 2
    3. 3. 3
    4. 4. 4 Methods  A method is the complete definition of how to make repeatable a complex activity.
    5. 5. 5 Concepts  Clear concepts help mapping real problems with the framework provided by the method.  They give the method internal coherence.
    6. 6. 6 Principles  Generic high level do’s, don’ts and how to’s.
    7. 7. 7 Roles  Defined roles guarantee that everyone knows his responsibilities, and there are no unassigned responsibilities.  Every task performed needs one person or team that is responsible to carry it out.
    8. 8. 8 Processes  The task is performed equally regardless of who performs it.  Makes planning easier.  It produces something with value for the business.
    9. 9. 9 Deliverables  Document activity  Results  Measure progress and success  Less dependencies  Better communication  Reminder
    10. 10. 10 Techniques  Capture and reuse lessons learnt  Improve productivity and quality  Less dependencies of individual talent  Produce deliverables
    11. 11. 11  Why  What  Who  How  When  Resources  Responsibilities
    12. 12. 12 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
    13. 13. 13 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
    14. 14. 14 Charter  The Problem  Lack of guidance for the infosec community on managing the information security function using metrics and maturity models.  Existing infosec frameworks and standards for the most part fail to tie information security controls and management to business objectives. As such, they provide laundry lists of best practice controls, but they leave it to the information security management at each organization to determine which controls have applicability based upon many internal factors.  Existing frameworks are also not tailored for various kinds of organizations. SMBs, large enterprises, e-commerce, and military/defense have different requirements
    15. 15. 15 Charter  Objectives  Fill the gap between ISMS as defined in ISO27001, best practices in ISO27002, and the need for continuous improvement in infosec using metrics and maturity models.  Help organizations to identify and achieve levels of security appropriate to their industry, risk profile, and size.  Provide organizations with certification opportunities for infosec management program  Provide basis for an ecosystem to develop around ISM3, including trainers, certification, consultants.
    16. 16. 16 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
    17. 17. 17 Asking the Right Questions  What questions would you ask in order to keep the Confidentiality, Availability and Integrity of the systems used by Human Resources?
    18. 18. 18 Contrarian view of business and security
    19. 19. 19 Security seen as part of the business
    20. 20. 20 Protect the asset
    21. 21. 21 Protect business bjectives
    22. 22. 22  “We want to prevent attacks from succeeding”. With this approach, to be secure means to be invulnerable.  An incident is any loss of confidentiality, integrity or availability.  You look at a piece of data and think: Is it confidential, has it got integrity, is it available? Traditional approach to security:
    23. 23. 23  “We want to guarantee that our business objectives are met”. With this approach, to be secure means to be reliable, despite attacks, accidents and errors.  An incident is a failure to meet a security objective resulting from accidents, errors or attacks.  Using ISM3 you look at a piece of data and think: What properties of this data must be protected for it to have business value? ISM3 style Approach:
    24. 24. 24 ISM3 Business Focus  Business Objectives: Resilience depends on security objectives.  Security Objectives are derived from business, compliance and technical needs and limitations. This are the goals of the ISM.  Security Targets measure the achievement of security objectives in business terms.
    25. 25. 25 Benefits Realization Business Goals and Obligations removed in order to simplify and focus.
    26. 26. 26 ISM3 - What needs protection?  Business Objectives examples:  Paying taxes in time;  Invoice all products and services provided;  Keep any records needed to pass successfully any audit, like a tax audit or a software licenses audit.  Security Objectives.  Security Targets.
    27. 27. 27 ISM3 - What protection is needed?  Business Objectives.  Security Objectives examples:  “Secrets should be accessible to authorized users only”  “Repositories with Personal information have to be registered with the Data Protection agency”  “Systems are as free of weaknesses as possible”  Security Targets.
    28. 28. 28 ISM3 - Is protection successful?  Business Objectives.  Security Objectives.  Security Targets examples.  “Less than 2 secrets revealed every year, accounting for loses of less than 0.1% of the value of the company”  “Fewer than one incident every two years where a Repository with Personal Information s not registered”  “Medium update level in the DMZ environment below 3 days”
    29. 29. 29 Benefits Realization
    30. 30. 30 Operational Definitions for Security  ISM3 borrows the concept of operational definition from the scientific method.  Under an operational definition, any measurable characteristic is defined by the methodology used to measure it, without any attempt to describe or define the nature of the measured characteristic.  Repeatable, as the measurement can the performed as often as needed with consistent results,  Independent of the observer, as any observer following the measurement methodology will achieve the same result
    31. 31. 31 Operational Definitions for Security  Remove ambiguity, enable agreement.  Switch from “what is” to “how you measure”.  You don’t need to know what “mass” is in order to know the weight of something.
    32. 32. 32 Asking the Right Questions  What questions would you ask in order to keep the Confidentiality, Availability and Integrity of the systems used by Human Resources?
    33. 33. 33 Asking the Right Questions 1. Who are the users of the system? 2. Do they need to be specifically authorized? 3. From whom do we want to protect the system’s information? 4. Will any part of the system be located in publicly accessible locations? 5. Will the system handle personal information of clients, potential clients, stockholders, or employees? 6. What are the different locations subject to diverse regulations in terms of handling of personal information and data breach disclosure where parts of the system will be located? 7. Will the system use licensed information from third parties? 8. What are the different locations subject to diverse regulations in terms of licensed information where parts of the system will be located?
    34. 34. 34 Asking the Right Questions 9. Will the system handle intellectual property? 10. What are the different locations subject to diverse regulations in terms of intellectual property where parts of the system will be located? 11. When should the system be performing normally (e.g., 8×5)? 12. How many interruptions are acceptable? 13. What would be the longest acceptable interruption? 14. What is the maximum amount of transactions that can be lost because of an interruption? 15. For how long will the system’s data be archived? 16. If the data needs to be deleted, when should this happen? 17. What is the maximum acceptable fraction of records with wrong information? 18. What is the maximum fraction of records that can be missing?
    35. 35. 35 Security Objectives
    36. 36. 36  Use of services and physical and logical access to repositories and systems is restricted to authorized users; Access Control
    37. 37. 37  Secrets (industrial, trade) are accessible to authorized users only; Access Control
    38. 38. 38  Personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required. Access Control
    39. 39. 39  Intellectual property (licensed, copyrighted, patented and trademarks) is accessible to authorized users only;  Third party services and repositories are appropriately licensed and accessible only to authorized users; Access Control
    40. 40. 40  Users are accountable for the repositories and messages they create or modify;  Users are accountable for their acceptance of contracts and agreements.  Users are accountable for their use of services. Access Control
    41. 41. 41  Accurate time and date is reflected in all records; Access Control
    42. 42. 42  Availability of repositories, services and channels exceeds Customer needs;  Reliability and performance of services and channels exceeds Customer needs;  Volatility of services and channels within Customer needs; Priority Objectives
    43. 43. 43  Repositories are retained at least as long as Customer requirements;  Expired or end of life-cycle repositories are permanently destroyed; Durability Objectives
    44. 44. 44  Precision, relevance (up-to- date), completeness and consistency of repositories exceeds Customer needs; Quality Objectives
    45. 45. 45 Technical Objectives * Keep systems free of weaknesses. * Keep systems that need to be visible from not trusted systems the least visible possible. * Have systems run trusted services only. * Keep electricity, temperature and humidity within controlled limits. Press Any Key to Continue
    46. 46. 46 Use case – Malware Management  Use case – ISM3-less management  Motivation: Clean viruses or your business will sink.  Objective: No system should get a virus ever  Activity: Install antivirus on personal computers, servers, mail servers, add antivirus functionality to firewalls, add antispyware, antitrojan, antirookit to the mix.  Policy: Prevent any USB, DVD, to touch any company system without being searched for viruses.  Success criterion: When no system gets ever a virus.  Continuous improvement: Add more antimalware controls (Tripwire, CORE, etc)
    47. 47. 47  Use Case – ISM3-style management  Motivation: Unfortunately systems, specially Windows and malware prone. We should invest proportionally to the damage they can make.  Goal: Systems should accomplish their business role with or without malware.  Activity: Install antimalware in vulnerable systems. Measure activity, scope, update and availability of antimalware. Consider other measures, like using less malware prone systems.  Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.  Success criterion: When protected system play their business role without interruption or degradation.  Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectively and ROI. Use case – Malware Management
    48. 48. 48 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
    49. 49. 49 Definitions Process OSP-6 Environment Clearing Description This process covers procedures for secure clearing of repositories to prevent disclosure of information. Rationale Clearing or destroying of repositories is required to prevent disclosure incidents when an information system leaves an environment or passes outside the control of the organization. Documentation OSP-061-Repository Clearing Procedure. OSP-062-Clearing Report Template Inputs Inventory of Assets Alerts and Fixes Report Work Products Cleared Repositories Clearing Report Metrics Report Activity Number of Work Products submitted Scope Percentage of information systems susceptible to be cleared when changing state in the environment Update Time since last Work Products submission Mean time between Work Products submissions Time since last information system clearing Availability Not Applicable Process owner Information Systems Management Related Processes OSP-4 Information Systems Environment Change Control OSP-22 Alerts Monitoring Related Methodologies Not Applicable
    50. 50. 50 Definitions Description: The activity performed in the process. Rationale: How the process contributes to specific and generic goals. Documentation: Policies, Procedures and Templates Process Definitions needed to describe and perform the process. Inputs: Inputs to the process. (Inputs in italics or obtained from sources other than documents) Work Products: Results of the process. (Work Products in italics are work products other than documents)
    51. 51. 51 Definitions Activity: Metric description of the volume of work products produced. Scope: Metric description showing how much of the organisation or the environment is covered by the process. Efficiency Efficacy Load Quality Unavailability: Metric description of the period of time that a process has performed as expected upon demand, and the frequency and duration of interruptions.
    52. 52. 52 Definitions Process Owner: Every process should have one and no more than one process owner. Related Processes: Other ISM3 processes that are required to generate key inputs. Related Methodologies: Well-known methodologies and best practices.
    53. 53. 53  Managing is achieving results with the resources available for it.  There are specific activities for management: “Management Practices” Management
    54. 54. 54  Assessment. How well the process matches the organization's needs and compliance goals. Management Practices
    55. 55. 55  Benefits realization: Show how achieving security objectives contributes to achieving business objectives. Management Practices
    56. 56. 56  Planning. Organizing and forecasting the amount, assignment and milestones of tasks, resources, budget, deliverables and performance of a process. Management Practices
    57. 57. 57  Testing: Assessment of whether process outputs are as expected when test data is put in. Management Practices
    58. 58. 58  Monitoring: Checking whether the outputs of the process and the resources used are normal?, acceptable? Improving? Better than the Joneses? Management Practices
    59. 59. 59  Improving: Making changes in the process to make it more suitable for the purpose, or to reduce usage of resources. Management Practices
    60. 60. 60  Audit. Whether the process inputs, activities and results match their documentation. Management Practices
    61. 61. 61  Certify: Whether the process inputs, process documentation, activities and results comply with a pre- defined standard, law or regulation. Management Practices
    62. 62. 62  Therefore, there is a strong link between the metrics used and capability. Management  You can perform few management practices without metrics.
    63. 63. 63  The more sophisticated your management practices, the higher your capability. Management and Capability
    64. 64. 64 Types of Process Metrics  A quantitative measurement that can be interpreted in the context of a series of previous or equivalent measurements
    65. 65. 65 Types of Process Metrics  Activity: Number of outputs produced and their mean age.
    66. 66. 66 Types of Process Metrics Scope: Percentage of all inputs producers covered.
    67. 67. 67 Types of Process Metrics  Unavailability: Number, frequency and duration of interruptions in the normal operation of the process.
    68. 68. 68 Types of Process Metrics  Effectiveness: Number, mean time between inputs and percentage of Inputs that produce an Output.
    69. 69. 69 Types of Process Metrics  Efficiency: Ratio between the number of outputs submitted and the available resources for this process in actual use.
    70. 70. 70 Types of Process Metrics  Load: Percentage of resources reserved for the process in actual use.
    71. 71. 71 Types of Process Metrics  Quality: Measure of the fitness for purpose of the outputs.
    72. 72. 72  Description of what is measured  How is the metric measured  How often is the measurement taken  How are the thresholds calculated  Current range of values considered normal for the metric  Best possible value of the metric  Units of measurement Metrics Specification
    73. 73. 73 What are metrics good for?  Enable performing management practices.  Determine whether security objectives are met (test success);  Show how security objectives contribute to business objectives;  Measure how changes in a process improve (or not) the ISM system;  Inform decisions to fix or improve the ISM processes.  Detect significant anomalies (tell normal from abnormal, saving investigation efforts);  SLAs, Outsourcing
    74. 74. 74 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
    75. 75. 75  What you can’t measure you can’t manage.  What you can’t manage you can’t improve.  ISM3 uses PDCA per process & Metrics for continuous improvement.  The higher the capability of a process, the better opportunities for improvement arise. ISM3 - Continuous Improvement
    76. 76. 76 ISM3 Process Capability
    77. 77. 77 Security & Security Investment Security Investment Cost % People  Mayfield’s Paradox  It cost an infinite amount of money both to give everyone access to a system, and to prevent everyone access to the same system.  CMU – CERT study:  The more you spend, the less difference it makes on your security.
    78. 78. 78 Security Investment, Maturity Level & Risk N one Basic Level SM E Level eCom m erce Level Enterprise LevelM ilitary Level Security Investment Risk Risk Reduction/ Additional Security Investment ISM3 Maturity Levels (Qualitative Graphic. Risk Reduction / Extra Security Investment, scaled x40 for readability)
    79. 79. 79 ISM3 Maturity Levels  Defines one basic maturity level  Defined level is minimal set of processes without which you don’t have an ISMS  Certified capability and maturity moved to separate conformance/certification documentation  Maturity levels documented in separate documents will be market driven projects  Guidance given on historical/empirical economical process sequencing and continuous improvement
    80. 80. 80 ISM3 Maturity Levels Low Investment Medium Investment High Investment High Benefit OSP-12: User Registration SSP-4: Define TPSRSR Rules TSP-6: Define IT Managed Domains and Lifecycles GP-2: ISM System and Business Audit OSP-14: Physical Environment Protection Management OSP-7: IT Managed Domain Hardening OSP-8: Software Development Lifecycle Control OSP-19: Internal Technical Audit OSP-4: Information Systems IT Managed Domain Change Control OSP-9: Security Measures Change Control OSP-26: Enhanced Reliability and Availability Management Medium Benefit TSP-11: Security Awareness TSP-8: Personnel Security TS8P-:9 Security Personnel Training OSP-3: Inventory Management OSP-2: Security Procurement OSP-6: IT Managed Domain Clearing OSP-27: Archiving Management OSP-15: Operations Continuity Management OSP-20: Incident Emulation Low Benefit TSP-10: Disciplinary Process TSP-13: Insurance Management OSP-22: Alerts Monitoring OSP-28: External Events Detection and Analysis OSP-23: Internal Events Detection and Analysis OSP-24: Handling of Incidents and Near-incidents OSP-25: Forensics TSP-7: Background Checks TSP-14: Information Operations
    81. 81. 81 ISM3 Flexibility  ISM3 is adaptable to organizations with different missions and contexts.  ISM3 is adaptable to organizations with different resources.  Security investment is driven by business need.  Some organizations may not have a huge budget for Information Security ( 20 / 80 Rule).  Maturity levels describe different levels of sophistication of ISM systems.  Organizations can identify appropriate processes, choose a level suitable for them, and show implementation progress.
    82. 82. 82 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
    83. 83. 83 Incidents = Failure
    84. 84. 84 Incidents = Opportunity for Improvement
    85. 85. 85 (But… Don’t make the same mistake twice. & Learn from the mistakes of others)
    86. 86. 86 ISMS Success  A security target specifies the maximum number and impact of incidents that is acceptable.  An occurrence of an incident does not by itself mean that a ISM system has failed.  ISM defines success as, not whether an incident has occurred, but whether the security target related to that incident has been met.  Meeting all security targets throughout the year means that the ISM system has been successful, regardless of the incidents that occurred during that period.  Incidents and failed security targets lead to improvements in the cycle of continuous improvement of the ISMS.
    87. 87. 87 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Advantages 11. Summary
    88. 88. 88 ISM3 Responsibility Guidance  Transparency: Responsibilities and reporting channels should be clearly defined, documented and communicated.  Partitioning: All instances of ISM processes should have one and only one Process Owner.  Supervision: All ISM processes should have at least one supervisor.  Rotation: All sensitive processes should be transferred periodically to another competent process owner.  Separation: No process owner will own incompatible processes.
    89. 89. 89  Deal with broad goals, coordination and provision of resources;  Deal with the design and implementation of the ISM system, specific goals and management of resources;  Deal with achieving defined goals by means of technical processes. Strategic Practices Tactical Practices Operational Practices Levels of Responsibility – Management Levels
    90. 90. 90 Strategic Managers Tactical Managers Operational Managers Stakeholders Report Report Report Levels of Responsibility - Reporting
    91. 91. 91 Strategic Practices Tactical Practices Operational Practices Generic Practices Specific Goals Specific Goals Specific Goals Generic Goals Direct and Provide Implement and Optimize Support Levels of Responsibility
    92. 92. 92 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Overview 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
    93. 93. 93 Generic Goals  Prevent and mitigate incidents that could jeopardize the organization’s property and the output of products and services that rely on information systems;  Optimise the use of information, money, people, time and infrastructure.  The work products of an ISM system are:  Incident prevention;  Incident mitigation;  The intangible work products of an ISM system are:  Risk reduction;  Trust. Generic Goals
    94. 94. 94 Strategic Goals  Provides leadership and coordination of:  Information security;  Physical security;  Workplace security (outside scope of ISM3);  Interaction with organizational units;  Reviews and improves the information security management system;  Provides resources for information security;  Defines relationships with other organisations;  Defines Security Objectives consistent with organizational objectives, protecting stakeholders interests;  Sets the organizational scheme of delegation. Specific Goals
    95. 95. 95 Tactical Goals  Provide feedback to Strategic Management;  Define the environment for Operational Management.  Define Security Targets;  Define information classes, priorities, durability and quality groups;  Define environments and lifecycles;  Select appropriate processes to achieve the Security Targets;  Manage budget, people and other resources allocated to information security Specific Goals
    96. 96. 96 Operational Goals  Provide feedback to Tactical Management, including Incident Reports;  Identify and protect assets;  Protection and support of information systems throughout their lifecycle;  Management of the security measures lifecycle;  Apply allocated resources efficiently and effectively;  Carry out processes for incident prevention, detection and mitigation (both real time and following an incident). Specific Goals
    97. 97. 97 Generic Practices  GP-1 Knowledge Management  GP-2 ISM System Audit  GP-3 ISM Design and Evolution Generic Practices
    98. 98. 98  SSP-1 Report to Stakeholders  SSP-2 Coordination  SSP-3 Strategic vision  SSP-4 Define Division of Duties rules  SSP-6 Allocate resources for information security Strategic Practices Strategic Practices
    99. 99. 99  TSP-1 Report to strategic management  TSP-2 Manage allocated resources  TSP-3 Define Security Targets and Security Objectives  TSP-4 Service Level Management  TSP-6 Security Architecture  TSP-7 Background Checks  TSP-8 Personnel Security  TSP-9 Security Personnel Training  TSP-10 Disciplinary Process  TSP-11 Security Awareness  TSP-13 Insurance Management  TSP-14 Information Operations Tactical Practices Tactical Practices
    100. 100. 100 Operational Practices  OSP-1 Report to tactical management  OSP-2 Security Procurement  OSP-3 Inventory Management  OSP-4 Information Systems Environment Change Control  OSP-5 Environment Patching  OSP-6 Environment Clearing  OSP-7 Environment Hardening  OSP-8 Software Development Life-cycle Control  OSP-9 Security Measures Change Control  OSP-10 Backup & Redundancy Management Operational Practices
    101. 101. 101 Operational Practices  OSP-11 Access control  OSP-12 User Registration  OSP-14 Physical Environment Protection Management –  OSP-15 Operations Continuity Management  OSP-16 Segmentation and Filtering Management  OSP-17 Malware Protection Management  OSP-19 Internal Technical Audit  OSP-20 Incident Emulation  OSP-21 Information Quality Probing  OSP-26 Enhanced Reliability and Availability Management Operational Practices
    102. 102. 102 Operational Practices  OSP-22 Alerts Monitoring  OSP-28 External Events Detection and Analysis  OSP-23 Internal Events Detection and Analysis  OSP-24 Handling of incidents and near- incidents  OSP-25 Forensics  OSP-27 Archiving Management  OSP-21 Information Quality and Compliance Probing Operational Practices
    103. 103. 103 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Overview 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
    104. 104. 104 Summary 1. Business Focused 2. Process Orientation 3. Manageable (with Metrics) 4. Compatible (ITIL, ISO27001, ISO9001) 5. Adaptable 6. Flexible
    105. 105. 105 Information Security that makes Business Sense inovement.es/oism3 Web www.inovement.es Video Blog youtube.com/user/vaceituno Blog ism3.com Twitter twitter.com/vaceituno Presentations slideshare.net/vaceituno/presentations Articles slideshare.net/vaceituno/documents
    106. 106. 106

    ×