Mapping SABSA and O-ISM3


A White Paper by:
Vicente Aceituno, Inovement Spain
Michael Legary, Seccuris Inc
November, 2013

Copyright © 2013, Inovement Spain and Seccuris Inc
STATUS: DRAFT
Please address comments to:
Executive Summary

The Open Group Information Security Management Maturity Model (O-ISM3), an Open Group Standard, ensures that the security control processes deployed in an enterprise's Information Security Management System (ISMS) operate at a level consistent with the security goals of the business. It achieves this by defining security processes and measuring how effectively each performs, to inform business decision-making on targeting ISMS investment.

The Sherwood Applied Business Security Architecture (SABSA) is a well-defined, supported and implemented standard for enterprise security architectures today, in use globally in a diverse range of enterprises.

This DRAFT paper presents a tentative mapping between the two standards in order to help practitioners of both collaborate more effectively.

DRAFT White Paper
Mapping Terminologies

This paper expects that the reader of the mappings defined in the following sections has sufficient familiarity with both the O-ISM3 processes and the SABSA Blue Book to be able to look them up in their respective reference publications.

The conceptual background and principles underlying SABSA and O-ISM3 are aligned. As there is no overlap between the two standards, they are complementary. The main barrier to the effective use of both standards lies in their differing terminology for the same concepts: several constructs are called by different names in the two standards.

The following quotation from the introductory chapter of the O-ISM3 standard illustrates the philosophical alignment between SABSA and O-ISM3:

"O-ISM3 defines information security management maturity in terms of the operation of an appropriate complementary set of O-ISM3 information security processes. It defines capability in terms of the metrics and management practices used, and it requires the linking of security objectives and targets to business objectives. Market-driven maturity levels help organizations choose the scale of ISMS most appropriate to their needs. The maturity spectrum facilitates the trade-off of cost, risk, and usability and enables incremental improvement, benchmarking, and long-term targets."

For example, SABSA Security Domains and O-ISM3 IT Managed Domains are equivalent. The subtle difference is that SABSA security domains fall under a single security policy, while in O-ISM3, domains fall under a single manager. The underlying common requirement that this concept delivers is the need to apply a level of protection suited to the different business needs within an organization, instead of the inefficient approach of trying to protect all information systems to the most stringent business requirements for security.
Leveraging Complementary Features

O-ISM3 practitioners can use SABSA to enhance ISMS development activities. SABSA strategy and planning activities allow for strong definition of business-level requirements for information security, through the development of several deliverables at the business context and conceptual layers. Specifically, SABSA's concept of business attributes, which quantify business objectives into security performance requirements and service levels, provides clear design inputs for O-ISM3-based ISMS development, and creates a method of communicating ISMS performance in business terms over the lifecycle of the program.

Other significant complementary features include:

- O-ISM3 processes implement a Measure+Service with Quality+Contract framework for SABSA practitioners. This is an important benefit, as SABSA does not describe any particular framework implementation.
- O-ISM3 operational processes cover the SABSA Manage & Measure phase.
- O-ISM3 provides SABSA with guidance on the design and development of the logical security service suites required for security performance.
- O-ISM3 identifies security service interdependencies and defines common logical service definitions, expediting design, providing guidance on implementation validation and recommendations on management and measurement activities.
- SABSA controls are not similar to the ISO 27001 understanding of controls. Rather, they are akin to O-ISM3 processes. A SABSA control can be at any layer of abstraction; it is something that contributes to the achievement of a goal at that layer.
- SABSA's measurement process feedback loop matches actual O-ISM3 implementation practices.
Mapping Continuous Improvement Cycle

The SABSA lifecycle (Strategy & Planning, Design, Implement, Manage & Measure) requires metrics and targets to be aligned to the attributes (serve the attributes), allowing the owner, trustees and custodians to:

- manage performance of the attribute within acceptable risk tolerance,
- detect when performance is beyond the acceptable risk threshold (i.e. invoke incident response), and
- allow for risk adjustment based on the owner's view of the world (i.e. manage the system performance in a dynamic environment).
Mapping O-ISM3 with SABSA Services

A SABSA service is a functional solution that fulfills a business need for security. A SABSA attribute is for the most part equivalent to an O-ISM3 security objective. SABSA services are ideally implemented using a SOA architecture.

Example of mapping of attributes:

SABSA Attributes | O-ISM3 Security Objectives
Error-Free | Precision of customer addresses.
Legal | Third-party services and repositories appropriately licensed.
Providing Good Stewardship and Custody | Personal information collected proportional to its use.
Accurate | Personal information held for no longer than required.
Timely | Tax records kept for a minimum number of years.
Compliant | Personal information is protected using the mandated security measures.
Enforceable | Owner of personal information agrees for it to be collected, and has the right to check it, fix it and approve how it will be used.
Compliant | Repositories with personal information registered with the Data Protection agency.
Available | Availability: The period of time when a service, repository, interface, or channel must exist, be accessible, and be usable (perform according to customer needs) upon demand, according to or exceeding customer needs.
Reliable | Reliability: The longest time and number of times in the availability (performance) time a service, repository, interface, or channel can be interrupted, according to or exceeding customer needs.
Recoverable | Volatility: The oldest recent messages and information that can be lost because of an interruption of service, channel, or interface, according to or exceeding customer needs.
Timely | Retention Period: The minimum length of time a repository is kept (preserved), according to or exceeding customer and regulatory requirements.
Accurate | Expiry: The date the expired or end-of-lifecycle repositories and records should be permanently and reliably destroyed, according to or exceeding customer and regulatory requirements. Those with personal information of customers and employees often require a specific expiry date.
Consistent | Completeness: The extent to which a repository is populated (available and consistent) with the information required to meet or exceed customer needs. The lower limit is usually set by business or customer needs, and the upper limit by regulatory needs.
Providing Good Stewardship and Custody | Personal information completeness must be proportional to its use.
Enforceable | The owner of personal information must agree for it to be collected and has the right to check it, fix it, and approve how it will be used or ceded.
Compliant | The owner of personal information will be given notice when personal data is collected, including who is collecting the data.
Providing Good Stewardship and Custody | Personal information must be used for the purpose agreed with the information owner.
Providing Good Stewardship and Custody | Personal information must not be disclosed without the agreement of the information subject.
Enforceable | Personal information owners will have means to make data collectors accountable for their use of personal information.
Access-controlled | Granting the use of services and interfaces and access to repositories to authorized users.
Access-controlled | Denying the use of services and interfaces and access to repositories to unauthorized users.
Accountable | Express the will and intent about a repository of the owner of a user account or certificate.
Auditable | Accurate recording of: interface ID and location; user account or certificate ID; signature; type of access attempt; date and time of access attempt; access attempt result; repository, interface, service, or message accessed.
Access-controlled | Personal information is accessible to authorized users only and is held for no longer than required.
Access-controlled | Secrets are accessible to authorized users only.
Legal | Third-party services and repositories are appropriately licensed and accessible only to authorized users.
Access-controlled | Information systems are physically accessible only to authorized users.
Access-controlled | Repositories are accessed by authorized users only.
Supported | Systems are as free of weaknesses as possible.
Protected | Systems that need to be visible to untrusted systems are the least visible possible.
Supported | Systems run trusted services only.
Protected | The electricity, temperature, and humidity where systems operate exceed the system needs.

O-ISM3 processes support the complete delivery of the required security services, and highlight interdependencies and required minimum service linkages between SABSA security services. Therefore O-ISM3 can be used as a tool to implement SABSA's "security service management strategy".
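The following is an added example in Python; it is not code from the white paper, from The Open Group or from the SABSA Institute. It measures the Availability, Reliability and Volatility objectives defined in the attribute table above from interruption records, checks the Retention Period and Expiry objectives for a single record, and reports which attribute targets are missed, which is the "performance beyond the acceptable risk threshold" signal that the continuous improvement cycle section describes as the trigger for incident response. Every measurement window, interruption and record date is constructed, and the targets are assumed values chosen for illustration, not figures from either standard.

```python
"""Added example, not part of the paper: measuring O-ISM3-style security
objectives (Availability, Reliability, Volatility, Retention Period, Expiry)
from interruption and record-lifecycle data and comparing them with
SABSA-style attribute targets.  Every record, window and threshold here is
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Interruption:
    start: datetime
    end: datetime
    data_loss: timedelta  # age of the most recent data lost when service resumed


@dataclass(frozen=True)
class Targets:
    min_availability: float        # Available: fraction of the window the service must be usable
    max_interruption: timedelta    # Reliable: longest tolerable single interruption
    max_interruptions: int         # Reliable: number of interruptions tolerated in the window
    max_data_loss: timedelta       # Recoverable: most recent data that may be lost


def measure(window_start: datetime, window_end: datetime,
            interruptions: List[Interruption]) -> Dict[str, object]:
    """Compute the O-ISM3 metrics over one measurement window."""
    window = window_end - window_start
    downtime = sum((i.end - i.start for i in interruptions), timedelta())
    return {
        "availability": 1.0 - downtime / window,
        "longest_interruption": max((i.end - i.start for i in interruptions), default=timedelta()),
        "interruption_count": len(interruptions),
        "worst_data_loss": max((i.data_loss for i in interruptions), default=timedelta()),
    }


def evaluate(measured: Dict[str, object], targets: Targets) -> List[str]:
    """Return the objectives whose target was missed (empty when all are met).
    A non-empty result is the 'beyond the acceptable risk threshold' signal
    that, in the SABSA lifecycle, invokes incident response."""
    breaches = []
    if measured["availability"] < targets.min_availability:
        breaches.append("availability")
    if (measured["longest_interruption"] > targets.max_interruption
            or measured["interruption_count"] > targets.max_interruptions):
        breaches.append("reliability")
    if measured["worst_data_loss"] > targets.max_data_loss:
        breaches.append("volatility")
    return breaches


def check_record_lifecycle(created: datetime, destroyed: datetime,
                           min_retention: timedelta, expiry: timedelta) -> List[str]:
    """Retention Period and Expiry objectives for one repository or record:
    it must be kept at least min_retention and destroyed no later than
    expiry after its creation."""
    kept_for = destroyed - created
    breaches = []
    if kept_for < min_retention:
        breaches.append("retention_period")
    if kept_for > expiry:
        breaches.append("expiry")
    return breaches


# Constructed sample: one month of operation with two interruptions.
WINDOW_START = datetime(2013, 11, 1)
WINDOW_END = datetime(2013, 12, 1)
INTERRUPTIONS = [
    Interruption(datetime(2013, 11, 5, 2, 0), datetime(2013, 11, 5, 2, 30), timedelta(minutes=5)),
    Interruption(datetime(2013, 11, 18, 14, 0), datetime(2013, 11, 18, 17, 0), timedelta(minutes=20)),
]
# Assumed targets, as a trustee might derive them from the business attributes.
TARGETS = Targets(min_availability=0.995, max_interruption=timedelta(hours=2),
                  max_interruptions=3, max_data_loss=timedelta(minutes=15))


def run_sample() -> Dict[str, object]:
    """Run the constructed sample through both checks."""
    measured = measure(WINDOW_START, WINDOW_END, INTERRUPTIONS)
    seven_years, ten_years = timedelta(days=7 * 365), timedelta(days=10 * 365)
    return {
        "measured": measured,
        "breaches": evaluate(measured, TARGETS),
        # a constructed tax record created 2005-01-01 and destroyed 2013-06-01,
        # under a 7-year minimum retention and a 10-year expiry
        "record_ok": check_record_lifecycle(datetime(2005, 1, 1), datetime(2013, 6, 1),
                                            seven_years, ten_years),
        # the same record destroyed early, on 2009-01-01
        "record_early": check_record_lifecycle(datetime(2005, 1, 1), datetime(2009, 1, 1),
                                               seven_years, ten_years),
    }


if __name__ == "__main__":
    result = run_sample()
    for name, value in result["measured"].items():
        print(f"{name}: {value}")
    print("breached objectives:", result["breaches"])
    print("record kept 2005-2013:", result["record_ok"])
    print("record destroyed 2009:", result["record_early"])
```

With the constructed data the service is available for 99.51% of November, which meets the assumed 99.5% target, but the three-hour interruption exceeds the two-hour reliability target and the 20-minute data loss exceeds the 15-minute volatility target, so `evaluate` reports `reliability` and `volatility`; the record kept eight and a half years satisfies both the seven-year retention and the ten-year expiry, while the one destroyed after four years breaches the retention period.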
Mapping O-ISM3 with SABSA Operational Security Architecture

The SABSA Operational Security Architecture matrix can be readily mapped to the matching O-ISM3 components that satisfy every item.

Contextual Layer: Mapping

SABSA Contextual | O-ISM3
Assets (What): Business Requirements Collection; Information Classification | Security Requirements; Security Objectives; Security Targets
Motivation (Why): Business Risk Assessment; Corporate Policy Making | GP-3: ISM Design and Evolution
Process (How): Business Driven Information Security Management Programme | No match
Location (Where): Business Security Organization Management | No match
Time (When): Business Calendar and Timetable Management | No match

SABSA | O-ISM3
Service Management | TSP-4: Service Level Management
relationships management | SSP-2: Coordination
point-of-supply management | OSP-2: Security Procurement
performance management | TSP-1: Report to Strategic Management
Conceptual Layer: Mapping

SABSA Conceptual | O-ISM3
Assets (What): Business Continuity Management | OSP-15: Operations Continuity Management
Motivation (Why): Security Audit & Assurance Levels; Measurement, Metrics & Benchmarking | GP-2: ISMS and Business Audit; TSP-4: Service Level Management
Process (How): Incident Response; Disaster Recovery; Change Control Programme | OSP-4: Information Systems IT Managed Domain Change Control
Location (Where): Security Training | TSP-9: Security Personnel Training
Time (When): Security Operation Schedule Management | TSP-4: Service Level Management

SABSA | O-ISM3
Developing the Business Attributes Profile | TSP-3: Define Security Targets and Security Objectives
developing operational risk management objectives through risk assessment | TSP-3: Define Security Targets and Security Objectives; SSP-4: Define Division of Duties Rules
Logical Layer: Mapping

SABSA Logical | O-ISM3
Assets (What): Information Security; System Integrity | OSP-5: IT Managed Domain Patching; OSP-6: IT Managed Domain Clearing; OSP-7: IT Managed Domain Hardening; OSP-17: Malware Protection Management
Motivation (Why): Detailed Security Policy Making; Policy Compliance; Monitoring Intelligence Gathering | OSP-11: Access Control
Process (How): Intrusion Detection; Event Monitoring; Process Development; Security Service Management; System Development Controls; Configuration Management | OSP-8: Software Development Lifecycle Control; OSP-19: Internal Technical Audit
Location (Where): Application Security Administration & Management | No match
Time (When): Managing Application Deadlines & Cutoff | TSP-14: Information Operations

SABSA | O-ISM3
Asset management | OSP-3: Inventory Management
policy management | GP-3: ISM Design and Evolution
Physical Layer: Mapping

SABSA Physical | O-ISM3
Assets (What): Database Security; Software Integrity | OSP-8: Software Development Lifecycle Control; OSP-19: Internal Technical Audit
Motivation (Why): Vulnerability Assessment; Penetration Testing; Threat Assessment | OSP-23: Internal Events Detection and Analysis; OSP-28: External Events Detection and Analysis; OSP-19: Internal Technical Audit
Process (How): Rule Definition; Key Management; ACL Maintenance; Backup Admin; Computer Forensics; Event Log Admin; Antivirus Admin | TSP-4: Service Level Management
Location (Where): Network Security Management; Site Security Management | OSP-16: Segmentation and Filtering Management
Time (When): User Account Aging; Password Aging; Crypto Key Aging; Administering Time Windows for Access Control | OSP-12: User Registration

SABSA | O-ISM3
Asset security and protection | The whole O-ISM3 operational level
operational risk data collection, operations management | The whole O-ISM3 tactical level
Component Layer: Mapping

SABSA Component | O-ISM3
Assets (What): Product & Tools Security & Integrity | No match
Motivation (Why): CERT Notifications; Research on Threats & Vulnerabilities | OSP-22: Alerts Monitoring
Process (How): Product Procurement; Project Management; Operations Management | No match
Location (Where): Platform, Workstation and Equipment Security Management | OSP-5: IT Managed Domain Patching; OSP-6: IT Managed Domain Clearing; OSP-7: IT Managed Domain Hardening; OSP-17: Malware Protection Management
Time (When): Time-out Configuration; Detailed Operation Sequence | No match

SABSA | O-ISM3
personnel deployment | Personnel Security
security management tools and service monitoring | OSP-9: Security Measures Change Control
Mapping Maturity Levels

The SABSA Risk Management Maturity Model coordinates risk management information from all parts of the business and demonstrates due diligence to senior management, auditors and regulators. It is based on the Capability Maturity Model (CMM).

The O-ISM3 definition of capability is objective: the more metrics are in use, the better the continuous improvement management action that can be taken. Therefore, the more metrics involved, the higher the capability. As SABSA does not follow this approach, a mapping between the two is somewhat misleading, even though there are five levels with similar names.

SABSA | O-ISM3
Unreliable | Undefined
Informal | Defined
Defined | Managed
Monitored | Controlled
Optimized | Optimized

From either a SABSA or an O-ISM3 viewpoint, a particular business may decide to implement a selection of O-ISM3 processes. Similarly, a given organization may decide to implement selected O-ISM3 maturity levels.
Roles Mapping

In SABSA, trustees define KPIs and KRIs. In O-ISM3, this is a task of the TSP-4 process owner, and the task may be delegated to other process owners.

SABSA | O-ISM3
Owner | Client
Trustee | Tactical process owner
Custodian | Operational process owner

Management Levels Mapping

O-ISM3 uses four management levels:

- generic,
- strategic,
- tactical,
- operational,

whereas SABSA uses two:

- strategy & planning,
- manage+measure+implement+design.

SABSA | O-ISM3
Implement + Design | Generic
Strategy + Planning | Strategic
Manage and Measure | Tactical
NA | Operational

SABSA | O-ISM3
Implement + Design |
Strategy + Planning | business goals; business objectives
Manage and Measure | security objectives
SABSA | O-ISM3
business drivers | business goals
business attributes | business objectives
ICT attributes | security objectives

Mapping Metrics

SABSA security targets are the specific Key Risk Indicators (KRIs) for a Key Performance Indicator (KPI) related to the performance of a specific Attribute.

SABSA | O-ISM3
KRIs | security targets