Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

O-ISM3 v2.0 Executive Summary


Published on

O-ISM3 is a Standard method published by The Open Group. It is the only Standard that introduces the use of short cycle continuous improvement in information security.

Published in: Internet
  • Be the first to comment

O-ISM3 v2.0 Executive Summary

  1. 1. O-ISM3 v2.0 Executive Summary Open Information Security Management Maturity Model Vicente Canal @vaceituno (c) 2017
  2. 2. Vicente A. Canal - Skype: vaceituno Blog - Linkedin - Video Blog - Twitter - Presentations - Articles -
  3. 3. What is the Open Information Security Management Maturity Model v2.0?  O-ISM3 is a Standard method published by The Open Group that is Compatible with the most popular information security Standards.  O-ISM3 is the only Standard that introduces the use of short cycle continuous improvement in information security.
  4. 4. A method is the complete definition of how to make repeatable a complex activity Method
  5. 5. O-ISM3 is an Information Security Management Method
  6. 6.  The Open Group is a leader in the development of open, vendor-neutral IT standards and certifications:  Oversees leading enterprise architecture standard: TOGAF™ and risk management FAIR™  Certification of products and professionals: ITAC, UNIX, etc.  O-ISM3 is an information security management maturity standard published by The Open Group. Standard
  7. 7. + O-ISM3 O-ISM3 is Compatible + O-ISM3 + O-ISM3
  8. 8. With O-ISM3 you can have compliance and continuous improvement Compliance  Most best practices are published a standards for compliance.  Improvement comes through better compliance between audits or between updates of the standard.  Incidents are seen only as a failure…  But the use of resources might be higher that necessary. Continuous Improvement  You can still use best practices from compliance standards.  Improvement comes through improving value or saving resources, triggered by collection of metrics.  Incidents are seen as an opportunity for improvement…  But it requires a high level of maturity, including the use of metrics.
  9. 9. O-ISM3 Continuous improvement Achieving higher value with the same resources Achieving the same value with fewer resources
  10. 10. O-ISM3 Continuous improvement Producing Better Results Contribute to Business Needs Tuning Priorities Better Use of Resources
  11. 11. O-ISM3 ToolBox for Continuous Improvement Metrics Security Objectives Analysis Processes Knowledge Management
  12. 12. Continuous Improvement Benefits  Effortless definition of SLA’s.  Feedback on Management decisions  Classification of systems according to Business Criteria.  Better Communication.  Efficient allocation of resources.  Better distribution of responsibilities.  Uniform results regardless of who performs a task.  No vendor lock-in.
  13. 13. O-ISM3 Maturity? Maturity measures how able is the organization at continuous improvement
  14. 14. O-ISM3 Example: Security of the Application Lifecycle (SDLA)
  15. 15. Bankia 4th Biggest bank in Spain with 12 million customers Took the decision to implement O-ISM3 for application security testing in late 2008 The Application Security team achieved an Optimized maturity level in 6 months
  16. 16. Return Of Investment and Maturity ROI Maturity Penetration Testing White Box P.T. Lifecycle Integration Secure Design Continuous Improvement
  17. 17. • Before O-ISM3:  Motivation: Find any existing vulnerabilities and report them.  Goal: Test all the new applications before going into production.  Activity: Perform pentest of new systems and applications and some on demand ones.  Policy: Test well known applications every so often.  Success criterion: None.  Continuous improvement: Perform more Pentests.  No metrics  Deliverables:  Initial Report  Agreement on what had to be fixed  Final Report SDLC Security
  18. 18.  After O-ISM3 implementation:  Motivation: Making systems and applications safer.  Goal: Test the most important applications & systems periodically, and all the new applications & systems.  Activity: Perform planned pentest of new systems and applications. Follow-up if the vulnerabilities found are fixed.  Policy: Applications and systems are classified, and tested with different periodicity depending on their importance.  Success criterion: Perform all planned tests, Perform new tests timely, getting vulnerabilities found fixed.  Continuous improvement: Revise the applications & systems classification periodically SDLC Security
  19. 19. Higher Maturity Results 0 50 100 150 200 250 2008 2009 2010 2011 2012 Weaknesses Fixed Euros / Weakness Fixed Weaknesses / Application Security Test Note:Qualitative changes in comparison with 2008 are represented
  20. 20. Higher Maturity Results 0 50 100 150 200 250 300 350 400 2008 2009 2010 2011 2012 Application Security Tests Euros / Application Security Test Application Security Test Workload Note:Qualitative changes in comparison with 2008 are represented
  21. 21. Other O-ISM3 example: Malware Protection Management
  22. 22. Malware Protection Management  Before O-ISM3  Motivation: Clean viruses or your business will sink.  Objective: No system should get a virus ever  Activity: Install antivirus on personal computers, servers, mail servers, add antivirus functionality to firewalls, add antispyware, antitrojan, antirookit to the mix.  Policy: Prevent any USB, DVD, to touch any company system without being searched for viruses.  Success criterion: When no system gets ever a virus.  Continuous improvement: Add more antimalware controls (Tripwire, CORE, etc)
  23. 23.  After O-ISM3  Motivation: Unfortunately systems, specially Windows and malware prone. We should invest proportionally to the damage they can make.  Goal: Systems should accomplish their business role with or without malware.  Activity: Install antimalware in vulnerable systems. Measure activity, scope, update and availability of antimalware. Consider other measures, like using less malware prone systems.  Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.  Success criterion: When protected system play their business role without interruption or degradation.  Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectively and ROI. Malware Protection Management
  24. 24. Highlights  O-ISM3 is the only Standard that introduces the use of short cycle continuous improvement in information security. • Achieving high levels of maturity (working smart, not hard) can be hard if you don’t know how. O-ISM3 can help. • You can save time and money, improve your security and avoid vendor lock-in using O-ISM3 v2.0 • Get O-ISM3 v2.0 free (with registration) at • Learn more at: