First Improvised Security Testing Conference
Madrid 18/7/2003

Security Maturity Model

© Vicente Aceituno

“You are only as strong as your weakest link”

© Vicente Aceituno, smmodel@yahoogroups.com
In 1995, Nick Leeson traded derivatives, driving Barings Bank into bankruptcy.

Information systems were not at fault.
…an Organization is much more than information systems…

    Infrastructure
    Information Systems
    People
    Trademark & Prestige
    Financial Assets
    Know-How
Are we sure auditing an information system will make an Organization safer in the long run?

How about…
    Organization issues.
    Security Targets (Policy) issues.
    Security Investment Performance issues.

A perfectly configured and patched system won’t stay that way for long in an Insecure Organization!
OK. How can we know how secure an Organization is and how to make it safer?
Introducing the Security Maturity Model

SMM describes the maturity of an organization depending on:
    Assignment and supervision of responsibilities.
    Security organization.
    Security practices.
        Policies:
            Expectation-driven targets.
            Distributed Policy Enforcement Responsibility.
        Access Control management.
        Independent audits.
        Quantitative data gathering.
        Etc…
    Security investment management.
SMM Level 1 - Initial

Security is not acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or individual efforts. The presence of incidents invariably leads to the maximum impact that could be expected.
SMM Level 2 - Acknowledged

Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or some organizational efforts. The presence of incidents doesn’t always lead to the maximum impact that could be expected.
    Expectations, incidents, and assets are sometimes evaluated.
    Security measures are taken until the budget is exhausted.

The results of the organizational efforts fade with time.

From here on “Evaluation” means: Identify, Classify, Prioritize, Value
SMM Level 3 - Defined

Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or continuous organizational efforts. The presence of incidents normally doesn’t lead to the maximum impact that could be expected.
    Expectations, incidents and assets are sometimes evaluated.
    Security measures are taken until the budget is exhausted.
    Organizational security responsibilities are defined.
    A Security Policy exists.
    Assets are accessed using sessions.
    Security measures are audited.

The results of the organizational efforts are permanent.
SMM Level 4 - Managed

Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents virtually never leads to the maximum impact that could be expected.
    Expectations, incidents and assets are evaluated.
    The best security measures are taken considering the budget.
    Organizational security responsibilities are defined.
    A Security Norms Framework exists and is applied.
    Assets are accessed using sessions only.
    Security measures are audited.
    Responsibilities are partitioned and supervised.
    A “Continuity of Operations Plan” exists. This plan considers the organization’s current status, and is properly implemented.

The results of the organizational efforts are permanent.
SMM Level 5 - Optimum

Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents doesn’t lead to the maximum impact that could be expected.
    Expectations, incidents and assets are evaluated quantitatively.
    The best security measures are taken considering the budget. It can be determined if the budget is consistent with the targets defined by the Security Norms Framework.
    Organizational security responsibilities are defined.
    A Security Norms Framework exists and is applied.
    Assets are accessed using sessions only.
    Security measures are audited.
    Responsibilities are partitioned and supervised.
    A “Continuity of Operations Plan” exists. This plan considers the organization’s evolution and is properly implemented.
    Quantitative information is collected about incidents or close calls.
    Security measures are selected using objective criteria.

The results of the organizational efforts are permanent.
SMM – Security Norms Framework

Security Policies as a single document are not flexible enough in a big organization and quickly become worthless.
    An effective Security Policy describes the high-level principles that describe the targets (why) and the strategies (what) to reach them.
    The Security Norms develop the strategies, describing the scope (where and when) of the security practices.
    The Security Standards develop the norms with specifications per domain that can be checked.
    Security Procedures develop standards and norms and give a step-by-step description of the who and how of the practice. The Operations Continuity Plan is a procedure that specifies how to act when a catastrophe happens.
    The Fair Use norm informs users about their obligations when using the organization’s systems.
    The Third Party Agreements define mutual security commitments at the organization’s borders with others.
SMM – Sublevels

Depending on the degree of integration of the existing practices, such as:
    Theorized: The practice is identified as compulsory in the Security Norms Framework, but the scope norms, standards and procedures don’t exist.
    Procedured: There are norms, standards & procedures for this practice.
    Implemented: The norms of the practice are actually used.
    Verified: The results of the procedures used are audited periodically.
    Integrated: Circumvention of the norms of the practice is insignificant.

…an organization may occupy any sublevel within a given level.
SMM – Summary

Using SMM you can:
    Determine what your organization’s maturity is.
    Set a maturity target.
    Plan for maturity enhancement.

Benefits:
    Every partial result of achieving the higher SMM Levels won’t depend any longer on external contractors. Ever.
    Improve customers’ and stockholders’ trust in the organization.
    Maximize turnover of Security Investment.
    Avoid non-technical security risks, setting an environment where there are no weak links.
This presentation is just an overview. The SMM is being further developed at the smmodel Group:
smmodel@yahoogroups.com
groups.yahoo.com/group/smmodel

© Vicente Aceituno
18 July 2003
Open Content Licensed
www.opencontent.org/opl.shtml

Secure your environment with UiPath and CyberArk technologies - Session 1
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 

Security Maturity Model

  • 1. First Improvised Security Testing Conference, Madrid, 18/7/2003. Security Maturity Model. © Vicente Aceituno
  • 2. “You are only as strong as your weakest link” © Vicente Aceituno, smmodel@yahoogroups.com
  • 3. In 1995, Nick Leeson traded derivatives and bankrupted Barings Bank. Information systems were not at fault.
  • 4. …an Organization is much more than information systems… Infrastructure, Information Systems, People, Trademark & Prestige, Financial Assets, Know-How.
  • 5. Are we sure auditing an information system will make an Organization safer in the long run? How about… Organization issues. Security Targets (Policy) issues. Security Investment Performance issues. A perfectly configured and patched system won’t stay that way for long in an Insecure Organization!
  • 6. OK. How can we know how secure an Organization is and how to make it safer?
  • 7. Introducing the Security Maturity Model. SMM describes the maturity of an organization depending on:
    • Assignment and supervision of responsibilities.
    • Security organization.
    • Security practices.
    • Policies: expectation-driven targets.
    • Distributed Policy Enforcement Responsibility.
    • Access Control management.
    • Independent audits.
    • Quantitative data gathering.
    • Etc…
    • Security investment management.
  • 8. SMM Level 1 - Initial
    • Security is not acknowledged as a desirable property of the organization.
    • The absence of incidents is the result of luck or individual efforts.
    • The presence of incidents invariably leads to the maximum impact that could be expected.
  • 9. SMM Level 2 - Acknowledged
    • Security is acknowledged as a desirable property of the organization.
    • The absence of incidents is the result of luck or some organizational efforts.
    • The presence of incidents doesn’t always lead to the maximum impact that could be expected.
    • Expectations, incidents and assets are sometimes evaluated.
    • Security measures are taken until the budget is exhausted.
    • The results of the organizational efforts fade with time.
    • From here on, “Evaluation” means: Identify, Classify, Prioritize, Value.
  • 10. SMM Level 3 - Defined
    • Security is acknowledged as a desirable property of the organization.
    • The absence of incidents is the result of luck or continuous organizational efforts.
    • The presence of incidents normally doesn’t lead to the maximum impact that could be expected.
    • Expectations, incidents and assets are sometimes evaluated.
    • Security measures are taken until the budget is exhausted.
    • Organizational security responsibilities are defined.
    • A Security Policy exists.
    • Assets are accessed using sessions.
    • Security measures are audited.
    • The results of the organizational efforts are permanent.
  • 11. SMM Level 4 - Managed
    • Security is acknowledged as a desirable property of the organization.
    • The absence of incidents is the result of continuous organizational efforts.
    • The presence of incidents virtually never leads to the maximum impact that could be expected.
    • Expectations, incidents and assets are evaluated.
    • The best security measures are taken considering the budget.
    • Organizational security responsibilities are defined.
    • A Security Norms Framework exists and is applied.
    • Assets are accessed using sessions only.
    • Security measures are audited.
    • Responsibilities are partitioned and supervised.
    • A “Continuity of Operations Plan” exists. This plan considers the organization’s current status and is properly implemented.
    • The results of the organizational efforts are permanent.
  • 12. SMM Level 5 - Optimum
    • Security is acknowledged as a desirable property of the organization.
    • The absence of incidents is the result of continuous organizational efforts.
    • The presence of incidents doesn’t lead to the maximum impact that could be expected.
    • Expectations, incidents and assets are evaluated quantitatively.
    • The best security measures are taken considering the budget.
    • It can be determined whether the budget is consistent with the targets defined by the Security Norms Framework.
    • Organizational security responsibilities are defined.
    • A Security Norms Framework exists and is applied.
    • Assets are accessed using sessions only.
    • Security measures are audited.
    • Responsibilities are partitioned and supervised.
    • A “Continuity of Operations Plan” exists. This plan considers the organization’s evolution and is properly implemented.
    • Quantitative information is collected about incidents and close calls.
    • Security measures are selected using objective criteria.
    • The results of the organizational efforts are permanent.
  • 13. SMM – Security Norms Framework
    • Security Policies written as a single document are not flexible enough in a big organization and quickly become worthless.
    • An effective Security Policy describes the high-level principles that state the targets (why) and the strategies (what) to reach them.
    • The Security Norms develop the strategies, describing the scope (where and when) of the security practices.
    • The Security Standards develop the norms with specifications per domain that can be checked.
    • The Security Procedures develop standards and norms and give a step-by-step description of the who and how of the practice.
    • The Operations Continuity Plan is a procedure that specifies how to act when a catastrophe happens.
    • The Fair Use norm informs users about their obligations when using the organization’s systems.
    • The Third Party Agreements define mutual security commitments at the organization’s borders with others.
  • 14. SMM – Sublevels. Depending on the degree of integration of the existing practices:
    • Theorized: The practice is identified as compulsory in the Security Norms Framework, but the scope norms, standards and procedures don’t exist.
    • Procedured: There are norms, standards and procedures for this practice.
    • Implemented: The norms of the practice are actually used.
    • Verified: The results of the procedures used are audited periodically.
    • Integrated: Circumvention of the norms of the practice is insignificant.
    …an organization may occupy any sublevel within a given level.
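The level criteria of slides 8 to 12 are cumulative and the sublevels of slide 14 are ordered, so an assessment can be computed mechanically. The following is an added example, not code from the presentation or the smmodel group; the criterion strings are this example's own labels paraphrasing the slides, not SMM identifiers, and the organization's sublevel is taken to be that of its least integrated practice (the "weakest link" of slide 2).

```python
"""SMM assessment helper (added example, not from the slides).

Level criteria paraphrase the distinguishing statements of slides 8-12 and
are cumulative: reaching Level n requires everything Levels 2..n list.
Sublevels (slide 14) are ordered from least to most integrated. The
criterion strings are this example's own labels, not SMM identifiers."""
from typing import Dict, Iterable, List

LEVEL_CRITERIA: Dict[int, set] = {
    2: {"security acknowledged", "assets sometimes evaluated"},
    3: {"responsibilities defined", "security policy exists",
        "session-based access", "measures audited"},
    4: {"norms framework applied", "responsibilities supervised",
        "continuity plan implemented"},
    5: {"quantitative evaluation", "incident data collected",
        "objective measure selection", "budget checked against targets"},
}

SUBLEVELS: List[str] = ["Theorized", "Procedured", "Implemented",
                        "Verified", "Integrated"]


def required_for(level: int) -> set:
    """All criteria an organization must meet to sit at `level` (cumulative)."""
    return set().union(*(c for lvl, c in LEVEL_CRITERIA.items() if lvl <= level))


def maturity_level(observed: Iterable[str]) -> int:
    """Highest level whose cumulative criteria are all observed; 1 (Initial)
    when even Level 2's are not. A single missing Level 3 item keeps the
    organization at Level 2, however many Level 4 practices it runs."""
    have = set(observed)
    level = 1
    for lvl in sorted(LEVEL_CRITERIA):
        if required_for(lvl) <= have:
            level = lvl
        else:
            break
    return level


def gap_to_target(observed: Iterable[str], target: int) -> List[str]:
    """Criteria still missing to reach `target` (slide 15: plan enhancement)."""
    return sorted(required_for(target) - set(observed))


def weakest_sublevel(practices: Dict[str, str]) -> str:
    """Sublevel of the whole organization = its least integrated practice."""
    return min(practices.values(), key=SUBLEVELS.index)
```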
  • 15. SMM – Summary. Using SMM you can:
    • Determine your organization’s maturity.
    • Set a maturity target.
    • Plan for maturity enhancement.
    Benefits:
    • Every partial result of achieving the higher SMM Levels won’t depend any longer on external contractors. Ever.
    • Improve customers’ and stockholders’ trust in the organization.
    • Maximize the return on Security Investment.
    • Avoid non-technical security risks, setting an environment where there are no weak links.
  • 16. This presentation is just an overview. The SMM is being further developed at the smmodel Group: smmodel@yahoogroups.com, groups.yahoo.com/group/smmodel. © Vicente Aceituno, 18 July 2003. Open Content Licensed: www.opencontent.org/opl.shtml. SMM