Security Maturity Model
Conferencias FIST
1. Security Maturity Model
First Improvised Security Testing Conference, Madrid, 18/7/2003
© Vicente Aceituno
2. "You are only as strong as your weakest link"
© Vicente Aceituno, smmodel@yahoogroups.com
3. In 1995, Nick Leeson traded derivatives that drove Barings Bank into bankruptcy. Information systems were not at fault.
4. ...an Organization is much more than information systems...
- Information
- Infrastructure
- Systems
- People
- Trademark & Know-How
- Prestige
- Financial Assets
5. Are we sure auditing an information system will make an Organization safer in the long run? How about...
- Organization issues.
- Security Targets (Policy) issues.
- Security Investment Performance issues.
A perfectly configured and patched system won't stay that way for long in an Insecure Organization!
6. OK. How can we know how secure an Organization is, and how to make it safer?
7. Introducing the Security Maturity Model
SMM describes the maturity of an organization depending on:
- Assignment and supervision of responsibilities.
- Security organization.
- Security practices:
  - Policies: Expectation-driven targets.
  - Distributed Policy Enforcement Responsibility.
  - Access Control management.
  - Independent audits.
  - Quantitative data gathering.
  - Etc...
- Security investment management.
8. SMM Level 1 - Initial
- Security is not acknowledged as a desirable property of the organization.
- The absence of incidents is the result of luck or individual efforts.
- The presence of incidents invariably leads to the maximum impact that could be expected.
9. SMM Level 2 - Acknowledged
- Security is acknowledged as a desirable property of the organization.
- The absence of incidents is the result of luck or some organizational efforts.
- The presence of incidents doesn't always lead to the maximum impact that could be expected.
- Expectations, incidents, and assets are sometimes evaluated.
- Security measures are taken until the budget is exhausted.
- The results of the organizational efforts fade with time.
From here on, "Evaluation" means: Identify, Classify, Prioritize, Value.
10. SMM Level 3 - Defined
- Security is acknowledged as a desirable property of the organization.
- The absence of incidents is the result of luck or continuous organizational efforts.
- The presence of incidents normally doesn't lead to the maximum impact that could be expected.
- Expectations, incidents and assets are sometimes evaluated.
- Security measures are taken until the budget is exhausted.
- Organizational security responsibilities are defined.
- A Security Policy exists.
- Assets are accessed using sessions.
- Security measures are audited.
- The results of the organizational efforts are permanent.
11. SMM Level 4 - Managed
- Security is acknowledged as a desirable property of the organization.
- The absence of incidents is the result of continuous organizational efforts.
- The presence of incidents virtually never leads to the maximum impact that could be expected.
- Expectations, incidents and assets are evaluated.
- The best security measures are taken considering the budget.
- Organizational security responsibilities are defined.
- A Security Norms Framework exists and is applied.
- Assets are accessed using sessions only.
- Security measures are audited.
- Responsibilities are partitioned and supervised.
- A "Continuity of Operations Plan" exists. This plan considers the organization's current status, and is properly implemented.
- The results of the organizational efforts are permanent.
12. SMM Level 5 - Optimum
- Security is acknowledged as a desirable property of the organization.
- The absence of incidents is the result of continuous organizational efforts.
- The presence of incidents doesn't lead to the maximum impact that could be expected.
- Expectations, incidents and assets are evaluated quantitatively.
- The best security measures are taken considering the budget.
- It can be determined whether the budget is consistent with the targets defined by the Security Norms Framework.
- Organizational security responsibilities are defined.
- A Security Norms Framework exists and is applied.
- Assets are accessed using sessions only.
- Security measures are audited.
- Responsibilities are partitioned and supervised.
- A "Continuity of Operations Plan" exists. This plan considers the organization's evolution and is properly implemented.
- Quantitative information is collected about incidents or close calls.
- Security measures are selected using objective criteria.
- The results of the organizational efforts are permanent.
13. SMM - Security Norms Framework
Security Policies written as a single document are not flexible enough in a big organization and quickly become worthless. An effective Security Policy describes the high-level principles that state the targets (why) and the strategies (what) to reach them.
- The Security Norms develop the strategies, describing the scope (where and when) of the security practices.
- The Security Standards develop the norms with specifications per domain that can be checked.
- The Security Procedures develop the standards and norms and give a step-by-step description of the who and how of the practice.
- The Operations Continuity Plan is a procedure that specifies how to act when a catastrophe happens.
- The Fair Use norm informs users about their obligations when using the organization's systems.
- The Third Party Agreements define mutual security commitments at the organization's borders with others.
14. SMM - Sublevels
Depending on the degree of integration of the existing practices, such as:
- Theorized: The practice is identified as compulsory in the Security Norms Framework, but the scope norms, standards and procedures don't exist.
- Procedured: There are norms, standards & procedures for this practice.
- Implemented: The norms of the practice are actually used.
- Verified: The results of the procedures used are audited periodically.
- Integrated: Circumvention of the norms of the practice is insignificant.
...an organization may occupy any sublevel within a given level.
15. SMM - Summary
Using SMM you can:
- Determine your organization's maturity.
- Set a maturity target.
- Plan for maturity enhancement.
Benefits:
- Every partial result of achieving the higher SMM Levels won't depend any longer on external contractors. Ever.
- Improve customer and stockholder trust in the organization.
- Maximize the return on Security Investment.
- Avoid non-technical security risks, setting an environment where there are no weak links.
16. This presentation is just an overview. The SMM is being further developed at the smmodel Group:
smmodel@yahoogroups.com
groups.yahoo.com/group/smmodel
© Vicente Aceituno, 18 July 2003
Open Content Licensed: www.opencontent.org/opl.shtml