Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
1
Information Security Management
Maturity Model
2
3
4
Methods
 A method is the
complete
definition of how
to make
repeatable a
complex activity.
5
Concepts
 Clear concepts
help mapping real
problems with the
framework
provided by the
method.
 They give the
method i...
6
Principles
 Generic high level do’s, don’ts and how to’s.
7
Roles
 Defined roles guarantee that
everyone knows his
responsibilities, and there are no
unassigned responsibilities.
...
8
Processes
 The task is performed equally regardless of who
performs it.
 Makes planning easier.
 It produces somethin...
9
Deliverables
 Document activity
 Results
 Measure progress and
success
 Less dependencies
 Better communication
 R...
10
Techniques
 Capture and reuse lessons learnt
 Improve productivity and quality
 Less dependencies of individual tale...
11
 Why
 What
 Who
 How
 When
 Resources
 Responsibilities
12
Index
1. ISM3 Charter
2. Benefits Realization (Business objectives,
Security objectives)
3. Results Oriented Management...
13
Index
1. ISM3 Charter
2. Benefits Realization (Business objectives,
Security objectives)
3. Results Oriented Management...
14
Charter
 The Problem
 Lack of guidance for the infosec community on managing
the information security function using ...
15
Charter
 Objectives
 Fill the gap between ISMS as defined in ISO27001, best
practices in ISO27002, and the need for c...
16
Index
1. ISM3 Charter
2. Benefits Realization (Business objectives,
Security objectives)
3. Results Oriented Management...
17
Asking the Right Questions
 What questions would you ask in
order to keep the Confidentiality,
Availability and Integr...
18
Contrarian view of
business and security
19
Security seen as
part of the business
20
Protect the asset
21
Protect business
bjectives
22
 “We want to prevent attacks from succeeding”.
With this approach, to be secure means to be
invulnerable.
 An inciden...
23
 “We want to guarantee that our business
objectives are met”. With this approach, to be
secure means to be reliable, d...
24
ISM3 Business Focus
 Business Objectives: Resilience depends on
security objectives.
 Security Objectives are derived...
25
Benefits Realization
Business Goals and Obligations removed in order to simplify and focus.
26
ISM3 - What needs protection?
 Business Objectives examples:
 Paying taxes in time;
 Invoice all products and servic...
27
ISM3 - What protection is needed?
 Business Objectives.
 Security Objectives examples:
 “Secrets should be accessibl...
28
ISM3 - Is protection successful?
 Business Objectives.
 Security Objectives.
 Security Targets examples.
 “Less tha...
29
Benefits Realization
30
Operational Definitions for Security
 ISM3 borrows the concept of operational definition
from the scientific method.
...
31
Operational Definitions for Security
 Remove ambiguity, enable agreement.
 Switch from “what is” to “how you measure”...
32
Asking the Right Questions
 What questions would you ask in
order to keep the Confidentiality,
Availability and Integr...
33
Asking the Right Questions
1. Who are the users of the system?
2. Do they need to be specifically authorized?
3. From w...
34
Asking the Right Questions
9. Will the system handle intellectual property?
10. What are the different locations subjec...
35
Security Objectives
36
 Use of services and physical and logical access to
repositories and systems is restricted to authorized users;
Access...
37
 Secrets (industrial, trade) are accessible to authorized
users only;
Access Control
38
 Personal information of clients and employees is
accessible for a valid purpose to authorized users only,
preserves t...
39
 Intellectual property
(licensed, copyrighted,
patented and trademarks) is
accessible to authorized
users only;
 Thir...
40
 Users are accountable for the repositories and
messages they create or modify;
 Users are accountable for their acce...
41
 Accurate time
and date is
reflected in all
records;
Access
Control
42
 Availability of repositories, services and channels
exceeds Customer needs;
 Reliability and performance of services...
43
 Repositories are retained at least as long as
Customer requirements;
 Expired or end of life-cycle repositories are
...
44
 Precision, relevance (up-to-
date), completeness and
consistency of repositories
exceeds Customer needs;
Quality Obje...
45
Technical Objectives
* Keep systems free of weaknesses.
* Keep systems that need to be visible
from not trusted systems...
46
Use case – Malware Management
 Use case – ISM3-less management
 Motivation: Clean viruses or your business will sink....
47
 Use Case – ISM3-style management
 Motivation: Unfortunately systems, specially Windows and malware prone.
We should ...
48
Index
1. ISM3 Charter
2. Benefits Realization (Business objectives,
Security objectives)
3. Results Oriented Management...
49
Definitions
Process OSP-6 Environment Clearing
Description This process covers procedures for secure clearing of reposi...
50
Definitions
Description: The activity performed in the process.
Rationale: How the process contributes to specific an...
51
Definitions
Activity: Metric description of the volume of work
products produced.
Scope: Metric description showing h...
52
Definitions
Process Owner: Every process should have one and no
more than one process owner.
Related Processes: Other...
53
 Managing is achieving results with
the resources available for it.
 There are specific activities for
management: “M...
54
 Assessment. How well the process
matches the organization's needs and
compliance goals.
Management Practices
55
 Benefits realization:
Show how achieving
security objectives
contributes to
achieving business
objectives.
Management...
56
 Planning. Organizing and forecasting
the amount, assignment and
milestones of tasks, resources,
budget, deliverables ...
57
 Testing:
Assessment
of whether
process
outputs are
as expected
when test
data is put
in.
Management Practices
58
 Monitoring: Checking whether the outputs
of the process and the resources used are
normal?, acceptable? Improving? Be...
59
 Improving:
Making changes
in the process to
make it more
suitable for the
purpose, or to
reduce usage of
resources.
M...
60
 Audit. Whether the
process inputs,
activities and
results match their
documentation.
Management Practices
61
 Certify:
Whether the
process inputs,
process
documentation,
activities and
results comply
with a pre-
defined
standar...
62
 Therefore, there is a
strong link between the
metrics used and
capability.
Management
 You can perform few managemen...
63
 The more
sophisticated your
management
practices, the higher
your capability.
Management and Capability
64
Types of Process Metrics
 A quantitative
measurement
that can be
interpreted in the
context of a
series of previous
or...
65
Types of Process Metrics
 Activity: Number of
outputs produced
and their mean age.
66
Types of Process Metrics
Scope: Percentage of all
inputs producers covered.
67
Types of Process Metrics
 Unavailability: Number,
frequency and duration of
interruptions in the normal
operation of t...
68
Types of Process Metrics
 Effectiveness:
Number, mean
time between
inputs and
percentage of
Inputs that
produce an
Out...
69
Types of Process Metrics
 Efficiency: Ratio
between the number of
outputs submitted and
the available resources
for th...
70
Types of Process Metrics
 Load:
Percentage
of
resources
reserved
for the
process in
actual use.
71
Types of Process Metrics
 Quality: Measure of the fitness
for purpose of the outputs.
72
 Description of what is measured
 How is the metric measured
 How often is the measurement
taken
 How are the thres...
73
What are metrics good for?
 Enable performing management practices.
 Determine whether security objectives are met
(t...
74
Index
1. ISM3 Charter
2. Benefits Realization (Business objectives,
Security objectives)
3. Results Oriented Management...
75
 What you can’t measure you can’t manage.
 What you can’t manage you can’t improve.
 ISM3 uses PDCA per process & Me...
76
ISM3 Process Capability
77
Security & Security Investment
Security
Investment
Cost
% People
 Mayfield’s Paradox
 It cost an infinite amount of m...
78
Security Investment, Maturity Level & Risk
N
one
Basic
Level
SM
E
Level
eCom
m
erce
Level
Enterprise
LevelM
ilitary
Lev...
79
ISM3 Maturity Levels
 Defines one basic maturity level
 Defined level is minimal set of processes without which you d...
80
ISM3 Maturity Levels
Low Investment Medium Investment High Investment
High
Benefit
OSP-12: User Registration
SSP-4: Def...
81
ISM3 Flexibility
 ISM3 is adaptable to organizations with different
missions and contexts.
 ISM3 is adaptable to orga...
82
Index
1. ISM3 Charter
2. Benefits Realization (Business objectives,
Security objectives)
3. Results Oriented Management...
83
Incidents =
Failure
84
Incidents =
Opportunity for
Improvement
85
(But…
Don’t make the same
mistake twice.
& Learn from the
mistakes of others)
86
ISMS Success
 A security target specifies the maximum number and
impact of incidents that is acceptable.
 An occurren...
87
Index
1. ISM3 Charter
2. Benefits Realization (Business objectives,
Security objectives)
3. Results Oriented Management...
88
ISM3 Responsibility Guidance
 Transparency: Responsibilities and reporting
channels should be clearly defined, documen...
89
 Deal with broad goals, coordination and
provision of resources;
 Deal with the design and implementation of the
ISM ...
90
Strategic Managers
Tactical Managers
Operational Managers
Stakeholders
Report
Report
Report
Levels of Responsibility - ...
91
Strategic Practices
Tactical Practices
Operational Practices
Generic Practices
Specific Goals
Specific Goals
Specific G...
92
Index
1. ISM3 Charter
2. Benefits Realization (Business objectives,
Security objectives)
3. Results Oriented Management...
93
Generic Goals
 Prevent and mitigate incidents that could
jeopardize the organization’s property and the
output of prod...
94
Strategic Goals
 Provides leadership and coordination of:
 Information security;
 Physical security;
 Workplace sec...
95
Tactical Goals
 Provide feedback to Strategic Management;
 Define the environment for Operational
Management.
 Defin...
96
Operational Goals
 Provide feedback to Tactical Management,
including Incident Reports;
 Identify and protect assets;...
97
Generic Practices
 GP-1 Knowledge Management
 GP-2 ISM System Audit
 GP-3 ISM Design and Evolution
Generic
Practices
98
 SSP-1 Report to Stakeholders
 SSP-2 Coordination
 SSP-3 Strategic vision
 SSP-4 Define Division of Duties rules
 ...
99
 TSP-1 Report to strategic management
 TSP-2 Manage allocated resources
 TSP-3 Define Security Targets and Security ...
100
Operational Practices
 OSP-1 Report to tactical management
 OSP-2 Security Procurement
 OSP-3 Inventory Management
...
101
Operational Practices
 OSP-11 Access control
 OSP-12 User Registration
 OSP-14 Physical Environment Protection
Mana...
102
Operational Practices
 OSP-22 Alerts Monitoring
 OSP-28 External Events Detection and
Analysis
 OSP-23 Internal Eve...
103
Index
1. ISM3 Charter
2. Benefits Realization (Business objectives,
Security objectives)
3. Results Oriented Managemen...
104
Summary
1. Business Focused
2. Process Orientation
3. Manageable (with Metrics)
4. Compatible (ITIL, ISO27001, ISO9001...
105
Information Security that makes Business
Sense
inovement.es/oism3
Web www.inovement.es
Video Blog youtube.com/user/vac...
Nächste SlideShare
Wird geladen in …5
×

Introducing O-ISM3

7.852 Aufrufe

Veröffentlicht am

Veröffentlicht in: Technologie
  • Als Erste(r) kommentieren

Introducing O-ISM3

  1. 1. 1 Information Security Management Maturity Model
  2. 2. 2
  3. 3. 3
  4. 4. 4 Methods  A method is the complete definition of how to make repeatable a complex activity.
  5. 5. 5 Concepts  Clear concepts help mapping real problems with the framework provided by the method.  They give the method internal coherence.
  6. 6. 6 Principles  Generic high level do’s, don’ts and how to’s.
  7. 7. 7 Roles  Defined roles guarantee that everyone knows his responsibilities, and there are no unassigned responsibilities.  Every task performed needs one person or team that is responsible to carry it out.
  8. 8. 8 Processes  The task is performed equally regardless of who performs it.  Makes planning easier.  It produces something with value for the business.
  9. 9. 9 Deliverables  Document activity  Results  Measure progress and success  Less dependencies  Better communication  Reminder
  10. 10. 10 Techniques  Capture and reuse lessons learnt  Improve productivity and quality  Less dependencies of individual talent  Produce deliverables
  11. 11. 11  Why  What  Who  How  When  Resources  Responsibilities
  12. 12. 12 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
  13. 13. 13 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
  14. 14. 14 Charter  The Problem  Lack of guidance for the infosec community on managing the information security function using metrics and maturity models.  Existing infosec frameworks and standards for the most part fail to tie information security controls and management to business objectives. As such, they provide laundry lists of best practice controls, but they leave it to the information security management at each organization to determine which controls have applicability based upon many internal factors.  Existing frameworks are also not tailored for various kinds of organizations. SMBs, large enterprises, e-commerce, and military/defense have different requirements
  15. 15. 15 Charter  Objectives  Fill the gap between ISMS as defined in ISO27001, best practices in ISO27002, and the need for continuous improvement in infosec using metrics and maturity models.  Help organizations to identify and achieve levels of security appropriate to their industry, risk profile, and size.  Provide organizations with certification opportunities for infosec management program  Provide basis for an ecosystem to develop around ISM3, including trainers, certification, consultants.
  16. 16. 16 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
  17. 17. 17 Asking the Right Questions  What questions would you ask in order to keep the Confidentiality, Availability and Integrity of the systems used by Human Resources?
  18. 18. 18 Contrarian view of business and security
  19. 19. 19 Security seen as part of the business
  20. 20. 20 Protect the asset
  21. 21. 21 Protect business bjectives
  22. 22. 22  “We want to prevent attacks from succeeding”. With this approach, to be secure means to be invulnerable.  An incident is any loss of confidentiality, integrity or availability.  You look at a piece of data and think: Is it confidential, has it got integrity, is it available? Traditional approach to security:
  23. 23. 23  “We want to guarantee that our business objectives are met”. With this approach, to be secure means to be reliable, despite attacks, accidents and errors.  An incident is a failure to meet a security objective resulting from accidents, errors or attacks.  Using ISM3 you look at a piece of data and think: What properties of this data must be protected for it to have business value? ISM3 style Approach:
  24. 24. 24 ISM3 Business Focus  Business Objectives: Resilience depends on security objectives.  Security Objectives are derived from business, compliance and technical needs and limitations. This are the goals of the ISM.  Security Targets measure the achievement of security objectives in business terms.
  25. 25. 25 Benefits Realization Business Goals and Obligations removed in order to simplify and focus.
  26. 26. 26 ISM3 - What needs protection?  Business Objectives examples:  Paying taxes in time;  Invoice all products and services provided;  Keep any records needed to pass successfully any audit, like a tax audit or a software licenses audit.  Security Objectives.  Security Targets.
  27. 27. 27 ISM3 - What protection is needed?  Business Objectives.  Security Objectives examples:  “Secrets should be accessible to authorized users only”  “Repositories with Personal information have to be registered with the Data Protection agency”  “Systems are as free of weaknesses as possible”  Security Targets.
  28. 28. 28 ISM3 - Is protection successful?  Business Objectives.  Security Objectives.  Security Targets examples.  “Less than 2 secrets revealed every year, accounting for loses of less than 0.1% of the value of the company”  “Fewer than one incident every two years where a Repository with Personal Information s not registered”  “Medium update level in the DMZ environment below 3 days”
  29. 29. 29 Benefits Realization
  30. 30. 30 Operational Definitions for Security  ISM3 borrows the concept of operational definition from the scientific method.  Under an operational definition, any measurable characteristic is defined by the methodology used to measure it, without any attempt to describe or define the nature of the measured characteristic.  Repeatable, as the measurement can the performed as often as needed with consistent results,  Independent of the observer, as any observer following the measurement methodology will achieve the same result
  31. 31. 31 Operational Definitions for Security  Remove ambiguity, enable agreement.  Switch from “what is” to “how you measure”.  You don’t need to know what “mass” is in order to know the weight of something.
  32. 32. 32 Asking the Right Questions  What questions would you ask in order to keep the Confidentiality, Availability and Integrity of the systems used by Human Resources?
  33. 33. 33 Asking the Right Questions 1. Who are the users of the system? 2. Do they need to be specifically authorized? 3. From whom do we want to protect the system’s information? 4. Will any part of the system be located in publicly accessible locations? 5. Will the system handle personal information of clients, potential clients, stockholders, or employees? 6. What are the different locations subject to diverse regulations in terms of handling of personal information and data breach disclosure where parts of the system will be located? 7. Will the system use licensed information from third parties? 8. What are the different locations subject to diverse regulations in terms of licensed information where parts of the system will be located?
  34. 34. 34 Asking the Right Questions 9. Will the system handle intellectual property? 10. What are the different locations subject to diverse regulations in terms of intellectual property where parts of the system will be located? 11. When should the system be performing normally (e.g., 8×5)? 12. How many interruptions are acceptable? 13. What would be the longest acceptable interruption? 14. What is the maximum amount of transactions that can be lost because of an interruption? 15. For how long will the system’s data be archived? 16. If the data needs to be deleted, when should this happen? 17. What is the maximum acceptable fraction of records with wrong information? 18. What is the maximum fraction of records that can be missing?
  35. 35. 35 Security Objectives
  36. 36. 36  Use of services and physical and logical access to repositories and systems is restricted to authorized users; Access Control
  37. 37. 37  Secrets (industrial, trade) are accessible to authorized users only; Access Control
  38. 38. 38  Personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required. Access Control
  39. 39. 39  Intellectual property (licensed, copyrighted, patented and trademarks) is accessible to authorized users only;  Third party services and repositories are appropriately licensed and accessible only to authorized users; Access Control
  40. 40. 40  Users are accountable for the repositories and messages they create or modify;  Users are accountable for their acceptance of contracts and agreements.  Users are accountable for their use of services. Access Control
  41. 41. 41  Accurate time and date is reflected in all records; Access Control
  42. 42. 42  Availability of repositories, services and channels exceeds Customer needs;  Reliability and performance of services and channels exceeds Customer needs;  Volatility of services and channels within Customer needs; Priority Objectives
  43. 43. 43  Repositories are retained at least as long as Customer requirements;  Expired or end of life-cycle repositories are permanently destroyed; Durability Objectives
  44. 44. 44  Precision, relevance (up-to- date), completeness and consistency of repositories exceeds Customer needs; Quality Objectives
  45. 45. 45 Technical Objectives * Keep systems free of weaknesses. * Keep systems that need to be visible from not trusted systems the least visible possible. * Have systems run trusted services only. * Keep electricity, temperature and humidity within controlled limits. Press Any Key to Continue
  46. 46. 46 Use case – Malware Management  Use case – ISM3-less management  Motivation: Clean viruses or your business will sink.  Objective: No system should get a virus ever  Activity: Install antivirus on personal computers, servers, mail servers, add antivirus functionality to firewalls, add antispyware, antitrojan, antirookit to the mix.  Policy: Prevent any USB, DVD, to touch any company system without being searched for viruses.  Success criterion: When no system gets ever a virus.  Continuous improvement: Add more antimalware controls (Tripwire, CORE, etc)
  47. 47. 47  Use Case – ISM3-style management  Motivation: Unfortunately systems, specially Windows and malware prone. We should invest proportionally to the damage they can make.  Goal: Systems should accomplish their business role with or without malware.  Activity: Install antimalware in vulnerable systems. Measure activity, scope, update and availability of antimalware. Consider other measures, like using less malware prone systems.  Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.  Success criterion: When protected system play their business role without interruption or degradation.  Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectively and ROI. Use case – Malware Management
  48. 48. 48 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
  49. 49. 49 Definitions Process OSP-6 Environment Clearing Description This process covers procedures for secure clearing of repositories to prevent disclosure of information. Rationale Clearing or destroying of repositories is required to prevent disclosure incidents when an information system leaves an environment or passes outside the control of the organization. Documentation OSP-061-Repository Clearing Procedure. OSP-062-Clearing Report Template Inputs Inventory of Assets Alerts and Fixes Report Work Products Cleared Repositories Clearing Report Metrics Report Activity Number of Work Products submitted Scope Percentage of information systems susceptible to be cleared when changing state in the environment Update Time since last Work Products submission Mean time between Work Products submissions Time since last information system clearing Availability Not Applicable Process owner Information Systems Management Related Processes OSP-4 Information Systems Environment Change Control OSP-22 Alerts Monitoring Related Methodologies Not Applicable
  50. 50. 50 Definitions Description: The activity performed in the process. Rationale: How the process contributes to specific and generic goals. Documentation: Policies, Procedures and Templates Process Definitions needed to describe and perform the process. Inputs: Inputs to the process. (Inputs in italics or obtained from sources other than documents) Work Products: Results of the process. (Work Products in italics are work products other than documents)
  51. 51. 51 Definitions Activity: Metric description of the volume of work products produced. Scope: Metric description showing how much of the organisation or the environment is covered by the process. Efficiency Efficacy Load Quality Unavailability: Metric description of the period of time that a process has performed as expected upon demand, and the frequency and duration of interruptions.
  52. 52. 52 Definitions Process Owner: Every process should have one and no more than one process owner. Related Processes: Other ISM3 processes that are required to generate key inputs. Related Methodologies: Well-known methodologies and best practices.
  53. 53. 53  Managing is achieving results with the resources available for it.  There are specific activities for management: “Management Practices” Management
  54. 54. 54  Assessment. How well the process matches the organization's needs and compliance goals. Management Practices
  55. 55. 55  Benefits realization: Show how achieving security objectives contributes to achieving business objectives. Management Practices
  56. 56. 56  Planning. Organizing and forecasting the amount, assignment and milestones of tasks, resources, budget, deliverables and performance of a process. Management Practices
  57. 57. 57  Testing: Assessment of whether process outputs are as expected when test data is put in. Management Practices
  58. 58. 58  Monitoring: Checking whether the outputs of the process and the resources used are normal?, acceptable? Improving? Better than the Joneses? Management Practices
  59. 59. 59  Improving: Making changes in the process to make it more suitable for the purpose, or to reduce usage of resources. Management Practices
  60. 60. 60  Audit. Whether the process inputs, activities and results match their documentation. Management Practices
  61. 61. 61  Certify: Whether the process inputs, process documentation, activities and results comply with a pre- defined standard, law or regulation. Management Practices
  62. 62. 62  Therefore, there is a strong link between the metrics used and capability. Management  You can perform few management practices without metrics.
  63. 63. 63  The more sophisticated your management practices, the higher your capability. Management and Capability
  64. 64. 64 Types of Process Metrics  A quantitative measurement that can be interpreted in the context of a series of previous or equivalent measurements
  65. 65. 65 Types of Process Metrics  Activity: Number of outputs produced and their mean age.
  66. 66. 66 Types of Process Metrics Scope: Percentage of all inputs producers covered.
  67. 67. 67 Types of Process Metrics  Unavailability: Number, frequency and duration of interruptions in the normal operation of the process.
  68. 68. 68 Types of Process Metrics  Effectiveness: Number, mean time between inputs and percentage of Inputs that produce an Output.
  69. 69. 69 Types of Process Metrics  Efficiency: Ratio between the number of outputs submitted and the available resources for this process in actual use.
  70. 70. 70 Types of Process Metrics  Load: Percentage of resources reserved for the process in actual use.
  71. 71. 71 Types of Process Metrics  Quality: Measure of the fitness for purpose of the outputs.
  72. 72. 72  Description of what is measured  How is the metric measured  How often is the measurement taken  How are the thresholds calculated  Current range of values considered normal for the metric  Best possible value of the metric  Units of measurement Metrics Specification
  73. 73. 73 What are metrics good for?  Enable performing management practices.  Determine whether security objectives are met (test success);  Show how security objectives contribute to business objectives;  Measure how changes in a process improve (or not) the ISM system;  Inform decisions to fix or improve the ISM processes.  Detect significant anomalies (tell normal from abnormal, saving investigation efforts);  SLAs, Outsourcing
  74. 74. 74 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
  75. 75. 75  What you can’t measure you can’t manage.  What you can’t manage you can’t improve.  ISM3 uses PDCA per process & Metrics for continuous improvement.  The higher the capability of a process, the better opportunities for improvement arise. ISM3 - Continuous Improvement
  76. 76. 76 ISM3 Process Capability
  77. 77. 77 Security & Security Investment Security Investment Cost % People  Mayfield’s Paradox  It cost an infinite amount of money both to give everyone access to a system, and to prevent everyone access to the same system.  CMU – CERT study:  The more you spend, the less difference it makes on your security.
  78. 78. 78 Security Investment, Maturity Level & Risk N one Basic Level SM E Level eCom m erce Level Enterprise LevelM ilitary Level Security Investment Risk Risk Reduction/ Additional Security Investment ISM3 Maturity Levels (Qualitative Graphic. Risk Reduction / Extra Security Investment, scaled x40 for readability)
  79. 79. 79 ISM3 Maturity Levels  Defines one basic maturity level  Defined level is minimal set of processes without which you don’t have an ISMS  Certified capability and maturity moved to separate conformance/certification documentation  Maturity levels documented in separate documents will be market driven projects  Guidance given on historical/empirical economical process sequencing and continuous improvement
  80. 80. 80 ISM3 Maturity Levels Low Investment Medium Investment High Investment High Benefit OSP-12: User Registration SSP-4: Define TPSRSR Rules TSP-6: Define IT Managed Domains and Lifecycles GP-2: ISM System and Business Audit OSP-14: Physical Environment Protection Management OSP-7: IT Managed Domain Hardening OSP-8: Software Development Lifecycle Control OSP-19: Internal Technical Audit OSP-4: Information Systems IT Managed Domain Change Control OSP-9: Security Measures Change Control OSP-26: Enhanced Reliability and Availability Management Medium Benefit TSP-11: Security Awareness TSP-8: Personnel Security TS8P-:9 Security Personnel Training OSP-3: Inventory Management OSP-2: Security Procurement OSP-6: IT Managed Domain Clearing OSP-27: Archiving Management OSP-15: Operations Continuity Management OSP-20: Incident Emulation Low Benefit TSP-10: Disciplinary Process TSP-13: Insurance Management OSP-22: Alerts Monitoring OSP-28: External Events Detection and Analysis OSP-23: Internal Events Detection and Analysis OSP-24: Handling of Incidents and Near-incidents OSP-25: Forensics TSP-7: Background Checks TSP-14: Information Operations
  81. 81. 81 ISM3 Flexibility  ISM3 is adaptable to organizations with different missions and contexts.  ISM3 is adaptable to organizations with different resources.  Security investment is driven by business need.  Some organizations may not have a huge budget for Information Security ( 20 / 80 Rule).  Maturity levels describe different levels of sophistication of ISM systems.  Organizations can identify appropriate processes, choose a level suitable for them, and show implementation progress.
  82. 82. 82 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
  83. 83. 83 Incidents = Failure
  84. 84. 84 Incidents = Opportunity for Improvement
  85. 85. 85 (But… Don’t make the same mistake twice. & Learn from the mistakes of others)
  86. 86. 86 ISMS Success  A security target specifies the maximum number and impact of incidents that is acceptable.  An occurrence of an incident does not by itself mean that a ISM system has failed.  ISM defines success as, not whether an incident has occurred, but whether the security target related to that incident has been met.  Meeting all security targets throughout the year means that the ISM system has been successful, regardless of the incidents that occurred during that period.  Incidents and failed security targets lead to improvements in the cycle of continuous improvement of the ISMS.
  87. 87. 87 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Return of Investment 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Advantages 11. Summary
  88. 88. 88 ISM3 Responsibility Guidance  Transparency: Responsibilities and reporting channels should be clearly defined, documented and communicated.  Partitioning: All instances of ISM processes should have one and only one Process Owner.  Supervision: All ISM processes should have at least one supervisor.  Rotation: All sensitive processes should be transferred periodically to another competent process owner.  Separation: No process owner will own incompatible processes.
  89. 89. 89  Deal with broad goals, coordination and provision of resources;  Deal with the design and implementation of the ISM system, specific goals and management of resources;  Deal with achieving defined goals by means of technical processes. Strategic Practices Tactical Practices Operational Practices Levels of Responsibility – Management Levels
  90. 90. 90 Strategic Managers Tactical Managers Operational Managers Stakeholders Report Report Report Levels of Responsibility - Reporting
  91. 91. 91 Strategic Practices Tactical Practices Operational Practices Generic Practices Specific Goals Specific Goals Specific Goals Generic Goals Direct and Provide Implement and Optimize Support Levels of Responsibility
  92. 92. 92 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Overview 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
  93. 93. 93 Generic Goals  Prevent and mitigate incidents that could jeopardize the organization’s property and the output of products and services that rely on information systems;  Optimise the use of information, money, people, time and infrastructure.  The work products of an ISM system are:  Incident prevention;  Incident mitigation;  The intangible work products of an ISM system are:  Risk reduction;  Trust. Generic Goals
  94. 94. 94 Strategic Goals  Provides leadership and coordination of:  Information security;  Physical security;  Workplace security (outside scope of ISM3);  Interaction with organizational units;  Reviews and improves the information security management system;  Provides resources for information security;  Defines relationships with other organisations;  Defines Security Objectives consistent with organizational objectives, protecting stakeholders interests;  Sets the organizational scheme of delegation. Specific Goals
  95. 95. 95 Tactical Goals  Provide feedback to Strategic Management;  Define the environment for Operational Management.  Define Security Targets;  Define information classes, priorities, durability and quality groups;  Define environments and lifecycles;  Select appropriate processes to achieve the Security Targets;  Manage budget, people and other resources allocated to information security Specific Goals
  96. 96. 96 Operational Goals  Provide feedback to Tactical Management, including Incident Reports;  Identify and protect assets;  Protection and support of information systems throughout their lifecycle;  Management of the security measures lifecycle;  Apply allocated resources efficiently and effectively;  Carry out processes for incident prevention, detection and mitigation (both real time and following an incident). Specific Goals
  97. 97. 97 Generic Practices  GP-1 Knowledge Management  GP-2 ISM System Audit  GP-3 ISM Design and Evolution Generic Practices
  98. 98. 98  SSP-1 Report to Stakeholders  SSP-2 Coordination  SSP-3 Strategic vision  SSP-4 Define Division of Duties rules  SSP-6 Allocate resources for information security Strategic Practices Strategic Practices
  99. 99. 99  TSP-1 Report to strategic management  TSP-2 Manage allocated resources  TSP-3 Define Security Targets and Security Objectives  TSP-4 Service Level Management  TSP-6 Security Architecture  TSP-7 Background Checks  TSP-8 Personnel Security  TSP-9 Security Personnel Training  TSP-10 Disciplinary Process  TSP-11 Security Awareness  TSP-13 Insurance Management  TSP-14 Information Operations Tactical Practices Tactical Practices
  100. 100. 100 Operational Practices  OSP-1 Report to tactical management  OSP-2 Security Procurement  OSP-3 Inventory Management  OSP-4 Information Systems Environment Change Control  OSP-5 Environment Patching  OSP-6 Environment Clearing  OSP-7 Environment Hardening  OSP-8 Software Development Life-cycle Control  OSP-9 Security Measures Change Control  OSP-10 Backup & Redundancy Management Operational Practices
  101. 101. 101 Operational Practices  OSP-11 Access control  OSP-12 User Registration  OSP-14 Physical Environment Protection Management –  OSP-15 Operations Continuity Management  OSP-16 Segmentation and Filtering Management  OSP-17 Malware Protection Management  OSP-19 Internal Technical Audit  OSP-20 Incident Emulation  OSP-21 Information Quality Probing  OSP-26 Enhanced Reliability and Availability Management Operational Practices
  102. 102. 102 Operational Practices  OSP-22 Alerts Monitoring  OSP-28 External Events Detection and Analysis  OSP-23 Internal Events Detection and Analysis  OSP-24 Handling of incidents and near- incidents  OSP-25 Forensics  OSP-27 Archiving Management  OSP-21 Information Quality and Compliance Probing Operational Practices
  103. 103. 103 Index 1. ISM3 Charter 2. Benefits Realization (Business objectives, Security objectives) 3. Results Oriented Management (Management Practices, Processes, Process Metrics) 4. Continuous Improvement (Management Capability, Management Maturity) 5. ISMS Success (Operational definition of incident, Business Targets, Security Targets) 6. Levels of Responsibility 7. Overview 8. Communication and Cooperation (Operational definitions) 9. Certification (Certifiable Maturity Levels) 10. Summary
  104. 104. 104 Summary 1. Business Focused 2. Process Orientation 3. Manageable (with Metrics) 4. Compatible (ITIL, ISO27001, ISO9001) 5. Adaptable 6. Flexible
  105. 105. 105 Information Security that makes Business Sense inovement.es/oism3 Web www.inovement.es Video Blog youtube.com/user/vaceituno Blog ism3.com Twitter twitter.com/vaceituno Presentations slideshare.net/vaceituno/presentations Articles slideshare.net/vaceituno/documents
  106. 106. 106

×