Open Information Security Management Maturity Model: An Overview
25th May, 2011
Presented by: Sudarsan Jayaraman, CISA, CISM, ITIL V3 Expert, ISO 20000 (C), ISO 27001 LA, COBIT (F)
Director, Technology Risk Services

Today's Discussion Points
- Current information security management practices
- Open Information Security Management Maturity Model (O-ISM3): an overview
- Implementation approach and potential benefits

Do you agree?
QUESTION: Do information security compliance projects improve the security posture of an organization?

Do you agree?
QUESTION: Do information security compliance projects improve the security posture of an organization?
ANSWER: No. Information security compliance projects are not helping the organization; they amount to documentation of controls rather than implementation of security.

Organization Concerns
Management concerns:
- Inadequate view of how information security is functioning
- Increase in the number of security incidents
- High cost of information security and low ROI
- IT staffing issues
- Lack of knowledge of critical systems
- Information security is not measurable
CISO's concerns:
- No clear view of business requirements
- Budget cuts and less IT spending
- Delivering projects to meet business growth
- Compliance requirements from various agencies
- Demonstrating value to the business
- Improving security and privacy controls
- Improving the quality of information security delivery

Governance: A Balancing Act
Governance is about balancing:
- Performance: improving profitability, efficiency, effectiveness and growth
- Conformance: adhering to legislation, internal policies and audit requirements

What is Information Security Governance?

International Standards in Information Security
- ISO/IEC 27001 series: Information Technology, Security Techniques, Information Security Management System Requirements
- O-ISM3: The Open Group Information Security Management Maturity Model
- Standard of Good Practice for Information Security, from the Information Security Forum (ISF)

Common Issues in the Current Standards
For each criterion: what current ISMSs do, what is required, and the implication.
Paradigm
  Current ISMS: controls based
  Requirement: process based
  Implication: controls do not have a defined output, but processes do, so processes can be managed using metrics of their outputs. Process-based management is also easier to integrate with COBIT, ISO 9001 and ITIL.
Business approach
  Current ISMS: bottom-up
  Requirement: top-down
  Implication: a link between business goals and information security; focus on business objectives and goals, and derive security objectives and targets from business requirements.
Security objectives
  Current ISMS: an incident is a breach of confidentiality, integrity or availability (CIA); the focus is attack prevention; the information qualities are confidentiality, integrity and availability.
  Requirement: an incident is a breach of a security objective; the focus is prevention of attacks, errors and accidents; the information qualities are business, compliance and technical.
  Implication: information quality should focus on addressing business interests.
Metrics
  Current ISMS: no
  Requirement: yes
  Implication: metrics allow incidents and faults in the process to be found, enabling continuous improvement.

IT Standards and Frameworks (diagram)
- Business requirements: the WHAT and the HOW
- IT governance: COBIT, Val IT, ISO/IEC 38500
- Information security: ISO 27000 series, Open ISM3, ISF
- IT service management: ITIL, ISO/IEC 20000
- Project management: PMI PMBOK

Characteristics of a Framework
A control framework:
- Has general acceptability among organizations
- Helps meet regulatory requirements
- Defines a common language
- Provides a sharper business focus
- Ensures process orientation

O-ISM3: Information Security Management Maturity Model
The main characteristics of O-ISM3 are:
- Business-focused
- Process-oriented
- Measurement-driven

About Open ISM3
- ISM3 was developed by the ISM3 Consortium, by a team headed by Mr. Vicente Aceituno.
- ISM3 has since been adopted by The Open Group; the latest version was released in February 2011.
- The Open Group is a vendor- and technology-neutral consortium. Its other standards include The Open Group Architecture Framework (TOGAF®).

Highlights of O-ISM3
- Enables the creation of ISM systems that are fully aligned with the business mission and compliance needs.
- Applicable to any organization regardless of size, context and resources.
- Enables organizations to prioritize and optimize their investment in information security.
- Enables continuous improvement of ISM systems using metrics.

ISM3 Processes
Generic practices:
- GP-1 Knowledge Management
- GP-2 ISM and Business Audit
- GP-3 ISM Design and Evolution
Strategic practices:
- SSP-1 Report to Stakeholders
- SSP-2 Coordination
- SSP-4 Define Division of Duties Rules
- SSP-6 Allocate Resources for Information Security
Tactical practices:
- TSP-1 Report to Strategic Management
- TSP-2 Manage Allocated Resources
- TSP-3 Define Security Targets and Security Objectives
- TSP-4 Service Level Management
- TSP-6 Security Architecture
- TSP-7 Background Checks
- TSP-8 Personnel Security
- TSP-9 Security Personnel Training
- TSP-10 Disciplinary Process
- TSP-11 Security Awareness
- TSP-13 Insurance Management
- TSP-14 Information Operations
ISM3 Processes: Operational Practices
- OSP-1 Report to Tactical Management
- OSP-2 Security Procurement Lifecycle Control
- OSP-3 Inventory Management
- OSP-4 Information Systems IT Managed Domain Change Control
- OSP-5 IT Managed Domain Patching
- OSP-6 IT Managed Domain Clearing
- OSP-7 IT Managed Domain Hardening
- OSP-8 Software Development Life-cycle Control
- OSP-9 Security Measures Change Control
- OSP-16 Segmentation and Filtering Management
- OSP-17 Malware Protection Management
Access and environmental control:
- OSP-11 Access Control
- OSP-12 User Registration
- OSP-14 Physical Environment Protection Management
Availability control:
- OSP-10 Backup Management
- OSP-15 Operations Continuity Management
- OSP-26 Enhanced Reliability and Availability Management
- OSP-27 Archiving Management
Testing and auditing:
- OSP-19 Internal Technical Audit
- OSP-20 Incident Emulation
- OSP-21 Information Quality and Compliance Assessment
Monitoring:
- OSP-22 Alerts Monitoring
- OSP-23 Internal Events Detection and Analysis
- OSP-28 External Events Detection and Analysis
Incident handling:
- OSP-24 Handling of Incidents and Near-incidents
- OSP-25 Forensics

Sample Process Description
Process: OSP-5 IT Managed Domain Patching
Description: This process covers the ongoing update of services to prevent incidents related to known weaknesses, enhancing the reliability of the updated systems.
Value: Patching prevents incidents arising from the exploitation of known weaknesses in services.
Documentation: OSP-051, Services update level report template; OSP-052, Services Patching Management procedure
Inputs: Inventory of Assets (OSP-3)
Outputs: Services Update Level Report (OSP-4); Metrics Report (TSP-4)
Quality: Up-to-date services in every IT managed domain
Metrics: Update level, calculated as follows. The update level for a specific information system is the sum of the days outstanding for all of its pending security patches. The IT managed domain update level is the sum of the individual update levels divided by the number of information systems in the domain. The lower this metric, the better. It allows the progress of the patching process to be checked and the update levels of different IT managed domains to be compared.
Responsibilities: Process owner: Information Systems Management. Supervisor: the TSP-14 process owner.
Related processes: OSP-4 Information Systems IT Managed Domain Change Control; OSP-9 Security Measures Change Control
Related methodologies: Project Quant

O-ISM3 Goals
- Generic goals: prevent and mitigate incidents; optimise the use of information, money, people, time and infrastructure.
- Strategic goals: define security objectives consistent with organizational objectives, protecting stakeholders' interests.
- Tactical goals: provide feedback to strategic management; manage the budget, people and other resources allocated to information security.
- Operational goals: provide feedback to tactical management; carry out the processes for incident prevention, detection and mitigation.

O-ISM3: An Information Security Management Maturity Model
- O-ISM3 is a framework for managing information security in the context of business objectives.
- When business objectives and security objectives are aligned, information security becomes a key contributor to the common goal of achieving the business objectives.
- Security objectives and security targets are expressed in tangible, specific and measurable terms.
- Business objectives drive security objectives, which drive security targets.

O-ISM3 Security Management Levels
- Strategic management: managers involved in the long-term alignment of IT with business needs.
- Tactical management: managers involved in the allocation of resources and the configuration and management of the ISMS.
- Operational management: managers involved in setting up, operating and monitoring specific processes.
- Reporting flows upward: operational managers report to tactical managers, tactical managers to strategic managers, and strategic managers to stakeholders.
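The OSP-5 update-level metric from the sample process description above, worked through as an added example. This code is not from the presentation or from O-ISM3 itself; the patch-record layout, the system and domain names, the patch identifiers and the dates are all constructed for illustration. It also shows the two details the one-paragraph definition leaves implicit: which patches count as pending on a given day, and that the domain denominator is every system in the inventory, not only the systems with pending patches.

```python
"""Compute the O-ISM3 OSP-5 'update level' metric from a patch inventory.

Example code; not part of the presentation or of the O-ISM3 standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PatchRecord:
    """One security patch applicable to one information system.

    The record layout is an assumption for this example; O-ISM3 defines the
    metric, not the inventory format. `installed` is None while the patch is
    still pending.
    """
    system: str
    patch_id: str
    released: date
    installed: Optional[date] = None


def days_outstanding(record: PatchRecord, as_of: date) -> int:
    """Days a patch has been pending on its system as of `as_of`.

    A patch counts as pending until its installation date has passed, so an
    installation scheduled after `as_of` still accrues days. A patch released
    after `as_of` contributes 0 rather than a negative number.
    """
    if record.installed is not None and record.installed <= as_of:
        return 0
    return max((as_of - record.released).days, 0)


def system_update_level(records: Iterable[PatchRecord], system: str, as_of: date) -> int:
    """Sum of days outstanding over all pending patches of one system."""
    return sum(days_outstanding(r, as_of) for r in records if r.system == system)


def domain_update_level(records: Iterable[PatchRecord], systems: List[str], as_of: date) -> float:
    """Mean of the per-system update levels over every system in the domain.

    The denominator is the number of systems in the domain (from the asset
    inventory, OSP-3), not the number of systems with pending patches, so a
    fully patched system lowers the domain figure. Lower is better.
    """
    if not systems:
        raise ValueError("a domain must contain at least one information system")
    records = list(records)
    return sum(system_update_level(records, s, as_of) for s in systems) / len(systems)


def domain_report(records: Iterable[PatchRecord], domains: Dict[str, List[str]],
                  as_of: date) -> Dict[str, dict]:
    """Per-domain update level plus the worst system, so the mean is not read alone."""
    records = list(records)
    report = {}
    for name, systems in domains.items():
        levels = {s: system_update_level(records, s, as_of) for s in systems}
        worst = max(levels, key=levels.get)
        report[name] = {
            "update_level": domain_update_level(records, systems, as_of),
            "worst_system": worst,
            "worst_level": levels[worst],
        }
    return report


# Constructed sample data: two IT managed domains and their asset inventory.
AS_OF = date(2011, 5, 25)
DOMAINS = {"dmz": ["web01", "web02"], "corp": ["fs01", "db01", "mail01"]}
RECORDS = [
    PatchRecord("web01", "KB-A", date(2011, 5, 1)),                     # pending 24 days
    PatchRecord("web01", "KB-B", date(2011, 5, 15)),                    # pending 10 days
    PatchRecord("web02", "KB-A", date(2011, 5, 1), date(2011, 5, 10)),  # installed: 0 days
    PatchRecord("web02", "KB-B", date(2011, 5, 15)),                    # pending 10 days
    PatchRecord("fs01", "KB-A", date(2011, 5, 1)),                      # pending 24 days
    PatchRecord("fs01", "KB-E", date(2011, 5, 20), date(2011, 5, 30)),  # installed after as_of: 5 days
    PatchRecord("db01", "KB-C", date(2011, 4, 25)),                     # pending 30 days
    PatchRecord("db01", "KB-D", date(2011, 6, 1)),                      # released after as_of: 0 days
    # mail01 has no applicable patches and still counts in the corp denominator.
]

if __name__ == "__main__":
    for name, r in domain_report(RECORDS, DOMAINS, AS_OF).items():
        print(f"{name}: update level {r['update_level']:.1f} days "
              f"(worst system {r['worst_system']} at {r['worst_level']} days)")
```

With the constructed data, dmz scores 22.0 days and corp 19.7 days, even though corp carries more outstanding patch-days in total: the fully patched mail01 pulls the corp mean down. That is why the report also carries the worst system per domain; the averaged metric is the comparison the process description asks for, but on its own it can hide one badly lagging host behind many clean ones.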
Significant Features of O-ISM3
- Metrics for information security
- Capability levels
- Maturity levels
- Process based
- Adopts best practices
- Accreditation

O-ISM3 Capability Levels
- Capability is a property of how a process is managed; process capability is determined by the metrics the process produces.
- Initial: management practice Enabled
- Managed: management practice Test
- Defined: management practices Audit, Certify
- Controlled: management practice Monitor
- Optimized: management practices Assessment, Optimization, Benefits realization, Planning
- The slide's matrix marks which metric types (Documentation, Activity, Scope, Effectiveness, Unavailability, Load, Quality, Efficiency) each level produces: documentation metrics are produced from the lowest level, while quality and efficiency metrics are produced only at the highest levels.

O-ISM3 Implementation (diagram)
- Business objectives and incidents lead to security objectives and incidents, which lead to ISM3 processes and metrics.
- Operational business objectives (objectives, security targets) go through dependency analysis to yield operationalized security objectives (objectives, security targets), grouped and mapped to processes:
  - Priority: OSP-15, OSP-26, others
  - Durability: OSP-6, OSP-10, OSP-27, others
  - Quality: OSP-21, others
  - Access control: OSP-3, OSP-11, OSP-12, OSP-14, others
  - Technical: OSP-5, OSP-7, OSP-16, OSP-17, others

Typical Implementation Approach
Open ISM3 implementation approach (diagram)

Potential Benefits
- Maturity levels make it easier to prioritize and optimize investment in information security.
- It scales to small and large organizations.
- Because each environment runs its own processes, procedures written for a restrictive environment need not be imposed across the whole organization.
- Business focused; process oriented; manageable (with metrics); compatible (ITIL, ISO 27001, ISO 9001, COBIT); adaptable; flexible; an open standard that is readily available.

Q & A

Thank you for your participation