Introducing O-ISM3

1

Information Security Management Maturity Model

2

3

Methods

A method is the complete

definition of how to make

repeatable a complex activity.

4

Concepts

Clear concepts help mapping real problems with the

framework provided by the

method. They give the method internal

coherence.

5

Principles

Generic high level do’s, don’ts and how to’s.

6

Roles

Defined roles guarantee that everyone knows his

responsibilities, and there are no unassigned responsibilities.

Every task performed needs one person or team that is

responsible to carry it out.

7

Processes

The task is performed equally regardless of who performs it.

Makes planning easier. It produces something with value for the business.

8

Deliverables Document activity

Results

Measure progress and success

Less dependencies Better communication

Reminder

9

Techniques

Capture and reuse lessons learnt Improve productivity and quality

Less dependencies of individual talent Produce deliverables

10

Why What Who How When Resources Responsibilities

11

Index1. ISM3 Charter2. Benefits Realization (Business objectives,

Security objectives)3. Results Oriented Management (Management

Practices, Processes, Process Metrics)4. Continuous Improvement (Management

Capability, Management Maturity)5. ISMS Success (Operational definition of

incident, Business Targets, Security Targets)6. Levels of Responsibility7. Return of Investment8. Communication and Cooperation (Operational

definitions)9. Certification (Certifiable Maturity Levels)10. Summary

12







13

Charter

The Problem Lack of guidance for the infosec community on managing the

information security function using metrics and maturity models.

Existing infosec frameworks and standards for the most part fail to tie information security controls and management to business objectives. As such, they provide laundry lists of best practice controls, but they leave it to the information security management at each organization to determine which controls have applicability based upon many internal factors.

Existing frameworks are also not tailored for various kinds of organizations. SMBs, large enterprises, e-commerce, and military/defense have different requirements

14

Charter

Objectives Fill the gap between ISMS as defined in ISO27001, best

practices in ISO27002, and the need for continuous improvement in infosec using metrics and maturity models.

Help organizations to identify and achieve levels of security appropriate to their industry, risk profile, and size.

Provide organizations with certification opportunities for infosec management program

Provide basis for an ecosystem to develop around ISM3, including trainers, certification, consultants.

15







16

Asking the Right Questions

What questions would you ask in order to keep the Confidentiality, Availability and Integrity of the systems used by Human Resources?

17

Contrarian view of business and security

18

Security seen as part of the business

19

Protect the asset

20

Protect business bjectives

21

“We want to prevent attacks from succeeding”. With this approach, to be secure means to be invulnerable.

An incident is any loss of confidentiality, integrity or availability.

You look at a piece of data and think: Is it confidential, has it got integrity, is it available?

Traditional approach to security:

22

“We want to guarantee that our business objectives are met”. With this approach, to be secure means to be reliable, despite attacks, accidents and errors.

An incident is a failure to meet a security objective resulting from accidents, errors or attacks.

Using ISM3 you look at a piece of data and think: What properties of this data must be protected for it to have business value?

ISM3 style Approach:

23

ISM3 Business Focus

Business Objectives: Resilience depends on security objectives.

Security Objectives are derived from business, compliance and technical needs and limitations. This are the goals of the ISM.

Security Targets measure the achievement of security objectives in business terms.

24

Benefits Realization

Business Goals and Obligations removed in order to simplify and focus.

25

ISM3 - What needs protection?

Business Objectives examples: Paying taxes in time; Invoice all products and services provided; Keep any records needed to pass successfully any audit, like a

tax audit or a software licenses audit.

Security Objectives. Security Targets.

26

ISM3 - What protection is needed?

Business Objectives. Security Objectives examples:

“Secrets should be accessible to authorized users only” “Repositories with Personal information have to be registered

with the Data Protection agency” “Systems are as free of weaknesses as possible”

Security Targets.

27

ISM3 - Is protection successful?

Business Objectives. Security Objectives. Security Targets examples.

“Less than 2 secrets revealed every year, accounting for loses of less than 0.1% of the value of the company”

“Fewer than one incident every two years where a Repository with Personal Information s not registered”

“Medium update level in the DMZ environment below 3 days”

28

Benefits Realization

29

Operational Definitions for Security

ISM3 borrows the concept of operational definition from the scientific method.

Under an operational definition, any measurable characteristic is defined by the methodology used to measure it, without any attempt to describe or define the nature of the measured characteristic.

Repeatable, as the measurement can the performed as often as needed with consistent results,

Independent of the observer, as any observer following the measurement methodology will achieve the same result

30

Operational Definitions for Security Remove ambiguity, enable agreement. Switch from “what is” to “how you measure”. You don’t need to know what “mass” is in order to know

the weight of something.

31


What questions would you ask in order to keep the Confidentiality, Availability and Integrity of the systems used by Human Resources?

32


1. Who are the users of the system?

2. Do they need to be specifically authorized?

3. From whom do we want to protect the system’s information?

4. Will any part of the system be located in publicly accessible locations?

5. Will the system handle personal information of clients, potential clients, stockholders, or employees?

6. What are the different locations subject to diverse regulations in terms of handling of personal information and data breach disclosure where parts of the system will be located?

7. Will the system use licensed information from third parties?

8. What are the different locations subject to diverse regulations in terms of licensed information where parts of the system will be located?

33


9. Will the system handle intellectual property?

10. What are the different locations subject to diverse regulations in terms of intellectual property where parts of the system will be located?

11. When should the system be performing normally (e.g., 8×5)?

12. How many interruptions are acceptable?

13. What would be the longest acceptable interruption?

14. What is the maximum amount of transactions that can be lost because of an interruption?

15. For how long will the system’s data be archived?

16. If the data needs to be deleted, when should this happen?

17. What is the maximum acceptable fraction of records with wrong information?

18. What is the maximum fraction of records that can be missing?

34

Security Objectives

35

Use of services and physical and logical access to repositories and systems is restricted to authorized users;

Access Control

36

Secrets (industrial, trade) are accessible to authorized users only;

Access Control

37

Personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required.

Access Control

38

Intellectual property (licensed, copyrighted, patented and trademarks) is accessible to authorized users only;

Third party services and repositories are appropriately licensed and accessible only to authorized users;

Access Control

39

Users are accountable for the repositories and messages they create or modify;

Users are accountable for their acceptance of contracts and agreements.

Users are accountable for their use of services.

Access Control

40

Accurate time and date is reflected in all records;

Access Control

41

Availability of repositories, services and channels exceeds Customer needs;

Reliability and performance of services and channels exceeds Customer needs;

Volatility of services and channels within Customer needs;

Priority Objectives

42

Repositories are retained at least as long as Customer requirements;

Expired or end of life-cycle repositories are permanently destroyed;

Durability Objectives

43

Precision, relevance (up-to-date), completeness and consistency of repositories exceeds Customer needs;

Quality Objectives

44

Technical Objectives

* Keep systems free of weaknesses.* Keep systems that need to be visible from not trusted systems the least visible possible.* Have systems run trusted services only.* Keep electricity, temperature and humidity within controlled limits.

Press Any Key to Continue

45

Use case – Malware Management

Use case – ISM3-less management Motivation: Clean viruses or your business will sink. Objective: No system should get a virus ever Activity: Install antivirus on personal computers, servers, mail

servers, add antivirus functionality to firewalls, add antispyware, antitrojan, antirookit to the mix.

Policy: Prevent any USB, DVD, to touch any company system without being searched for viruses.

Success criterion: When no system gets ever a virus. Continuous improvement: Add more antimalware controls

(Tripwire, CORE, etc)

46

Use Case – ISM3-style management Motivation: Unfortunately systems, specially Windows and malware prone.

We should invest proportionally to the damage they can make. Goal: Systems should accomplish their business role with or without

malware. Activity: Install antimalware in vulnerable systems. Measure activity, scope,

update and availability of antimalware. Consider other measures, like using less malware prone systems.

Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.

Success criterion: When protected system play their business role without interruption or degradation.

Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectively and ROI.

Use case – Malware Management

47



Practices, Processes, Metrics)4. Continuous Improvement (Management




48

Definitions

Process OSP-6 Environment Clearing

Description This process covers procedures for secure clearing of repositories to prevent disclosure of information.

Rationale Clearing or destroying of repositories is required to prevent disclosure incidents when an information system leaves an environment or passes outside the control of the organization.

Documentation OSP-061-Repository Clearing Procedure. OSP-062-Clearing Report Template

Inputs Inventory of Assets Alerts and Fixes Report

Work Products Cleared Repositories Clearing Report Metrics Report

Activity Number of Work Products submitted

Scope Percentage of information systems susceptible to be cleared when changing state in the environment

Update Time since last Work Products submission Mean time between Work Products submissions Time since last information system clearing

Availability Not Applicable

Process owner Information Systems Management

Related Processes

OSP-4 Information Systems Environment Change Control OSP-22 Alerts Monitoring

Related Methodologies

Not Applicable

49

Definitions

Description: The activity performed in the process.

Rationale: How the process contributes to specific and generic goals.

Documentation: Policies, Procedures and Templates Process Definitions needed to describe and perform the process.

Inputs: Inputs to the process. (Inputs in italics or obtained from sources other than documents)

Work Products: Results of the process. (Work Products in italics are work products other than documents)

50

Definitions

Activity: Metric description of the volume of work products produced.

Scope: Metric description showing how much of the organisation or the environment is covered by the process.

Efficiency

Efficacy

Load

Quality

Unavailability: Metric description of the period of time that a process has performed as expected upon demand, and the frequency and duration of interruptions.

51

Definitions

Process Owner: Every process should have one and no more than one process owner.

Related Processes: Other ISM3 processes that are required to generate key inputs.

Related Methodologies: Well-known methodologies and best practices.

52

Managing is achieving results with the resources available for it.

There are specific activities for management: “Management Practices”

Management

53

Assessment. How well the process matches the organization's needs and compliance goals.

Management Practices

54

Benefits realization: Show how achieving

security objectives contributes to

achieving business objectives.


55

Planning. Organizing and forecasting the amount, assignment and milestones of tasks, resources, budget, deliverables and performance of a process.


56

Testing: Assessment of whether process outputs are as expected when test data is put in.


57

Monitoring: Checking whether the outputs of the process and the resources used are

normal?, acceptable? Improving? Better than the Joneses?


58

Improving: Making changes in the process to make it more suitable for the purpose, or to reduce usage of resources.


59

Audit. Whether the process inputs, activities and results match their documentation.


60

Certify: Whether the process inputs, process documentation, activities and results comply with a pre-defined standard, law or regulation.


61

Therefore, there is a strong link between the metrics used and capability.

Management

You can perform few management practices without metrics.

62

The more sophisticated your management practices, the higher your capability.

Management and Capability

63

Types of Process Metrics

A quantitative measurement that can be interpreted in the context of a series of previous or equivalent measurements

64


Activity: Number of outputs produced and their mean age.

65


Scope: Percentage of all inputs producers covered.

66


Unavailability: Number, frequency and duration of interruptions in the normal operation of the process.

67


Effectiveness: Number, mean time between inputs and percentage of Inputs that produce an Output.

68


Efficiency: Ratio between the number of outputs submitted and the available resources for this process in actual use.

69

Types of Process Metrics Load:

Percentage of resources reserved for the process in actual use.

70


Quality: Measure of the fitness for purpose of the outputs.

71

Description of what is measuredHow is the metric measuredHow often is the measurement

takenHow are the thresholds calculatedCurrent range of values considered

normal for the metricBest possible value of the metricUnits of measurement

Metrics Specification

72

What are metrics good for?

Enable performing management practices. Determine whether security objectives are met

(test success); Show how security objectives contribute to

business objectives; Measure how changes in a process improve (or

not) the ISM system; Inform decisions to fix or improve the ISM

processes. Detect significant anomalies (tell normal from

abnormal, saving investigation efforts); SLAs, Outsourcing

73







74

What you can’t measure you can’t manage. What you can’t manage you can’t improve. ISM3 uses PDCA per process & Metrics for

continuous improvement. The higher the capability of a process, the

better opportunities for improvement arise.

ISM3 - Continuous Improvement

75

ISM3 Process Capability

76

Security & Security Investment

Security

Investment

Cost

% People

Mayfield’s Paradox It cost an infinite amount of money

both to give everyone access to a system, and to prevent everyone access to the same system.

CMU – CERT study: The more you spend, the less

difference it makes on your security.

77

Security Investment, Maturity Level & Risk

None

Basic

Leve

l

SME L

evel

eCom

mer

ce L

evel

Enter

prise

Lev

el

Milit

ary L

evel

Security Investment

Risk

Risk Reduction/Additional SecurityInvestment

ISM3 Maturity Levels

(Qualitative Graphic. Risk Reduction / Extra Security Investment, scaled x40 for readability)

78

ISM3 Maturity Levels

Defines one basic maturity level Defined level is minimal set of processes without which you don’t

have an ISMS Certified capability and maturity moved to separate

conformance/certification documentation

Maturity levels documented in separate documents will be market driven projects

Guidance given on historical/empirical economical process sequencing and continuous improvement

79

ISM3 Maturity Levels Low Investment Medium Investment High Investment

High Benefit

OSP-12: User Registration

SSP-4: Define TPSRSR Rules

TSP-6: Define IT Managed Domains and Lifecycles

GP-2: ISM System and Business Audit

OSP-14: Physical Environment Protection Management

OSP-7: IT Managed Domain Hardening

OSP-8: Software Development Lifecycle Control

OSP-19: Internal Technical Audit

OSP-4: Information Systems IT Managed Domain Change Control

OSP-9: Security Measures Change Control

OSP-26: Enhanced Reliability and Availability Management

Medium Benefit

TSP-11: Security Awareness

TSP-8: Personnel Security

TS8P-:9 Security Personnel Training

OSP-3: Inventory Management

OSP-2: Security Procurement

OSP-6: IT Managed Domain Clearing

OSP-27: Archiving Management

OSP-15: Operations Continuity Management

OSP-20: Incident Emulation

Low Benefit

TSP-10: Disciplinary Process

TSP-13: Insurance Management

OSP-22: Alerts Monitoring

OSP-28: External Events Detection and Analysis

OSP-23: Internal Events Detection and Analysis

OSP-24: Handling of Incidents and Near-incidents

OSP-25: Forensics

TSP-7: Background Checks

TSP-14: Information Operations

80

ISM3 Flexibility

ISM3 is adaptable to organizations with different missions and contexts.

ISM3 is adaptable to organizations with different resources. Security investment is driven by business need. Some organizations may not have a huge budget for Information

Security ( 20 / 80 Rule). Maturity levels describe different levels of sophistication of ISM

systems. Organizations can identify appropriate processes, choose a

level suitable for them, and show implementation progress.

81







82

Incidents = Failure

83

Incidents = Opportunity for

Improvement

84

(But…

Don’t make the same mistake twice.

& Learn from the mistakes of others)

85

ISMS Success

A security target specifies the maximum number and impact of incidents that is acceptable.

An occurrence of an incident does not by itself mean that a ISM system has failed.

ISM defines success as, not whether an incident has occurred, but whether the security target related to that incident has been met.

Meeting all security targets throughout the year means that the ISM system has been successful, regardless of the incidents that occurred during that period.

Incidents and failed security targets lead to improvements in the cycle of continuous improvement of the ISMS.

86






definitions)9. Certification (Certifiable Maturity Levels)10. Advantages11. Summary

87

ISM3 Responsibility Guidance

Transparency: Responsibilities and reporting channels should be clearly defined, documented and communicated.

Partitioning: All instances of ISM processes should have one and only one Process Owner.

Supervision: All ISM processes should have at least one supervisor.

Rotation: All sensitive processes should be transferred periodically to another competent process owner.

Separation: No process owner will own incompatible processes.

88

Deal with broad goals, coordination and provision of resources;

Deal with the design and implementation of the ISM system, specific goals and management of resources;

Deal with achieving defined goals by means of technical processes.

Strategic Practices

Tactical Practices

Operational Practices

Levels of Responsibility – Management Levels

89

Strategic Managers

Tactical Managers

Operational Managers

Stakeholders

Report

Report

Report

Levels of Responsibility - Reporting

90

Strategic Practices

Tactical Practices


Generic Practices

Specific Goals

Specific Goals

Specific Goals

Generic Goals

Direct and Provide

Implement and Optimize

Support

Levels of Responsibility

91





incident, Business Targets, Security Targets)6. Levels of Responsibility7. Overview8. Communication and Cooperation (Operational


92

Generic Goals

Prevent and mitigate incidents that could jeopardize the organization’s property and the output of products and services that rely on information systems;

Optimise the use of information, money, people, time and infrastructure.

The work products of an ISM system are: Incident prevention; Incident mitigation;

The intangible work products of an ISM system are: Risk reduction; Trust.

Generic Goals

93

Strategic Goals

Provides leadership and coordination of: Information security; Physical security; Workplace security (outside scope of ISM3); Interaction with organizational units;

Reviews and improves the information security management system;

Provides resources for information security; Defines relationships with other

organisations; Defines Security Objectives consistent with

organizational objectives, protecting stakeholders interests;

Sets the organizational scheme of delegation.

Specific Goals

94

Tactical Goals

Provide feedback to Strategic Management; Define the environment for Operational

Management. Define Security Targets; Define information classes, priorities, durability

and quality groups; Define environments and lifecycles; Select appropriate processes to achieve the

Security Targets; Manage budget, people and other resources

allocated to information security

Specific Goals

95

Operational Goals

Provide feedback to Tactical Management, including Incident Reports;

Identify and protect assets; Protection and support of information systems

throughout their lifecycle; Management of the security measures

lifecycle; Apply allocated resources efficiently and

effectively; Carry out processes for incident prevention,

detection and mitigation (both real time and following an incident).

Specific Goals

96

Generic Practices

GP-1 Knowledge Management GP-2 ISM System Audit GP-3 ISM Design and Evolution

GenericPractices

97

SSP-1 Report to Stakeholders SSP-2 Coordination SSP-3 Strategic vision SSP-4 Define Division of Duties rules SSP-6 Allocate resources for information

security

Strategic Practices

StrategicPractices

98

TSP-1 Report to strategic management TSP-2 Manage allocated resources TSP-3 Define Security Targets and Security Objectives

TSP-4 Service Level Management TSP-6 Security Architecture TSP-7 Background Checks TSP-8 Personnel Security TSP-9 Security Personnel Training TSP-10 Disciplinary Process TSP-11 Security Awareness TSP-13 Insurance Management TSP-14 Information Operations

Tactical Practices

TacticalPractices

99


OSP-1 Report to tactical management OSP-2 Security Procurement OSP-3 Inventory Management OSP-4 Information Systems Environment Change

Control OSP-5 Environment Patching OSP-6 Environment Clearing OSP-7 Environment Hardening OSP-8 Software Development Life-cycle Control OSP-9 Security Measures Change Control OSP-10 Backup & Redundancy Management

OperationalPractices

100


OSP-11 Access control OSP-12 User Registration OSP-14 Physical Environment Protection

Management – OSP-15 Operations Continuity Management OSP-16 Segmentation and Filtering Management OSP-17 Malware Protection Management OSP-19 Internal Technical Audit OSP-20 Incident Emulation OSP-21 Information Quality Probing OSP-26 Enhanced Reliability and Availability

Management


101


OSP-22 Alerts Monitoring OSP-28 External Events Detection and

Analysis OSP-23 Internal Events Detection and Analysis OSP-24 Handling of incidents and near-

incidents OSP-25 Forensics OSP-27 Archiving Management OSP-21 Information Quality and Compliance

Probing


102





incident, Business Targets, Security Targets)6. Levels of Responsibility7. Overview8. Communication and Cooperation (Operational


103

Summary

1. Business Focused

2. Process Orientation

3. Manageable (with Metrics)

4. Compatible (ITIL, ISO27001, ISO9001)

5. Adaptable

6. Flexible

104

Learn to implement High Performance Security Management Processes http://cli.gs/ism3

Web www.inovement.esVideo Blog youtube.com/user/vaceitunoBlog ism3.comTwitter twitter.com/vaceitunoPresentationsslideshare.net/vaceituno/presentations

Articles slideshare.net/vaceituno/documents

105

Technology

Introducing O-ISM3