Upload
vicente-aceituno
View
2.137
Download
1
Embed Size (px)
DESCRIPTION
Citation preview
1
Information Security Management Maturity Model
2
3
Methods
A method is the complete
definition of how to make
repeatable a complex activity.
4
Concepts
Clear concepts help mapping real problems with the
framework provided by the
method. They give the method internal
coherence.
5
Principles
Generic high level do’s, don’ts and how to’s.
6
Roles
Defined roles guarantee that everyone knows his
responsibilities, and there are no unassigned responsibilities.
Every task performed needs one person or team that is
responsible to carry it out.
7
Processes
The task is performed equally regardless of who performs it.
Makes planning easier. It produces something with value for the business.
8
Deliverables Document activity
Results
Measure progress and success
Less dependencies Better communication
Reminder
9
Techniques
Capture and reuse lessons learnt Improve productivity and quality
Less dependencies of individual talent Produce deliverables
10
Why What Who How When Resources Responsibilities
11
Index1. ISM3 Charter2. Benefits Realization (Business objectives,
Security objectives)3. Results Oriented Management (Management
Practices, Processes, Process Metrics)4. Continuous Improvement (Management
Capability, Management Maturity)5. ISMS Success (Operational definition of
incident, Business Targets, Security Targets)6. Levels of Responsibility7. Return of Investment8. Communication and Cooperation (Operational
definitions)9. Certification (Certifiable Maturity Levels)10. Summary
12
Index1. ISM3 Charter2. Benefits Realization (Business objectives,
Security objectives)3. Results Oriented Management (Management
Practices, Processes, Process Metrics)4. Continuous Improvement (Management
Capability, Management Maturity)5. ISMS Success (Operational definition of
incident, Business Targets, Security Targets)6. Levels of Responsibility7. Return of Investment8. Communication and Cooperation (Operational
definitions)9. Certification (Certifiable Maturity Levels)10. Summary
13
Charter
The Problem Lack of guidance for the infosec community on managing the
information security function using metrics and maturity models.
Existing infosec frameworks and standards for the most part fail to tie information security controls and management to business objectives. As such, they provide laundry lists of best practice controls, but they leave it to the information security management at each organization to determine which controls have applicability based upon many internal factors.
Existing frameworks are also not tailored for various kinds of organizations. SMBs, large enterprises, e-commerce, and military/defense have different requirements
14
Charter
Objectives Fill the gap between ISMS as defined in ISO27001, best
practices in ISO27002, and the need for continuous improvement in infosec using metrics and maturity models.
Help organizations to identify and achieve levels of security appropriate to their industry, risk profile, and size.
Provide organizations with certification opportunities for infosec management program
Provide basis for an ecosystem to develop around ISM3, including trainers, certification, consultants.
15
Index1. ISM3 Charter2. Benefits Realization (Business objectives,
Security objectives)3. Results Oriented Management (Management
Practices, Processes, Process Metrics)4. Continuous Improvement (Management
Capability, Management Maturity)5. ISMS Success (Operational definition of
incident, Business Targets, Security Targets)6. Levels of Responsibility7. Return of Investment8. Communication and Cooperation (Operational
definitions)9. Certification (Certifiable Maturity Levels)10. Summary
16
Asking the Right Questions
What questions would you ask in order to keep the Confidentiality, Availability and Integrity of the systems used by Human Resources?
17
Contrarian view of business and security
18
Security seen as part of the business
19
Protect the asset
20
Protect business bjectives
21
“We want to prevent attacks from succeeding”. With this approach, to be secure means to be invulnerable.
An incident is any loss of confidentiality, integrity or availability.
You look at a piece of data and think: Is it confidential, has it got integrity, is it available?
Traditional approach to security:
22
“We want to guarantee that our business objectives are met”. With this approach, to be secure means to be reliable, despite attacks, accidents and errors.
An incident is a failure to meet a security objective resulting from accidents, errors or attacks.
Using ISM3 you look at a piece of data and think: What properties of this data must be protected for it to have business value?
ISM3 style Approach:
23
ISM3 Business Focus
Business Objectives: Resilience depends on security objectives.
Security Objectives are derived from business, compliance and technical needs and limitations. This are the goals of the ISM.
Security Targets measure the achievement of security objectives in business terms.
24
Benefits Realization
Business Goals and Obligations removed in order to simplify and focus.
25
ISM3 - What needs protection?
Business Objectives examples: Paying taxes in time; Invoice all products and services provided; Keep any records needed to pass successfully any audit, like a
tax audit or a software licenses audit.
Security Objectives. Security Targets.
26
ISM3 - What protection is needed?
Business Objectives. Security Objectives examples:
“Secrets should be accessible to authorized users only” “Repositories with Personal information have to be registered
with the Data Protection agency” “Systems are as free of weaknesses as possible”
Security Targets.
27
ISM3 - Is protection successful?
Business Objectives. Security Objectives. Security Targets examples.
“Less than 2 secrets revealed every year, accounting for loses of less than 0.1% of the value of the company”
“Fewer than one incident every two years where a Repository with Personal Information s not registered”
“Medium update level in the DMZ environment below 3 days”
28
Benefits Realization
29
Operational Definitions for Security
ISM3 borrows the concept of operational definition from the scientific method.
Under an operational definition, any measurable characteristic is defined by the methodology used to measure it, without any attempt to describe or define the nature of the measured characteristic.
Repeatable, as the measurement can the performed as often as needed with consistent results,
Independent of the observer, as any observer following the measurement methodology will achieve the same result
30
Operational Definitions for Security Remove ambiguity, enable agreement. Switch from “what is” to “how you measure”. You don’t need to know what “mass” is in order to know
the weight of something.
31
Asking the Right Questions
What questions would you ask in order to keep the Confidentiality, Availability and Integrity of the systems used by Human Resources?
32
Asking the Right Questions
1. Who are the users of the system?
2. Do they need to be specifically authorized?
3. From whom do we want to protect the system’s information?
4. Will any part of the system be located in publicly accessible locations?
5. Will the system handle personal information of clients, potential clients, stockholders, or employees?
6. What are the different locations subject to diverse regulations in terms of handling of personal information and data breach disclosure where parts of the system will be located?
7. Will the system use licensed information from third parties?
8. What are the different locations subject to diverse regulations in terms of licensed information where parts of the system will be located?
33
Asking the Right Questions
9. Will the system handle intellectual property?
10. What are the different locations subject to diverse regulations in terms of intellectual property where parts of the system will be located?
11. When should the system be performing normally (e.g., 8×5)?
12. How many interruptions are acceptable?
13. What would be the longest acceptable interruption?
14. What is the maximum amount of transactions that can be lost because of an interruption?
15. For how long will the system’s data be archived?
16. If the data needs to be deleted, when should this happen?
17. What is the maximum acceptable fraction of records with wrong information?
18. What is the maximum fraction of records that can be missing?
34
Security Objectives
35
Use of services and physical and logical access to repositories and systems is restricted to authorized users;
Access Control
36
Secrets (industrial, trade) are accessible to authorized users only;
Access Control
37
Personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required.
Access Control
38
Intellectual property (licensed, copyrighted, patented and trademarks) is accessible to authorized users only;
Third party services and repositories are appropriately licensed and accessible only to authorized users;
Access Control
39
Users are accountable for the repositories and messages they create or modify;
Users are accountable for their acceptance of contracts and agreements.
Users are accountable for their use of services.
Access Control
40
Accurate time and date is reflected in all records;
Access Control
41
Availability of repositories, services and channels exceeds Customer needs;
Reliability and performance of services and channels exceeds Customer needs;
Volatility of services and channels within Customer needs;
Priority Objectives
42
Repositories are retained at least as long as Customer requirements;
Expired or end of life-cycle repositories are permanently destroyed;
Durability Objectives
43
Precision, relevance (up-to-date), completeness and consistency of repositories exceeds Customer needs;
Quality Objectives
44
Technical Objectives
* Keep systems free of weaknesses.* Keep systems that need to be visible from not trusted systems the least visible possible.* Have systems run trusted services only.* Keep electricity, temperature and humidity within controlled limits.
Press Any Key to Continue
45
Use case – Malware Management
Use case – ISM3-less management Motivation: Clean viruses or your business will sink. Objective: No system should get a virus ever Activity: Install antivirus on personal computers, servers, mail
servers, add antivirus functionality to firewalls, add antispyware, antitrojan, antirookit to the mix.
Policy: Prevent any USB, DVD, to touch any company system without being searched for viruses.
Success criterion: When no system gets ever a virus. Continuous improvement: Add more antimalware controls
(Tripwire, CORE, etc)
46
Use Case – ISM3-style management Motivation: Unfortunately systems, specially Windows and malware prone.
We should invest proportionally to the damage they can make. Goal: Systems should accomplish their business role with or without
malware. Activity: Install antimalware in vulnerable systems. Measure activity, scope,
update and availability of antimalware. Consider other measures, like using less malware prone systems.
Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.
Success criterion: When protected system play their business role without interruption or degradation.
Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectively and ROI.
Use case – Malware Management
47
Index1. ISM3 Charter2. Benefits Realization (Business objectives,
Security objectives)3. Results Oriented Management (Management
Practices, Processes, Metrics)4. Continuous Improvement (Management
Capability, Management Maturity)5. ISMS Success (Operational definition of
incident, Business Targets, Security Targets)6. Levels of Responsibility7. Return of Investment8. Communication and Cooperation (Operational
definitions)9. Certification (Certifiable Maturity Levels)10. Summary
48
Definitions
Process OSP-6 Environment Clearing
Description This process covers procedures for secure clearing of repositories to prevent disclosure of information.
Rationale Clearing or destroying of repositories is required to prevent disclosure incidents when an information system leaves an environment or passes outside the control of the organization.
Documentation OSP-061-Repository Clearing Procedure. OSP-062-Clearing Report Template
Inputs Inventory of Assets Alerts and Fixes Report
Work Products Cleared Repositories Clearing Report Metrics Report
Activity Number of Work Products submitted
Scope Percentage of information systems susceptible to be cleared when changing state in the environment
Update Time since last Work Products submission Mean time between Work Products submissions Time since last information system clearing
Availability Not Applicable
Process owner Information Systems Management
Related Processes
OSP-4 Information Systems Environment Change Control OSP-22 Alerts Monitoring
Related Methodologies
Not Applicable
49
Definitions
Description: The activity performed in the process.
Rationale: How the process contributes to specific and generic goals.
Documentation: Policies, Procedures and Templates Process Definitions needed to describe and perform the process.
Inputs: Inputs to the process. (Inputs in italics or obtained from sources other than documents)
Work Products: Results of the process. (Work Products in italics are work products other than documents)
50
Definitions
Activity: Metric description of the volume of work products produced.
Scope: Metric description showing how much of the organisation or the environment is covered by the process.
Efficiency
Efficacy
Load
Quality
Unavailability: Metric description of the period of time that a process has performed as expected upon demand, and the frequency and duration of interruptions.
51
Definitions
Process Owner: Every process should have one and no more than one process owner.
Related Processes: Other ISM3 processes that are required to generate key inputs.
Related Methodologies: Well-known methodologies and best practices.
52
Managing is achieving results with the resources available for it.
There are specific activities for management: “Management Practices”
Management
53
Assessment. How well the process matches the organization's needs and compliance goals.
Management Practices
54
Benefits realization: Show how achieving
security objectives contributes to
achieving business objectives.
Management Practices
55
Planning. Organizing and forecasting the amount, assignment and milestones of tasks, resources, budget, deliverables and performance of a process.
Management Practices
56
Testing: Assessment of whether process outputs are as expected when test data is put in.
Management Practices
57
Monitoring: Checking whether the outputs of the process and the resources used are
normal?, acceptable? Improving? Better than the Joneses?
Management Practices
58
Improving: Making changes in the process to make it more suitable for the purpose, or to reduce usage of resources.
Management Practices
59
Audit. Whether the process inputs, activities and results match their documentation.
Management Practices
60
Certify: Whether the process inputs, process documentation, activities and results comply with a pre-defined standard, law or regulation.
Management Practices
61
Therefore, there is a strong link between the metrics used and capability.
Management
You can perform few management practices without metrics.
62
The more sophisticated your management practices, the higher your capability.
Management and Capability
63
Types of Process Metrics
A quantitative measurement that can be interpreted in the context of a series of previous or equivalent measurements
64
Types of Process Metrics
Activity: Number of outputs produced and their mean age.
65
Types of Process Metrics
Scope: Percentage of all inputs producers covered.
66
Types of Process Metrics
Unavailability: Number, frequency and duration of interruptions in the normal operation of the process.
67
Types of Process Metrics
Effectiveness: Number, mean time between inputs and percentage of Inputs that produce an Output.
68
Types of Process Metrics
Efficiency: Ratio between the number of outputs submitted and the available resources for this process in actual use.
69
Types of Process Metrics Load:
Percentage of resources reserved for the process in actual use.
70
Types of Process Metrics
Quality: Measure of the fitness for purpose of the outputs.
71
Description of what is measuredHow is the metric measuredHow often is the measurement
takenHow are the thresholds calculatedCurrent range of values considered
normal for the metricBest possible value of the metricUnits of measurement
Metrics Specification
72
What are metrics good for?
Enable performing management practices. Determine whether security objectives are met
(test success); Show how security objectives contribute to
business objectives; Measure how changes in a process improve (or
not) the ISM system; Inform decisions to fix or improve the ISM
processes. Detect significant anomalies (tell normal from
abnormal, saving investigation efforts); SLAs, Outsourcing
73
Index1. ISM3 Charter2. Benefits Realization (Business objectives,
Security objectives)3. Results Oriented Management (Management
Practices, Processes, Process Metrics)4. Continuous Improvement (Management
Capability, Management Maturity)5. ISMS Success (Operational definition of
incident, Business Targets, Security Targets)6. Levels of Responsibility7. Return of Investment8. Communication and Cooperation (Operational
definitions)9. Certification (Certifiable Maturity Levels)10. Summary
74
What you can’t measure you can’t manage. What you can’t manage you can’t improve. ISM3 uses PDCA per process & Metrics for
continuous improvement. The higher the capability of a process, the
better opportunities for improvement arise.
ISM3 - Continuous Improvement
75
ISM3 Process Capability
76
Security & Security Investment
Security
Investment
Cost
% People
Mayfield’s Paradox It cost an infinite amount of money
both to give everyone access to a system, and to prevent everyone access to the same system.
CMU – CERT study: The more you spend, the less
difference it makes on your security.
77
Security Investment, Maturity Level & Risk
None
Basic
Leve
l
SME L
evel
eCom
mer
ce L
evel
Enter
prise
Lev
el
Milit
ary L
evel
Security Investment
Risk
Risk Reduction/Additional SecurityInvestment
ISM3 Maturity Levels
(Qualitative Graphic. Risk Reduction / Extra Security Investment, scaled x40 for readability)
78
ISM3 Maturity Levels
Defines one basic maturity level Defined level is minimal set of processes without which you don’t
have an ISMS Certified capability and maturity moved to separate
conformance/certification documentation
Maturity levels documented in separate documents will be market driven projects
Guidance given on historical/empirical economical process sequencing and continuous improvement
79
ISM3 Maturity Levels Low Investment Medium Investment High Investment
High Benefit
OSP-12: User Registration
SSP-4: Define TPSRSR Rules
TSP-6: Define IT Managed Domains and Lifecycles
GP-2: ISM System and Business Audit
OSP-14: Physical Environment Protection Management
OSP-7: IT Managed Domain Hardening
OSP-8: Software Development Lifecycle Control
OSP-19: Internal Technical Audit
OSP-4: Information Systems IT Managed Domain Change Control
OSP-9: Security Measures Change Control
OSP-26: Enhanced Reliability and Availability Management
Medium Benefit
TSP-11: Security Awareness
TSP-8: Personnel Security
TS8P-:9 Security Personnel Training
OSP-3: Inventory Management
OSP-2: Security Procurement
OSP-6: IT Managed Domain Clearing
OSP-27: Archiving Management
OSP-15: Operations Continuity Management
OSP-20: Incident Emulation
Low Benefit
TSP-10: Disciplinary Process
TSP-13: Insurance Management
OSP-22: Alerts Monitoring
OSP-28: External Events Detection and Analysis
OSP-23: Internal Events Detection and Analysis
OSP-24: Handling of Incidents and Near-incidents
OSP-25: Forensics
TSP-7: Background Checks
TSP-14: Information Operations
80
ISM3 Flexibility
ISM3 is adaptable to organizations with different missions and contexts.
ISM3 is adaptable to organizations with different resources. Security investment is driven by business need. Some organizations may not have a huge budget for Information
Security ( 20 / 80 Rule). Maturity levels describe different levels of sophistication of ISM
systems. Organizations can identify appropriate processes, choose a
level suitable for them, and show implementation progress.
81
Index1. ISM3 Charter2. Benefits Realization (Business objectives,
Security objectives)3. Results Oriented Management (Management
Practices, Processes, Process Metrics)4. Continuous Improvement (Management
Capability, Management Maturity)5. ISMS Success (Operational definition of
incident, Business Targets, Security Targets)6. Levels of Responsibility7. Return of Investment8. Communication and Cooperation (Operational
definitions)9. Certification (Certifiable Maturity Levels)10. Summary
82
Incidents = Failure
83
Incidents = Opportunity for
Improvement
84
(But…
Don’t make the same mistake twice.
& Learn from the mistakes of others)
85
ISMS Success
A security target specifies the maximum number and impact of incidents that is acceptable.
An occurrence of an incident does not by itself mean that a ISM system has failed.
ISM defines success as, not whether an incident has occurred, but whether the security target related to that incident has been met.
Meeting all security targets throughout the year means that the ISM system has been successful, regardless of the incidents that occurred during that period.
Incidents and failed security targets lead to improvements in the cycle of continuous improvement of the ISMS.
86
Index1. ISM3 Charter2. Benefits Realization (Business objectives,
Security objectives)3. Results Oriented Management (Management
Practices, Processes, Process Metrics)4. Continuous Improvement (Management
Capability, Management Maturity)5. ISMS Success (Operational definition of
incident, Business Targets, Security Targets)6. Levels of Responsibility7. Return of Investment8. Communication and Cooperation (Operational
definitions)9. Certification (Certifiable Maturity Levels)10. Advantages11. Summary
87
ISM3 Responsibility Guidance
Transparency: Responsibilities and reporting channels should be clearly defined, documented and communicated.
Partitioning: All instances of ISM processes should have one and only one Process Owner.
Supervision: All ISM processes should have at least one supervisor.
Rotation: All sensitive processes should be transferred periodically to another competent process owner.
Separation: No process owner will own incompatible processes.
88
Deal with broad goals, coordination and provision of resources;
Deal with the design and implementation of the ISM system, specific goals and management of resources;
Deal with achieving defined goals by means of technical processes.
Strategic Practices
Tactical Practices
Operational Practices
Levels of Responsibility – Management Levels
89
Strategic Managers
Tactical Managers
Operational Managers
Stakeholders
Report
Report
Report
Levels of Responsibility - Reporting
90
Strategic Practices
Tactical Practices
Operational Practices
Generic Practices
Specific Goals
Specific Goals
Specific Goals
Generic Goals
Direct and Provide
Implement and Optimize
Support
Levels of Responsibility
91
Index1. ISM3 Charter2. Benefits Realization (Business objectives,
Security objectives)3. Results Oriented Management (Management
Practices, Processes, Process Metrics)4. Continuous Improvement (Management
Capability, Management Maturity)5. ISMS Success (Operational definition of
incident, Business Targets, Security Targets)6. Levels of Responsibility7. Overview8. Communication and Cooperation (Operational
definitions)9. Certification (Certifiable Maturity Levels)10. Summary
92
Generic Goals
Prevent and mitigate incidents that could jeopardize the organization’s property and the output of products and services that rely on information systems;
Optimise the use of information, money, people, time and infrastructure.
The work products of an ISM system are: Incident prevention; Incident mitigation;
The intangible work products of an ISM system are: Risk reduction; Trust.
Generic Goals
93
Strategic Goals
Provides leadership and coordination of: Information security; Physical security; Workplace security (outside scope of ISM3); Interaction with organizational units;
Reviews and improves the information security management system;
Provides resources for information security; Defines relationships with other
organisations; Defines Security Objectives consistent with
organizational objectives, protecting stakeholders interests;
Sets the organizational scheme of delegation.
Specific Goals
94
Tactical Goals
Provide feedback to Strategic Management; Define the environment for Operational
Management. Define Security Targets; Define information classes, priorities, durability
and quality groups; Define environments and lifecycles; Select appropriate processes to achieve the
Security Targets; Manage budget, people and other resources
allocated to information security
Specific Goals
95
Operational Goals
Provide feedback to Tactical Management, including Incident Reports;
Identify and protect assets; Protection and support of information systems
throughout their lifecycle; Management of the security measures
lifecycle; Apply allocated resources efficiently and
effectively; Carry out processes for incident prevention,
detection and mitigation (both real time and following an incident).
Specific Goals
96
Generic Practices
GP-1 Knowledge Management GP-2 ISM System Audit GP-3 ISM Design and Evolution
GenericPractices
97
SSP-1 Report to Stakeholders SSP-2 Coordination SSP-3 Strategic vision SSP-4 Define Division of Duties rules SSP-6 Allocate resources for information
security
Strategic Practices
StrategicPractices
98
TSP-1 Report to strategic management TSP-2 Manage allocated resources TSP-3 Define Security Targets and Security Objectives
TSP-4 Service Level Management TSP-6 Security Architecture TSP-7 Background Checks TSP-8 Personnel Security TSP-9 Security Personnel Training TSP-10 Disciplinary Process TSP-11 Security Awareness TSP-13 Insurance Management TSP-14 Information Operations
Tactical Practices
TacticalPractices
99
Operational Practices
OSP-1 Report to tactical management OSP-2 Security Procurement OSP-3 Inventory Management OSP-4 Information Systems Environment Change
Control OSP-5 Environment Patching OSP-6 Environment Clearing OSP-7 Environment Hardening OSP-8 Software Development Life-cycle Control OSP-9 Security Measures Change Control OSP-10 Backup & Redundancy Management
OperationalPractices
100
Operational Practices
OSP-11 Access control OSP-12 User Registration OSP-14 Physical Environment Protection
Management – OSP-15 Operations Continuity Management OSP-16 Segmentation and Filtering Management OSP-17 Malware Protection Management OSP-19 Internal Technical Audit OSP-20 Incident Emulation OSP-21 Information Quality Probing OSP-26 Enhanced Reliability and Availability
Management
OperationalPractices
101
Operational Practices
OSP-22 Alerts Monitoring OSP-28 External Events Detection and
Analysis OSP-23 Internal Events Detection and Analysis OSP-24 Handling of incidents and near-
incidents OSP-25 Forensics OSP-27 Archiving Management OSP-21 Information Quality and Compliance
Probing
OperationalPractices
102
Index1. ISM3 Charter2. Benefits Realization (Business objectives,
Security objectives)3. Results Oriented Management (Management
Practices, Processes, Process Metrics)4. Continuous Improvement (Management
Capability, Management Maturity)5. ISMS Success (Operational definition of
incident, Business Targets, Security Targets)6. Levels of Responsibility7. Overview8. Communication and Cooperation (Operational
definitions)9. Certification (Certifiable Maturity Levels)10. Summary
103
Summary
1. Business Focused
2. Process Orientation
3. Manageable (with Metrics)
4. Compatible (ITIL, ISO27001, ISO9001)
5. Adaptable
6. Flexible
104
Learn to implement High Performance Security Management Processes http://cli.gs/ism3
Web www.inovement.esVideo Blog youtube.com/user/vaceitunoBlog ism3.comTwitter twitter.com/vaceitunoPresentationsslideshare.net/vaceituno/presentations
Articles slideshare.net/vaceituno/documents
105