O-ISM3 Executive Summary


O-ISM3

Open - Information Security Management Maturity Model

O-ISM3 is an Information Security Management Method

A method is the complete definition of how to make a complex activity repeatable

O-ISM3 is a Standard


O-ISM3 is Compatible

O-ISM3 is not about Compliance

O-ISM3 is about Results

O-ISM3 has Maturity Levels…

[Chart: Security Investment, Maturity Level & Risk; axes: Security Investment vs. Risk; curve: Risk Reduction / Additional Security Investment]

… in order to cater for different requirements and resources

O-ISM3 Metrics are built-in

Activity. Scope. Efficacy. Efficiency.

Risk Assessment is not compulsory

[Diagram: scope of security management across network zones (Internal Network, DMZ, Mobile Users, Internal Users, WiFi Networks) and business areas (Governance, Infrastructure, Human Resources, Production, Logistics, Administration, IT, Advertising, Research, Procurement, Sales, Business Intelligence, Financing / Accounting, Maintenance, Relationships, Legal)]

O-ISM3 helps tune: How much security is enough?

Use case – Malware Management

Use case – ISM3-less management

Motivation: Clean viruses or your business will sink.

Objective: No system should ever get a virus.

Activity: Install antivirus on personal computers, servers, mail servers; add antivirus functionality to firewalls; add antispyware, antitrojan, antirootkit to the mix.

Policy: Prevent any USB drive or DVD from touching any company system without being scanned for viruses.

Success criterion: When no system ever gets a virus.

Continuous improvement: Add more antimalware controls (Tripwire, CORE, etc.)

Use case – ISM3-style management

Motivation: Unfortunately, systems, especially Windows, are malware prone. We should invest proportionally to the damage they can make.

Goal: Systems should accomplish their business role with or without malware.

Activity: Install antimalware in vulnerable systems. Measure activity, scope, update and availability of antimalware. Consider other measures, like using less malware-prone systems.

Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.

Success criterion: When protected systems play their business role without interruption or degradation.

Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectiveness and ROI.
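The measurements the ISM3-style use case asks for (activity, scope, update, availability) and its success criterion, worked over a constructed inventory. This is an added illustration, not code from the deck or from The Open Group; the metric formulas, the seven-day signature threshold and the hosts are assumptions, since the deck only names the measurements.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class System:                        # one host in a constructed inventory
    name: str
    malware_prone: bool              # in scope for the antimalware process?
    antimalware: bool                # is the control installed?
    signature_age_days: Optional[int]  # None when no antimalware is installed
    business_minutes: int            # time it was expected to play its role
    degraded_minutes: int            # time lost to malware-related failure

# Hypothetical hosts for one measurement day; not taken from the deck.
INVENTORY = [
    System("web-01",  True,  True,  1,    1440, 0),
    System("file-02", True,  True,  10,   1440, 60),
    System("lab-03",  True,  False, None, 1440, 240),
    System("hsm-04",  False, False, None, 1440, 0),  # appliance, out of scope
    System("mail-05", True,  True,  2,    1440, 0),
]

def in_scope(inv):
    return [s for s in inv if s.malware_prone]
def protected(inv):
    return [s for s in in_scope(inv) if s.antimalware]

def activity(inv):
    """Activity: amount of work done, here the systems the control runs on."""
    return len(protected(inv))

def scope(inv):
    """Scope: share of malware-prone systems the control actually covers."""
    return len(protected(inv)) / len(in_scope(inv))

def update(inv, max_age_days=7):
    """Update: share of protected systems whose signatures are fresh enough."""
    prot = protected(inv)
    return sum(s.signature_age_days <= max_age_days for s in prot) / len(prot)

def availability(inv):
    """Availability: share of business time protected systems kept their role."""
    prot = protected(inv)
    expected = sum(s.business_minutes for s in prot)
    return sum(s.business_minutes - s.degraded_minutes for s in prot) / expected

def assess(inv):
    """Success criterion from the deck: protected systems keep their role; also lists scope gaps."""
    return {"degraded": [s.name for s in protected(inv) if s.degraded_minutes > 0],
            "unprotected": [s.name for s in in_scope(inv) if not s.antimalware]}
```

The numbers, not the mere presence of antivirus, are what the ISM3-style success criterion is judged on: a covered host that lost an hour to malware fails it even though the control was installed.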

Summary

ISMS Method
Standard published by The Open Group
Compatible with ISO2700x, CobIT, ITIL, etc.
Focus on results, not on compliance.
Maturity Levels adapt to different resources and requirements.
Uses Processes instead of Controls.
Metrics are included; they don't need to be developed anew.
Risk Assessment is optional.
Security objectives and targets help handling: How much security is enough?

Learn to implement High Performance Security Management Processes

http://cli.gs/ism3

Web: www.inovement.es
Video Blog: youtube.com/user/vaceituno
Blog: ism3.com
Twitter: twitter.com/vaceituno
Presentations: slideshare.net/vaceituno/presentations
Articles: slideshare.net/vaceituno/documents