O-ISM3
Open - Information Security Management Maturity Model
O-ISM3 is an Information Security Management Method
A method is the complete definition of how to make a complex activity repeatable
O-ISM3 is a Standard
O-ISM3 is Compatible
O-ISM3 is not about Compliance
O-ISM3 is about Results
Security Investment, Maturity Level & Risk
(Chart: Risk plotted against Security Investment, showing the Risk Reduction obtained per Additional Security Investment)
O-ISM3 has Maturity Levels… in order to cater for different requirements and resources
O-ISM3 Metrics are built-in
Activity. Scope. Efficacy. Efficiency.
Risk Assessment is not compulsory
(Diagram: network zones Internal Network, DMZ, Mobile Users, Internal Users, WiFi Networks, mapped against business functions Governance, Infrastructure, Human Resources, Production, Logistics, Administration, IT, Advertising, Research, Procurement, Sales, Business Intelligence, Financing / Accounting, Maintenance, Relationships, Legal)
O-ISM3 helps tune: How much security is enough?
Use case – Malware Management

ISM3-less management
Motivation: Clean viruses or your business will sink.
Objective: No system should ever get a virus.
Activity: Install antivirus on personal computers, servers and mail servers; add antivirus functionality to firewalls; add antispyware, antitrojan and antirootkit to the mix.
Policy: Prevent any USB or DVD from touching any company system without being scanned for viruses.
Success criterion: When no system ever gets a virus.
Continuous improvement: Add more antimalware controls (Tripwire, CORE, etc.)

ISM3-style management
Motivation: Unfortunately systems, especially Windows, are malware prone. We should invest proportionally to the damage they can make.
Goal: Systems should accomplish their business role with or without malware.
Activity: Install antimalware in vulnerable systems. Measure activity, scope, update and availability of antimalware. Consider other measures, like using less malware-prone systems.
Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.
Success criterion: When protected systems play their business role without interruption or degradation.
Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectiveness and ROI.
Summary
ISMS Method Standard published by The Open Group.
Compatible with ISO2700x, CobIT, ITIL, etc.
Focus on results, not on compliance.
Maturity Levels adapt to different resources and requirements.
Uses Processes instead of Controls.
Metrics are included; they don't need to be developed anew.
Risk Assessment is optional.
Security objectives and targets help handling: How much security is enough?
Learn to implement High Performance Security Management Processes
http://cli.gs/ism3
Web: www.inovement.es
Video Blog: youtube.com/user/vaceituno
Blog: ism3.com
Twitter: twitter.com/vaceituno
Presentations: slideshare.net/vaceituno/presentations
Articles: slideshare.net/vaceituno/documents