© Vicente Aceituno
Security Maturity Model
First Improvised Security Testing Conference
Madrid 18/7/2003
2© Vicente Aceituno, [email protected]
“You are only as strong as your weakest link”
3© Vicente Aceituno, [email protected]
In 1995, Nick Leeson traded derivatives bringing Barings Bank bankrupt.
Information systems were not at fault.
4© Vicente Aceituno, [email protected]
…an Organization is much more than information systems…
Infrastructure
Trademark & Prestige
Information Systems People
Financial AssetsKnow-How
5© Vicente Aceituno, [email protected]
Are we sure auditing an information system will make an Organization safer in the long run?
How about…�Organization issues.�Security Targets (Policy) issues.�Security Investment Performance issues.
A perfectly configured and patched system won’t stay that way for long
in an Insecure Organization!
6© Vicente Aceituno, [email protected]
OK. How can we know how secure an Organization is and how to make it safer?
7© Vicente Aceituno, [email protected]
Introducing the Security Maturity Model
SMM describes the maturity of an organization depending on:� Assignment and supervision of responsibilities.� Security organization.� Security practices.
� Policies:� Expectation-driven targets.� Distributed Policy Enforcement Responsibility.
� Access Control management.� Independent audits.� Quantitative data gathering.� Etc…
� Security investment management.
8© Vicente Aceituno, [email protected]
SMM Level 1 - Initial
Security is not acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or individual efforts. The presence of incidents invariably leads to the maximum impact that could be expected.
9© Vicente Aceituno, [email protected]
SMM Level 2 - Acknowledged
Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or some organizational efforts. The presence of incidents doesn’t always lead to the maximum impact that could be expected. � Expectations, incidents, and assets are sometimes
evaluated.� Security measures are taken until the budget is exhausted.
The results of the organizational efforts fades with time.
From here on “Evaluation” means: Identify, Classify, Prioritize, Value
10© Vicente Aceituno, [email protected]
SMM Level 3 - Defined
Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or continuous organizational efforts. The presence of incidents normally doesn’t lead to the maximum impact that could be expected. � Expectations, incidents and assets are sometimes evaluated.� Security measures are taken until the budget is exhausted.� Organizational security responsibilities are defined. � A Security Policy exists.� Assets are accessed using sessions.� Security measures are audited.
The results of the organizational efforts are permanent.
11© Vicente Aceituno, [email protected]
SMM Level 4 - ManagedSecurity is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents virtually never leads to the maximum impact that could be expected.� Expectations, incidents and assets are evaluated.� The best security measures are taken considering the
budget.� Organizational security responsibilities are defined.� A Security Norms Framework exist and is applied.� Assets are accessed using sessions only.� Security measures are audited.� Responsibilities are partitioned and supervised.� A “Continuity of Operations Plan” exists. This plan considers
the organization’s current status, and is properly implemented.
The results of the organizational efforts are permanent.
12© Vicente Aceituno, [email protected]
SMM Level 5 - OptimumSecurity is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents doesn’t lead to the maximum impact that could be expected.� Expectations, incidents and assets are evaluated quantitatively.� The best security measures are taken considering the budget. It can
be determined if the budget is consistent with the targets defined by the Security Norms Framework.
� Organizational security responsibilities are defined.� A Security Norms Framework exist and is applied.� Assets are accessed using sessions only.� Security measures are audited.� Responsibilities are partitioned and supervised.� A “Continuity of Operations Plan” exists. This plan considers the
organization’s evolution and is properly implemented.� Quantitative information is collected about incidents or close calls.� Security measures are selected using objective criteria.
The results of the organizational efforts are permanent.
13© Vicente Aceituno, [email protected]
SMM – Security Norms FrameworkSecurity Policies as a single document are not flexible enough in a big organization and quickly become worthless.� An effective Security Policy describes the high-level
principles that describe the targets (why) and the strategies (what) to reach them.
� The Security Norms develop the strategies describing the scope (where and when) of the security practices.
� The Security Standards develop the norms with specifications per domain, than can be checked.
� Security Procedures develop standards and norms and give a step-by-step description of the who and how of the practice. The Operations Continuity Plan is a procedure that specifies how to act when a catastrophe happens.
� The Fair Use norm informs users about their obligations when using the organization’s systems.
� The Third Party Agreements define mutual security commitments at the organization’s borders with others.
SMM
14© Vicente Aceituno, [email protected]
SMM –Sublevels.
Depending on the degree of integration of the existing practices, such as:� Theorized: The practice is identified as compulsory in the
Security Norms Framework, but the scope norms, standards and procedures don’t exist.
� Procedured: There are norms, standards & procedures for this practice.
� Implemented: The norms of the practice are actually used.� Verified: The results of the procedures used are audited
periodically.� Integrated: Circumvention of the norms of the practice is
insignificant.
…an organization may occupy any sublevel within a given level.
SMM
15© Vicente Aceituno, [email protected]
SMM – Summary.
Using SMM you can:� Determine what is your organization’s maturity.� Set a maturity target.� Plan for maturity enhancement.
Benefits:� Every partial result of achieving the higher SMM Levels won’t
depend any longer on external contractors. Ever.� Improve customer and stockholder's trust on the
organization.� Maximize turnover of Security Investment. � Avoid non-technical security risks, setting an environment
where there are no weak links.
SMM
© Vicente Aceituno18 de Julio de 2003Open Content Licencedwww.opencontent.org/opl.shtml
SMM
This presentation is just an overview. The SMM is being further developed at the smmodel Group [email protected]/group/smmodel