O-ISM3 v2.0 Executive Summary Open Information Security Management Maturity Model Vicente Canal @vaceituno (c) 2017


Page 1: O-ISM3 v2.0 Executive Summary

O-ISM3 v2.0 Executive Summary

Open Information Security Management Maturity Model

Vicente Canal @vaceituno (c) 2017

Page 2: O-ISM3 v2.0 Executive Summary

Vicente A. Canal

[email protected] - Skype: vaceituno

Blog - ism3.com

Linkedin - linkedin.com/in/vaceituno

Video Blog - youtube.com/user/vaceituno

Twitter - twitter.com/vaceituno

Presentations - slideshare.net/vaceituno/presentations

Articles - slideshare.net/vaceituno/documents

Page 3: O-ISM3 v2.0 Executive Summary

What is the Open Information Security Management Maturity Model v2.0?

O-ISM3 is a standard method published by The Open Group that is compatible with the most popular information security standards.

O-ISM3 is the only standard that introduces the use of short-cycle continuous improvement in information security.

Page 4: O-ISM3 v2.0 Executive Summary

Method

A method is the complete definition of how to make a complex activity repeatable.

Page 5: O-ISM3 v2.0 Executive Summary

O-ISM3 is an Information Security Management Method

Page 6: O-ISM3 v2.0 Executive Summary

The Open Group is a leader in the development of open, vendor-neutral IT standards and certifications:

Oversees the leading enterprise architecture standard, TOGAF™, and the risk management standard FAIR™

Certification of products and professionals: ITAC, UNIX, etc.

O-ISM3 is an information security management maturity standard published by The Open Group.

Standard

Page 7: O-ISM3 v2.0 Executive Summary

O-ISM3 is Compatible

(Figure: three "+ O-ISM3" pairings; the items paired with O-ISM3 were not captured in the extraction)

Page 8: O-ISM3 v2.0 Executive Summary

With O-ISM3 you can have compliance and continuous improvement

Compliance

Most best practices are published as standards for compliance.

Improvement comes through better compliance between audits or between updates of the standard.

Incidents are seen only as a failure…

But the use of resources might be higher than necessary.

Continuous Improvement

You can still use best practices from compliance standards.

Improvement comes through improving value or saving resources, triggered by collection of metrics.

Incidents are seen as an opportunity for improvement…

But it requires a high level of maturity, including the use of metrics.

Page 9: O-ISM3 v2.0 Executive Summary

O-ISM3 Continuous improvement

Achieving higher value with the same resources

Achieving the same value with fewer resources

Page 10: O-ISM3 v2.0 Executive Summary

O-ISM3 Continuous improvement

Producing Better Results

Contribute to Business Needs

Tuning Priorities

Better Use of Resources

Page 11: O-ISM3 v2.0 Executive Summary

O-ISM3 ToolBox for Continuous Improvement

Metrics

Security Objectives

Analysis

Processes

Knowledge Management

Page 12: O-ISM3 v2.0 Executive Summary

Continuous Improvement Benefits

Effortless definition of SLAs.

Feedback on Management decisions

Classification of systems according to Business Criteria.

Better Communication.

Efficient allocation of resources.

Better distribution of responsibilities.

Uniform results regardless of who performs a task.

No vendor lock-in.

Page 13: O-ISM3 v2.0 Executive Summary

O-ISM3 Maturity?

Maturity measures how capable the organization is at continuous improvement.

Page 14: O-ISM3 v2.0 Executive Summary

O-ISM3 Example: Security of the Application Lifecycle (SDLA)

Page 15: O-ISM3 v2.0 Executive Summary

Bankia

4th biggest bank in Spain, with 12 million customers

Took the decision to implement O-ISM3 for application security testing in late 2008

The Application Security team achieved an Optimized maturity level in 6 months

Page 16: O-ISM3 v2.0 Executive Summary

Return on Investment and Maturity

(Chart: ROI plotted against Maturity, rising through the stages Penetration Testing, White Box P.T., Lifecycle Integration, Secure Design, Continuous Improvement)

Page 17: O-ISM3 v2.0 Executive Summary

Before O-ISM3:

Motivation: Find any existing vulnerabilities and report them.

Goal: Test all the new applications before going into production.

Activity: Perform pentests of new systems and applications, plus some on-demand ones.

Policy: Test well-known applications every so often.

Success criterion: None.

Continuous improvement: Perform more pentests.

No metrics.

Deliverables:

Initial report

Agreement on what had to be fixed

Final report

SDLC Security

Page 18: O-ISM3 v2.0 Executive Summary

After O-ISM3 implementation:

Motivation: Making systems and applications safer.

Goal: Test the most important applications & systems periodically, and all the new applications & systems.

Activity: Perform planned pentest of new systems and applications. Follow-up if the vulnerabilities found are fixed.

Policy: Applications and systems are classified, and tested with different periodicity depending on their importance.

Success criterion: Perform all planned tests, perform new tests in a timely manner, and get the vulnerabilities found fixed.

Continuous improvement: Revise the applications & systems classification periodically.

SDLC Security
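The policy and success criterion above (classify applications, test each class with its own periodicity, confirm found weaknesses get fixed) and the indicators the deck charts afterwards can be expressed as a small metrics routine. The following is an added illustration, not code from the presentation or from O-ISM3; the periodicities, application names and test figures are constructed sample values.

```python
from collections import namedtuple
from datetime import date, timedelta

# Test periodicity per importance class, in days. Constructed values: the deck
# only says periodicity depends on the application's classification.
PERIOD_DAYS = {"critical": 90, "important": 180, "standard": 365}
REPORT_DATE = date(2012, 6, 1)  # constructed "today" for the sample run

SecurityTest = namedtuple("SecurityTest", "performed found fixed cost_eur")
Application = namedtuple("Application", "name importance tests")

def is_overdue(app, today):
    """Policy check: a test is due PERIOD_DAYS after the last one, and a
    never-tested (new) application is always due."""
    if not app.tests:
        return True
    last = max(t.performed for t in app.tests)
    return today - last > timedelta(days=PERIOD_DAYS[app.importance])

def success_criteria(apps, today):
    """Success criterion from the deck: all planned tests performed, new
    systems tested, and the weaknesses found actually fixed."""
    found = sum(t.found for a in apps for t in a.tests)
    fixed = sum(t.fixed for a in apps for t in a.tests)
    return {"overdue": [a.name for a in apps if is_overdue(a, today)],
            "fix_rate": fixed / found if found else 1.0}

def improvement_metrics(apps):
    """The three indicators the deck charts: weaknesses fixed, euros per
    weakness fixed, weaknesses per application security test."""
    tests = [t for a in apps for t in a.tests]
    found, fixed = sum(t.found for t in tests), sum(t.fixed for t in tests)
    cost = sum(t.cost_eur for t in tests)
    return {"weaknesses_fixed": fixed,
            "eur_per_weakness_fixed": cost / fixed if fixed else None,
            "weaknesses_per_test": found / len(tests) if tests else 0.0}

# Constructed sample inventory (not real Bankia data).
SAMPLE_APPS = [
    Application("online-banking", "critical", [
        SecurityTest(date(2012, 1, 10), 12, 11, 6000.0),
        SecurityTest(date(2012, 4, 5), 4, 4, 4000.0)]),
    Application("hr-portal", "important",
                [SecurityTest(date(2011, 9, 1), 6, 3, 3000.0)]),
    Application("new-mobile-app", "critical", []),
]
if __name__ == "__main__":
    print(success_criteria(SAMPLE_APPS, REPORT_DATE))
    print(improvement_metrics(SAMPLE_APPS))
```

Tracking these figures over successive test cycles is what lets a team show, as the deck does for 2008 to 2012, whether each euro spent fixes more weaknesses rather than simply counting pentests performed.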

Page 19: O-ISM3 v2.0 Executive Summary

Higher Maturity Results

(Chart, 2008 to 2012: Weaknesses Fixed; Euros / Weakness Fixed; Weaknesses / Application Security Test)

Note: Qualitative changes in comparison with 2008 are represented

Page 20: O-ISM3 v2.0 Executive Summary

Higher Maturity Results

(Chart, 2008 to 2012: Application Security Tests; Euros / Application Security Test; Application Security Test Workload)

Note: Qualitative changes in comparison with 2008 are represented

Page 21: O-ISM3 v2.0 Executive Summary

Other O-ISM3 example: Malware Protection Management

Page 22: O-ISM3 v2.0 Executive Summary

Malware Protection Management

Before O-ISM3

Motivation: Clean viruses or your business will sink.

Objective: No system should get a virus ever

Activity: Install antivirus on personal computers, servers and mail servers, add antivirus functionality to firewalls, and add antispyware, antitrojan and antirootkit tools to the mix.

Policy: Prevent any USB drive or DVD from touching any company system without being scanned for viruses.

Success criterion: No system ever gets a virus.

Continuous improvement: Add more antimalware controls (Tripwire, CORE, etc.)

Page 23: O-ISM3 v2.0 Executive Summary

After O-ISM3

Motivation: Unfortunately, systems, especially Windows, are malware prone. We should invest in proportion to the damage malware can do.

Goal: Systems should accomplish their business role with or without malware.

Activity: Install antimalware on vulnerable systems. Measure the activity, scope, update status and availability of the antimalware. Consider other measures, like using less malware-prone systems.

Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.

Success criterion: Protected systems play their business role without interruption or degradation.

Continuous improvement: Use metrics to improve the antimalware protection and keep the controls with better effectiveness and ROI.

Malware Protection Management

Page 24: O-ISM3 v2.0 Executive Summary

Highlights

O-ISM3 is the only standard that introduces the use of short-cycle continuous improvement in information security.

• Achieving high levels of maturity (working smart, not hard) can be hard if you don’t know how. O-ISM3 can help.

• You can save time and money, improve your security and avoid vendor lock-in using O-ISM3 v2.0.

• Get O-ISM3 v2.0 free (with registration) at tiny.cc/oism3v20

• Learn more at: www.ism3.com
