O-ISM3 v2.0 Executive Summary
Open Information Security Management Maturity Model
Vicente Canal @vaceituno (c) 2017
Vicente A. Canal
[email protected] - Skype: vaceituno
Blog - ism3.com
Linkedin - linkedin.com/in/vaceituno
Video Blog - youtube.com/user/vaceituno
Twitter - twitter.com/vaceituno
Presentations - slideshare.net/vaceituno/presentations
Articles - slideshare.net/vaceituno/documents
What is the Open Information Security Management Maturity Model v2.0?
O-ISM3 is a standard method published by The Open Group that is compatible with the most popular information security standards.
O-ISM3 is the only Standard that introduces the use of short cycle continuous improvement in information security.
Method: a method is the complete definition of how to make a complex activity repeatable. O-ISM3 is an Information Security Management Method.
The Open Group is a leader in the development of open, vendor-neutral IT standards and certifications. It oversees the leading enterprise architecture standard TOGAF™ and the risk management standard FAIR™, and certifies products and professionals (ITAC, UNIX, etc.).
Standard: O-ISM3 is an information security management maturity standard published by The Open Group. O-ISM3 is compatible: it can be used in combination with the other standards an organization already follows.
With O-ISM3 you can have compliance and continuous improvement

Compliance: Most best practices are published as standards for compliance. Improvement comes through better compliance between audits or between updates of the standard. Incidents are seen only as a failure… but the use of resources might be higher than necessary.

Continuous Improvement: You can still use best practices from compliance standards. Improvement comes through improving value or saving resources, triggered by the collection of metrics. Incidents are seen as an opportunity for improvement… but it requires a high level of maturity, including the use of metrics.
O-ISM3 Continuous improvement
• Achieving higher value with the same resources
• Achieving the same value with fewer resources
• Producing better results
• Contributing to business needs
• Tuning priorities
• Better use of resources
O-ISM3 ToolBox for Continuous Improvement
• Metrics
• Security Objectives
• Analysis
• Processes
• Knowledge Management
Continuous Improvement Benefits
• Effortless definition of SLAs.
• Feedback on management decisions.
• Classification of systems according to business criteria.
• Better communication.
• Efficient allocation of resources.
• Better distribution of responsibilities.
• Uniform results regardless of who performs a task.
• No vendor lock-in.
O-ISM3 Maturity?
Maturity measures how able the organization is at continuous improvement.
O-ISM3 Example: Security of the Application Lifecycle (SDLA)
Bankia
• 4th biggest bank in Spain with 12 million customers
• Took the decision to implement O-ISM3 for application security testing in late 2008
• The Application Security team achieved an Optimized maturity level in 6 months
Return on Investment and Maturity
[Chart: ROI plotted against maturity, rising through the stages Penetration Testing, White Box P.T., Lifecycle Integration, Secure Design, Continuous Improvement]
SDLC Security, before O-ISM3:
• Motivation: Find any existing vulnerabilities and report them.
• Goal: Test all the new applications before going into production.
• Activity: Perform pentests of new systems and applications, and some on-demand ones.
• Policy: Test well-known applications every so often.
• Success criterion: None.
• Continuous improvement: Perform more pentests.
• Metrics: None.
• Deliverables: initial report; agreement on what had to be fixed; final report.
SDLC Security, after O-ISM3 implementation:
• Motivation: Making systems and applications safer.
• Goal: Test the most important applications and systems periodically, and all the new applications and systems.
• Activity: Perform planned pentests of new systems and applications. Follow up on whether the vulnerabilities found are fixed.
• Policy: Applications and systems are classified, and tested with different periodicity depending on their importance.
• Success criterion: Perform all planned tests, perform new tests in a timely manner, and get the vulnerabilities found fixed.
• Continuous improvement: Revise the applications and systems classification periodically.
Higher Maturity Results
[Chart, 2008 to 2012: Weaknesses Fixed, Euros / Weakness Fixed, Weaknesses / Application Security Test. Note: qualitative changes in comparison with 2008 are represented.]
Higher Maturity Results
[Chart, 2008 to 2012: Application Security Tests, Euros / Application Security Test, Application Security Test Workload. Note: qualitative changes in comparison with 2008 are represented.]
Other O-ISM3 example: Malware Protection Management
Before O-ISM3:
• Motivation: Clean viruses or your business will sink.
• Objective: No system should ever get a virus.
• Activity: Install antivirus on personal computers, servers and mail servers; add antivirus functionality to firewalls; add antispyware, antitrojan and antirootkit to the mix.
• Policy: Prevent any USB or DVD from touching any company system without being scanned for viruses.
• Success criterion: When no system ever gets a virus.
• Continuous improvement: Add more antimalware controls (Tripwire, CORE, etc.).
After O-ISM3:
• Motivation: Unfortunately systems, especially Windows, are malware prone. We should invest proportionally to the damage malware can do.
• Goal: Systems should accomplish their business role with or without malware.
• Activity: Install antimalware in vulnerable systems. Measure activity, scope, update status and availability of antimalware. Consider other measures, like using less malware-prone systems.
• Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.
• Success criterion: When protected systems play their business role without interruption or degradation.
• Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectiveness and ROI.
Highlights
• O-ISM3 is the only standard that introduces the use of short cycle continuous improvement in information security.
• Achieving high levels of maturity (working smart, not hard) can be hard if you don’t know how. O-ISM3 can help.
• You can save time and money, improve your security and avoid vendor lock-in using O-ISM3 v2.0.
• Get O-ISM3 v2.0 free (with registration) at tiny.cc/oism3v20
• Learn more at: www.ism3.com