Page 1

Security Maturity Model

© Vicente Aceituno

First Improvised Security Testing Conference

Madrid 18/7/2003

Page 2

© Vicente Aceituno, [email protected]

“You are only as strong as your weakest link”

Page 3

In 1995, Nick Leeson's derivatives trading drove Barings Bank into bankruptcy.

Information systems were not at fault.

Page 4

…an Organization is much more than information systems…

(Diagram of organizational assets: Infrastructure, Trademark & Prestige, Information Systems, People, Financial Assets, Know-How)

Page 5

Are we sure auditing an information system will make an Organization safer in the long run?

How about…

• Organization issues.
• Security Targets (Policy) issues.
• Security Investment Performance issues.

A perfectly configured and patched system won’t stay that way for long in an Insecure Organization!

Page 6

OK. How can we know how secure an Organization is and how to make it safer?

Page 7

Introducing the Security Maturity Model

SMM describes the maturity of an organization depending on:

• Assignment and supervision of responsibilities.
• Security organization.
• Security practices.
• Policies:
  • Expectation-driven targets.
  • Distributed Policy Enforcement Responsibility.
• Access Control management.
• Independent audits.
• Quantitative data gathering.
• Etc…
• Security investment management.

Page 8

SMM Level 1 - Initial

Security is not acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or individual efforts. The presence of incidents invariably leads to the maximum impact that could be expected.

Page 9

SMM Level 2 - Acknowledged

Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or some organizational efforts. The presence of incidents doesn’t always lead to the maximum impact that could be expected.

• Expectations, incidents, and assets are sometimes evaluated.
• Security measures are taken until the budget is exhausted.

The results of the organizational efforts fade with time.

From here on “Evaluation” means: Identify, Classify, Prioritize, Value.

Page 10

SMM Level 3 - Defined

Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or continuous organizational efforts. The presence of incidents normally doesn’t lead to the maximum impact that could be expected.

• Expectations, incidents and assets are sometimes evaluated.
• Security measures are taken until the budget is exhausted.
• Organizational security responsibilities are defined.
• A Security Policy exists.
• Assets are accessed using sessions.
• Security measures are audited.

The results of the organizational efforts are permanent.

Page 11

SMM Level 4 - Managed

Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents virtually never leads to the maximum impact that could be expected.

• Expectations, incidents and assets are evaluated.
• The best security measures are taken considering the budget.
• Organizational security responsibilities are defined.
• A Security Norms Framework exists and is applied.
• Assets are accessed using sessions only.
• Security measures are audited.
• Responsibilities are partitioned and supervised.
• A “Continuity of Operations Plan” exists. This plan considers the organization’s current status, and is properly implemented.

The results of the organizational efforts are permanent.

Page 12

SMM Level 5 - Optimum

Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents doesn’t lead to the maximum impact that could be expected.

• Expectations, incidents and assets are evaluated quantitatively.
• The best security measures are taken considering the budget. It can be determined whether the budget is consistent with the targets defined by the Security Norms Framework.
• Organizational security responsibilities are defined.
• A Security Norms Framework exists and is applied.
• Assets are accessed using sessions only.
• Security measures are audited.
• Responsibilities are partitioned and supervised.
• A “Continuity of Operations Plan” exists. This plan considers the organization’s evolution and is properly implemented.
• Quantitative information is collected about incidents or close calls.
• Security measures are selected using objective criteria.

The results of the organizational efforts are permanent.

Page 13

SMM – Security Norms Framework

Security Policies as a single document are not flexible enough in a big organization and quickly become worthless.

• An effective Security Policy describes the high-level principles that state the targets (why) and the strategies (what) to reach them.
• The Security Norms develop the strategies, describing the scope (where and when) of the security practices.
• The Security Standards develop the norms with specifications per domain that can be checked.
• Security Procedures develop standards and norms and give a step-by-step description of the who and how of the practice. The Operations Continuity Plan is a procedure that specifies how to act when a catastrophe happens.
• The Fair Use norm informs users about their obligations when using the organization’s systems.
• The Third Party Agreements define mutual security commitments at the organization’s borders with others.

Page 14

SMM – Sublevels

Sublevels depend on the degree of integration of the existing practices:

• Theorized: The practice is identified as compulsory in the Security Norms Framework, but the scope norms, standards and procedures don’t exist.
• Procedured: There are norms, standards & procedures for this practice.
• Implemented: The norms of the practice are actually used.
• Verified: The results of the procedures used are audited periodically.
• Integrated: Circumvention of the norms of the practice is insignificant.

…an organization may occupy any sublevel within a given level.

Page 15

SMM – Summary

Using SMM you can:

• Determine what your organization’s maturity is.
• Set a maturity target.
• Plan for maturity enhancement.

Benefits:

• Every partial result of achieving the higher SMM Levels won’t depend any longer on external contractors. Ever.
• Improve customer and stockholder trust in the organization.
• Maximize turnover of Security Investment.
• Avoid non-technical security risks, setting an environment where there are no weak links.

Page 16

© Vicente Aceituno, 18 July 2003. Open Content Licenced: www.opencontent.org/opl.shtml

This presentation is just an overview. The SMM is being further developed at the smmodel Group: [email protected]/group/smmodel