Information Security Risks Management Maturity Model (ISRM3)


Page 1: Information Security Risks Management Maturity Model (ISRM3)

A Model to Assess the Maturity Level of the Risk Management Process in Information Security

Janice Mayer, Universidade do Vale do Rio dos Sinos (UNISINOS), [email protected]

Leonardo Lemes Fagundes, Universidade do Vale do Rio dos Sinos (UNISINOS), [email protected] | Phone: 55 51 35911100 - branch 1775

4th IFIP/IEEE International Workshop on BDIM - 9 June 2009

Page 2

Summary

- Introduction
- Risk Management
- Risk Management Maturity Model in Information Security (MMGRseg)
- Case study
- Conclusion

Page 3

Introduction

- Information: one of the most valuable assets.
- Risk Management (RM): an essential front.
- Achieve compliance: laws, standards and regulations.
- Meet mandatory requirements for the certification of an Information Security Management System.

Page 4

Motivation

- Companies need to implement RM.
- There is no maturity model aimed at RM in Information Security.
- A maturity model identifies deficiencies in process structure and management.
- It provides improvements in predictability, control and effectiveness.

Page 5

Objective

- Describe the structure of a model for the assessment of the maturity level of the RM process in the realm of Information Security.

Page 6

Risk Management

[Figure: Risk Management Process, as per standard ISO/IEC 27005:2008]

Page 7

Risk Management Maturity Model in Information Security (MMGRseg)

- MMGRseg is comprised of a set of requirements and best practices, which provides a formal structure.
- Aligned with standard ISO/IEC 27005.

Page 8

Structure - MMGRseg

- Comprised of:
  - three stages;
  - five maturity levels;
  - forty-three control objectives;
  - one control map;
  - one assessment instrument relative to the maturity level of the activities of the RM process;
  - an accountability matrix relative to each activity of the process; and
  - a risk scorecard.

Page 9

Stages - MMGRseg

- Organized in three stages:
  - Immaturity: processes are improvised.
  - Maturity: processes are already defined, standardized and controlled.
  - Excellence: optimized processes.

Page 10

Maturity levels - MMGRseg

[Figure: the five maturity levels plotted against the three stages; axes labelled "Maturity levels" and "Stages"]

Page 11

Control Objective - MMGRseg

- CD1. Context Definition:
  - CD1.1. Define the basic criteria for Risk Assessment
  - CD1.2. Define the basic criteria for Impact Assessment
  - CD1.3. Define the basic criteria for Risk Acceptance
  - CD1.4. Establish the scope and the constraints of the risk management process
  - CD1.5. Establish and maintain an organization
  - CD1.6. Develop a risk management policy
  - CD1.7. Establish a standard for RM processes
  - CD1.8. Audit the Context Definition activity
  - CD1.9. Collect and store information

Page 12

Control Objective - MMGRseg

- AA1. Risk Analysis/Assessment:
  - AA1.1. Identify the Risks
  - AA1.2. Estimate the Risks
  - AA1.3. Assess the Risks
  - AA1.4. Standardize the Assessment process
  - AA1.5. Automatize the Analysis/Assessment process
  - AA1.6. Audit the Risk Analysis/Assessment activity
  - AA1.7. Avoid rework
  - AA1.8. Revise the process of risk estimation

Page 13

Control Objective - MMGRseg

- RT1. Risk Treatment:
  - RT1.1. Select an appropriate Treatment option
  - RT1.2. Define a Risk Treatment plan
  - RT1.3. Implement the Risk Treatment plan
  - RT1.4. Define how to measure the effectiveness of controls
  - RT1.5. Calculate Residual Risks
  - RT1.6. Standardize the Risk Treatment process
  - RT1.7. Audit the Risk Treatment activity
  - RT1.8. Improve the Risk Treatment process

Page 14

Control Objective - MMGRseg

- RA1. Risk Acceptance:
  - RA1.1. Verify the description of the Treatment plan
  - RA1.2. Analyze and approve the acceptance criteria
  - RA1.3. Verify the residual risk
  - RA1.4. List the accepted risks
  - RA1.5. Standardize the Risk Acceptance process
  - RA1.6. Audit the Risk Acceptance activity
  - RA1.7. Revise the Risk Acceptance process

Page 15

Control Objective - MMGRseg

- RC1. Risk Communication:
  - RC1.1. Implement an awareness plan
  - RC1.2. Make stakeholders able to identify and communicate risks
  - RC1.3. Standardize the Risk Communication activity
  - RC1.4. Audit the Risk Communication activity
  - RC1.5. Exchange and/or share risk-related information
  - RC1.6. Critical analysis of Risk Communication

Page 16

Control Objective - MMGRseg

- MA1. Monitoring and Critical Analysis:
  - MA1.1. Verify the alignment of the RM process with business objectives
  - MA1.2. Monitor, critically analyze and improve the risk management process
  - MA1.3. Standardize the Monitoring and Critical Analysis activity
  - MA1.4. Audit the Monitoring and Critical Analysis activity
  - MA1.5. Improve the Risk Management process

Page 17

Control Map - MMGRseg

Control objectives required of each Risk Management activity at each maturity level:

| Risk Management activity | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
| --- | --- | --- | --- | --- | --- |
| Context definition | No control is implemented | CD1.1, CD1.2 and CD1.3 | CD1.4, CD1.5, CD1.6 and CD1.7 | CD1.8 | CD1.9 |
| Risk Analysis/Assessment | No control is implemented | AA1.1 and AA1.2 | AA1.3, AA1.4 and AA1.5 | AA1.6 | AA1.7 and AA1.8 |
| Risk Treatment | No control is implemented | RT1.1 | RT1.2, RT1.3, RT1.4, RT1.5 and RT1.6 | RT1.7 | RT1.8 |
| Risk Acceptance | No control is implemented | RA1.1 and RA1.2 | RA1.3, RA1.4 and RA1.5 | RA1.6 | RA1.7 |
| Risk Communication | No control is implemented | RC1.1 | RC1.2 and RC1.3 | RC1.4 and RC1.5 | RC1.6 |
| Monitoring and Critical Risk Analysis | No control is implemented | MA1.1 | MA1.2 and MA1.3 | MA1.4 | MA1.5 |

Page 18

Assessment perspective - MMGRseg

- Continuous representation.
- Each one of the six activities of the Risk Management process is assessed individually.
- The company is able to verify which activity needs to receive greater focus.
- Provides specific guidance for each activity in regards to the necessary steps for an upper maturity level to be achieved.
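The continuous representation above, where each activity is scored on its own against the control map, is easy to mechanize. The following is an added example and not code from the paper or the MMGRseg model itself. The control map is transcribed from the "Control Map" slide and the level names from the conclusion; the scoring rule is this example's assumption (an activity reaches level N only when every control objective of levels 2 through N is implemented, so one missing objective caps the level and objectives implemented further up are listed but not credited), since the slides do not spell out how the levels are computed. The sample company data at the bottom is constructed.

```python
"""Per-activity maturity assessment against the MMGRseg control map.

Added example (not code from the paper). The control map is transcribed
from the "Control Map" slide. The scoring rule is an assumption of this
example: an activity sits at level N only when every control objective of
levels 2..N is implemented, so a single missing objective caps the level,
and objectives implemented further up are reported but not credited.
"""
from dataclasses import dataclass, field

# Control map: activity -> {maturity level: control objectives}.
# Level 1 ("Initial") has no control objectives in any activity.
CONTROL_MAP = {
    "CD": {2: ["CD1.1", "CD1.2", "CD1.3"],
           3: ["CD1.4", "CD1.5", "CD1.6", "CD1.7"],
           4: ["CD1.8"],
           5: ["CD1.9"]},
    "AA": {2: ["AA1.1", "AA1.2"],
           3: ["AA1.3", "AA1.4", "AA1.5"],
           4: ["AA1.6"],
           5: ["AA1.7", "AA1.8"]},
    "RT": {2: ["RT1.1"],
           3: ["RT1.2", "RT1.3", "RT1.4", "RT1.5", "RT1.6"],
           4: ["RT1.7"],
           5: ["RT1.8"]},
    "RA": {2: ["RA1.1", "RA1.2"],
           3: ["RA1.3", "RA1.4", "RA1.5"],
           4: ["RA1.6"],
           5: ["RA1.7"]},
    "RC": {2: ["RC1.1"],
           3: ["RC1.2", "RC1.3"],
           4: ["RC1.4", "RC1.5"],
           5: ["RC1.6"]},
    "MA": {2: ["MA1.1"],
           3: ["MA1.2", "MA1.3"],
           4: ["MA1.4"],
           5: ["MA1.5"]},
}

# Level names as given on the conclusion slide.
LEVEL_NAMES = {1: "Initial", 2: "Known", 3: "Standardized", 4: "Managed", 5: "Optimized"}

# Reverse index: control objective -> (activity, level); also used to reject unknown ids.
CONTROL_INDEX = {cid: (act, lvl)
                 for act, levels in CONTROL_MAP.items()
                 for lvl, ids in levels.items()
                 for cid in ids}


def control_count():
    """Number of control objectives in the map (the slides state forty-three)."""
    return len(CONTROL_INDEX)


@dataclass
class ActivityResult:
    activity: str
    level: int
    level_name: str
    gaps_to_next: list = field(default_factory=list)  # objectives missing for level + 1
    ahead: list = field(default_factory=list)         # implemented above level + 1, not credited


def assess_activity(activity, implemented):
    """Maturity level of one activity given the implemented control objective ids."""
    implemented = set(implemented)
    unknown = sorted(c for c in implemented if c not in CONTROL_INDEX)
    if unknown:
        raise ValueError(f"unknown control objective(s): {unknown}")
    levels = CONTROL_MAP[activity]
    level = 1
    for n in (2, 3, 4, 5):  # cumulative rule (assumption, see module docstring)
        if all(c in implemented for c in levels[n]):
            level = n
        else:
            break
    gaps = [] if level == 5 else [c for c in levels[level + 1] if c not in implemented]
    ahead = sorted(c for c in implemented
                   if CONTROL_INDEX[c][0] == activity and CONTROL_INDEX[c][1] > level + 1)
    return ActivityResult(activity, level, LEVEL_NAMES[level], gaps, ahead)


def assess(implemented):
    """Continuous representation: each of the six activities is scored on its own."""
    return {act: assess_activity(act, implemented) for act in CONTROL_MAP}


if __name__ == "__main__":
    # Constructed sample: a company that skipped the RM policy (CD1.6) but already
    # audits context definition (CD1.8), identifies and estimates risks, and has nothing else.
    sample = ["CD1.1", "CD1.2", "CD1.3", "CD1.4", "CD1.5", "CD1.7", "CD1.8",
              "AA1.1", "AA1.2"]
    for act, r in assess(sample).items():
        print(f"{act}: level {r.level} ({r.level_name}); next level needs "
              f"{r.gaps_to_next or 'nothing'}; implemented but not credited: {r.ahead}")
```

Running the sample shows the two things an assessor wants from the continuous representation: the per-activity level (CD and AA at level 2, the other four at level 1) and the exact objectives that separate each activity from the next level, which is the "specific guidance" the slide refers to. The `ahead` field flags objectives such as CD1.8 that were implemented out of order and earn no credit until the lower level is complete.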

Page 19

Assessment perspective - MMGRseg

[Figure: examples of assessment hypotheses of the Maturity Level through MMGRseg]

Page 20

Accountability Matrix - MMGRseg

Columns (roles): CEO; CFO; Business Executive; CIO; Business Senior Management; Head of Operations; Chief Architect; Head of Development; Head of IT Administration; Compliance, Audit, Risk and Security.

Rows (controls, with the assignments as they appear in the transcript):

- CD1.1: R/A, C, C, C, I
- CD1.2: R/A, C, C, C, I
- CD1.3: R/A, C, C, C, I
- CD1.4: R/A
- CD1.5: R/A
- CD1.6: I, C, R, C, R/A, C, C, C, C, C
- CD1.7: R/A
- CD1.8: A

R = Responsible; A = Accountable; C = Consulted; I = Informed.

Page 21

Risk Scorecard - MMGRseg

- Every process must have defined goals and aims, making it possible to measure the degree of success in its execution.
- To do so, metrics need to be defined according to the SMARRT model (Specific, Measurable, Actionable, Realistic, Results-oriented and Timely).
- In the MMGRseg model, the measurement of all six activities of the risk management process must be based on SMARRT.

Page 22

Case study - MMGRseg

- Designed as a questionnaire based on the control objectives;
- 35 questions, using the Likert scale.

Questions per activity and maturity level:

| Level | CD | AA | RT | RA | RC | MA |
| --- | --- | --- | --- | --- | --- | --- |
| Level 2 | Q3 | Q9 | Q15 | Q21 | Q26 | Q31 |
| Level 3 | Q4, Q5, Q6 | Q10, Q11, Q12 | Q16, Q17, Q18 | Q22, Q23 | Q27, Q28 | Q32, Q33 |
| Level 4 | Q7 | Q13 | Q19 | Q24 | Q29 | Q34 |
| Level 5 | Q8 | Q14 | Q20 | Q25 | Q30 | Q35 |

CD = Context definition, AA = Risk Analysis/Assessment, RT = Risk Treatment, RA = Risk Acceptance, RC = Risk Communication and MA = Monitoring and Critical Analysis of the Risk.

Page 23

Case study - MMGRseg

- The questionnaire was sent to a convenience sample comprised of 31 companies;
- Feedback was received from 12 of them;
- Only 3 out of the 12 respondent companies managed to achieve above level 1;
- The remaining respondent companies could only achieve maturity level 1 in the six activities of the RM process for IS.

Page 24

Conclusion

- This is a meaningful contribution to the development of the field of information security, aligned with ISO/IEC 27005;
- It is comprised of a set of requirements and best practices:
  - three stages: immaturity, maturity and excellence;
  - five maturity levels: Initial, Known, Standardized, Managed and Optimized;
  - forty-three control objectives;
  - one control map;
  - one assessment instrument relative to the maturity level of the activities of the RM process;
  - an accountability matrix relative to each activity of the process; and
  - a risk scorecard.

Page 25

Conclusion

- All this can be used by the organization to:
  - identify the weaknesses and/or deficiencies and the possibilities for improvements in the process, guiding investments in IS;
  - direct the investments in Information Security;
  - foster segmented benchmarking;
  - disseminate the risk management culture all over the company;
  - achieve effectiveness in the continuous improvement process of Risk Management in Information Security; and
  - advise certification projects of Information Security Management Systems (ISMS) and Business Continuity.

Page 26

Thank you.

[email protected] | [email protected]