sudarsan jayaraman - open information security management maturity model

Open Information Security Management Maturity Model: An Overview. 25th May, 2011. Presented by: Sudarsan Jayaraman, CISA, CISM, ITIL V3 Expert, ISO 20000 (C), ISO 27001 LA, COBIT (F), Director, Technology Risk Services

Upload: nooralmousa

Post on 22-Jan-2015


1. Open Information Security Management Maturity Model: An Overview. 25th May, 2011. Presented by: Sudarsan Jayaraman, CISA, CISM, ITIL V3 Expert, ISO 20000 (C), ISO 27001 LA, COBIT (F), Director, Technology Risk Services

2. Today's Discussion Points

  • Current Information Security Management Practices
  • Open Information Security Management Maturity Model (O-ISM3): An Overview
  • Implementation Approach and Potential Benefits

3. Do you agree?

  • QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?

4. Do you agree?

  • ANSWER: NO. Information Security Compliance Projects are not helping the organization; they are more a documentation of controls than a security implementation.

5. Organization Concerns

  • Management Concerns
    • Inadequate view of Information Security functioning
    • Increase in the number of security incidents
    • High cost of Information Security and low ROI
    • IT staffing issues
    • Lack of knowledge of critical systems
    • Information Security not measurable
  • CISOs' Concerns
    • No clear view on business requirements
    • Budget cuts and less IT spending
    • Deliver projects to meet business growth
    • Compliance requirements from various agencies
    • Demonstrate value to business
    • Improve security and privacy controls
    • Improving quality of Information Security delivery

6. Governance: A Balancing Act

  • Governance is about:
    • Performance
      • Improving profitability, efficiency, effectiveness, and growth
    • Conformance
      • Adhering to legislation, internal policies, and audit requirements

7. What is Information Security Governance?

8. International Standards in Information Security

  • ISO/IEC 27001 series: Information Technology, Security Techniques, Information Security Management System Requirements
  • O-ISM3: The Open Group Information Security Management Maturity Model
  • Standard of Good Practice for Information Security from the Information Security Forum

9. Common issues in the current standard

  • Criteria compared (Current ISMS versus Requirements, and the implications):
    • Metrics
      • Current ISMS: No
      • Requirement: Yes
      • Implication: Metrics allow finding incidents and faults in the process, enabling continuous improvement.
    • Security Objectives
      • Current ISMS: Attacks prevention (incident: breach of CIA)
      • Requirement: Attacks prevention, Errors prevention, Accidents prevention (incident: breach of a security objective)
    • Information qualities
      • Current ISMS: Confidentiality, Availability, Integrity
      • Requirement: Business, Compliance, Technical
      • Implication: Information quality should focus on addressing business interests.
    • Business approach
      • Current ISMS: Bottom-up
      • Requirement: Top-down
      • Implication: Focus on business objectives/goals and derive security objectives and targets from business requirements; this links business goals and information security.
    • Paradigm
      • Current ISMS: Controls based
      • Requirement: Process based
      • Implication: Controls don't have a defined output, but processes do. This means processes can be managed using metrics of the outputs. Process based management is easier to integrate with COBIT, ISO 9001 and ITIL.

10. IT Standards and Frameworks

  • IT Governance: COBIT, ISO/IEC 38500, Val IT
  • Business Requirements: the "what" versus the "how"
  • Information Security: ISO 27000 series, Open ISM3, ISF
  • IT Service Management: ITIL, ISO/IEC 20000
  • Project Management: PMI PMBOK

11. Characteristics of a Framework

  • Has general acceptability among organizations
  • Helps meet regulatory requirements
  • Defines a common language
  • Provides sharper business focus
  • Ensures process orientation

12. O-ISM3 Information Security Management Maturity Model

  • O-ISM3 main characteristics are:
    • Business-focused
    • Process-oriented
    • Measurement-driven

13. About Open ISM3

  • ISM3 was developed by the ISM3 Consortium, by a team headed by Mr. Vicente Aceituno
  • ISM3 has now been adopted by The Open Group; the latest version was released in February 2011
  • The Open Group is a vendor- and technology-neutral consortium.
  • Other standards from The Open Group: The Open Group Architecture Framework (TOGAF)

14. Highlights of O-ISM3

  • Enable the creation of ISM systems that are fully aligned with the business mission and compliance needs.
  • Applicable to any organization regardless of size, context and resources.
  • Enable organizations to prioritize and optimize their investment in information security.
  • Enable continuous improvement of ISM systems using metrics

15. ISM3 Process

  • Generic Practices
    • GP-1 Knowledge Management
    • GP-2 ISM and Business Audit
    • GP-3 ISM Design and Evolution
  • Strategic Practices
    • SSP-1 Report to Stakeholders
    • SSP-2 Coordination
    • SSP-4 Define Division of Duties Rules
    • SSP-6 Allocate Resources for Information Security
  • Tactical Practices
    • TSP-1 Report to Strategic Management
    • TSP-2 Manage Allocated Resources
    • TSP-3 Define Security Targets and Security Objectives
    • TSP-4 Service Level Management
    • TSP-6 Security Architecture
    • TSP-7 Background Checks
    • TSP-8 Personnel Security
    • TSP-9 Security Personnel Training
    • TSP-10 Disciplinary Process
    • TSP-11 Security Awareness
    • TSP-13 Insurance Management
    • TSP-14 Information Operations

16. ISM3 Process - Operational Practices

  • OSP-1 Report to Tactical Management
  • OSP-2 Security Procurement
  • Lifecycle Control
    • OSP-3 Inventory Management
    • OSP-4 Information Systems IT Managed Domain Change Control
    • OSP-5 IT Managed Domain Patching
    • OSP-6 IT Managed Domain Clearing
    • OSP-7 IT Managed Domain Hardening
    • OSP-8 Software Development Life-cycle Control
    • OSP-9 Security Measures Change Control
    • OSP-16 Segmentation and Filtering Management
    • OSP-17 Malware Protection Management
  • Access and Environmental Control
    • OSP-11 Access Control
    • OSP-12 User Registration
    • OSP-14 Physical Environment Protection Management
  • Availability Control
    • OSP-10 Backup Management
    • OSP-15 Operations Continuity Management
    • OSP-26 Enhanced Reliability and Availability Management
    • OSP-27 Archiving Management
    • OSP-16 Segmentation and Filtering Management
  • Testing and Auditing
    • OSP-19 Internal Technical Audit
    • OSP-20 Incident Emulation
    • OSP-21 Information Quality and Compliance Assessment
  • Monitoring
    • OSP-22 Alerts Monitoring
    • OSP-23 Internal Events Detection and Analysis
    • OSP-28 External Events Detection and Analysis
  • Incident Handling
    • OSP-24 Handling of Incidents and Near-incidents
    • OSP-25 Forensics

17. Sample Process Description: OSP-5 IT Managed Domain Patching Process

  • Responsibilities: Process Owner: Information Systems Management; Supervisor: TSP-14 Process Owner
  • Related processes: OSP-4 Information Systems IT Managed Domain Change Control; OSP-9 Security Measures Change Control
  • Related methodologies: Project Quant
  • Quality: Update level, calculated as follows:
    • The update level for a specific information system is equal to the sum of the days outstanding for all pending security patches.
    • The IT managed domain update level is equal to the sum of the individual update levels, divided by the number of information systems.
    • The lower this metric, the better. This metric allows checking of the progress of the patching process, and comparison of the update level of different IT managed domains.
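As an added example that is not part of the presentation, the OSP-5 update level metric computed over a constructed inventory of systems and pending patches; system names, patch identifiers and dates are made up, and a patch dated in the future is treated as not yet outstanding (an assumption, since the slide does not say):

```python
# Added example (not from the presentation): the OSP-5 "update level" metric
# computed over a constructed inventory of systems and pending patches.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass
class PendingPatch:
    patch_id: str
    released: date  # day the patch became available, i.e. started being outstanding

@dataclass
class InformationSystem:
    name: str
    pending: list[PendingPatch] = field(default_factory=list)

def days_outstanding(patch: PendingPatch, today: date) -> int:
    # Assumption: a patch dated in the future is not outstanding yet, so never count negative days.
    return max((today - patch.released).days, 0)

def system_update_level(system: InformationSystem, today: date) -> int:
    # Update level of one system: sum of days outstanding over all its pending patches.
    return sum(days_outstanding(p, today) for p in system.pending)

def domain_update_level(systems: list[InformationSystem], today: date) -> float:
    # Update level of an IT managed domain: sum of the systems' update levels divided
    # by the number of systems. Fully patched systems add 0 but still count in the divisor.
    if not systems:
        raise ValueError("an IT managed domain needs at least one information system")
    return sum(system_update_level(s, today) for s in systems) / len(systems)

def rank_domains(domains: dict[str, list[InformationSystem]], today: date) -> list[tuple[str, float]]:
    # Lower is better, so the best-patched domain comes first; this is the cross-domain
    # comparison the slide says the metric allows.
    levels = ((name, domain_update_level(systems, today)) for name, systems in domains.items())
    return sorted(levels, key=lambda item: item[1])

# Constructed sample inventory (hypothetical names and dates).
TODAY = date(2011, 5, 25)
DMZ_SYSTEMS = [
    InformationSystem("web01", [PendingPatch("P-1", date(2011, 5, 10)), PendingPatch("P-2", date(2011, 5, 20))]),
    InformationSystem("web02"),  # fully patched, contributes 0
]
OFFICE_SYSTEMS = [
    InformationSystem("fs01", [PendingPatch("P-3", date(2011, 3, 26)), PendingPatch("P-4", date(2011, 5, 24))]),
    InformationSystem("ws01", [PendingPatch("P-5", date(2011, 4, 25))]),
    InformationSystem("ws02", [PendingPatch("P-6", date(2011, 5, 27))]),  # released after TODAY, counts 0
]
DOMAINS = {"Office": OFFICE_SYSTEMS, "DMZ": DMZ_SYSTEMS}

if __name__ == "__main__":
    for name, level in rank_domains(DOMAINS, TODAY):
        print(f"{name}: update level {level:.1f} days")  # DMZ 10.0, Office 30.3
```

With this inventory the DMZ scores 10.0 (20 days on web01 averaged over two systems) and the Office domain 30.3, so the DMZ is the better-patched domain.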

  • Services: Up-to-date services in every IT managed domain
  • Outputs: Services Update Level Report (OSP-4); Metrics Report (TSP-4)
  • Inputs: Inventory of Assets (OSP-3)
  • Documentation: OSP-051 Services update level report template; OSP-052 Services Patching Management procedure
  • Value: Patching prevents incidents arising from the exploitation of known weaknesses in services.
  • Description: This process covers the ongoing update of services to prevent incidents related to known weaknesses, enhancing the reliability of the updated systems.

18. O-ISM3 Goals

  • Generic Goals: Prevent and mitigate incidents; optimise the use of information, money, people, time and infrastructure.
  • Strategic Goals: Define security objectives consistent with organizational objectives, protecting stakeholders' interests.
  • Tactical Goals: Provide feedback to strategic management; manage budget, people and other resources allocated to information security.
  • Operational Goals: Provide feedback to tactical management; carry out processes for incident prevention, detection, and mitigation.

19. O-ISM3: An Information Security Management Maturity Model

  • O-ISM3 is a framework for managing information security in the context of business objectives.
  • When business objectives and security objectives are aligned, information security becomes a key contributor to the common goal of achieving the business objectives.
  • Security objectives and security targets are expressed in tangible, specific, and measurable terms.

(Diagram: Business Objectives -> Security Objectives -> Security Targets)

20. O-ISM3 Security Management Levels

  • Strategic Management: Managers involved in the long-term alignment of IT with business needs
  • Tactical Management: Managers involved in the allocation of resources and the configuration and management of the ISMS.
  • Operational Management: Managers involved in setting up, operating, and monitoring specific processes.

(Diagram: Operational Managers report to Tactical Managers, who report to Strategic Managers, who report to Stakeholders)

21. Significant Features of O-ISM3

  • The significant features of O-ISM3 are:
    • Metrics for Information Security
    • Capability Levels
    • Maturity Levels
    • Process based
    • Adopts best practices
    • Accreditation

22. O-ISM3 Capability Levels

  • Capability is a property of how a process is managed
  • Process capability is determined by the metrics the process produces.

(Table: each capability level, the management practices it enables, and the metric types the process produces at that level)

  • Capability levels and the management practices enabled:
    • Initial: Audit, Certify
    • Defined: Test
    • Managed: Monitor
    • Controlled: Assessment
    • Optimized: Planning, Benefits realization, Optimization
  • Metric types: Documentation, Activity, Scope, Effectiveness, Unavailability, Load, Quality, Efficiency

23. O-ISM3 Implementation

  • Business objectives and incidents: business objectives (objectives, security targets)
  • Dependency analysis: derive security objectives and incidents from the business objectives
  • Operationalized security objectives (objectives, security targets), grouped as:
    • Priority: OSP-15, OSP-26, others
    • Durability: OSP-6, OSP-10, OSP-27, others
    • Quality: OSP-21, others
    • Access Control: OSP-3, OSP-11, OSP-12, OSP-14, others
    • Technical: OSP-5, OSP-7, OSP-16, OSP-17, others
  • ISM3 processes and metrics

24. Typical Implementation Approach

(Diagram: Open ISM3 implementation approach)

25. Potential Benefits

  • Maturity Levels make it easier to prioritize and optimize investment in information security.
  • It scales to small and big organizations. Using separate processes in every environment avoids applying the procedures of restrictive environments across the whole organization.
  • Business Focused
  • Process Orientation
  • Manageable (with Metrics)
  • Compatible (ITIL, ISO27001, ISO9001, Cobit)
  • Adaptable
  • Flexible
  • Open Standard, readily available

26. Q & A

27. Thank you for your participation