Uploaded by nooralmousa
2. Today's Discussion Points

3. Do you agree?
QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?

4. Do you agree?
QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?
ANSWER: NO. Information Security Compliance Projects are not helping the organization; they are more a documentation of controls than a security implementation.

5. Organization Concerns

6. Governance: A Balancing Act
Conformance vs. Performance

7. What is Information Security Governance?

8. International Standards in Information Security

9. Common Issues in the Current Standard
Criteria | Current ISMS | Requirements | Implications
Paradigm | Controls based | Process based | Controls don't have a defined output, but processes do. This means processes can be managed using metrics of the outputs. Process-based management is easier to integrate with COBIT, ISO 9001 and ITIL.
Business approach | Bottom-up | Top-down | Link between business goals and information security. Focus on business objectives/goals and derive security objectives and targets from business requirements.
Incident | Breach of CIA (attack prevention) | Breach of a security objective (information quality should focus on addressing business interests) | Security objectives are defined in business terms rather than only as confidentiality, integrity and availability.
Metrics | No | Yes | Metrics allow finding incidents and faults in the process, enabling continuous improvement.

10. IT Standards and Frameworks
Business requirements: WHAT vs. HOW
IT Governance: COBIT, Val IT, ISO/IEC 38500
Information Security: ISO 27000 series, Open ISM3, ISF
IT Service Management: ITIL, ISO/IEC 20000
Project Management: PMI - PMBOK

11. Characteristics of a Control Framework
- Has general acceptability among organizations
- Helps meet regulatory requirements
- Defines a common language
- Provides sharper business focus
- Ensures process orientation

12. O-ISM3: Information Security Management Maturity Model
O-ISM3 Framework Characteristics

13. About Open ISM3

14. Highlights of O-ISM3

15. ISM3 Processes
Generic Practices, Strategic Practices, Tactical Practices

16. ISM3 Processes - Operational Practices

17. Sample Process Description: OSP-5: IT Managed Domain Patching Process
Description: This process covers the ongoing update of services to prevent incidents related to known weaknesses, enhancing the reliability of the updated systems.
Value: Patching prevents incidents arising from the exploitation of known weaknesses in services.
Documentation: OSP-051: Services update level report template; OSP-052: Services Patching Management procedure
Inputs: Inventory of Assets (OSP-3)
Outputs: Services Update Level Report (OSP-4); Metrics Report (TSP-4)
Quality: Up-to-date services in every IT managed domain
Responsibilities: Process Owner: Information Systems Management; Supervisor: TSP-14 Process Owner
Related processes: OSP-4: Information Systems IT Managed Domain Change Control; OSP-9: Security Measures Change Control
Related methodologies: Project Quant

18. O-ISM3 Goals
Generic Goals: Prevent and mitigate incidents; optimise the use of information, money, people, time and infrastructure.
Strategic Goals: Define security objectives consistent with organizational objectives, protecting stakeholders' interests.
Tactical Goals: Provide feedback to strategic management; manage budget, people and other resources allocated to information security.
Operational Goals: Provide feedback to tactical management; carry out processes for incident prevention, detection and mitigation.

19. O-ISM3: An Information Security Management Maturity Model
Business Objectives -> Security Objectives -> Security Targets

20. O-ISM3 Security Management Levels
Stakeholders <- Report <- Strategic Managers <- Report <- Tactical Managers <- Report <- Operational Managers

21. Significant Features of O-ISM3

22. O-ISM3 Capability Levels
(Table: capability levels Initial, Defined, Managed, Controlled, Optimized; management practices Enabled; Audit, Certify; Test; Monitor; Assessment; Optimization; Planning; Benefits realization; rows for Documentation and for the metric types Activity, Scope, Effectiveness, Unavailability, Load, Quality, Efficiency. The per-cell marks did not survive extraction.)

23. O-ISM3 Implementation
Business Objectives and Incidents -> Security Objectives and Incidents -> ISM3 Processes and Metrics
Operational Business Objectives (Objectives, Security Targets) -> Dependency Analysis -> Operationalized Security Objectives (Objectives, Security Targets)
Operationalized objective categories: Priority, Durability, Quality, Access Control, Technical
Process groups mapped to these categories: OSP-15, OSP-26, others; OSP-6, OSP-10, OSP-27, others; OSP-21, others; OSP-3, OSP-11, OSP-12, OSP-14, others; OSP-5, OSP-7, OSP-16, OSP-17, others

24. Typical Implementation Approach
Open ISM3 Implementation Approach

25. Potential Benefits