Vicente AceitunoBoston, July 2010

© ISM3 Consortium 2010

A Revolution in Security: ISM evolution with ISM3

Mike Jerbic

Edward Stansfeld

Anthony Nelson

Anup Narayanan

Ian Dobson

Jim Hietala

2002

2010

ScientificMethod

•Confidenciality•Integrity•Availability•Non-Repudiation•Authorization•Authentication•Audit•Privacy•Secrecy•Intellectual Property

Feedback Loop

Modeling

QualityManagement

A Maturity Model

For Security Management?

Evolution

+

+

+

Revolution

One-size-fits-all

Security Investment, Maturity Level & Risk

Security Investment

Risk

Risk Reduction/Additional SecurityInvestment

Business and context fit

Doorman Mentality

Manager Mentality

Threats

Deliverables

Incidents = Failure

Incidents = Opportunity for Improvement

(But…

Don’t make the same mistake twice.

& Learn from the mistakes of others)

Preventing policy violations

Providing value

Contrarian view of business and security

Security seen as part of the business.

Destination: Compliance

Origin:Compliance

Risk Management Techniques

+Continuous ImprovementTechniques

Invulnerability

Return on Investment

Protect the asset

Protect business objectives

ConfidentialityIntegrityAvailability

…Non-Repudiation…Authorization

…Authentication…Audit

…Privacy…Secrecy

…Intellectual Property

Operational definitions of security objectivesand business objectives

Business Objectives

Access for Authorized Users

…where and when necessary.

Unathorized user access denial

Responsibility

Secrets

Privacy

Intellectual Property

Information available for as long as necessary…

…but not after it has expired.

Comply with laws and regulations

Keep systems protected

Improvement using lagging indicators.

Test & Audit

Certification

Improvement using leading indicators

Metrics

Management Practices

Continuous Improvement

Capability Level Basic Defined Managed Controlled Optimized

Management Practices Enabled

Audit, Certify Test Monitor Planning

Benefits Realization Assessment Optimization

Documentation * * * * * * *

Met

ric

Typ

e

Activity * * * * * *

Scope * * * * * *

Unavailability * * * * * *

Effectiveness * * * * * *

Load * * * * *

Quality * *

Efficiency *

Management Practices

Planning

Test

Monitor

Assessment

Assessment

Improvement

Benefits Realization

Value

Metrics

Activity

Scope

Unavailability

Effectiveness

Efficiency

Load

Quality

Metrics

79

Measurement

80

Interpretation

Representation

Representation

83

Investigation

Capability Level Basic Defined Managed Controlled Optimized

Management Practices Enabled

Audit, Certify Test Monitor Planning

Benefits Realization Assessment Optimization

Documentation * * * * * * *

Met

ric

Typ

e

Activity * * * * * *

Scope * * * * * *

Unavailability * * * * * *

Effectiveness * * * * * *

Load * * * * *

Quality * *

Efficiency *