Schlumberger Public
Assessing the Security Maturity
of an Organization
Claude R. Baudoin
Colin R. Elliott
Overview
• Organizations need to measure their level of readiness with respect to security risks
  ◦ You cannot improve what you do not measure
• This is an irrational exercise absent a standard or methodology that provides objective and comparable measurements
• A standard like ISO 17799 does not automatically allow an organization to:
  ◦ establish its level of compliance
  ◦ measure progress over time
  ◦ decide on required actions
  ◦ prioritize them in view of finite budgets and resources
• We have developed a new assessment tool, the Security Maturity Assessment
  ◦ based on the SEI Capability Maturity Model (CMM) approach
  ◦ includes practical advice on how to conduct an assessment
  ◦ fits within an overall security improvement plan
  ◦ patent pending
The Challenge
The CIO or CSO needs to know:
  ◦ How secure am I?
  ◦ Am I better off now than I was at this time last year?
  ◦ Am I spending the right amount of money?
  ◦ How do I compare with my peers?
Conflicting inputs and constraints:
  ◦ Clients and regulators demand provable assurances
  ◦ Vendors propose products
  ◦ Budget constraints
A Source for Best Practices – ISO 17799
• Originally “British Standard 7799”
• Adopted internationally as ISO 17799 in 2000
• Divides security into 10 areas:
  ◦ Information Security Policy
  ◦ Organizational Security
  ◦ Asset Classification and Control
  ◦ Personnel Security
  ◦ Physical and Environmental Security
  ◦ Communication and Operations Management
  ◦ Access Control
  ◦ System Development and Maintenance
  ◦ Business Continuity Management
  ◦ Compliance
“Capability Maturity Model” Concept
• Created in 1995 by the Software Engineering Institute (SEI) at Carnegie-Mellon University to improve software processes
• 5 levels
• “Key Process Areas” must be in place to qualify for each level
• Widely adopted by the software industry

Level 5: Optimizing. Continuous process capability improvement.
  Key Process Areas: Process Change Management; Defect Prevention; Technology Change Management
Level 4: Managed. Product quality planning; tracking of measured software progress.
  Key Process Areas: Software and Quality Management; Quantitative Process Management
Level 3: Defined. Software process defined and institutionalized to provide product quality control.
  Key Process Areas: Organization Process Focus; Organization Process Definition; Training Program; Integrated Software Management; Software Product Engineering; Intergroup Coordination; Peer Reviews
Level 2: Repeatable. Management oversight and tracking of projects; stable planning and product baselines.
  Key Process Areas: Requirements Management; Project Planning; Project Tracking / Oversight; Subcontract Management; Configuration Management
Level 1: Initial. Ad hoc, unpredictable, chaotic.
Mapping ISO 17799 to Maturity Levels
3.1.1 Information Security Policy Document
  “A policy document should be approved by management, published and communicated, as appropriate, to all employees. It should state management commitment and set out the organization’s approach to managing information security.”
3.1.2 Review and Evaluation
  “The policy should have an owner”
  There should be a “defined review process” ensuring that “a review takes place in response to any changes affecting the basis of the original risk assessment…”
4.1.7 Independent review of information security
  The implementation of the Information Security Policy should be “reviewed independently to provide assurance that organizational practices properly reflect the policy.”
Maturity levels shown alongside these clauses: Defined, Managed, Optimized.
Regroup these three concerns into Levels 3, 4 and 5 of the same row of the assessment matrix.
The Assessment Matrix (sample row)

Level definitions
  Level 1 (Initial): no criteria listed
  Level 2 (Repeatable): Informal, ad hoc. Not written down, may be communicated through coaching.
  Level 3 (Defined): Formal & documented (in writing).
  Level 4 (Managed): Enforced & measured. Responsibilities are defined explicitly.
  Level 5 (Optimizing): Dynamic. Process exists for catching deviations and making constant improvements.

ISO 17799 category III.1 Information Security Policy
  Criteria assessed: Coverage of Security Policy; Review of effective implementation of information security policy; Review of Information Security Policy
  Level 1 (Initial): No security policy in place.
  Level 2 (Repeatable): Security policy exists, but as a general statement. Inferring what is specifically mandated or prohibited requires consulting specialized personnel. No regular reviews.
  Level 3 (Defined): Specific policy exists supporting business goals, clearly stating in detail what is mandated or prohibited. A "normal" person can easily understand it. Reviews carried out at intervals, but no clear management responsibility to trigger reviews or exploit results.
  Level 4 (Managed): Security policy covers all areas of business. Security policy is owned by appropriate functions including IT but also Finance, HR, Legal, etc. Organization policies define the roles and responsibilities in following procedures. Reviews carried out at intervals, and responsibility for the reviews is defined explicitly in the policy. A report on non-compliance is created and distributed to the business units for their review and action.
  Level 5 (Optimizing): Clear responsibilities and mechanisms in place to upgrade policy if required after every breach of policy, and if business changes occur such as acquisition, divestiture, or major changes in business processes.
SMA – Part of an Overall Security Improvement Process
1. Management Awareness and Commitment
2. Security Maturity Assessment
3. Corrective Action Plan
4. Action Plan Execution
5. Ongoing Monitoring
Conducting the Assessment
• Communicate the purpose and process of the assessment
• Determine who will be interviewed
• Conduct the interviews and collect documentation
• Ask follow-up questions
• Tabulate the results
• Evaluate the results and form an initial conclusion
• Present the draft of the assessment results to the client
• Obtain any information to correct factual errors or omissions
• Deliver the final report
Pragmatic Aspects of an Assessment
• Interviewee Selection and Psychology
  ◦ Include non-IT and non-manager personnel
  ◦ Each type of person in the organization has hopes and fears
  ◦ They have agendas, which often conflict
• Objective Questions
  ◦ Bad question: “Do you think you have a good security policy?”
  ◦ Good question: “Were you asked to read and sign a security policy when you joined the company?”
  ◦ A good question allows independent verification
• Judging SMA Levels
  ◦ CMM levels are much easier to apply than 0 to 10 scales
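The scoring rule behind the matrix and the "tabulate the results" step can be made concrete in code. The block below is an added example, not the authors' tool or any code from the slides: it encodes the sample "III.1 Information Security Policy" row as per-level criteria, accepts an interview finding only when it is backed by collected documentation (a constructed rule that mirrors the "good question allows independent verification" advice), applies the CMM staging rule that a level counts only when every lower level is also met, and tabulates this year's level against last year's to answer "am I better off than a year ago?". The criterion names, the verification rule and both sets of findings are constructed for illustration.

```python
"""Staged maturity scoring for one row of a Security Maturity Assessment
matrix. Added example, not part of the Baudoin/Elliott slides or their
tool; criterion names and sample findings are constructed."""

LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Defined",
               4: "Managed", 5: "Optimizing"}

# Per-level criteria paraphrased from the sample matrix row. Level 1 has no
# criteria: it is what an organization gets when nothing above it holds.
POLICY_ROW = {
    2: ["policy_exists"],
    3: ["policy_specific", "policy_plainly_understandable",
        "reviews_at_intervals"],
    4: ["covers_all_business_areas", "owned_beyond_it",
        "review_responsibility_in_policy", "noncompliance_report_to_units"],
    5: ["update_after_breach", "update_on_business_change"],
}


def accepted(finding):
    """A criterion counts only when the interview answer is independently
    verifiable: the claim must be backed by collected documentation.
    (Constructed rule; the deck only says good questions allow verification.)"""
    return finding.get("claimed", False) and finding.get("documented", False)


def staged_level(row, findings):
    """Highest level L such that all criteria of levels 2..L are accepted.
    Meeting a higher level's criteria without the level below does not count,
    which is the CMM 'must qualify for each level' rule."""
    level = 1
    for lvl in sorted(row):
        if all(accepted(findings.get(c, {})) for c in row[lvl]):
            level = lvl
        else:
            break
    return level


def gaps_to_next_level(row, findings):
    """Unmet criteria of the next level up: input for the Corrective Action Plan."""
    nxt = staged_level(row, findings) + 1
    return [c for c in row.get(nxt, []) if not accepted(findings.get(c, {}))]


def tabulate(matrix, findings_by_category):
    """matrix: {category: row}; returns {category: level}, ready for charting."""
    return {cat: staged_level(row, findings_by_category.get(cat, {}))
            for cat, row in matrix.items()}


def year_over_year(previous, current):
    """Per-category level change between two tabulations (missing = Level 1)."""
    return {cat: current[cat] - previous.get(cat, 1) for cat in current}


# Constructed findings for one organization, this year: what interviewees
# claimed and whether a supporting document was collected.
FINDINGS_NOW = {
    "policy_exists": {"claimed": True, "documented": True},
    "policy_specific": {"claimed": True, "documented": True},
    "policy_plainly_understandable": {"claimed": True, "documented": True},
    "reviews_at_intervals": {"claimed": True, "documented": True},
    "covers_all_business_areas": {"claimed": True, "documented": True},
    "owned_beyond_it": {"claimed": True, "documented": True},
    # Claimed in interviews, but no policy text assigns the responsibility.
    "review_responsibility_in_policy": {"claimed": True, "documented": False},
    "noncompliance_report_to_units": {"claimed": False, "documented": False},
}

# Constructed findings for the same organization a year earlier.
FINDINGS_LAST_YEAR = {
    "policy_exists": {"claimed": True, "documented": True},
    "policy_specific": {"claimed": False, "documented": False},
}

CATEGORY = "III.1 Information Security Policy"
MATRIX = {CATEGORY: POLICY_ROW}


def report():
    """Tabulate both years and print the level, the change and the gaps."""
    now = tabulate(MATRIX, {CATEGORY: FINDINGS_NOW})
    before = tabulate(MATRIX, {CATEGORY: FINDINGS_LAST_YEAR})
    delta = year_over_year(before, now)
    for cat in MATRIX:
        lvl = now[cat]
        print(f"{cat}: Level {lvl} ({LEVEL_NAMES[lvl]}), change {delta[cat]:+d}")
        print("  gaps to next level:", gaps_to_next_level(MATRIX[cat], FINDINGS_NOW))
    return now, delta


if __name__ == "__main__":
    report()
```

Run as a script it reports Level 3 (Defined) for the sample row, up one level from last year, with the two unmet Level 4 criteria listed as gaps. The two Level 4 criteria that are already met do not lift the score, and a claim without a document does not count: both choices keep the result comparable between assessments and between assessors, which is the point of using CMM levels rather than a subjective 0 to 10 scale.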
Presenting the Results Graphically
[Figure: graphical presentation of assessment results; the chart itself is not recoverable from the extracted text]
cbaudoin@cebe-itkm.com

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Security Maturity Assessment

5. “Capability Maturity Model” Concept
Created in 1995 by the Software Engineering Institute (SEI) at Carnegie-Mellon University to improve software processes.
 5 levels
 “Key Process Areas” (KPAs) must be in place to qualify for each level
 Widely adopted by the software industry

 Level 5: Optimizing. Continuous process capability improvement.
  KPAs: Process Change Management, Defect Prevention, Technology Change Management
 Level 4: Managed. Product quality planning; tracking of measured software progress.
  KPAs: Software Quality Management, Quantitative Process Management
 Level 3: Defined. Software process defined and institutionalized to provide product quality control.
  KPAs: Organization Process Focus, Organization Process Definition, Training Program, Integrated Software Management, Software Product Engineering, Intergroup Coordination, Peer Reviews
 Level 2: Repeatable. Management oversight and tracking of projects; stable planning and product baselines.
  KPAs: Requirements Management, Project Planning, Project Tracking / Oversight, Subcontract Management, Configuration Management
 Level 1: Initial. Ad hoc, unpredictable, chaotic.

6. Mapping ISO 17799 to Maturity Levels
 3.1.1 Information Security Policy Document → Defined (Level 3)
  “A policy document should be approved by management, published and communicated, as appropriate, to all employees. It should state management commitment and set out the organization’s approach to managing information security.”
 3.1.2 Review and Evaluation → Managed (Level 4)
  “The policy should have an owner.” There should be a “defined review process” ensuring that “a review takes place in response to any changes affecting the basis of the original risk assessment…”
 4.1.7 Independent review of information security → Optimized (Level 5)
  The implementation of the Information Security Policy should be “reviewed independently to provide assurance that organizational practices properly reflect the policy.”
 Regroup these three concerns into Levels 3, 4 and 5 of the same row of the assessment matrix.

7. The Assessment Matrix (sample row)
Columns: ISO 17799 Categories | Level 1 (Initial) | Level 2 (Repeatable) | Level 3 (Defined) | Level 4 (Managed) | Level 5 (Optimizing)

Level definitions
 Level 1 (Initial): informal, ad hoc; not written down, may be communicated through coaching
 Level 2 (Repeatable): formal and documented (in writing)
 Level 3 (Defined): enforced and measured; responsibilities are defined explicitly
 Level 4 (Managed): dynamic; a process exists for catching deviations and making constant improvements

Sample row: III.1 Information Security Policy (coverage of the security policy in the effective implementation of information security; review of the Information Security Policy)
 Level 1: No security policy exists, or only as a general statement. Inferring what is specifically mandated or prohibited requires consulting specialized personnel. No regular reviews.
 Level 2: A specific policy exists supporting business goals, clearly stating in detail what is mandated or prohibited. A “normal” person can easily understand it. Reviews are carried out at intervals, but there is no clear responsibility to trigger reviews or exploit their results.
 Level 3: The security policy covers all areas of the business. It is owned by the appropriate functions, including IT but also Finance, HR, Legal, etc. Organization policies define the roles and responsibilities for following procedures. Reviews are carried out; their intervals and the management responsibility for them are defined explicitly in the policy.
 Level 4: Clear responsibilities and mechanisms are in place to upgrade the policy if required after every breach of policy, and when business changes occur such as an acquisition, a divestiture, or major changes in business processes. A report on non-compliance is created and distributed to the business units for their review and action.
(The Level 5 cells of this sample row are not legible in the extracted slide.)

8. SMA – Part of an Overall Security Improvement Process
Five steps:
 1. Management Awareness and Commitment
 2. Security Maturity Assessment
 3. Corrective Action Plan
 4. Action Plan Execution
 5. Ongoing Monitoring

9. Conducting the Assessment
 Communicate the purpose and process of the assessment
 Determine who will be interviewed
 Conduct the interviews and collect documentation
 Ask follow-up questions
 Tabulate the results
 Evaluate the results and form an initial conclusion
 Present the draft of the assessment results to the client
 Obtain any information needed to correct factual errors or omissions
 Deliver the final report

10. Pragmatic Aspects of an Assessment
Interviewee selection and psychology
 Include non-IT and non-manager personnel
 Each type of person in the organization has hopes and fears
 They have agendas, which often conflict
Objective questions
 Bad question: “Do you think you have a good security policy?”
 Good question: “Were you asked to read and sign a security policy when you joined the company?”
 A good question allows independent verification
Judging SMA levels
 CMM levels are much easier to apply than 0–10 scales

11. Presenting the Results Graphically
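The following is an added example, not code from the slides or from the authors' tool. It shows how the staged rule from the CMM slide (every lower level must be fully in place before a higher one counts) turns the tabulated interview answers of the assessment procedure into a per-area maturity level, lists the unmet criteria that feed the corrective action plan, compares two assessments a year apart, and renders the result as a simple bar chart. The ISO 17799 areas, the criteria and the yes/no answers are constructed and hypothetical; the criteria for the Information Security Policy area paraphrase the sample matrix row.

```python
from dataclasses import dataclass, field

# CMM level names as used on the slides
LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Desfined", 4: "Managed", 5: "Optimizing"}
LEVEL_NAMES[3] = "Defined"


@dataclass
class AreaEvidence:
    """Verified answers for one ISO 17799 area, keyed by the maturity level they support."""
    area: str
    # level -> [(criterion, satisfied)]; level 1 needs no evidence, it is the floor
    criteria: dict = field(default_factory=dict)


def level_achieved(ev: AreaEvidence) -> int:
    """Staged scoring: a level counts only if it and every level below it are fully met."""
    achieved = 1
    for level in range(2, 6):
        checks = ev.criteria.get(level, [])
        # no evidence gathered for this level, or any unmet criterion, stops the climb
        if not checks or not all(ok for _, ok in checks):
            break
        achieved = level
    return achieved


def open_items(ev: AreaEvidence) -> list:
    """Unmet criteria at the next level up: the input to the corrective action plan."""
    nxt = level_achieved(ev) + 1
    return [name for name, ok in ev.criteria.get(nxt, []) if not ok]


def compare(previous: dict, current: dict) -> dict:
    """Per-area change in level between two assessments (e.g. last year vs. now)."""
    return {area: level_achieved(current[area]) - level_achieved(previous[area])
            for area in current if area in previous}


def bar_chart(assessment: dict, width: int = 5) -> str:
    """Text rendering of the per-area levels, one bar per ISO 17799 area."""
    lines = []
    for area, ev in assessment.items():
        lvl = level_achieved(ev)
        lines.append(f"{area:<32} {'#' * lvl}{'.' * (width - lvl)} {lvl} {LEVEL_NAMES[lvl]}")
    return "\n".join(lines)


# Constructed sample evidence (hypothetical answers, not from a real assessment).
THIS_YEAR = {
    "Information Security Policy": AreaEvidence("Information Security Policy", {
        2: [("specific written policy exists", True),
            ("policy reviewed at intervals", True)],
        3: [("policy covers all business areas", True),
            ("owned by Finance/HR/Legal as well as IT", False),
            ("review interval and owner defined in policy", True)],
        4: [("policy upgraded after every breach", False),
            ("non-compliance report sent to business units", False)],
    }),
    "Access Control": AreaEvidence("Access Control", {
        2: [("account provisioning procedure documented", True)],
        3: [("access reviews with named owners", True)],
        4: [("deviations detected and fed back into the procedure", True)],
        # no level 5 evidence was gathered, so level 4 is the ceiling
    }),
    "Physical Security": AreaEvidence("Physical Security", {
        2: [("visitor procedure written down", False)],
        3: [("badge audit responsibilities defined", True)],  # does not count: level 2 unmet
    }),
}

LAST_YEAR = {
    "Information Security Policy": AreaEvidence("Information Security Policy", {
        2: [("specific written policy exists", True),
            ("policy reviewed at intervals", False)],
    }),
    "Access Control": AreaEvidence("Access Control", {
        2: [("account provisioning procedure documented", True)],
        3: [("access reviews with named owners", True)],
    }),
    "Physical Security": AreaEvidence("Physical Security", {
        2: [("visitor procedure written down", False)],
    }),
}

if __name__ == "__main__":
    print(bar_chart(THIS_YEAR))
    print("change since last year:", compare(LAST_YEAR, THIS_YEAR))
    print("next steps for policy:", open_items(THIS_YEAR["Information Security Policy"]))
```

The Physical Security area illustrates the staged rule: a satisfied Level 3 criterion does not lift the area above Level 1 while a Level 2 criterion is unmet, which is also why an answer that cannot be independently verified should be recorded as unmet rather than left out.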