Open Information Security Management Maturity Model: An Overview. 25th May, 2011. Presented by: Sudarsan Jayaraman, CISA, CISM, ITIL V3 Expert, ISO 20000 (C), ISO 27001 LA, COBIT (F), Director, Technology Risk Services
Today's Discussion Points
Do you agree? QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?
ANSWER: NO. Information Security Compliance Projects are not helping the organization; they are more a documentation of controls than a security implementation.
Organization Concerns
Governance – A Balancing Act: Conformance vs. Performance
What is Information Security Governance?
International Standards in Information Security
Common issues in the current standard
Criteria | Current ISMS | Requirements | Implications
Paradigm | Controls based | Process based | Controls don't have a defined output, but processes do, so processes can be managed using metrics of their outputs. Process-based management is easier to integrate with COBIT, ISO 9001 and ITIL.
Business approach | Bottom-up | Top-down | Focus on business objectives/goals and derive security objectives and targets from business requirements; this links business goals and information security.
 | Attack prevention | Information quality, focused on addressing business interests | 
Incident | Breach of CIA | Breach of a security objective | 
Metrics | No | Yes | Metrics allow finding incidents and faults in the process, enabling continuous improvement.
IT Standards and Frameworks (diagram, from business requirements, the WHAT, to the HOW): IT Governance (ISO/IEC 38500, COBIT, VAL IT); Information Security (ISO 27000 series, Open ISM3, ISF); IT Service Management (ITIL, ISO/IEC 20000); Project Management (PMI PMBOK).
Characteristics of a Framework: has general acceptability among organizations; helps meet regulatory requirements; defines a common language (control framework); provides sharper business focus; ensures process orientation.
O-ISM3 – Information Security Management Maturity Model: O-ISM3 Framework Characteristics
About Open ISM3
Highlights of O-ISM3
ISM3 Processes: Generic Practices, Strategic Practices, Tactical Practices
ISM3 Processes: Operational Practices
Sample Process Description: OSP-5: IT Managed Domain Patching Process
Description: This process covers the ongoing update of services to prevent incidents related to known weaknesses, enhancing the reliability of the updated systems.
Value: Patching prevents incidents arising from the exploitation of known weaknesses in services.
Documentation: OSP-051: Services update level report template; OSP-052: Services Patching Management procedure
Inputs: Inventory of Assets (OSP-3)
Outputs: Services Update Level Report (OSP-4); Metrics Report (TSP-4)
Metrics: 
Quality: Up-to-date services in every IT managed domain
Responsibilities: Process Owner: Information Systems Management; Supervisor: TSP-14 Process Owner
Related processes: OSP-4: Information Systems IT Managed Domain Change Control; OSP-9: Security Measures Change Control
Related methodologies: Project Quant
O-ISM3 Goals
Generic Goals: Prevent and mitigate incidents; optimise the use of information, money, people, time and infrastructure.
Strategic Goals: Define security objectives consistent with organizational objectives, protecting stakeholders' interests.
Tactical Goals: Provide feedback to strategic management; manage budget, people and other resources allocated to information security.
Operational Goals: Provide feedback to tactical management; carry out processes for incident prevention, detection and mitigation.
O-ISM3: An Information Security Management Maturity Model. Business Objectives → Security Objectives → Security Targets
O-ISM3 Security Management Levels (reporting chain): Operational Managers report to Tactical Managers, who report to Strategic Managers, who report to Stakeholders.
Significant Features of O-ISM3
O-ISM3 – Capability Levels
Capability levels, lowest to highest: Initial, Managed, Defined, Controlled, Optimized.
Management practices, from Enabled at the Initial level up to Optimization, Benefits realization and Planning at the Optimized level: Enabled; Test; Audit, Certify; Monitor; Assessment; Optimization; Benefits realization; Planning.
Metric types, each marked on the slide with the capability levels at which it is used (Documentation at the most levels, Efficiency at the fewest): Documentation, Activity, Scope, Effectiveness, Unavailability, Load, Quality, Efficiency.
O-ISM3 Implementation (flow: Business Objectives and Incidents → Security Objectives and Incidents → ISM3 Processes and Metrics)
1. Operational Business Objectives (Objectives, Security Targets)
2. Dependency Analysis
3. Operationalized Security Objectives (Objectives, Security Targets), grouped as Priority, Durability, Quality, Access Control and Technical
4. ISM3 processes and metrics supporting each group, in the order shown on the slide: Priority: OSP-15, OSP-26, others; Durability: OSP-6, OSP-10, OSP-27, others; Quality: OSP-21, others; Access Control: OSP-3, OSP-11, OSP-12, OSP-14, others; Technical: OSP-5, OSP-7, OSP-16, OSP-17, others.
Typical Implementation Approach: Open-ISM3 Implementation Approach (diagram)
Potential Benefits
Sudarsan Jayaraman - Open information security management maturity model

  • 1. Open Information Security Management Maturity Model: An Overview. 25th May, 2011. Presented by: Sudarsan Jayaraman, CISA, CISM, ITIL V3 Expert, ISO 20000 (C), ISO 27001 LA, COBIT (F), Director – Technology Risk Services
  • 3. Do you agree? QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?
  • 4. Do you agree? ANSWER: NO. Information Security Compliance Projects are not helping the organization; they amount to documentation of controls rather than implementation of security. QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?
  • 7. What is Information Security Governance?
  • 10. IT Standards and Frameworks (diagram). Business Requirements drive IT Governance (COBIT, Val IT, ISO/IEC 38500), which defines the WHAT; the HOW is covered by information security management (ISO 27000 series / Open ISM3 / ISF), IT Service Management (ITIL, ISO/IEC 20000) and Project Management (PMI PMBOK).
  • 11. Characteristics of a (control) Framework: has general acceptability among organizations; helps meet regulatory requirements; defines a common language; provides sharper business focus; ensures process orientation.
  • 18. O-ISM3 Goals
    - Generic goals: prevent and mitigate incidents; optimise the use of information, money, people, time and infrastructure.
    - Strategic goals: define security objectives consistent with organizational objectives, protecting stakeholders' interests.
    - Tactical goals: provide feedback to strategic management; manage the budget, people and other resources allocated to information security.
    - Operational goals: provide feedback to tactical management; carry out the processes for incident prevention, detection and mitigation.
  • 23. O-ISM3 Implementation (diagram). Three layers: Business Objectives and Incidents; Security Objectives and Incidents; ISM3 Processes and Metrics. Flow: Operational Business Objectives (objectives, security targets) -> Dependency Analysis -> Operationalized Security Objectives (objectives, security targets), grouped into five categories, each mapped to O-ISM3 operational processes:
    - Priority: OSP-15, OSP-26, others
    - Durability: OSP-6, OSP-10, OSP-27, others
    - Quality: OSP-21, others
    - Access Control: OSP-3, OSP-11, OSP-12, OSP-14, others
    - Technical: OSP-5, OSP-7, OSP-16, OSP-17, others
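The bottom layer of that slide, processes managed by the metrics of their output, is easier to see with a small worked example. The Python below is added here and is not from the presentation or from the O-ISM3 standard: it takes the constructed output of a hypothetical patching process (the slide lists process numbers such as OSP-5 but not their names or metric definitions, so the process, the metric names scope/efficacy/update and the target values are all assumptions) and derives metrics that can be compared with targets, which is what a control checkbox cannot do.

```python
"""Added example (not from the slide deck or the O-ISM3 standard): managing a
security process by metrics of its output instead of a control checkbox.
Assumptions: a hypothetical patching process whose output is one record per
(system, advisory); the metric names and target values are invented here."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PatchRecord:
    system: str
    advisory: str
    published: date            # advisory publication date
    patched: Optional[date]    # None means still unpatched


# Constructed sample output of the process (not real data).
SAMPLE_RECORDS: List[PatchRecord] = [
    PatchRecord("web-01", "ADV-1", date(2011, 5, 1), date(2011, 5, 4)),
    PatchRecord("web-02", "ADV-1", date(2011, 5, 1), date(2011, 5, 20)),
    PatchRecord("db-01", "ADV-1", date(2011, 5, 1), None),
    PatchRecord("web-01", "ADV-2", date(2011, 5, 10), date(2011, 5, 12)),
    PatchRecord("web-02", "ADV-2", date(2011, 5, 10), date(2011, 5, 15)),
    PatchRecord("db-01", "ADV-2", date(2011, 5, 10), date(2011, 5, 18)),
]
# Constructed inventory: hr-01 exists but never appears in the process output,
# which is exactly the gap a "patching control: in place" checkbox hides.
INVENTORY: Set[str] = {"web-01", "web-02", "db-01", "hr-01"}
AS_OF = date(2011, 5, 25)   # date the metrics are taken
SLA_DAYS = 7                # hypothetical target: patch within 7 days

# Hypothetical targets; the operator gives the direction in which the metric is good.
TARGETS: Dict[str, Tuple[str, float]] = {
    "scope": (">=", 1.0),
    "efficacy": (">=", 0.8),
    "worst_open_age_days": ("<=", 14),
    "update_age_days": ("<=", 7),
}


def process_metrics(records, inventory, as_of, sla_days):
    """Derive metrics from the process output."""
    reporting = {r.system for r in records}
    # scope: share of the inventory the process actually touches
    scope = len(reporting & inventory) / len(inventory) if inventory else 0.0
    closed = [r for r in records if r.patched is not None]
    within_sla = [r for r in closed if (r.patched - r.published).days <= sla_days]
    # efficacy: share of all work items completed within the target
    efficacy = len(within_sla) / len(records) if records else 0.0
    open_items = [r for r in records if r.patched is None]
    worst_open_age = max(((as_of - r.published).days for r in open_items), default=0)
    # update: how long since the process last produced any output (None: never)
    last_output = max((r.patched for r in closed), default=None)
    update_age = (as_of - last_output).days if last_output else None
    return {
        "scope": scope,
        "efficacy": efficacy,
        "open_items": len(open_items),
        "worst_open_age_days": worst_open_age,
        "update_age_days": update_age,
    }


def evaluate(metrics, targets):
    """Compare each metric with its target; return human-readable breaches."""
    breaches = []
    for name, (op, target) in targets.items():
        value = metrics[name]
        if value is None:
            breaches.append(f"{name}: the process has never produced output")
            continue
        ok = value >= target if op == ">=" else value <= target
        if not ok:
            breaches.append(f"{name}={value:.2f} (target {op} {target})")
    return breaches


def run_example():
    """Metrics and breaches for the constructed sample."""
    metrics = process_metrics(SAMPLE_RECORDS, INVENTORY, AS_OF, SLA_DAYS)
    return metrics, evaluate(metrics, TARGETS)


if __name__ == "__main__":
    m, b = run_example()
    for k, v in m.items():
        print(f"{k:>20}: {v}")
    print("breaches:", *b, sep="\n  ")
```

On the sample, scope is 0.75 (hr-01 never reports), efficacy is 0.5 and one advisory has been open for 24 days, so three of the four targets are breached even though a checklist would record the patching control as present. The "update" metric is the one to watch in practice: a process that silently stops producing output looks identical to a healthy one until someone measures the age of its last output.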
  • 24. Typical Implementation Approach vs. Open-ISM3 Implementation Approach (comparison diagram).

Editor's Notes

  1. Maturity levels are designed so that the processes with the greatest return on security investment (ROSI) sit in level 1, the next most important in level 2, and so on; this makes it easier to prioritise and schedule investment. ISO 9001 management principles can be applied to security, because processes have defined outputs that can be measured and acted on. Levels 1-3 can be certified the same way ISO 9001 management systems are. Level 4 can be certified against ISO 9001, or against ISO 27001 if the ISO 27001 requirements are met. Level 5 requires ISM3 Consortium involvement, since metrics are not compulsory under ISO 27001. Strict requirements for critical production systems frequently spill over into the rest of IT, making the management and use of information needlessly more difficult and expensive. The environment concept links lifecycles