Sudarsan Jayaraman - Open information security management maturity model
1. Open Information Security Management Maturity Model: An Overview. 25th May, 2011. Presented by: Sudarsan Jayaraman, CISA, CISM, ITIL V3 Expert, ISO 20000 (C), ISO 27001 LA, COBIT (F), Director, Technology Risk Services
3. Do you agree? QUESTION: Do Information Security Compliance Projects improve the security posture of an organization?
4. Do you agree? QUESTION: Do Information Security Compliance Projects improve the security posture of an organization? ANSWER: NO. Information Security Compliance Projects are not helping the organization; they amount to documentation of controls rather than implementation of security.
10. IT Standards and Frameworks (diagram: frameworks arranged from "WHAT" to "HOW", from Business Requirements down to implementation). IT Governance: COBIT, VAL IT, ISO/IEC 38500. Information Security: ISO 27000 series, Open ISM3, ISF. IT Service Management: ITIL, ISO/IEC 20000. Project Management: PMI PMBOK.
11. Characteristics of a (Control) Framework: has general acceptability among organizations; helps meet regulatory requirements; defines a common language; provides sharper business focus; ensures process orientation.
18. O-ISM3 Goals. Generic Goals: prevent and mitigate incidents; optimise the use of information, money, people, time and infrastructure. Strategic Goals: define security objectives consistent with organizational objectives, protecting stakeholders' interests. Tactical Goals: provide feedback to strategic management; manage the budget, people and other resources allocated to information security. Operational Goals: provide feedback to tactical management; carry out the processes for incident prevention, detection and mitigation.
Maturity levels are designed so that the more important processes (in ROSI terms) sit in level 1, and so on. This makes it easier to prioritize and schedule investment. ISO 9001 management principles can be applied to security, since the processes have defined outputs that can be acted on. Levels 1-3 can be certified the same way ISO 9001 management systems are. Level 4 can be certified against ISO 9001, or against ISO 27001 if the ISO 27001 requirements are met. Level 5 requires ISM3 Consortium involvement, as metrics are not compulsory under ISO 27001. Frequently, strict requirements for critical production systems spill over into all of IT, making the management and use of information needlessly more difficult and expensive. The environment concept links lifecycles