Schlumberger Public
Assessing the Security Maturity
of an Organization
Claude R. Baudoin
Colin R. Elliott
Overview

• Organizations need to measure their level of readiness with respect to security risks
  – You cannot improve what you do not measure
• Without a standard or methodology that yields objective and comparable measurements, the exercise is meaningless
• A standard like ISO 17799 does not, by itself, allow an organization to:
  – establish its level of compliance
  – measure progress over time
  – decide on the required actions
  – prioritize them in view of finite budgets and resources
• We have developed a new assessment tool, the Security Maturity Assessment (SMA)
  – based on the SEI Capability Maturity Model (CMM) approach
  – includes practical advice on how to conduct an assessment
  – fits within an overall security improvement plan
  – patent pending
The Challenge

The CIO or CSO needs to know:
  – How secure am I?
  – Am I better off now than I was at this time last year?
  – Am I spending the right amount of money?
  – How do I compare with my peers?
Conflicting inputs and constraints:
  – Clients and regulators demand provable assurances
  – Vendors propose products
  – Budget constraints
A Source for Best Practices – ISO 17799

• Originally "British Standard 7799" (BS 7799 Part 1)
• Adopted internationally as ISO/IEC 17799 in 2000
• Divides security into 10 areas:
  – Information Security Policy
  – Organizational Security
  – Asset Classification and Control
  – Personnel Security
  – Physical and Environmental Security
  – Communications and Operations Management
  – Access Control
  – System Development and Maintenance
  – Business Continuity Management
  – Compliance
"Capability Maturity Model" Concept

• Developed in the early 1990s (published in book form in 1995) by the Software Engineering Institute (SEI) at Carnegie Mellon University to improve software processes
• 5 levels
• "Key Process Areas" (KPAs) must be in place to qualify for each level; an organization is at the highest level whose KPAs, and those of every lower level, are all satisfied
• Widely adopted by the software industry

Level 5: Optimizing
  Continuous process capability improvement.
  KPAs: Defect Prevention; Technology Change Management; Process Change Management
Level 4: Managed
  Product quality planning; tracking of measured software progress.
  KPAs: Quantitative Process Management; Software Quality Management
Level 3: Defined
  Software process defined and institutionalized to provide product quality control.
  KPAs: Organization Process Focus; Organization Process Definition; Training Program; Integrated Software Management; Software Product Engineering; Intergroup Coordination; Peer Reviews
Level 2: Repeatable
  Management oversight and tracking of projects; stable planning and product baselines.
  KPAs: Requirements Management; Project Planning; Project Tracking and Oversight; Subcontract Management; Configuration Management
Level 1: Initial
  Ad hoc, unpredictable, chaotic. No KPAs are defined for this level.
Mapping ISO 17799 to Maturity Levels

Three ISO 17799 clauses address the information security policy; each describes a more demanding practice than the last:

3.1.1 Information Security Policy Document
  "A policy document should be approved by management, published and communicated, as appropriate, to all employees. It should state management commitment and set out the organization's approach to managing information security."

3.1.2 Review and Evaluation
  "The policy should have an owner." There should be a "defined review process" ensuring that "a review takes place in response to any changes affecting the basis of the original risk assessment..."

4.1.7 Independent Review of Information Security
  The implementation of the Information Security Policy should be "reviewed independently to provide assurance that organizational practices properly reflect the policy."

These three concerns are regrouped into Levels 3 (Defined), 4 (Managed) and 5 (Optimizing) of the same row of the assessment matrix.
The Assessment Matrix (sample row)

Level definitions (the same for every row of the matrix):
  Level 1 (Initial)
  Level 2 (Repeatable): informal, ad hoc; not written down, may be communicated through coaching
  Level 3 (Defined): formal and documented (in writing)
  Level 4 (Managed): enforced and measured; responsibilities are defined explicitly
  Level 5 (Optimizing): dynamic; a process exists for catching deviations and making constant improvements

Row III.1, Information Security Policy. Concerns covered by this row: coverage of the security policy; review of the effective implementation of the information security policy; review of the information security policy itself.
  Level 1 (Initial): No security policy in place.
  Level 2 (Repeatable): A security policy exists, but only as a general statement. Inferring what is specifically mandated or prohibited requires consulting specialized personnel. No regular reviews.
  Level 3 (Defined): A specific policy exists that supports business goals and states clearly and in detail what is mandated or prohibited; a "normal" person can easily understand it. Reviews are carried out at intervals, but there is no clear management responsibility to trigger reviews or to act on their results.
  Level 4 (Managed): The security policy covers all areas of the business and is owned by the appropriate functions, including IT but also Finance, HR, Legal, etc. Organization policies define the roles and responsibilities for following procedures. Reviews are carried out, and the intervals and the responsibility for the reviews are defined explicitly in the policy. A report on non-compliance is created and distributed to the business units for their review and action.
  Level 5 (Optimizing): Clear responsibilities and mechanisms are in place to upgrade the policy if required after every breach of policy, and when business changes occur such as an acquisition, a divestiture, or major changes in business processes.
SMA – Part of an Overall Security Improvement Process

The SMA is one step in a five-step cycle built around management commitment:
  1. Management Awareness and Commitment (the hub around which the other four steps revolve)
  2. Security Maturity Assessment
  3. Corrective Action Plan
  4. Action Plan Execution
  5. Ongoing Monitoring, which feeds the next assessment
Conducting the Assessment

• Communicate the purpose and process of the assessment
• Determine who will be interviewed
• Conduct the interviews and collect documentation
• Ask follow-up questions
• Tabulate the results
• Evaluate the results and form an initial conclusion
• Present the draft of the assessment results to the client
• Obtain any information needed to correct factual errors or omissions
• Deliver the final report
Pragmatic Aspects of an Assessment

• Interviewee selection and psychology
  – Include non-IT and non-manager personnel
  – Each type of person in the organization has hopes and fears
  – They have agendas, which often conflict
• Objective questions
  – Bad question: "Do you think you have a good security policy?"
  – Good question: "Were you asked to read and sign a security policy when you joined the company?"
  – A good question allows independent verification
• Judging SMA levels
  – CMM levels are much easier to apply than 0 to 10 scales
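The following is an added example and not code from the slides or from the authors. It shows how the tabulation and level-judging steps can be made mechanical: each cell of the assessment matrix becomes a list of criteria answered by objective questions, an answer only counts when it comes with an artifact an assessor can verify, and a category's level is computed the staged CMM way (a level is earned only when it and every lower level are fully demonstrated). The criteria for the Information Security Policy row paraphrase the sample row above; the Access Control criteria, the two years of evidence, and the artifact names are constructed for illustration.

```python
"""Added example (not from the Baudoin/Elliott slides): tabulating SMA
interview results into CMM-style maturity levels per ISO 17799 category."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Defined",
               4: "Managed", 5: "Optimizing"}

# Criteria an organization must demonstrate to earn each level of a row.
# "Information Security Policy" paraphrases the deck's sample row;
# "Access Control" is a hypothetical placeholder row.
MATRIX: Dict[str, Dict[int, List[str]]] = {
    "Information Security Policy": {
        2: ["policy_exists"],
        3: ["policy_written", "policy_states_mandated_and_prohibited",
            "periodic_reviews"],
        4: ["policy_covers_all_business_areas", "policy_owners_named",
            "review_interval_and_owner_in_policy",
            "noncompliance_report_distributed"],
        5: ["policy_updated_after_breach", "policy_updated_on_business_change"],
    },
    "Access Control": {
        2: ["accounts_created_on_request"],
        3: ["written_access_procedure", "joiner_leaver_process"],
        4: ["quarterly_access_recertification", "exceptions_reported"],
        5: ["access_model_revised_after_incidents"],
    },
}


@dataclass
class Evidence:
    """Answer to one objective question plus the artifact (signed form,
    review minutes, document reference) that lets an assessor verify it."""
    satisfied: bool
    artifact: Optional[str] = None

    def counts(self) -> bool:
        # A "yes" that cannot be independently verified is not demonstrated.
        return self.satisfied and bool(self.artifact)


def category_level(criteria: Dict[int, List[str]],
                   evidence: Dict[str, Evidence]) -> int:
    """Staged scoring as in CMM: a level is earned only when every criterion
    of that level and of all lower levels is demonstrated. Evidence for a
    higher level does not raise the score while a lower level fails."""
    level = 1  # Initial: nothing required
    for lvl in sorted(criteria):
        if all(evidence.get(c, Evidence(False)).counts() for c in criteria[lvl]):
            level = lvl
        else:
            break
    return level


def assess(evidence: Dict[str, Dict[str, Evidence]]) -> Dict[str, int]:
    """Tabulate one assessment cycle: category -> maturity level."""
    return {cat: category_level(crit, evidence.get(cat, {}))
            for cat, crit in MATRIX.items()}


def compare(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Per-category change since the previous cycle ("am I better off?")."""
    return {cat: lvl - previous.get(cat, 1) for cat, lvl in current.items()}


def render(levels: Dict[str, int]) -> List[str]:
    """Plain-text bar chart, one line per category, five cells wide."""
    width = max(len(cat) for cat in levels)
    return [f"{cat.ljust(width)} |{'#' * lvl}{'.' * (5 - lvl)}| {lvl} {LEVEL_NAMES[lvl]}"
            for cat, lvl in levels.items()]


# Constructed results for two assessment cycles (not real data).
LAST_YEAR = {
    "Information Security Policy": {
        "policy_exists": Evidence(True, "policy page on intranet"),
        "policy_written": Evidence(True, "ISP-001 v1.0"),
        "policy_states_mandated_and_prohibited": Evidence(False),
        "periodic_reviews": Evidence(True, "review minutes, 2 cycles"),
    },
    "Access Control": {
        "accounts_created_on_request": Evidence(True, "ticket samples"),
    },
}
THIS_YEAR = {
    "Information Security Policy": {
        "policy_exists": Evidence(True, "policy page on intranet"),
        "policy_written": Evidence(True, "ISP-001 v2.1"),
        "policy_states_mandated_and_prohibited": Evidence(True, "ISP-001 sections 4-9"),
        "periodic_reviews": Evidence(True, "annual review minutes"),
        "policy_covers_all_business_areas": Evidence(True, "ISP-001 scope section"),
        "policy_owners_named": Evidence(True),  # claimed in interview, no artifact
        "review_interval_and_owner_in_policy": Evidence(True, "ISP-001 section 2"),
        "noncompliance_report_distributed": Evidence(False),
        "policy_updated_after_breach": Evidence(True, "change log entry"),
    },
    "Access Control": {
        "accounts_created_on_request": Evidence(True, "ticket samples"),
        "written_access_procedure": Evidence(True, "AC-PROC-7"),
        "joiner_leaver_process": Evidence(True, "HR/IT checklist"),
        "quarterly_access_recertification": Evidence(True, "Q1-Q4 sign-offs"),
        "exceptions_reported": Evidence(True, "exception register"),
    },
}

if __name__ == "__main__":
    before, after = assess(LAST_YEAR), assess(THIS_YEAR)
    print("\n".join(render(after)))
    for cat, delta in compare(before, after).items():
        print(f"{cat}: {delta:+d} level(s) since last year")
```

In the constructed data the policy row scores Level 3 this year even though a Level 5 criterion is demonstrated, because one Level 4 answer has no supporting artifact and another is false; that is the staged rule the deck relies on, and it is why the assessor's questions must produce verifiable evidence rather than opinions.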
Presenting the Results Graphically

(chart not reproduced in this text version)

cbaudoin@cebe-itkm.com

The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Security Maturity Assessment

  • 1. Schlumberger Public. Assessing the Security Maturity of an Organization. Claude R. Baudoin, Colin R. Elliott
  • 2. Overview
     Organizations need to measure their level of readiness w.r.t. security risks: you cannot improve what you do not measure.
     This is an irrational exercise absent a standard or methodology that provides objective and comparable measurements.
     A standard like ISO 17799 does not automatically allow an organization to: establish its level of compliance; measure progress over time; decide on required actions; prioritize them in view of finite budgets and resources.
     We have developed a new assessment tool, the Security Maturity Assessment: based on the SEI Capability Maturity Model (CMM) approach; includes practical advice on how to conduct an assessment; fits within an overall security improvement plan; patent pending.
  • 3. The Challenge
     The CIO or CSO needs to know: How secure am I? Am I better off now than I was at this time last year? Am I spending the right amount of money? How do I compare with my peers?
     Conflicting inputs and constraints: clients and regulators demand provable assurances; vendors propose products; budget constraints.
  • 4. A Source for Best Practices – ISO 17799
     Originally “British Standard 7799”; adopted internationally as ISO 17799 in 2000.
     Divides security into 10 areas: Information Security Policy; Organizational Security; Asset Classification and Control; Personnel Security; Physical and Environmental Security; Communication and Operations Management; Access Control; System Development and Maintenance; Business Continuity Management; Compliance.
  • 5. “Capability Maturity Model” Concept
     Created in 1995 by the Software Engineering Institute (SEI) at Carnegie-Mellon University to improve software processes.
     5 levels; “Key Process Areas” must be in place to qualify for each level.
     Widely adopted by the software industry.
     Level 5: Optimizing. Continuous process capability improvement. Key Process Areas: Process Change Management; Defect Prevention; Technology Change Management.
     Level 4: Managed. Product quality planning; tracking of measured software progress. Key Process Areas: Software Quality Management; Quantitative Process Management.
     Level 3: Defined. Software process defined and institutionalized to provide product quality control. Key Process Areas: Organization Process Focus; Organization Process Definition; Training Program; Integrated Software Management; Software Product Engineering; Intergroup Coordination; Peer Reviews.
     Level 2: Repeatable. Management oversight and tracking of projects; stable planning and product baselines. Key Process Areas: Requirements Management; Project Planning; Project Tracking / Oversight; Subcontract Management; Configuration Management.
     Level 1: Initial. Ad hoc, unpredictable, chaotic.
  • 6. Mapping ISO 17799 to Maturity Levels
     3.1.1 Information Security Policy Document: “A policy document should be approved by management, published and communicated, as appropriate, to all employees. It should state management commitment and set out the organization’s approach to managing information security.” → Defined
     3.1.2 Review and Evaluation: “The policy should have an owner.” There should be a “defined review process” ensuring that “a review takes place in response to any changes affecting the basis of the original risk assessment…” → Managed
     4.1.7 Independent review of information security: The implementation of the Information Security Policy should be “reviewed independently to provide assurance that organizational practices properly reflect the policy.” → Optimized
     Regroup these three concerns into Levels 3, 4 and 5 of the same row of the assessment matrix.
  • 7. The Assessment Matrix (sample row)
     Columns: ISO 17799 Categories; Level 1 (Initial); Level 2 (Repeatable); Level 3 (Defined); Level 4 (Managed); Level 5 (Optimizing).
     Level definitions, from lowest to highest: Informal, ad hoc (not written down, may be communicated through coaching); Formal & documented (in writing); Enforced & measured (responsibilities are defined explicitly); Dynamic (process exists for catching deviations and making constant improvements).
     Sample row, III.1 Information Security Policy (coverage of security policy in place; review of effective implementation of information security policy; review of Information Security Policy):
       Level 1: No security policy in place. No regular reviews.
       Level 2: Security policy exists, but as a general statement. Inferring what is specifically mandated or prohibited requires consulting specialized personnel.
       Level 3: Specific policy exists supporting business goals, clearly stating in detail what is mandated or prohibited. A “normal” person can easily understand it. Reviews carried out at intervals, but no clear responsibility for the reviews is defined explicitly in the policy.
       Level 4: Security policy covers all areas of business. Security policy is owned by appropriate functions including IT but also Finance, HR, Legal, etc. Organization policies define the roles and responsibilities in following procedures. Reviews carried out; intervals and management responsibility to trigger reviews or exploit results. A report on non-compliance is created and distributed to the business units for their review and action.
       Level 5: Clear responsibilities and mechanisms in place to upgrade policy if required after every breach of policy, and if business changes occur such as acquisition, divestiture, or major changes in business processes.
  • 8. SMA – Part of an Overall Security Improvement Process
     1. Management Awareness and Commitment → 2. Security Maturity Assessment → 3. Corrective Action Plan → 4. Action Plan Execution → 5. Ongoing Monitoring (cycle).
  • 9. Conducting the Assessment
     Communicate the purpose and process of the assessment.
     Determine who will be interviewed.
     Conduct the interviews and collect documentation.
     Ask follow-up questions.
     Tabulate the results.
     Evaluate the results and form an initial conclusion.
     Present the draft of the assessment results to the client.
     Obtain any information to correct factual errors or omissions.
     Deliver the final report.
  • 10. Pragmatic Aspects of an Assessment
     Interviewee Selection and Psychology: include non-IT and non-manager personnel; each type of person in the organization has hopes and fears; they have agendas, which often conflict.
     Objective Questions: bad question: “Do you think you have a good security policy?”; good question: “Were you asked to read and sign a security policy when you joined the company?”; a good question allows independent verification.
     Judging SMA Levels: CMM levels are much easier to apply than 0–10 scales.
  • 11. Presenting the Results Graphically (chart only)
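The tabulation step of slide 9 and the graphical summary of slide 11, as an added example that is not the authors' tool: the level criteria paraphrase the sample matrix row (III.1 Information Security Policy) from slide 7, scoring is staged as in CMM (a level counts only when every lower level is also met), and the interview evidence is constructed sample data.

```python
"""Tabulating Security Maturity Assessment results into CMM-style levels.
Added example, not the authors' tool: the level criteria paraphrase the
slides' sample matrix row (III.1 Information Security Policy); the interview
evidence is constructed sample data."""

LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Defined",
               4: "Managed", 5: "Optimizing"}

# Objective, independently verifiable yes/no criteria for each level of one area.
POLICY_CRITERIA = {
    2: ["policy_document_exists"],
    3: ["states_mandated_and_prohibited", "plain_language", "periodic_reviews"],
    4: ["covers_all_business_areas", "owned_by_business_functions",
        "review_responsibility_in_policy", "noncompliance_report_distributed"],
    5: ["updated_after_every_breach", "updated_on_business_change"],
}

def maturity_level(criteria, evidence):
    """Staged scoring as in CMM: a level counts only when its criteria and
    those of every lower level are all met. Level 1 (Initial) is the floor."""
    level = 1
    for lvl in sorted(criteria):
        if not all(evidence.get(c, False) for c in criteria[lvl]):
            break
        level = lvl
    return level

def tabulate(assessment):
    """assessment: {area: (criteria, evidence)} -> {area: level reached}."""
    return {a: maturity_level(crit, ev) for a, (crit, ev) in assessment.items()}

def compare(current, previous):
    """Per-area change since the last assessment (+1 = one level gained)."""
    return {a: current[a] - previous.get(a, 1) for a in current}

def render_bars(levels):
    """Text stand-in for the slides' graphical summary, one bar per area."""
    width = max(len(a) for a in levels)
    return [f"{a:<{width}} |{'#' * lv:<5}| {lv} ({LEVEL_NAMES[lv]})"
            for a, lv in levels.items()]

if __name__ == "__main__":
    # Constructed evidence: written, detailed and reviewed policy, but no business
    # ownership, so level 4 is missed even though one level-5 practice is in place.
    evidence = {"policy_document_exists": True, "states_mandated_and_prohibited": True,
                "plain_language": True, "periodic_reviews": True,
                "covers_all_business_areas": True, "updated_after_every_breach": True}
    levels = tabulate({"Information Security Policy": (POLICY_CRITERIA, evidence)})
    print("\n".join(render_bars(levels)))
```

Running the same tabulation on last year's evidence and feeding both results to compare() answers the "am I better off than last year?" question per ISO 17799 area.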