Security Maturity Assessment
Schlumberger Public
Assessing the Security Maturity
of an Organization
Claude R. Baudoin
Colin R. Elliott
Overview

• Organizations need to measure their level of readiness with respect to security risks
  • You cannot improve what you do not measure
• This is an irrational exercise absent a standard or methodology that provides objective and comparable measurements
• A standard like ISO 17799 does not automatically allow an organization to:
  • establish its level of compliance
  • measure progress over time
  • decide on required actions
  • prioritize them in view of finite budgets and resources
• We have developed a new assessment tool, the Security Maturity Assessment:
  • based on the SEI Capability Maturity Model (CMM) approach
  • includes practical advice on how to conduct an assessment
  • fits within an overall security improvement plan
  • patent pending
The Challenge

• The CIO or CSO needs to know:
  • How secure am I?
  • Am I better off now than I was at this time last year?
  • Am I spending the right amount of money?
  • How do I compare with my peers?
• Conflicting inputs and constraints:
  • Clients and regulators demand provable assurances
  • Vendors propose products
  • Budget constraints
A Source for Best Practices – ISO 17799

• Originally “British Standard 7799”
• Adopted internationally as ISO 17799 in 2000
• Divides security into 10 areas:
  1. Information Security Policy
  2. Organizational Security
  3. Asset Classification and Control
  4. Personnel Security
  5. Physical and Environmental Security
  6. Communication and Operations Management
  7. Access Control
  8. System Development and Maintenance
  9. Business Continuity Management
  10. Compliance
“Capability Maturity Model” Concept

• Created in 1995 by the Software Engineering Institute (SEI) at Carnegie-Mellon University to improve software processes
• 5 levels
• “Key Process Areas” must be in place to qualify for each level
• Widely adopted by the software industry

Key Process Areas:
• Requirements Management
• Project Planning
• Project Tracking / Oversight
• Subcontract Management
• Configuration Management
• Organization Process Focus
• Organization Process Definition
• Training Program
• Integrated Software Management
• Software Product Engineering
• Intergroup Coordination
• Peer Reviews
• Software Quality Management
• Quantitative Process Management
• Process Change Management
• Defect Prevention
• Technology Change Management

The five levels:
• Level 1 (Initial): Ad hoc, unpredictable, chaotic.
• Level 2 (Repeatable): Management oversight and tracking of projects; stable planning and product baselines.
• Level 3 (Defined): Software process defined and institutionalized to provide product quality control.
• Level 4 (Managed): Product quality planning; tracking of measured software progress.
• Level 5 (Optimizing): Continuous process capability improvement.
Mapping ISO 17799 to Maturity Levels

3.1.1 Information Security Policy Document (Level 3: Defined)
“A policy document should be approved by management, published and communicated, as appropriate, to all employees. It should state management commitment and set out the organization’s approach to managing information security.”

3.1.2 Review and Evaluation (Level 4: Managed)
“The policy should have an owner.”
There should be a “defined review process” ensuring that “a review takes place in response to any changes affecting the basis of the original risk assessment…”

4.1.7 Independent Review of Information Security (Level 5: Optimized)
The implementation of the Information Security Policy should be “reviewed independently to provide assurance that organizational practices properly reflect the policy.”

Regroup these three concerns into Levels 3, 4 and 5 of the same row of the assessment matrix.
The Assessment Matrix (sample row)

Columns: ISO 17799 Categories | Level 1 (Initial) | Level 2 (Repeatable) | Level 3 (Defined) | Level 4 (Managed) | Level 5 (Optimizing)

Level Definitions
• Level 1 (Initial): Informal, ad hoc.
• Level 2 (Repeatable): Not written down; may be communicated through coaching.
• Level 3 (Defined): Formal & documented (in writing).
• Level 4 (Managed): Enforced & measured; responsibilities are defined explicitly.
• Level 5 (Optimizing): Dynamic; a process exists for catching deviations and making constant improvements.

III.1 Information Security Policy
Aspects assessed in this row: coverage of security policy; review of effective implementation of information security policy; review of information security policy.
• Level 1 (Initial): No security policy in place.
• Level 2 (Repeatable): Security policy exists, but as a general statement. Inferring what is specifically mandated or prohibited requires consulting specialized personnel. No regular reviews.
• Level 3 (Defined): Specific policy exists supporting business goals, clearly stating in detail what is mandated or prohibited. A "normal" person can easily understand it. Reviews carried out at intervals, but no clear management responsibility to trigger reviews or exploit results.
• Level 4 (Managed): Security policy covers all areas of business. Security policy is owned by appropriate functions including IT but also Finance, HR, Legal, etc. Organization policies define the roles and responsibilities in following procedures. Reviews carried out; intervals and responsibility for the reviews are defined explicitly in the policy. A report on non-compliance is created and distributed to the business units for their review and action.
• Level 5 (Optimizing): Clear responsibilities and mechanisms in place to upgrade policy if required after every breach of policy, and if business changes occur such as acquisition, divestiture, or major changes in business processes.
SMA – Part of an Overall Security Improvement Process

1. Management Awareness and Commitment
2. Security Maturity Assessment
3. Corrective Action Plan
4. Action Plan Execution
5. Ongoing Monitoring
Conducting the Assessment

• Communicate the purpose and process of the assessment
• Determine who will be interviewed
• Conduct the interviews and collect documentation
• Ask follow-up questions
• Tabulate the results
• Evaluate the results and form an initial conclusion
• Present the draft of the assessment results to the client
• Obtain any information to correct factual errors or omissions
• Deliver the final report
Pragmatic Aspects of an Assessment

Interviewee Selection and Psychology
• Include non-IT and non-manager personnel
• Each type of person in the organization has hopes and fears
• They have agendas, which often conflict

Objective Questions
• Bad question: “Do you think you have a good security policy?”
• Good question: “Were you asked to read and sign a security policy when you joined the company?”
• A good question allows independent verification

Judging SMA Levels
• CMM levels are much easier to apply than 0–10 scales
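To make the "tabulate the results" step and the objective-question idea concrete, here is an added example (not the authors' tool and not part of the original deck) that encodes the sample III.1 row of the assessment matrix as independently verifiable yes/no criteria, applies the CMM rule that a level is earned only when its Key Process Areas are in place (assumed cumulative across lower levels), lists the unmet criteria that would feed the corrective action plan, and compares two assessments to answer "am I better off than last year?". The criterion strings and the interview evidence are constructed paraphrases of the slide's cells.

```python
"""Tabulating one row of the Security Maturity Assessment matrix."""

# Sample III.1 row of the assessment matrix, reduced to independently
# verifiable yes/no criteria per CMM level. Level 1 (Initial) is what remains
# when no Level 2 criterion holds. Strings are constructed paraphrases.
CRITERIA = {
    "III.1 Information Security Policy": {
        2: ["written security policy exists, even as a general statement"],
        3: ["policy states in detail what is mandated or prohibited",
            "policy is understandable without consulting specialists",
            "policy reviews are carried out at intervals"],
        4: ["policy covers all areas of the business",
            "policy is owned by IT and by Finance, HR, Legal, etc.",
            "review intervals and responsibility are defined in the policy",
            "a non-compliance report goes to business units for action"],
        5: ["policy is upgraded after every breach of policy",
            "policy is upgraded on acquisition, divestiture or process change"],
    },
}


def maturity_level(row, evidence):
    """CMM rule (assumed cumulative): level N needs every criterion at 2..N."""
    level = 1
    for n in sorted(CRITERIA[row]):
        if not all(evidence.get(c, False) for c in CRITERIA[row][n]):
            break
        level = n
    return level


def gaps_to_next_level(row, evidence):
    """Unmet criteria at the next level: input for the corrective action plan."""
    nxt = maturity_level(row, evidence) + 1
    return [c for c in CRITERIA[row].get(nxt, []) if not evidence.get(c, False)]


def progress(previous, current):
    """Per-row level change between two assessments ('better off than last year?')."""
    return {row: maturity_level(row, current[row]) - maturity_level(row, previous[row])
            for row in current}


# Constructed interview evidence for two successive assessments.
ROW = "III.1 Information Security Policy"
LAST_YEAR = {ROW: {CRITERIA[ROW][2][0]: True}}
THIS_YEAR = {ROW: {c: True for n in (2, 3) for c in CRITERIA[ROW][n]}}
THIS_YEAR[ROW][CRITERIA[ROW][4][0]] = True  # only one Level 4 criterion met
```

With the constructed evidence the row rates Level 2 last year and Level 3 this year, and the three unmet Level 4 criteria are what the corrective action plan would target.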
Presenting the Results Graphically