o-ism3 vs iso27001
DESCRIPTION
TRANSCRIPT
What is broken with ISO27001 and how to fix it using
ISM3 Consortium
Location, EventAuthor, Month, Year
Security Standards
Management: ISM3 Standard of Good Practice for Information Security from ISF. ISO 27001. Cobit by ISACA. IT Baseline Protection by BSI
Risk Management Magerit by Ministerio de Administraciones Públicas (Spain). OCTAVE by Software Engineering Institute. May others.
Products and Systems Engineering: SSE-CMM (ISO/IEC 21827: 2002) ISO15408 Common Criteria
ISMS Certification
Why companies go for ISMS certification? The main reason is that they want to show
they are serious about information security This doesn’t necessarily mean that they are
serious about information security.
ISMS Certification
What is certification good for? It is a driver for implementation of better ISM
practices.
ISMS Certification - Trust
Establishing trust relationships.
ISMS Certification - Trust
A way to evidence the organization's stance on security; A part of a contract to ensure commitment by one of the
parties to security management; A selling point for vendors; A possible requirement for outsourcing providers; A mechanism to ensure mutual understanding of the
services obtained from an security outsourcing provider.
ISMS Certification - Trust
Trust relationships with Third Parties, like Partners, Customers and Suppliers.
ISMS Certification - Challenges
Challenges (1/3) Certification doesn’t guarantee performance.
Performance depends on the budget, the capability and the commitment of those involved in running it.
Certification only guarantees that the cause of faults is not poor process design.
Poor performers and bogus certifications lower the reputation of the certification and damage the reputation of all certificate holders.
ISMS Certification - Challenges
Specification
ISMS Certification - Challenges
Different Implementations
ISMS Certification - Challenges
If you get the same certificate
ISMS Certification - Challenges
For different implementations
ISMS Certification - Challenges
The market reputation you will get is that of the worst implementation
ISMS Certification - Challenges
Challenges (2/3): Some threats fall out of the scope of information
security:– Human error;– Incompetence;– Fraud;– Corruption.
ISMS Certification - Challenges
ISMS Certification – Challenges
Challenges (3/3): Certification alone doesn’t take capability levels
beyond “Managed”:– Undefined. The process might be used, but it is not
defined.– Defined. The process is documented and used.– Managed. The process is Defined and the
results of the process are used to fix and improve the process.
– Controlled. The process is Managed and milestones and need of resources is accurately predicted.
– Optimized. The process is Controlled and improvement leads to a saving in resources.
ISMS Certification - Summary
Certification doesn’t guarantee performance.
Bad performers damage the reputation of all certificate holders.
Traditional approach to security:
“We want to prevent attacks from succeeding”. With this approach, to be secure means to be invulnerable.An incident is any loss of confidentiality, integrity or availability.You look at a piece of data and think: Is it confidential, has it got integrity, is it available?
ISM3 Approach
“We want to guarantee that our business goals are met”. With this approach, to be secure means to be reliable, despite attacks, accidents and errors.An incident is a failure to meet a security objective resulting from accidents, errors or attacks. Using ISM3 you look at a piece of data and think: What properties of this data must be protected for it to have business value?
Comparison
Traditional: The Invoicing Database Confidentiality is HIGH, Availability: HIGH, Integrity is MEDIUM.
ISM3: Invoices should be accessible to the Accountancy department and the Collection department only - Paid Invoices are to be kept for 3 years and destroyed after no more than four years - The system has to register the user account, the date and time of invoice creation. - The system needs to be available 9 to 5 Monday to Friday, with no more than 5 interruptions per week, with a duration of no more than one hour in total, and causing no more 15 Invoices to be re-entered. - There must be less than 5 errors per hundred invoices. - More than 99,8% of products served must be invoiced. - The system is a third party application that which license must be kept current. - The invoicing system keeps personal information, according to the law the database must be registered at the Data Protection agency. -The system must not be visible to systems from outside the company or have any remote access. - The system must be kept in the Data Center under controlled environmental conditions and company safeguards against fire, flood, etc
ISM3 Business Focus
Business Goals
Security Goals
Quality Goals
ISM3 Business Focus
Security Goals
Business Needs and Limitations
Compliance Needs and Limitations
Technical Needs and Limitations
Business Goals
Security Goals Quality Goals
ISM3 Business Focus
Business Goals – Fundamental to the existence of an organization. Resilience depends on security objectives.
Security Objectives are derived from business, compliance and technical needs and limitations. This are the goals of the ISM.
Security Targets measure the achievement of security objectives in business terms.
ISM3 - What needs protection?
Business Objectives examples: Paying taxes in time; Invoice all products and services provided; Keep any records needed to pass
successfully any audit, like a tax audit or a software licenses audit.
Security Objectives. Security Targets.
ISM3 - What protection is needed?
Business Objectives. Security Objectives examples:
Business needs and limitations: “Secrets should be accessible to authorized users only”
Compliance needs and limitations: “Repositories with Personal information have to be registered with the Data Protection agency”
Technical needs and limitations: “Systems are as free of weaknesses as possible”
Security Targets.
ISM3 - Is protection successful?
Business Objectives. Security Objectives. Security Targets examples.
Business targets: “Less than 2 secrets revealed every year, accounting for less than 0.1% of the value of the company”
Compliance targets: “Fewer than one incident every two years where a Repository is not registered”
Technical targets: “Medium update level in the DMZ environment below 3 days”
ISM3 - Continuous Improvement
What you can’t measure you can’t manage.
What you can’t manage you can’t improve.
ISM3 uses PDCA per process & Metrics for continuous improvement.
ISM3 - Continuous Improvement
Security Targets.
Process Management Metrics: Activity. Coverage. Update. Availability.
ISM3 can be used for a better ISO27001 Implementation or alone.
Example for Patching of Critical Systems12.5.2 Technical review of applications after
operating system changes:When operating systems are changed,
business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
ISM3 & ISO27001
Process OSP-5 Environment Patching
Description This process covers the on-going update of services to prevent incidents related to known weaknesses.
Rationale Patching prevents incidents arising from the exploitation of known weaknesses in services.
Documentation OSP-051-Services Update Level Report Template, OSP-052-Services Patching Management Procedure
Inputs Inventory of Assets, Alerts and Fixes Report
Work Products Up to date services in every environment, Services Update Level Report.
Activity Number of Work Products submitted, Number of patching updates in information systems
Scope Percentage of information systems covered by the process
Update Time since last Work Products submission
Mean time between Work Products submissions
Update level, calculated as follows:
1. Every information system update level is equal to the sum of the number of days old that are all the security patches pending to apply. 2. The environment update level is equal to the sum of the individual update levels, divided by the number of information systems.
The lower this metric, the better. This metric allows checking of the progress of the patching process, and comparison of the update level of different environments.
Availability Percentage of time the patching systems are available
ISM3 Guidance on Patching of Systems
Process OSP-5 Environment Patching
Description This process covers the on-going update of services to prevent incidents related to known weaknesses.
Rationale Patching prevents incidents arising from the exploitation of known weaknesses in services.
Documentation OSP-051-Services Update Level Report Template, OSP-052-Services Patching Management Procedure
Inputs Inventory of Assets, Alerts and Fixes Report
Work Products Up to date services in every environment, Services Update Level Report.
Activity Number of Work Products submitted, Number of patching updates in information systems
Scope Percentage of information systems covered by the process
Update Time since last Work Products submission
Mean time between Work Products submissions
Update level, calculated as follows:
1. Every information system update level is equal to the sum of the number of days old that are all the security patches pending to apply. 2. The environment update level is equal to the sum of the individual update levels, divided by the number of information systems.
The lower this metric, the better. This metric allows checking of the progress of the patching process, and comparison of the update level of different environments.
Availability Percentage of time the patching systems are available
WHAT
WHY
METRICS
METRICS
METRICS
METRICS
RESULTS
INPUTS
DOCUMENTS
ID
ISM3 Guidance (Explained)
ISM3 compared to ISO27001
Criteria ISM3 ISO27001Maturity Levels Five No
Organizational Model
Process ownerCustomerRolesResponsibilitiesTPSRSRProcesses
Management /Not Management
Link between Business Goals and Information Security
Information qualities:- Access Control- Durability- Quality- Priority- Compliance- Technical
Security Objectives- Attacks- Errors- Accidents
Security TargetsIncident: Breach of a security objective
Information qualities- Confidentiality- Availability- Integrity
- Attacks
Incident: Breach of CIA.
ISM3 compared to ISO27001
Criteria ISM3 ISO27001
Security Processes Selection
Suited to Security Objectives and Targets
Types of assessment:-Threat Assessment;- Vulnerability Assessment;- Business Impact Analysis;- Risk Assessment;- ROSI Analysis.
Controls not adopted have to be justified for successful accreditation.
- Risk Assessment
Success criteria Yes NoParadigm Process based Controls basedUse of PDCA Pre process basis Whole ISMS basis
Improvement Cycle Continuous using metricsDiscrete, with long Audit - Risk Assessment cycles.
OutsourcingMetrics can be used to create SLAs, KGIs, KPIs
No support
Approach Top-Down Botton-up
ISM3 compared to ISO27001
Criteria ISM3 ISO27001
GoalAchievable Security / Maximize ROSIRationale specified per process
Absolute Security / InvulnerabilityRationale not specified
Inputs Yes NoOutputs Yes No
Metrics
Security TargetsScopeAvailabilityActivityUpdate
No
AccreditableYes, ISO9001 and ISO27001 (level 4&5) compatible
Yes
Distribution of responsibilities
StrategicTacticalOperationalProcess owner example
No
References Rich in references to best practices None
ISM3 compared to ISO27001
1. Incidents Happen, ISO27001 or no ISO27001.
2. Security is a negative result (No Incidents equals Security).
3. But if just One Incident happening meant the ISMS has Failed, then all ISO27001 would be Failures.
4. How can you tell a successful ISO27001 from a failed one? Can that depend on a single Incident? How many Incidents are too many?
5. How can you improve cost-effectively an ISMS if you don’t know when good is good enough?
ISM3 Flexibility
ISM3 is adaptable to organizations with different missions and contexts.
ISM3 is adaptable to organizations with different resources. Security investment is driven by business need. Some organizations may not have a huge budget for
Information Security ( 20 / 80 Rule). Maturity levels describe different levels of
sophistication of ISM systems. Organizations can identify appropriate processes,
choose a level suitable for them, and show implementation progress.
ISM3 Maturity Levels
Security Investment & Risk
Level 0 Level 1 Level 2 Level 3 Level 4 Level 5
Security Investment
Risk
Risk Reduction/Extra Security Investment
(Qualitative Graphic. Risk Reduction / Extra Security Investment, scaled x40 for readability)
ISM3 Maturity Levels (examples)
ISM3 Level 1 - Significant risk reduction from technical threats, for a minimum investment in essential ISM processes. For organizations with low Information Security Targets in low risk
environments.
ISM3 Level 3 - Highest risk reduction from technical threats, for a significant investment in Information Security processes. For organizations with high Information Security Targets in normal or
high-risk environments.
ISM3 Level 5 - Highest risk reduction from technical and internal threats, for a high and optimized investment in Information Security processes. For organizations affected by specific requirements (such as utilities,
and financial institutions) with high Information Security Targets in normal or high-risk environments.
Reporting
Strategic Managers
Tactical Managers
Operational Managers
Stakeholders
Report
Report
Report
Responsibilities Distribution
Deal with broad goals, coordination and provision of resources;
Deals with the design and implementation of the ISM system, specific goals and management of resources;
Deals with achieving defined goals by means of technical processes.
Strategic Practices
Tactical Practices
Operational Practices
Responsibilities Distribution
Strategic Practices
Tactical Practices
Operational Practices
Generic Practices
Specific Goals
Specific Goals
Specific Goals
Generic Goals
Direct and Provide
Implement and Optimize
Support
Responsibilities Distribution
Advantages of ISM3
Maturity Levels make easier to prioritize and optimize investment in information security.
ISO9001 compatible certifications; Some companies can't make big investments. It is well known that 20% of investment can give 80% of the results, but there is no way to show this. ISM3 levels 1 to 3 can help here.
It scales to small and big organizations. The use of separate process in every environment prevents using procedures for restrictive environments all over the organization.
Advantages of ISM3
It supports explicitly the outsourcing of security management and operations processes. The results for each process are defined and the responsibilities to perform each process are defined too.
It provides metrics, that help to manage the processes, measure the success and improve the ISM system.
It is possible to achieve capability levels beyond Managed.
It provides Information Security Governance guidance.
Summary
Business Focused Manageable (with Metrics) Compatible (ITIL, ISO27001, ISO9001, CobIT) Adaptable Flexible Open Standard, readily available Rich in implementation guidance
Learn to implement High PerformanceSecurity Management Processeshttp://cli.gs/ism3
Web www.inovement.esVideo Blog youtube.com/user/vaceitunoBlog ism3.comTwitter twitter.com/vaceitunoPresentationsslideshare.net/vaceituno/presentationsArticles slideshare.net/vaceituno/documents
ISMS Certification
You can check the information security management methodology ISM3 at: www.ISM3.com
THANKS