Security Maturity Model
0 likes•1,540 views
The document introduces the Security Maturity Model (SMM) which describes an organization's security maturity based on factors such as security responsibilities, organization, practices, policies, access control, audits, and security investment management. It outlines 5 levels of security maturity for organizations from initial/ad hoc (Level 1) to optimum/embedded (Level 5). Levels 3-5 involve defined, managed, and quantitative security practices and responsibilities. The SMM also describes a Security Norms Framework for developing flexible and domain-specific security policies, norms, standards and procedures.
Security Maturity Model
- 1. First Improvised Security Testing Conference Madrid 18/7/2003 Security Maturity Model © Vicente Aceituno
- 2. “You are only as strong as your weakest link” 2 © Vicente Aceituno, [email protected]
- 3. In 1995, Nick Leeson traded derivatives bringing Barings Bank bankrupt. Information systems were not at fault. 3 © Vicente Aceituno, [email protected]
- 4. …an Organization is much more than information systems… Information Infrastructure Systems People Trademark & Know-How Prestige Financial Assets 4 © Vicente Aceituno, [email protected]
- 5. Are we sure auditing an information system will make an Organization safer in the long run? How about… Organization issues. Security Targets (Policy) issues. Security Investment Performance issues. A perfectly configured and patched system won’t stay that way for long in an Insecure Organization! 5 © Vicente Aceituno, [email protected]
- 6. OK. How can we know how secure an Organization is and how to make it safer? 6 © Vicente Aceituno, [email protected]
- 7. Introducing the Security Maturity Model SMM describes the maturity of an organization depending on: Assignment and supervision of responsibilities. Security organization. Security practices. Policies: Expectation-driven targets. Distributed Policy Enforcement Responsibility. Access Control management. Independent audits. Quantitative data gathering. Etc… Security investment management. 7 © Vicente Aceituno, [email protected]
- 8. SMM Level 1 - Initial Security is not acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or individual efforts. The presence of incidents invariably leads to the maximum impact that could be expected. 8 © Vicente Aceituno, [email protected]
- 9. SMM Level 2 - Acknowledged Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or some organizational efforts. The presence of incidents doesn’t always lead to the maximum impact that could be expected. Expectations, incidents, and assets are sometimes evaluated. Security measures are taken until the budget is exhausted. The results of the organizational efforts fades with time. From here on “Evaluation” means: Identify, Classify, Prioritize, Value 9 © Vicente Aceituno, [email protected]
- 10. SMM Level 3 - Defined Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of luck or continuous organizational efforts. The presence of incidents normally doesn’t lead to the maximum impact that could be expected. Expectations, incidents and assets are sometimes evaluated. Security measures are taken until the budget is exhausted. Organizational security responsibilities are defined. A Security Policy exists. Assets are accessed using sessions. Security measures are audited. The results of the organizational efforts are permanent. 10 © Vicente Aceituno, [email protected]
- 11. SMM Level 4 - Managed Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents virtually never leads to the maximum impact that could be expected. Expectations, incidents and assets are evaluated. The best security measures are taken considering the budget. Organizational security responsibilities are defined. A Security Norms Framework exist and is applied. Assets are accessed using sessions only. Security measures are audited. Responsibilities are partitioned and supervised. A “Continuity of Operations Plan” exists. This plan considers the organization’s current status, and is properly implemented. The results of the organizational efforts are permanent. 11 © Vicente Aceituno, [email protected]
- 12. SMM Level 5 - Optimum Security is acknowledged as a desirable property of the organization. The absence of incidents is the result of continuous organizational efforts. The presence of incidents doesn’t lead to the maximum impact that could be expected. Expectations, incidents and assets are evaluated quantitatively. The best security measures are taken considering the budget. It can be determined if the budget is consistent with the targets defined by the Security Norms Framework. Organizational security responsibilities are defined. A Security Norms Framework exist and is applied. Assets are accessed using sessions only. Security measures are audited. Responsibilities are partitioned and supervised. A “Continuity of Operations Plan” exists. This plan considers the organization’s evolution and is properly implemented. Quantitative information is collected about incidents or close calls. Security measures are selected using objective criteria. The results of the organizational efforts are permanent. 12 © Vicente Aceituno, [email protected]
- 13. SMM SMM – Security Norms Framework Security Policies as a single document are not flexible enough in a big organization and quickly become worthless. An effective Security Policy describes the high-level principles that describe the targets (why) and the strategies (what) to reach them. The Security Norms develop the strategies describing the scope (where and when) of the security practices. The Security Standards develop the norms with specifications per domain, than can be checked. Security Procedures develop standards and norms and give a step-by-step description of the who and how of the practice. The Operations Continuity Plan is a procedure that specifies how to act when a catastrophe happens. The Fair Use norm informs users about their obligations when using the organization’s systems. The Third Party Agreements define mutual security commitments at the organization’s borders with others. 13 © Vicente Aceituno, [email protected]
- 14. SMM SMM –Sublevels. Depending on the degree of integration of the existing practices, such as: Theorized: The practice is identified as compulsory in the Security Norms Framework, but the scope norms, standards and procedures don’t exist. Procedured: There are norms, standards & procedures for this practice. Implemented: The norms of the practice are actually used. Verified: The results of the procedures used are audited periodically. Integrated: Circumvention of the norms of the practice is insignificant. …an organization may occupy any sublevel within a given level. 14 © Vicente Aceituno, [email protected]
- 15. SMM SMM – Summary. Using SMM you can: Determine what is your organization’s maturity. Set a maturity target. Plan for maturity enhancement. Benefits: Every partial result of achieving the higher SMM Levels won’t depend any longer on external contractors. Ever. Improve customer and stockholder's trust on the organization. Maximize turnover of Security Investment. Avoid non-technical security risks, setting an environment where there are no weak links. 15 © Vicente Aceituno, [email protected]
- 16. This presentation is just an overview. The SMM is being further developed at the smmodel Group [email protected] groups.yahoo.com/group/smmodel © Vicente Aceituno 18 de Julio de 2003 Open Content Licenced www.opencontent.org/opl.shtml SMM