Security Process Maturity

Implementing Security as a Set of Measurable Processes


How mature is security in your organization? Thanks to the ISM3 Consortium, we have a framework for measuring the security maturity of any organization. ISM3 looks at security as a set of defined processes. Each level of maturity has its own processes. Organizations can decide how much security is enough for their type of business and ensure that the processes at that level are defined and implemented.

This article provides a high level view of the operational processes of ISM3. Learn more about ISM3 and its strategic and tactical processes at http://www.ism3.com.

Level One Security

Level one security is suitable for organizations that have very low risk of security threats. These companies have few or no servers and operate primarily using personal computers. At this level, the operational security processes require little investment yet reduce the risk of security threats.

The operational processes for level one are:
  • Patch management
  • Segmentation and filtering
  • Malware protection
  • Backup management
  • Reporting to tactical management
These processes may be performed by existing IT operations personnel and do not require a dedicated security staff.

Level Two Security

For most businesses, level one will not provide enough security to protect their information assets. If a company needs to demonstrate due care to its business partners, has many users of server-based applications, and handles sensitive information, it needs to move up to the security processes listed in ISM3's second level.

Level two provides additional protection against technical security threats. It requires more security investment, but not significantly higher. The processes in level two build on the level one processes. To achieve this level, you will need to define and manage all of the level one and level two tasks.

The level one processes can be accomplished by IT technical staff, but level two requires a combination of dedicated security professionals and coordination with the IT departments responsible for server and application administration.

The operational security processes for level two are:
  • Select security tools
  • Environment change control
  • Data clearing
  • System hardening
  • Security measures change control
  • Access control
  • User registration
  • Physical security
  • Internal technical audit
  • Alerts monitoring
Level 2 security is a good starting point for securing your organization, but it may not meet compliance standards such as SAS 70, SOX 404, PCI, and NERC-CIP. If you are required to comply with these standards, you'll need to move up to level 3 or 4.


Level Three Security

The third level of ISM3 requires significant investment, but it provides a high level of protection against technical security threats. This level is important for organizations that have high security risks and many critical assets, especially externally facing applications.

The jump from level two to level three does not add many processes, but the processes require more people and time commitment. In addition, these processes require more participation from business function owners, IT operations, project management, and software development. To achieve this level, your security staff will need skills to create a collaborative, participative environment.

The level three operational security processes are:
  • Asset classification and management
  • SDLC control
  • Operations continuity management
  • Incident response
  • Incident emulation
The level 3 processes build on the previous levels. Building a solid foundation at levels one and two before tackling level 3 will provide broad security coverage of systems, processes, and people.


Level Four Security

Level four of ISM3 adds the remaining security processes in the model. This level requires the highest investment, but provides the highest level of protection against technical and internal threats. The security processes in this level are necessary if your organization operates in a highly regulated environment with information assets that are targets for attackers. Examples include stock exchanges, financial institutions, and utilities.

The operational security processes for level 4 are:
  • Enhanced reliability and availability management
  • Information archiving
  • Information quality and compliance probing
  • Events detection and analysis
  • Forensics
If level four fills in the remaining security processes, what's left for level five?


Level Five Security

Security managers are often plagued by the question, “How do I make security measurable?” Since security does not produce a product or have a positive impact on the cash flow of a company, creating meaningful measurements that justify an organization's expenditure on security is challenging. This is where ISM3 provides a great tool for measuring security.

ISM3's level five is about taking all of the processes of levels one through four and using them to communicate the coverage and effectiveness of security.

ISM3 defines seven types of metrics that work well within this maturity model:

Process Metrics
  • Number of times a security process was performed in a period
  • Scope of protection as a percentage of assets protected by the process
  • Time since the last update of process outputs
  • The time since a security process has produced the expected output
Performance Metrics
  • Return on Security Investment (ROSI) as the percentage of losses avoided compared to the cost of the process
  • Comparison of the process output to a baseline or benchmark
  • Ratio of available resources in actual use
Measuring each of the ISM3 processes implies that there is a system that easily captures metrics as part of normal operation. Without a centralized metrics reporting system, ISM3 level five will be unsustainable.
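The metrics above only work if every process run is captured as data. As an added illustration (not code from the article or from the ISM3 Consortium), the following script takes a small set of constructed process-run records and computes the process metrics listed above per process: runs in a period, scope as a percentage of assets covered, time since the last run, and time since the last run that produced its expected output. It also flags processes whose expected output is stale, and computes ROSI and resource utilization. The `ProcessRun` record layout, the asset identifiers, and the reading of ROSI as losses avoided divided by process cost are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProcessRun:
    """One execution of an operational security process, as a metrics system would capture it.
    This record layout is assumed for the example; ISM3 does not prescribe it."""
    process: str
    ran_at: datetime
    produced_output: bool           # did the run deliver its expected output (report, image, ticket)?
    assets_covered: FrozenSet[str]  # asset identifiers this run actually protected


@dataclass
class ProcessMetrics:
    runs_in_period: int
    scope_pct: float                          # assets protected / assets in scope, as a percentage
    hours_since_last_run: Optional[float]     # None when the process never ran in the period
    hours_since_last_output: Optional[float]  # None when no run produced its expected output


def _hours_since(now: datetime, when: datetime) -> float:
    return (now - when).total_seconds() / 3600.0


def process_metrics(runs: Iterable[ProcessRun], expected_processes: Iterable[str],
                    all_assets: Set[str], period_start: datetime,
                    now: datetime) -> Dict[str, ProcessMetrics]:
    """Compute per-process metrics; processes that never ran still appear, with zero coverage,
    so a gap in the process set is visible rather than silently missing."""
    result: Dict[str, ProcessMetrics] = {}
    for name in expected_processes:
        mine = [r for r in runs if r.process == name and period_start <= r.ran_at <= now]
        covered = set().union(*(r.assets_covered for r in mine)) & all_assets
        last_run = max((r.ran_at for r in mine), default=None)
        last_out = max((r.ran_at for r in mine if r.produced_output), default=None)
        result[name] = ProcessMetrics(
            runs_in_period=len(mine),
            scope_pct=100.0 * len(covered) / len(all_assets) if all_assets else 0.0,
            hours_since_last_run=_hours_since(now, last_run) if last_run else None,
            hours_since_last_output=_hours_since(now, last_out) if last_out else None,
        )
    return result


def stale_processes(metrics: Dict[str, ProcessMetrics], max_hours: float) -> List[str]:
    """Processes whose last expected output is older than max_hours, or that never produced one."""
    return sorted(name for name, m in metrics.items()
                  if m.hours_since_last_output is None or m.hours_since_last_output > max_hours)


def rosi_percent(losses_avoided: float, process_cost: float) -> float:
    """ROSI read as losses avoided compared to process cost, expressed as a percentage (assumed reading)."""
    if process_cost <= 0:
        raise ValueError("process cost must be positive")
    return 100.0 * losses_avoided / process_cost


def resource_utilization(in_use: float, available: float) -> float:
    """Ratio of available resources (staff hours, licences, capacity) actually in use."""
    if available <= 0:
        raise ValueError("available resources must be positive")
    return in_use / available


# Constructed sample data: five assets, three expected level-one processes, two of which ran.
ALL_ASSETS = {"srv-01", "srv-02", "srv-03", "ws-01", "ws-02"}
EXPECTED = ["patch_management", "backup_management", "malware_protection"]
PERIOD_START = datetime(2008, 7, 1)
NOW = datetime(2008, 7, 24, 12, 0)
SAMPLE_RUNS = [
    ProcessRun("patch_management", datetime(2008, 7, 1), True, frozenset({"srv-01", "srv-02", "srv-03"})),
    ProcessRun("patch_management", datetime(2008, 7, 15), True, frozenset({"srv-01", "srv-02"})),
    # the latest patch run covered the most assets but failed to produce its compliance report
    ProcessRun("patch_management", datetime(2008, 7, 22), False, frozenset({"srv-01", "srv-02", "srv-03", "ws-01"})),
    ProcessRun("backup_management", datetime(2008, 7, 20), True, frozenset({"srv-01", "srv-02"})),
    ProcessRun("backup_management", datetime(2008, 7, 23), True, frozenset({"srv-01", "srv-02"})),
]

if __name__ == "__main__":
    metrics = process_metrics(SAMPLE_RUNS, EXPECTED, ALL_ASSETS, PERIOD_START, NOW)
    for name, m in metrics.items():
        print(f"{name:20s} runs={m.runs_in_period} scope={m.scope_pct:5.1f}% "
              f"last_run_h={m.hours_since_last_run} last_output_h={m.hours_since_last_output}")
    print("stale (>1 week without expected output):", stale_processes(metrics, 168))
    print("ROSI %:", rosi_percent(50000, 20000), " utilization:", resource_utilization(3, 4))
```

With the sample data, patch management shows 80% scope but its last expected output is over nine days old because the most recent run failed to deliver its report, and malware protection shows up as never having run at all; both are exactly the conditions the "time since expected output" metric is meant to surface.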

The most important reason for measuring your security processes is to identify how well you are operating and work on continuous improvement. At this level, managing the process of continuous improvement is important. By measuring, automating, improving, and communicating your security metrics, you will create a sustainable, continuously improving security operation.


Conclusion

Applying the right amount of security requires that you balance security with business goals and risks. Using ISM3 allows you to pick the level of security that makes sense for your organization. It then allows you to work your way in measurable steps to the level that's right for you.

Learn more about measurable security processes at Red Light Security (http://www.redlightsecurity.com).

Version: 2
Last edited: Jul 24, 2008 7:36 PM.