ISO27000.COM.BR Information Security Group
Proposal of Information Security Maturity Model
Luciano Johnson, CISM, CRISC [email protected]
Agenda
• Objectives, approach and limits
• Roadmap
• Processes Definition
• Maturity Definition
• Self-Assessment Application
• Validation in the Parana State Market
• Final Comments
Objectives, approach and limits
• Search for competitive differential
• New technologies and challenges.
• Needs for public and private organizations.
• Brazilian government research (TCU 2007/2010).
• Use of ISO standards.
• Use of COBIT model.
• Methodological approach.
Objectives, approach and limits
• Problem to solve:
– How to assess information security inside organizations through a structured approach, based on the ISO/IEC 27002:2005 standard?
• Paradigm to be broken:
– Network security: Firewall, Proxy, IDS/IPS tools, Antispam, Antivirus.
– Information security: Infrastructure, Human resources, Logical security, Communications, Access control, Business continuity, Compliance.
Objectives, approach and limits
• Expected results:
– Understand where are the gaps in information security.
– Self-assessment tool for information security.
– Actions based / adherence to ISO/IEC 27002 standard.
– First step for a future ISO/IEC 27001 certification.
A direction (north) for information security
Roadmap
• Processes definition based on ISO 27002
• Maturity model definition
• Development of the maturity survey
• Development of the computational tool
• Market assessment and results
Processes Definition
• ISO/IEC 27002 (from): 39 control objectives, 133 controls.
• Process framework (to): 39 processes, 133 activities.
Processes Definition
• 39 processes distributed in 5 categories:
– Planning, Organization and Alignment (POA)
– Organizational Security (ORG)
– Physical Security (FIS)
– Technical Security (TEC)
– Security Management (GES)
Processes Definition
• How processes were created.
Processes Definition
• How processes were detailed (Portuguese version): process description and control objective details.
Maturity Definition
• The same generic maturity model used by COBIT 4.1 was adopted.
Maturity Definition
• A specific maturity model was created for each process.
• Each maturity model merges the generic CMMi model with the control objectives of that process.
Maturity Definition
Maturity levels description
Maturity Definition
• The maturity questionnaire.
– The information security standard looks at the whole organization.
– Answers were created that represent the coverage level of information security inside the organization:
A) only in some situations;
B) in the IT area of the organization;
C) in various departments of the organization, including IT;
D) throughout the whole organization.
– 591 questions were developed to cover all 39 processes and their 5 maturity levels.
Maturity Definition
• The maturity questionnaire.
Maturity Definition
• Filling in the maturity questionnaire.
– To reach a given maturity level, all responses must meet the minimum criteria set for each question of that level.
Maturity Definition
• Questionnaire filling (other rules).
– When the responses for one level of a process did not reach the minimum required, the respondent was directed to the next process.
– The result was shown online.
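A worked scoring routine for the questionnaire rules on this and the previous slides (the A to D coverage scale, the rule that every answer of a level must meet its minimum, and moving on to the next process when a level fails), together with the per-category average used later in the validation results. This is an added example, not the deck's or the iso27000.com.br tool's code; the process identifiers, the questionnaire fragment, its thresholds and the respondent's answers are constructed.

```python
from statistics import mean

# Answer scale from the deck: A = only in some situations, B = in the IT area,
# C = in various departments including IT, D = throughout the organization.
COVERAGE = {"A": 1, "B": 2, "C": 3, "D": 4}

# Constructed questionnaire fragment: process -> {level: [minimum answer per question]}.
# The real instrument has 39 processes x 5 levels (591 questions); thresholds are assumed.
QUESTIONNAIRE = {
    "POA-01": {1: ["A", "A"], 2: ["B", "B"], 3: ["C", "B"], 4: ["C", "C"], 5: ["D", "D"]},
    "TEC-01": {1: ["A"], 2: ["B", "B"], 3: ["C"], 4: ["C", "D"], 5: ["D", "D"]},
    "TEC-02": {1: ["A", "B"], 2: ["B"], 3: ["C", "C"], 4: ["D"], 5: ["D"]},
}

# Constructed answers of one respondent; higher levels are absent once a level fails,
# because the tool moves the respondent on to the next process at that point.
RESPONDENT = {
    "POA-01": {1: ["B", "A"], 2: ["B", "C"], 3: ["B", "B"]},
    "TEC-01": {1: ["D"], 2: ["C", "B"], 3: ["D"], 4: ["D", "D"], 5: ["D", "C"]},
    "TEC-02": {1: ["B", "B"], 2: ["A"]},
}

def level_reached(minimums, answers):
    """Deck rule: a level is reached only if every answer meets its question's minimum."""
    if len(answers) != len(minimums):
        raise ValueError("one answer per question is required")
    return all(COVERAGE[a] >= COVERAGE[m] for a, m in zip(answers, minimums))

def process_maturity(process, responses):
    """Walk levels 1..5 in order and stop at the first level that is not reached;
    the maturity is the highest consecutive level passed (0 if level 1 fails)."""
    reached = 0
    for level, minimums in sorted(QUESTIONNAIRE[process].items()):
        answers = responses.get(level)
        if answers is None or not level_reached(minimums, answers):
            break
        reached = level
    return reached

def assess_respondent(responses):
    """Maturity level for every process the respondent answered."""
    return {p: process_maturity(p, r) for p, r in responses.items()}

def category_average(results):
    """Average maturity per category, taken from the deck's process prefix (POA, ORG, FIS, TEC, GES)."""
    by_cat = {}
    for process, level in results.items():
        by_cat.setdefault(process.split("-")[0], []).append(level)
    return {cat: mean(levels) for cat, levels in by_cat.items()}
```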
Self-Assessment Application
• http://www.iso27000.com.br/mestrado
Login screen
Application main screen
Self-Assessment Application
• http://www.iso27000.com.br/mestrado
Results displayed as graphics
Survey screen
Validation in the Parana State Market
• Location: Curitiba (capital of Parana State - South Brazil)
• Size: 10 companies (1000+ internal users of IT).
Validation in the Parana State Market
• Average maturity by process.
Validation in the Parana State Market
• Processes with the highest and lowest maturity.
Validation in the Parana State Market
• Categories that had the highest and lowest average maturity.
– Planning is not a strong practice (focus) of the IT area.
– The oldest and most obvious concern (instinctive) is therefore the most developed (infrastructure).
Final Comments
• Problem to solve: How to assess information security inside organizations through a structured approach, based on the ISO/IEC 27002:2005 standard?
• Highlights the better-developed processes.
• Information security is still a subject solely of IT areas.
• Respondents' feedback: clear, precise and useful.
• Assessment tool: quick results, leading to quick wins.
• The CMMi generic maturity model confirmed its usefulness.
Thank you!
Luciano Johnson, CISM, CRISC [email protected]