Posted on 13-Mar-2020

6 views

Category:

Documents


0 download

TRANSCRIPT

ISO27000.COM.BR Information Security Group

Proposal of Information Security Maturity Model

Luciano Johnson, CISM, CRISC [email protected]


Agenda

• Objectives, approach and limits

• Roadmap

• Processes Definition

• Maturity Definition

• Self-Assessment Application

• Validation in the Paraná State market

• Final Comments


Objectives, approach and limits

• Search for a competitive differentiator.

• New technologies and challenges.

• Needs of public and private organizations.

• Brazilian government research (TCU 2007/2010).

• Use of ISO standards.

• Use of the COBIT model.

• Methodological approach.


Objectives, approach and limits

• Problem to solve:

– How to assess information security within organizations through a structured approach based on the ISO/IEC 27002:2005 standard?

• Paradigm to be broken:

– Network security (firewall, proxy, IDS/IPS tools, antispam, antivirus)

– versus information security (infrastructure, human resources, logical security, communications, access control, business continuity, compliance)


Objectives, approach and limits

• Expected results:

– Understand where the gaps in information security are.

– A self-assessment tool for information security.

– Actions based on, and adherence to, the ISO/IEC 27002 standard.

– A first step towards a future ISO/IEC 27001 certification.

A direction (a "north") for information security

Roadmap

1. Processes definition based on ISO 27002

2. Maturity model definition

3. Development of the maturity survey

4. Development of the computational tool

5. Market assessment and results


Processes Definition

• From ISO/IEC 27002: 39 control objectives and 133 controls.

• To the process framework: 39 processes and 133 activities.


Processes Definition

• 39 processes distributed in 5 categories:

– Planning, Organization and Alignment (POA)

– Organizational Security (ORG)

– Physical Security (FIS)

– Technical Security (TEC)

– Security Management (GES)


Processes Definition

• How processes were created.


Processes Definition

• How processes were detailed (Portuguese version).

[Figure: process description and control objectives details]


Maturity Definition

• The same generic maturity model used by COBIT 4.1 was adopted.


Maturity Definition

• A specific maturity model was created for each process.

• Each process's maturity model merges the generic CMMi model with the control objectives of that process.


Maturity Definition

[Figure: maturity levels description]


Maturity Definition

• The maturity questionnaire.

– The information security standard looks at the whole organization.

– 591 questions were developed to cover all 39 processes and their 5 maturity levels.

– Answer options were created that represent the coverage level of information security inside the organization:

A) only in some situations;

B) in the IT area inside the organization;

C) in various departments of the organization, including IT;

D) throughout the whole organization.


Maturity Definition

• Filling in the maturity questionnaire.

– To reach a certain maturity level, all responses must meet the minimum criteria set for each question.


Maturity Definition

• Filling in the questionnaire (other rules).

– When the responses for one level of a process did not reach the required minimum, the respondent was directed to the next process.

– The result was shown online.
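As an added illustration (not code from the slides or from the iso27000.com.br tool), the Python below models the two questionnaire rules above: a level is reached only when every one of its questions meets its minimum answer, and the first level that fails ends the assessment of that process. It also averages the per-process levels across companies and per category, as the market validation that follows does; the process ids, minimum criteria and answers are constructed, chosen so that the planning process scores lowest.

```python
from statistics import mean

# Answer codes from the slides, ordered by how widely the practice is applied:
# A) only in some situations ... D) throughout the whole organization.
COVERAGE = {"A": 1, "B": 2, "C": 3, "D": 4}

def process_maturity(answers, minimums):
    """Highest maturity level (0-5) reached for one process.
    answers:  {level: [answer code per question]} from the respondent
    minimums: {level: [minimum acceptable code per question]}
    A level counts only if every question meets its minimum; the first level
    that fails ends the evaluation, so later levels are not credited."""
    reached = 0
    for level in range(1, 6):
        given, required = answers.get(level, []), minimums[level]
        if len(given) != len(required):      # unanswered question: level not reached
            break
        if not all(COVERAGE[g] >= COVERAGE[r] for g, r in zip(given, required)):
            break
        reached = level
    return reached

def average_by_process(companies, minimums):
    """companies: {company: {process: answers}} -> {process: mean level}."""
    levels = {}
    for responses in companies.values():
        for proc, ans in responses.items():
            levels.setdefault(proc, []).append(process_maturity(ans, minimums[proc]))
    return {proc: mean(v) for proc, v in levels.items()}

def average_by_category(process_means, categories):
    """categories: {process: category code} -> {category: mean of its processes}."""
    by_cat = {}
    for proc, lvl in process_means.items():
        by_cat.setdefault(categories[proc], []).append(lvl)
    return {cat: mean(v) for cat, v in by_cat.items()}

# Constructed sample (hypothetical process ids, two questions per level).
MINIMUMS = {
    "POA-01": {1: ["A", "A"], 2: ["B", "B"], 3: ["C", "B"], 4: ["C", "C"], 5: ["D", "D"]},
    "TEC-05": {1: ["A", "A"], 2: ["B", "B"], 3: ["C", "C"], 4: ["D", "C"], 5: ["D", "D"]},
}
CATEGORIES = {"POA-01": "POA", "TEC-05": "TEC"}
COMPANIES = {
    "company-1": {"POA-01": {1: ["B", "A"], 2: ["B", "C"], 3: ["C", "C"], 4: ["C", "B"], 5: ["D", "D"]},
                  "TEC-05": {1: ["D", "D"], 2: ["D", "D"], 3: ["D", "D"], 4: ["D", "D"], 5: ["D", "C"]}},
    "company-2": {"POA-01": {1: ["A", "A"], 2: ["A", "B"]},
                  "TEC-05": {1: ["C", "C"], 2: ["C", "C"], 3: ["C", "C"], 4: ["C", "C"]}},
}
```

Note that company-1's POA-01 answers are all "D" at level 5 yet the process scores 3, because level 4 is the first one that fails.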


Self-Assessment Application

• http://www.iso27000.com.br/mestrado

[Figures: login screen, application main screen, survey screen, results displayed as graphics]


Validation in the Paraná State market

• Location: Curitiba (capital of Paraná State, southern Brazil).

• Size: 10 companies (1000+ internal IT users).


Validation in the Paraná State market

• Average maturity by process.


Validation in the Paraná State market

• Processes with the highest and lowest maturity.


Validation in the Paraná State market

• Categories with the highest and lowest average maturity.

– Planning is not a strong practice (focus) of the IT area.

– Infrastructure is the oldest and most obvious (instinctive) concern, and therefore the most developed.

Final Comments

• Problem to solve: how to assess information security within organizations through a structured approach based on the ISO/IEC 27002:2005 standard?

• Highlight the processes that are better developed;

• Information security is still a subject solely of IT areas;

• Respondents' feedback: clear, precise and useful.

• Assessment tool: quick results, leading to quick wins.

• The CMMi generic maturity model confirmed its usefulness.


Thank you!

Luciano Johnson, CISM, CRISC [email protected]