Proposal of Information Security Maturity Model

Transcription

1 Proposal of Information Security Maturity Model Luciano Johnson, CISM, CRISC

2 Agenda Objectives, approach and limits Roadmap Processes Definition Maturity Definition Self-Assessment Application Validation into Parana State Market Final Comments 2

3 Objectives, approach and limits Search for competitive differential New technologies and challenges. Needs for public and private organizations. Brazilian government research (TCU 2007/2010). Use of ISO standards. Use of COBIT model. Methodological approach. 3

4 Objectives, approach and limits Problem to solve: How to assess information security inside organizations through structured approach and based on standard ISO/IEC 27002:2005? Paradigm to be broken: Infrastructure Human resources Firewall Network Security Proxy IDS/IPS Tools Information security Logic security Communications Access control Antispam Business continuity Antivirus Compliance 4

5 Objectives, approach and limits Expected results: Understand where are the gaps in information security. Self-assessment tool for information security. Actions based / adherence to ISO/IEC standard. First step for a future ISO/IEC certification. A direction (north) for information security 5

6 Roadmap Maturity model definition Development of the maturity survey Development of computational tool Market assessment and results Processes definition based on ISO

7 Processes Definition ISO/IEC (from) 39 Control Objectives 133 Controls Process Framework (to) 39 Processes 133 Activities 7

8 Processes Definition 39 processes distributed in 5 categories POA ORG FIS TEC GES Planning, Organization and Alignment Organizational Security Physical Security Technical Security Security Management 8

9 Processes Definition 39 processes distributed in 5 categories 9

10 Processes Definition How processes were created. 10

11 Processes Definition How processes were detailed (Portuguese version). Process description Control objectives details 11

12 Maturity Definition It was used the same generic model used by COBIT 4.1! 12

13 Maturity Definition For each process was created an specific maturity model. The maturity model is a merge between the generic model of CMMi with the control objectives of each process. 13

14 Maturity Definition Maturity levels description 14

15 Maturity Definition The maturity questionnaire. The information security standard looks at all organization. There were created answers that represent the cover level of information security inside the organization: A) B) C) D) only in some situations; in IT area inside the organization; in various departments of the organization, including IT; throughout all the organization. There were developed 591 questions to cover all 39 processes and its 5 levels of maturity. 15

16 Maturity Definition The maturity questionnaire. 16

17 Maturity Definition The maturity questionnaire fulfillment. To reach certain maturity, all responses must meet the minimum criteria set for each question. 17

18 Maturity Definition Questionnaire fulfillment (other rules). When the response for one process level had not reached the minimum required, the respondent was directed to next process. The result was showed online 18

19 Self-Assessment Application Login screen Application main screen 19

20 Self-Assessment Application Survey screen Results displayed as graphics 20

21 Validation into Parana State Market Location: Curitiba (capital of Parana State - South Brazil) Size: 10 companies (1000+ internal users of IT). 21

22 Validation into Parana State Market Average maturity by process. 22

23 Validation into Parana State Market Processes with the highest and lowest maturity. 23

24 Validation into Parana State Market Categories that had the highest and lowest average maturity. oldest and most obvious concern (instinctive), therefore the most developed (infrastructure). planning is not a strong practice (focus) of the IT area. 24

25 Final Comments Problem to solve: How to assess information security inside organizations through structured approach and based on standard ISO/IEC 27002:2005? highlight the processes better developed; Information security is still a subject solely of IT areas; Respondents feedback: clear, precise and useful. Assessment tool: quick results, leading to quick wins. CMMi generic maturity model confirmed its use. 25

26 Thank you! Luciano Johnson, CISM, CRISC