ISM3 1.0 ISM Maturity Model Quick Maturity Assessment

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a
copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Any copyrighted material mentioned in this document is property of their respective
owners.
WWW.ISECOM.ORG / WWW.OSSTMM.ORG / WWW.HACKERHIGHSCHOOL.ORG / WWW.ISESTORM.ORG
CREATIVE COMMONS NODERIVS LICENSE 2004, SOME RIGHTS RESERVED,
VICENTE ACEITUNO AND THE INSTITUTE FOR SECURITY AND OPEN METHODOLOGIES (ISECOM).
ISM3 1.0. - Quick Maturity Assessment
By Vicente Aceituno Canal
1 Assessment
This document is intended as a quick self-assessment of ISM system maturity. A deeper
assessment is needed for planning an ISM3 compliant implementation.
Three criteria are used for the quick assessment:

Supervised: The process has one and only one competent Process Owner.

Resourced: Adequate resources in terms of budget, staff and space are available to
carry out the process.
Every process score in every category is calculated as follows:

Yes: 1
No: 0
Incomplete: 0.5
Don’t know: -1

Add the Supervised and Resourced columns. The final score gives a rough idea of maturity:
Total Supervised Score | Total Resourced Score | ISM3 Level
13                     | 13                    | 1
27                     | 27                    | 2
35                     | 35                    | 3
42                     | 42                    | 4
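A scorer for the procedure above, added here as an example and not part of the ISM3 document. Two points the document leaves open are taken as assumptions: the level is the highest row whose threshold both totals reach, and a process left blank is scored as Don’t know (-1) rather than 0.

```python
# Added example, not part of the ISM3 document. Assumption: the ISM3 level is
# the highest row whose threshold BOTH column totals reach.
ANSWER_SCORE = {"yes": 1.0, "no": 0.0, "incomplete": 0.5, "don't know": -1.0}

# Process identifiers per grading table, taken from the document's tables.
PROCESSES = {
    "General": ["GP-1"],
    "Strategic": [f"SSP-{i}" for i in range(1, 7)],
    "Tactical": [f"TSP-{i}" for i in range(1, 13)],
    "Operational": [f"OSP-{i}" for i in range(1, 26)],
}

# (minimum Supervised total, minimum Resourced total, ISM3 level)
LEVEL_THRESHOLDS = [(13, 13, 1), (27, 27, 2), (35, 35, 3), (42, 42, 4)]

# Constructed sample: all processes answered except OSP-25, left blank.
SAMPLE_ANSWERS = {p: ("yes", "yes") for ids in PROCESSES.values() for p in ids}
SAMPLE_ANSWERS.update({p: ("incomplete", "no") for p in PROCESSES["Operational"]})
del SAMPLE_ANSWERS["OSP-25"]

def score_answer(answer):
    """Map one Yes / No / Incomplete / Don't know answer to its score."""
    return ANSWER_SCORE[answer.strip().lower().replace("\u2019", "'")]

def subtotals(answers):
    """answers: {process_id: (supervised_answer, resourced_answer)}.
    A blank process counts as 'Don't know' (assumption: -1, not 0).
    Returns {category: (supervised_subtotal, resourced_subtotal)}."""
    result = {}
    for category, ids in PROCESSES.items():
        rows = [answers.get(p, ("don't know", "don't know")) for p in ids]
        result[category] = (sum(score_answer(s) for s, _ in rows),
                            sum(score_answer(r) for _, r in rows))
    return result

def ism3_level(answers):
    """Add both columns over all four tables; returns (supervised_total,
    resourced_total, level), with level 0 meaning no threshold was reached."""
    subs = subtotals(answers)
    total_sup = sum(s for s, _ in subs.values())
    total_res = sum(r for _, r in subs.values())
    level = 0
    for min_sup, min_res, lvl in LEVEL_THRESHOLDS:
        if total_sup >= min_sup and total_res >= min_res:
            level = lvl
    return total_sup, total_res, level

if __name__ == "__main__":
    print(ism3_level(SAMPLE_ANSWERS))  # (30.0, 18.0, 1)
```

In the sample the Supervised total alone would reach level 2, but the Resourced column (18) holds the organisation at level 1; the unanswered OSP-25 costs a point in each column.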
General Grading Table
Process                                                     | Supervised | Resourced
GP-1 Document Management                                    |            |
SUBTOTAL                                                    |            |

Strategic Management Grading Table
Process                                                     | Supervised | Resourced
SSP-1 Report to Stakeholders                                |            |
SSP-2 Coordination                                          |            |
SSP-3 Strategic vision                                      |            |
SSP-4 Define rules for the division of duties: transparency,|            |
      partitioning, supervision, rotation and separation of |            |
      responsibilities (TPSRSR)                             |            |
SSP-5 Check compliance with TPSRSR rules                    |            |
SSP-6 Allocate resources for information security           |            |
SUBTOTAL                                                    |            |

Tactical Management Grading Table
Process                                                     | Supervised | Resourced
TSP-1 Report to strategic management                        |            |
TSP-2 Manage allocated resources                            |            |
TSP-3 Define Security Targets                               |            |
TSP-4 Define metrics for security processes                 |            |
TSP-5 Define Properties Groups                              |            |
TSP-6 Define environments and lifecycles                    |            |
TSP-7 Background Checks                                     |            |
TSP-8 Security Personnel Selection                          |            |
TSP-9 Security Personnel Training                           |            |
TSP-10 Disciplinary Process                                 |            |
TSP-11 Security Awareness                                   |            |
TSP-12 Select Specific Processes                            |            |
SUBTOTAL                                                    |            |
Operational Management Grading Table
Process                                                     | Supervised | Resourced
OSP-1 Report to tactical management                         |            |
OSP-2 Select tools for implementing security measures       |            |
OSP-3 Inventory Management                                  |            |
OSP-4 Information Systems Environment Change Control        |            |
OSP-5 Environment Patching                                  |            |
OSP-6 Environment Clearing                                  |            |
OSP-7 Environment Hardening                                 |            |
OSP-8 Software Development Lifecycle Control                |            |
OSP-9 Security Measures Change Control                      |            |
OSP-10 Backup & Redundancy Management                       |            |
OSP-11 Access control over services, repositories, channels |            |
       and interfaces                                       |            |
OSP-12 User Registration                                    |            |
OSP-13 Encryption Management                                |            |
OSP-14 Physical Environment Protection Management           |            |
OSP-15 Operations Continuity Management                     |            |
OSP-16 Segmentation and Filtering Management                |            |
OSP-17 Malware Protection Management                        |            |
OSP-18 Insurance Management                                 |            |
OSP-19 Attacks, Errors and Accidents Emulation              |            |
OSP-20 Incident Emulation                                   |            |
OSP-21 Information Quality Probing                          |            |
OSP-22 Alerts Monitoring                                    |            |
OSP-23 Events Detection and Analysis                        |            |
OSP-24 Handling of incidents and near-incidents             |            |
OSP-25 Forensics                                            |            |
SUBTOTAL                                                    |            |