Post on 22-Nov-2014
Case Study: Bankia Reaching the Highest Maturity Levels
Vicente Aceituno (@vaceituno), Inovement Spain
Session ID: GRC-T08B
Session Classification: Intermediate
#RSAC
Maturity
A measure of the ability to improve often over time
Bankia
► 4th biggest bank in Spain with 12 million customers
► Took the decision to implement O-ISM3 for application security testing in late 2008
► The Application Security team achieved an Optimized maturity level in 6 months
Return on Investment and Maturity
(Figure: ROI plotted against maturity, rising through the stages Penetration Testing, White Box P.T., Lifecycle Integration, Secure Design, Continuous Improvement.)
Improvement
►Achieving higher value with the same resources
►Achieving the same value with fewer resources
Improvement
► Producing better results
► Contributing to business needs
► Tuning priorities
► Better use of resources
(Figure: value plotted against resources.)
Continuous Improvement Toolbox
► Metrics
► Security Objectives Analysis
► Processes
► Knowledge Management
Continuous Improvement Benefits
► Effortless definition of SLAs.
► Feedback.
► Application Classification according to Business Criteria.
► Better Communication.
► Efficient allocation of resources.
► Better distribution of responsibilities.
► Uniform results regardless of who performs a task.
► No vendor lock-in.
Higher Maturity Results
(Figure: chart for 2008-2012, y-axis 0-250, with series Weaknesses Fixed, Euros / Weakness Fixed, and Weaknesses / Application Security Test.)
Note: Qualitative changes in comparison with 2008 are represented.
Higher Maturity Results
(Figure: chart for 2008-2012, y-axis 0-400, with series Application Security Tests, Euros / Application Security Test, and Application Security Test Workload.)
Note: Qualitative changes in comparison with 2008 are represented.
Last Messages
► Maturity is a measure of the ability for continuous improvement.
► Achieving high levels of maturity can be hard if you don’t know how.
► High maturity is about working smart, not hard.
► Bankia saved time and money, improved the security of their applications, the communication between teams, and avoided vendor lock-in.
Thank you!
#RSAC
Vicente Aceituno
Inovement Spain
@vaceituno
vaceituno@inovement.es
www.inovement.es