Security Maturity Models.


Page 1: Security Maturity Models.

Security Maturity Models: Overview of Security Maturity Models

Page 2: Security Maturity Models.

Agenda
1. What's a Maturity Model?
2. Types of Maturity Models
3. Overview of SSE-CMM & CISO Platform Security Benchmarking

Page 3: Security Maturity Models.

What's a Maturity Model?

“A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline. A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods and set goals and priorities for improvement.” – C2M2, DOE, US Govt.

How's it Useful?

• Helps define a framework for organizations to baseline current capabilities/architecture
• Conduct standardized, consistent evaluation(s): identify gaps, build roadmaps, measure progress
• Allows organizations to benchmark their capabilities against peers
• Enables decision making: how to improve, where to prioritize investments in tech, people, services etc.

Page 4: Security Maturity Models.

Types of Maturity Models

1. Progress-based Maturity Models
   1. Measures simple progress/advance through ascending levels (as defined by org/industry)
   2. E.g.: Simple Password -> Strong Password -> TFA (two-factor authentication)
   3. Pros: Simple; Cons: May NOT translate to maturity (reaching a level shows a control was adopted, not that the practice is institutionalized)

2. Capability Maturity Models (CMM)
   1. Primarily measures the degree to which processes are institutionalized; strength of org culture
   2. E.g.: SSE-CMM
   3. Pros: Rigorous measure of capabilities; Cons: False sense of achievement – maturity does not equal security

3. Hybrid
   1. Combines the above two.
   2. E.g.: Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
   3. Pro: Easy progress measurement & approximation of capability; Cons: Not as rigorous as CMM

Adapted from content provided by CERT and the Software Engineering Institute (SEI), CMU.

Page 5: Security Maturity Models.

Some Maturity Models

1. CERT/CC Resilience Management Model (CERT-RMM)
2. COBIT
3. US Dept of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
4. Information Security Management Maturity Model (ISM3)
5. NIST CSEAT IT Security Maturity Model (IT SMM)
6. Gartner's Security Model
7. Systems Security Engineering Capability Maturity Model (SSE-CMM)
8. Computer Emergency Response Team / Chief Security Officer Security Capability Assessment (CERT/CSO)
9. Community Cyber Security Maturity Model (CCSMM)
10. FFIEC – Cybersecurity Maturity
11. OpenSAMM - AppSec
12. BSIMM – AppSec
13. and many more…

Page 6: Security Maturity Models.

ISO/IEC 21827 Systems Security Engineering Capability Maturity Model (SSE-CMM)

The model is a standard metric for security engineering practices covering the following:

1. Project lifecycles, including development, operation, maintenance, and decommissioning activities
2. Entire organizations, including management, organizational, and engineering activities
3. Concurrent interactions with other disciplines, such as system software and hardware, human factors, test engineering; system management, operation, and maintenance
4. Interactions with other organizations, including acquisition, system management, certification, accreditation, and evaluation.

Source: SSE-CMM

Page 7: Security Maturity Models.

SSE-CMM Dimensions (capability dimension: the five capability levels)

Level 1 – Performed Informally
Level 2 – Planned & Tracked
Level 3 – Well Defined
Level 4 – Quantitatively Controlled
Level 5 – Continuously Improving

Source: SSE-CMM

Page 8: Security Maturity Models.

Sample (SSE-CMM rating chart, figure only)

Source: SSE-CMM

Page 9: Security Maturity Models.

CISO Platform Security Benchmarking

◦ An insight into the company's current cybersecurity positioning among its peers
◦ An insight into the company's current positioning in the overall market
◦ Helps to analyse the gaps in the cybersecurity structure
◦ Helps you to find the strategic focus areas
◦ NOT a Capability Maturity Model

Page 10: Security Maturity Models.

India vs World

• India is 75 to 80% at par with USA for Prevention/Detection technologies.
• India is less than 10% at par with USA in Response.
• India is less than 10% at par with USA for Prediction of breaches beforehand.
• India is less than 10% at par with USA in adoption of emerging security technologies like threat intelligence and Big Data security analytics, RASP, IAST, containerization/isolation, attack deception etc.

Page 11: Security Maturity Models.

Industry-wise maturity

Bar chart: Security Maturity Index (%) by vertical. Verticals and index values are listed here in the order they appear in the chart, lowest to highest:

Vertical                     Security Maturity Index %
Minor BFSI                   44.95
Retail/Online                51.52
Manufacturing                52.43
Healthcare & Hospitality     53.13
Financial Services           56.06
Minor IT/ITES                59.25
Major BFSI                   70.16
Major IT/ITES                74.66
Large Scale Telecom          76.62

Page 12: Security Maturity Models.

CISO Platform Security Benchmarking
Community-based initiative which helps organizations benchmark their existing security posture against that of their peers/industry (e.g.: BFSI, IT/ITES) and develop an actionable, prioritized roadmap for achieving the desired maturity level.

The technologies are categorized into:
◦ Security control type (Prevent, Detect, Respond, Predict)
◦ Technology adoption type (Basic, Moderate, Advanced)

Page 13: Security Maturity Models.

Benchmarking – capabilities in place

*The graph presented is only indicative and for sample purposes only

Bar chart: "Capability in Place Statistics", x-axis Vertical Adoption (%). Capabilities shown: Security Awareness and Training, Wireless Security, Policy Management, Mobile Device Management, IAM/PIM, Application/Database Security, SIEM, Endpoint Security, Digital Rights Management, DLP/Data Security, IDS/IPS, Patch Management, Secure Email/Web Gateway, Content…, Strong Authentication, Unified Threat Management, Antimalware/Antispyware, BCP/DR, Web Application Firewall, Vulnerability Management, Threat Intelligence. Per-capability adoption in the sample ranges from 31.82% to 100.00%.

Page 14: Security Maturity Models.

Benchmarking – capabilities not in place

*The graph presented is only indicative and for sample purposes only

Bar chart: "Capability Not in Place Statistics", x-axis Vertical Adoption (%), 0.00% to 80.00%. Capabilities shown: DDoS, IT GRC management, Biometric, Encryption for Servers/Storage/Database, Anti-APT.

Page 15: Security Maturity Models.

Some Resources to Get You Started

1. CPSB (CISO Platform Security Benchmarking)
2. Vendor specific, some examples:
   1. nCircle
   2. Veracode
   3. KPMG - Cyber KARE
3. BSIMM - https://www.bsimm.com/
4. OpenSAMM - http://www.opensamm.org/
5. https://buildsecurityin.us-cert.gov
6. C2M2 - http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program/cybersecurity

Page 16: Security Maturity Models.

ThankYou!