Security Maturity Models.
13 likes10,676 views
- Maturity models provide frameworks for organizations to evaluate their security capabilities and identify areas for improvement. They allow benchmarking against peers. - There are different types of models including progress-based models that measure advancement through levels and capability maturity models (CMM) that assess process institutionalization. Hybrid models combine aspects of both. - Examples discussed include the Systems Security Engineering Capability Maturity Model (SSE-CMM) that evaluates security engineering practices across five levels and the CISO Platform Security Benchmarking that compares technologies adopted to peers.
Security Maturity Models.
- 2. Agenda 1. What’s a Maturity Model? 2. Types of Maturity Models 3. Overview of SSE CMM & CISO Platform Security Benchmarking
- 3. What’s a Maturity Model? “A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline. A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods and set goals and priorities for improvement.” – C2M2, DOE, US Govt. How’s it Useful? ü Helps Define a Framework for Organizations to Baseline Current Capabilities / Architecture ü Conduct Standardized, Consistent Evaluation(s) -Identify Gaps, Build Roadmaps; Measure Progress ü Allows Organizations to Benchmark their Capabilities against Peers ü Enables Decision Making - How to Improve, Prioritize investments in Tech, People, Services etc.
- 4. Types of Maturity Models 1. Progress-based Maturity Models 1. Measures Simple Progress /Advance Through Ascending Levels (as defined by Org/Industry) 2. E.g.: Simple Password -> Strong Password -> TFA 3. Pros: Simple; Cons: May NOT translate to Maturity 2. Capability Maturity Models (CMM) 1. Primarily Measures the Degree to Which Processes are Institutionalized; Strength of Org Culture 2. E.g.: SSE-CMM 3. Pros: Rigorous Measure of Capabilities; Cons: False Sense of Achievement – Maturity does not equal security 3. Hybrid – 1. Combines the Above Two. 2. E.g.: Cybersecurity Capability Maturity Model (ES - C2M2) 3. Pro: Easy Progress Measurement & Approximation of Capability; Cons: Not as Rigorous as CMM Adapted from Content Provided by CERT and Software Engineering Institute (SSE), CMU.
- 5. Some Maturity Models 1. CERT CC Resilience Maturity Model 2. COBIT 3. US Dept of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) 4. Information Security Management Maturity Model (ISM3) 5. NIST CSEAT IT SMM 6. Gartner’s Security Model 7. Systems Security Engineering Capability Maturity Model (SSE-CMM) 8. Computer Emergency Response Team/Chief Security Officer Security Capability Assessment (CERT/CSO) 9. Community Cyber Security Maturity Model (CSMM) 10. FFIEC – Cybersecurity Maturity 11. OpenSAMM - AppSec 12. BSIMM – AppSec 13. and Many More…
- 6. ISO/IEC 21827 Systems Security Engineering Capability Maturity Model (SSE-CMM) The model is a standard metric for security engineering practices covering the following: 1. Project lifecycles, including development, operation, maintenance, and decommissioning activities 2. Entire organizations, including management, organizational, and engineering activities 3. Concurrent interactions with other disciplines, such as system software and hardware, human factors, test engineering; system management, operation, and maintenance 4. Interactions with other organizations, including acquisition, system management, certification, accreditation, and evaluation. Source: SSE-CMM
- 7. SSE-CMM Dimensions Level 1 - Performed Informally Level 2 – Planned & Tracked Level 3 – Well Defined Level 4 – Quantitatively Controlled Level 5 – Continuously Improving Source: SSE CMM
- 9. CISO Platform Security Benchmarking ◦ An insight about company current cyber security positioning among the peers ◦ An insight about company current positioning in the overall market. ◦ Helps to analyse the gap in Cyber security structure ◦ Helps you to find out the strategic focus areas ◦ NOT a Capability Maturity Model
- 11. Industry wise maturity 0 10 20 30 40 50 60 70 80 Minor BFSI Retail/Online Manufacturing Healthcare & Hospitality Financial Services Minor IT/ITES Major BFSI Major IT/ITES Large Scale Telecom 44.95 51.52 52.43 53.13 56.06 59.25 70.16 74.66 76.62 Security Maturity Index Verticals Security Maturity Index %
- 14. Benchmarking - Capabilities not in place * The Graph presented above is only indicative and for sample purposes only 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% Vertical Adoption(%) Capability Not in Place Statistics DDOS IT GRC management Bio Metric Encryption for Servers/Storage/Database Anti APT
- 15. Some Resources to Get You Started 1. CPSB 2. Vendor Specific, some examples – 1. nCircle 2. Veracode 3. KPMG - Cyber KARE 3. BSIMM - https://www.bsimm.com/ 4. Open SAMM - http://www.opensamm.org/ 5. https://buildsecurityin.us-cert.gov 6. C2M2 - http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model- c2m2-program/cybersecurity
- 16. Thank You!