Information Security Management Maturity Model (ISM3/ISMMM)
Presented by
Yashwanth Bendi – 18S760
Sai Tej Madugula – 18S740
Ramasamy R – 18S738
Rajul Khare – 18S737
Sahil Chawla – 17F834
ISM3 and its objectives
• ISM3 is technology-neutral. It defines a sufficient number of information security processes that
most organizations need.
• Its objective is to offer a new approach for specifying, implementing, operating and evaluating
an ISMS.
• ISM3 is applicable to all kinds of organizations; businesses, NGOs and firms that are
growing or outsourcing may find it especially attractive.
• The goals of ISM3 are to prevent and mitigate incidents, as defined using security in context, and to
optimize business resources.
• ISM3 is composed of three specific practices – strategic management, tactical management, and
operational management
• The main aim of this framework is:
• Provide tools for creating ISMSs that are fully aligned with business mission and compliance
needs.
• Applies to any organization irrespective of size, context and resources.
• Enables organizations to prioritize and optimize their investment in information security.
• Enables continuous improvement of ISMSs using metrics.
• Enables metric-driven, verifiable outsourcing of security processes.
Key Characteristics
• It demands the linking of security objectives and targets to
business objectives.
• Relevant security controls are identified within each process as
a subset of that process.
• ISM3 will give the organisations the flexibility to tailor make any
combination of information security processes based on their
required criteria.
• For example, ISM3 does not demand a risk-assessment-based
approach, unlike many information security management
approaches.
• Under ISM3 controls can be chosen based on
• Common sense
• Best practices (passwords)
• Learning from incidents (a better firewall)
• Specifically focused vulnerabilities or threats
• Client requirements (I don’t want users from project A
accessing data of project B)
Key Characteristics
• ISM3 uses Capability Maturity Model
(CMM).
• Initial: Undocumented/low
communication
• Repeatable: Functional processes.
• Defined: Documented and
integrated
• Managed: Measurement and
metrics
• Optimized: constant improvement
through feedback and monitoring of
processes
With ISO/IEC 27001
• ISO/IEC 27001 focuses on security management as a single process
for what controls are needed and in place to build an ISMS.
• In contrast, the ISM3 approach not only covers this but also provides a
comprehensive framework for selecting, implementing and
managing a set of security processes to meet tangible business
goals. It breaks security management into a number of related
activities, in which each security activity is defined as a separate
process with its own related security controls, documentation,
inputs, outputs, metrics and linkages to other defined processes.
Compatibility With COBIT
• ISM3 uses a management responsibilities framework that is consistent
with the ISACA COBIT framework model.
• ISM3 breaks down the standards set by COBIT pertaining to security
provisions by process, environment and responsibility.
With ITIL
• ITIL provides process-related tools in the fields of IT service delivery
and IT service management.
• ITIL users can apply the ISM3 process orientation to strengthen their security
processes.
Key terms involved
• Process
• Smallest atomic unit of the standard. Processes have capability and are managed using management practices.
• ISM3 centers around the concept of process.
• Capability:
• Metric of a process, in other words it is a property of how a process is managed.
• Capability level:
• From a management perspective, the higher the capability, the more management practices, robustness,
transparency and self-correction apply to the process.
• From an auditor’s perspective, the capability achieved by a process depends on the documentation and metrics
used to manage it.
• Maturity:
• Desired ISM3 processes collected together and operated at a sufficient capability will determine an
organization’s Information Security and Management Maturity or simply Maturity.
• Maturity and capability can be used as a basis on which certification by authorities
(auditors) creates special value.
Maturity level:
• ISM3 maturity levels are specific sets of ISM3 processes operated at specified capability levels.
• The more processes there are, the higher the capability and the maturity of the ISMS.
• Maturity levels fulfil the needs of organizations with different:
• Threats
• Impact (economic and non-financial)
• Risk appetite
• Economic sector
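The capability and maturity definitions above reduce to a simple rule: an organization reaches a maturity level when every process that level asks for is operated at (or above) the required capability. The evaluator below is an added example, not ISM3's own tooling; the process names, the per-level requirements and the numeric ordering of the CMM capability levels are constructed placeholders, because ISM3 itself defines which processes belong to each level. It reports both the level reached and the gaps that block each higher level, which is what an auditor or tactical manager would want from such a check.

```python
"""Maturity-level evaluator for an ISM3-style process model (added example).

Assumptions: the process names and LEVEL_REQUIREMENTS below are constructed
placeholders; the capability ordering follows the CMM levels listed in the deck.
"""
from dataclasses import dataclass, field

# CMM capability levels as an ordered scale (constructed numeric ordering).
CAPABILITY = {"initial": 1, "repeatable": 2, "defined": 3, "managed": 4, "optimized": 5}

# Constructed placeholder: the processes each maturity level adds, with the minimum
# capability each must be operated at. Level N also inherits every lower level's demands.
LEVEL_REQUIREMENTS = {
    1: {"incident_handling": "repeatable", "backup": "repeatable"},
    2: {"access_control": "repeatable", "patch_management": "repeatable"},
    3: {"access_control": "defined", "patch_management": "defined",
        "vulnerability_management": "defined"},
    4: {"insider_threat_monitoring": "defined", "audit": "defined"},
    5: {"metrics_reporting": "managed"},  # level 5 makes process metrics compulsory
}


@dataclass
class Assessment:
    level: int                                  # highest maturity level fully met (0 = none)
    gaps: dict = field(default_factory=dict)    # level -> {process: (have, need)}


def required_at(level):
    """Cumulative requirements up to `level`; the strictest capability wins."""
    req = {}
    for lvl in range(1, level + 1):
        for proc, cap in LEVEL_REQUIREMENTS[lvl].items():
            if proc not in req or CAPABILITY[cap] > CAPABILITY[req[proc]]:
                req[proc] = cap
    return req


def gaps_for(level, operated):
    """Processes that are missing, or operated below the capability `level` requires."""
    gaps = {}
    for proc, need in required_at(level).items():
        have = operated.get(proc)
        if have is None or CAPABILITY[have] < CAPABILITY[need]:
            gaps[proc] = (have, need)
    return gaps


def assess(operated):
    """`operated` maps process name -> capability level currently achieved.
    Returns the highest level whose cumulative requirements are all met, plus
    the gap list for every level above it."""
    achieved, gaps = 0, {}
    for level in sorted(LEVEL_REQUIREMENTS):
        g = gaps_for(level, operated)
        if g:
            gaps[level] = g
        elif not gaps:          # a level counts only if all lower levels are met too
            achieved = level
    return Assessment(achieved, gaps)


if __name__ == "__main__":
    # Constructed sample: a small organization part-way towards level 3.
    sample = {"incident_handling": "defined", "backup": "repeatable",
              "access_control": "repeatable", "patch_management": "managed"}
    result = assess(sample)
    print("maturity level:", result.level)
    for level, g in result.gaps.items():
        for proc, (have, need) in g.items():
            print(f"  level {level}: {proc} is {have or 'missing'}, needs {need}")
```

The cumulative requirement is what makes the "more processes, higher capability, higher maturity" statement checkable: a process that level 2 accepts at "repeatable" must be raised to "defined" before level 3 counts, and a single missing process blocks every level above it.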
ISM3 Philosophy
• ISM Process Model: Identifies key
ISM processes at various level of
maturity
• Responsibilities Model: Provides a
responsibilities-based view of an
organisation
• Security in context Model: Allows an ISM3
organisation to tailor its security
objectives to its business needs
• IS Model: Provides a terminology for
describing the main components and
properties of IS
Security in context model
• Security is defined as the result of the continuous meeting or surpassing of a set of objectives.
The security in context approach aims to guarantee that business objectives are met. The ISM3
definition of security is therefore context dependent
• Traditionally, to be secure means to be invulnerable (resilient to any possible attack). Using
security in context, to be secure means to be reliable, in spite of attacks, accidents and errors
• Traditionally, an incident is any loss of confidentiality, availability or integrity. Under security in
context, an incident is a failure to meet the organization’s business objectives. There should be a
balance between Business, compliance and technical needs and limitations, like cost,
functionality, privacy, liability and risk
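Security in context turns the definition of an incident into something measurable: each security target is tied to a business objective and to a metric, and an incident is a reporting period in which a target was not met. The check below is an added example, not code from the ISM3 handbook; the three targets, their thresholds and the per-period metric samples are constructed. It also treats an unmeasured target as an incident, since under metric-driven management a target that is not measured cannot be shown to be met.

```python
"""Security-in-context evaluation: incidents are failures to meet security targets
derived from business objectives (added example; targets and samples are constructed).
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class SecurityTarget:
    name: str
    metric: str                       # observed metric this target is measured on
    check: Callable[[float], bool]    # does the observed value meet the target?
    objective: str                    # business objective the target serves


# Constructed targets: availability, client-data separation and patch latency.
TARGETS = [
    SecurityTarget("web shop availability", "availability_pct",
                   lambda v: v >= 99.5, "keep the online shop selling"),
    SecurityTarget("no unauthorised project data access", "cross_project_reads",
                   lambda v: v == 0, "contractual separation of client projects"),
    SecurityTarget("critical patches within 7 days", "max_critical_patch_age_days",
                   lambda v: v <= 7, "reduce exposure to known technical threats"),
]


def evaluate_period(observed, targets=TARGETS):
    """Evaluate one reporting period. `observed` maps metric name -> value.
    Returns (incidents, met): incidents as (target name, reason) pairs."""
    incidents, met = [], []
    for t in targets:
        value = observed.get(t.metric)
        if value is None:
            incidents.append((t.name, "not measured"))
        elif not t.check(value):
            incidents.append((t.name, f"{t.metric}={value}"))
        else:
            met.append(t.name)
    return incidents, met


def security_status(periods, targets=TARGETS):
    """Secure means continuously meeting or surpassing the targets, so the
    status is 'secure' only when no period produced an incident."""
    history = [evaluate_period(p, targets) for p in periods]
    incident_count = sum(len(incidents) for incidents, _ in history)
    return ("secure" if incident_count == 0 else "not secure"), history


if __name__ == "__main__":
    # Constructed metric samples for three reporting periods.
    periods = [
        {"availability_pct": 99.9, "cross_project_reads": 0, "max_critical_patch_age_days": 3},
        {"availability_pct": 99.2, "cross_project_reads": 0, "max_critical_patch_age_days": 10},
        {"availability_pct": 99.8, "cross_project_reads": 2},
    ]
    status, history = security_status(periods)
    print("status:", status)
    for i, (incidents, _) in enumerate(history, 1):
        for name, reason in incidents:
            print(f"  period {i}: incident on '{name}' ({reason})")
```

Note what the model does not do: a classical event such as a blocked intrusion attempt is not an incident here unless it moved a metric past a target. That is the trade-off the slide describes, and it is why the targets have to be chosen by tactical management against the real business, compliance and technical constraints.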
Information security Management process model
ISM3 is composed of four practices
• 1 generic (Documentation):
• 3 specific (strategic management, tactical management and operational management):
• Generic :
• It applies to all 3 specific practices and emphasizes the requirements for document
management.
• Generic goals of an ISM system are to:
• Prevent and reduce incidents that could threaten the organization’s property and the
outcome of various products and services that depend on information systems.
• Efficient use of information, money, people, time and infrastructure.
• Outputs of an ISM system are:
• Incident prevention
• Incident mitigation
• Risk reduction and
• Trust
Information security Management process model
• Better processes would lead to better security and thus would result in repeated meeting of the
business and security objectives
Generic practices:
• Generic practice ( GP-1 Documentation management)
• Description: defines quality standards of the documents and records that are associated
with the processes and makes sure to keep them up-to-date through the requirement of
window of document expiry and review
• Rationale: to ensure that security processes are implemented in a robust and
repeatable manner
• Generic practice ( GP-2 ISM system and Business audit )
• Description: this practice validates
• Compliance of business processes with applicable regulations
• If the existing scheme of delegation follows TPSRSR rules
• If the implementation of ISM system as defined
Information security Management process model
• Rationale :
• Incidents that originate from the glitches in the ISM system can be prevented by checking the
system and taking necessary actions by focussing on the areas of improvement, for example:
• Compliance of business processes with applicable regulations
• Scheme of delegation following TPSRSR rules
• Implementation of ISM system as defined
• Generic practice: GP-3 ISM design and evaluation
• Description: it focusses on the most appropriate operational processes to achieve security
targets. Some of the design techniques are as follows:
• ISM3 Maturity Level choice
• ROSI Evaluation
• Threat Evaluation
• Vulnerability Evaluation
• Business Impact Evaluation
• Risk Evaluation (Threat, Vulnerability and Impact Evaluation)
Information security Management process model
• Evaluation models used are as follows:
• Information system Model
• Financial model
• Logistic Model (Transport, Supplies, Waste)
• Infrastructure Model (Energy, Space, Environmental conditions)
• Personnel and Responsibilities Model
• Aforementioned techniques add value producing reproducible results in a cost-effective manner
• Rationale: Every organization works on different Security Targets, under different environments
and has different capabilities and resources. An appropriate selection of processes will give a
good return on the security investment (ROSI)
• Efficiency and effectiveness of Processes can degrade over a period unless there is a continuous
effort towards higher levels of capability
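GP-3 names three evaluations (threat, vulnerability, business impact) whose combination is the risk evaluation, and states that the right selection of processes is what gives a good ROSI. The worked example below, added here and not taken from the ISM3 handbook, puts those pieces together using the textbook definitions: annualised loss = threat frequency x vulnerability x impact, and ROSI = (loss avoided - cost) / cost. Every risk figure, process cost and effect factor is constructed. Beyond the single ROSI calculation, it searches the affordable process combinations for the largest net benefit, which shows why a process with a positive standalone ROSI can still be left out of the selected set.

```python
"""Risk and ROSI evaluation for selecting ISM processes (added example).

Assumptions: annual loss = threat_per_year * vulnerability * impact;
ROSI = (loss avoided - cost) / cost; all sample figures are constructed.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    name: str
    threat_per_year: float   # threat evaluation: expected events per year
    vulnerability: float     # vulnerability evaluation: probability an event succeeds
    impact: float            # business impact evaluation: loss per successful event

    def annual_loss(self, vuln_factor=1.0, impact_factor=1.0):
        """Expected annual loss after applying control multipliers (1.0 = no effect)."""
        return (self.threat_per_year * self.vulnerability * vuln_factor
                * self.impact * impact_factor)


@dataclass
class Process:
    name: str
    annual_cost: float
    vuln_factors: dict = field(default_factory=dict)    # risk name -> multiplier on vulnerability
    impact_factors: dict = field(default_factory=dict)  # risk name -> multiplier on impact


def residual_loss(risks, processes):
    """Expected annual loss with the given processes operating; effects multiply."""
    total = 0.0
    for r in risks:
        vf = imf = 1.0
        for p in processes:
            vf *= p.vuln_factors.get(r.name, 1.0)
            imf *= p.impact_factors.get(r.name, 1.0)
        total += r.annual_loss(vf, imf)
    return total


def rosi(risks, processes):
    """(loss avoided - cost) / cost for a set of processes taken together."""
    cost = sum(p.annual_cost for p in processes)
    if cost == 0:
        return 0.0
    avoided = residual_loss(risks, []) - residual_loss(risks, processes)
    return (avoided - cost) / cost


def best_selection(risks, candidates, budget):
    """Affordable process set with the largest net benefit (loss avoided - cost).
    Returns (net_benefit, rosi, sorted process names), or None if nothing pays off."""
    baseline = residual_loss(risks, [])
    best = None
    for k in range(1, len(candidates) + 1):
        for combo in combinations(candidates, k):
            cost = sum(p.annual_cost for p in combo)
            if cost > budget:
                continue
            net = baseline - residual_loss(risks, combo) - cost
            if net > 0 and (best is None or net > best[0]):
                best = (net, rosi(risks, combo), sorted(p.name for p in combo))
    return best


# Constructed sample: three risks and three candidate ISM processes.
RISKS = [
    Risk("phishing", threat_per_year=50, vulnerability=0.2, impact=5_000),
    Risk("ransomware", threat_per_year=2, vulnerability=0.5, impact=200_000),
    Risk("insider_exfiltration", threat_per_year=1, vulnerability=0.3, impact=100_000),
]
CANDIDATES = [
    Process("awareness_training", 10_000, vuln_factors={"phishing": 0.5}),
    Process("backup_and_recovery", 20_000, impact_factors={"ransomware": 0.25}),
    Process("access_control", 30_000,
            vuln_factors={"insider_exfiltration": 0.5, "ransomware": 0.8}),
]

if __name__ == "__main__":
    print(f"baseline annual loss: {residual_loss(RISKS, []):,.0f}")
    for p in CANDIDATES:
        print(f"{p.name:20} standalone ROSI {rosi(RISKS, [p]):.2f}")
    print("best selection under a 60,000 budget:", best_selection(RISKS, CANDIDATES, 60_000))
```

With these constructed figures every process has a positive standalone ROSI, yet the best affordable set is training plus backup: adding access control on top avoids less extra loss than it costs. That is the point of GP-3's rationale, the value of a process depends on the environment and on the other processes already running, so selection has to be re-evaluated rather than done control by control.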
Practices in ISM3
• 3 specific (strategic management, tactical management and
operational management):
• Each of these targets a horizontal within the business
• These assume that an organization can be divided into
functionally separate tasks ( strategic, tactical and
operational)
• A collection of responsibilities is assigned to each practice
area
Strategic management
It is accountable to stakeholders for the efficient use of resources through compliances. The
stakeholders could be external (and possibly internal)
• Provides leadership and coordination of:
• Information security
• Physical security
• Workplace security (outside scope of ISM3)
• Interaction with organizational units
• Reviews and improves the information security management system, including the
appointment of Managers and internal and external auditors
• Defines relationships with other organisations, such as partners, vendors and contractors
• Provides resources for information security
• Defines Security Objectives consistent with business goals and objectives, protecting stakeholders
interests
• Sets the organizational scheme of delegation
Tactical Management
It has the following purposes:
• Provide feedback to Strategic Management
• Define the environment for Operational Management:
• Define Security Targets
• Define metrics
• Define Business, Personnel, Compliance, Access Control, Priority, Durability,
Information Quality and Technical security objectives
• Define environments and lifecycles
• Select appropriate processes to achieve the Security Targets
• Manage budget, people and other resources allocated to information security
Operations management
Operational Management reports to the Chief Information Officer and the Information Security
Tactical Manager.
Operational Management has the following responsibilities:
• Provide feedback to Tactical Management, including Incident and Metrics Reports;
• Identify and protect assets;
• Protection and support of information systems throughout their lifecycle;
• Management of the security measures lifecycle;
• Apply allocated resources efficiently and effectively;
• Carry out processes for incident prevention, detection and mitigation (both real time and
following an incident).
Components of Information System
Information systems are complex and have various tangible and intangible components.
Structural features – the various assets from which an information system may be built:
• Repositories: Any temporary or permanent storage of information, including RAM, databases,
file systems and any kind of portable media
• Interfaces: Any input/output device, such as screens, printers, and fax
• Channels: Physical or logical pathways for the flow of messages, including buses, LAN
networks, etc. A network is a dynamic set of channels
• Borders define the limits of the system
Transactional features (heading only; its content is not on this page)
Security Investment and risk
[Chart removed: Risk, Risk Reduction/Extra Security Investment and Security Investment plotted
against Level 0 to Level 5 on a 0–120 scale. The per-level figures are summarised below.]
ISM3 maturity levels compared
• Level 1: Risk reduction from technical threats: Significant; from internal threats: -;
Investment: Minimum; Organization: low InfoSec targets in a low-risk environment;
Examples: organizations with very limited resources
• Level 2: Risk reduction from technical threats: Further; from internal threats: -;
Investment: Moderate; Organization: normal-risk environment;
Examples: small and medium business
• Level 3: Risk reduction from technical threats: Higher; from internal threats: -;
Investment: Significant; Organization: high InfoSec targets in normal or higher-risk environments;
Examples: information services and e-commerce
• Level 4: Risk reduction from technical threats: Higher; from internal threats: Higher;
Investment: High; Organization: matured organizations, highly regulated organizations;
Examples: stock exchange-listed corporations, government bodies, financial institutions
• Level 5: Risk reduction from technical threats: Higher; from internal threats: Higher;
Investment: Higher; Organization: matured organizations;
Examples: same as Level 4, with optimized and continuous improvement
Maturity Levels in ISM3 Framework
The basic philosophy here is that as organizations make meaningful investment in their security management
mechanisms, the risk level reduces.
• ISM3 Level 1: Significant risk reduction from technical threats, for a minimum investment in the essential ISM
processes. This level is recommended for organizations with low InfoSec targets in low-risk environments that
have very limited resources.
• ISM3 Level 2: Further risk reduction from technical threats, for a moderate investment in ISM processes. It is
recommended for organizations with normal-risk environments that need to demonstrate good practice to
partners and are keen to avoid security incidents.
• ISM3 Level 3: This level should result in higher risk reduction from technical threats, for a significant
investment in InfoSec processes. This level is recommended for organizations with high InfoSec targets in
normal or higher risk environments, for example organizations dependent on information services and
electronic commerce (e-commerce).
• ISM3 Level 4: This level should result in the higher risk reduction from technical and internal threats, for a high
investment in InfoSec processes. This level is recommended for mature organizations affected by specific
requirements, for example, highly regulated organizations, such as stock exchange-listed corporations,
government bodies and financial institutions.
• ISM3 Level 5: The difference between this level and ISM Level 4 is the compulsory use of process metrics. Mature
organizations that have some experience running an ISM Level 4 ISMS can optimize and continuously improve
their ISMS at this level.
Processes Involved
References
• https://www.slideshare.net/vaceituno/open-information-security-management-maturity-model
• https://www.lean.org/FuseTalk/Forum/Attachments/ISM3_v2.00-HandBook.pdf