Security Maturity Models.
Transcript of Security Maturity Models.
Security Maturity Models
Overview of Security Maturity Models
Agenda
1. What's a Maturity Model?
2. Types of Maturity Models
3. Overview of SSE-CMM & CISO Platform Security Benchmarking
What's a Maturity Model?
“A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline. A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods and set goals and priorities for improvement.” – C2M2, DOE, US Govt.

How's it Useful?
- Helps define a framework for organizations to baseline current capabilities/architecture
- Conduct standardized, consistent evaluation(s): identify gaps, build roadmaps; measure progress
- Allows organizations to benchmark their capabilities against peers
- Enables decision making: how to improve, prioritize investments in tech, people, services etc.
Types of Maturity Models
1. Progress-based Maturity Models
   1. Measures simple progress/advance through ascending levels (as defined by org/industry)
   2. E.g.: Simple Password -> Strong Password -> TFA
   3. Pros: Simple; Cons: May NOT translate to maturity
2. Capability Maturity Models (CMM)
   1. Primarily measures the degree to which processes are institutionalized; strength of org culture
   2. E.g.: SSE-CMM
   3. Pros: Rigorous measure of capabilities; Cons: False sense of achievement – maturity does not equal security
3. Hybrid
   1. Combines the above two.
   2. E.g.: Cybersecurity Capability Maturity Model (ES-C2M2)
   3. Pro: Easy progress measurement & approximation of capability; Cons: Not as rigorous as CMM
Adapted from content provided by CERT and Software Engineering Institute (SEI), CMU.
Some Maturity Models
1. CERT CC Resilience Maturity Model
2. COBIT
3. US Dept of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
4. Information Security Management Maturity Model (ISM3)
5. NIST CSEAT IT SMM
6. Gartner's Security Model
7. Systems Security Engineering Capability Maturity Model (SSE-CMM)
8. Computer Emergency Response Team / Chief Security Officer Security Capability Assessment (CERT/CSO)
9. Community Cyber Security Maturity Model (CSMM)
10. FFIEC – Cybersecurity Maturity
11. OpenSAMM – AppSec
12. BSIMM – AppSec
13. and many more…
ISO/IEC 21827 Systems Security Engineering Capability Maturity Model (SSE-CMM)
The model is a standard metric for security engineering practices covering the following:
1. Project lifecycles, including development, operation, maintenance, and decommissioning activities
2. Entire organizations, including management, organizational, and engineering activities
3. Concurrent interactions with other disciplines, such as system software and hardware, human factors, test engineering; system management, operation, and maintenance
4. Interactions with other organizations, including acquisition, system management, certification, accreditation, and evaluation.
Source: SSE-CMM
SSE-CMM Dimensions
Level 1 – Performed Informally
Level 2 – Planned & Tracked
Level 3 – Well Defined
Level 4 – Quantitatively Controlled
Level 5 – Continuously Improving
Source: SSE-CMM
Sample [figure]
Source: SSE-CMM
CISO Platform Security Benchmarking
◦ An insight about the company's current cybersecurity positioning among its peers
◦ An insight about the company's current positioning in the overall market
◦ Helps to analyse the gap in cybersecurity structure
◦ Helps you to find out the strategic focus areas
◦ NOT a Capability Maturity Model
India vs World
• India is 75 to 80% at par with USA for Prevention/Detection technologies.
• India is less than 10% at par with USA in Response.
• India is less than 10% at par with USA for Prediction of breaches beforehand.
• India is less than 10% at par in adoption of emerging security technologies like threat intelligence and big data security analytics, RASP, IAST, containerization/isolation, attack deception etc. when compared to USA.
Industry-wise maturity
Security Maturity Index by vertical (values read off the bar chart, ascending):

| Vertical | Security Maturity Index (%) |
|---|---|
| Minor BFSI | 44.95 |
| Retail/Online | 51.52 |
| Manufacturing | 52.43 |
| Healthcare & Hospitality | 53.13 |
| Financial Services | 56.06 |
| Minor IT/ITES | 59.25 |
| Major BFSI | 70.16 |
| Major IT/ITES | 74.66 |
| Large Scale Telecom | 76.62 |
CISO Platform Security Benchmarking
Community-based initiative which helps organizations benchmark their existing security posture against that of their peers/industry (e.g.: BFSI, IT/ITES) and develop an actionable, prioritized roadmap for achieving the desired maturity level.
The technologies are categorized into:
◦ Security control type (Prevent, Detect, Respond, Predict)
◦ Technology adoption type (Basic, Moderate, Advance)
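The benchmarking mechanics the slides describe (per-vertical adoption percentages for each capability, roll-ups by control type, and a prioritized gap list for one organization against its peers) can be shown with a small script. The following is an added example, not CISO Platform's own code or data: the survey responses are constructed, the vertical names and the mapping of each capability to a control type and adoption tier (`TAXONOMY`) are assumptions, and the gap-ordering rule in `gap_roadmap` (Basic before Moderate before Advance, then by peer adoption) is an assumed prioritization, not one stated on the page.

```python
"""Toy security benchmarking: adoption statistics per vertical.

Constructed example (not CISO Platform's code or data). The control types
(Prevent/Detect/Respond/Predict) and adoption tiers (Basic/Moderate/Advance)
are the categories the deck names; which capability sits in which category
is an assumption made here for illustration.
"""
from collections import defaultdict

# Assumed taxonomy: capability -> (control type, adoption tier)
TAXONOMY = {
    "Anti Malware": ("Prevent", "Basic"),
    "Patch Management": ("Prevent", "Basic"),
    "Web Application Firewall": ("Prevent", "Moderate"),
    "IDS/IPS": ("Detect", "Basic"),
    "SIEM": ("Detect", "Moderate"),
    "Anti APT": ("Detect", "Advance"),
    "BCP/DR": ("Respond", "Moderate"),
    "Threat Intelligence": ("Predict", "Advance"),
}

# Assumed roadmap ordering: close Basic gaps first, Advance last.
TIER_RANK = {"Basic": 0, "Moderate": 1, "Advance": 2}

# Constructed survey responses: one row per organisation listing the
# capabilities it reports as in place.
RESPONSES = [
    {"org": "bank-a", "vertical": "BFSI",
     "in_place": {"Anti Malware", "Patch Management", "SIEM", "IDS/IPS", "BCP/DR"}},
    {"org": "bank-b", "vertical": "BFSI",
     "in_place": {"Anti Malware", "Patch Management", "SIEM", "IDS/IPS",
                  "Web Application Firewall", "Threat Intelligence"}},
    {"org": "bank-c", "vertical": "BFSI",
     "in_place": {"Anti Malware", "IDS/IPS", "BCP/DR", "Anti APT"}},
    {"org": "bank-d", "vertical": "BFSI",
     "in_place": {"Anti Malware", "Patch Management", "SIEM", "Web Application Firewall"}},
    {"org": "shop-a", "vertical": "Retail/Online",
     "in_place": {"Anti Malware", "Web Application Firewall"}},
    {"org": "shop-b", "vertical": "Retail/Online",
     "in_place": {"Anti Malware", "Patch Management", "IDS/IPS"}},
]


def adoption_pct(responses, vertical, capability):
    """Percentage of organisations in `vertical` reporting `capability` in place."""
    orgs = [r for r in responses if r["vertical"] == vertical]
    if not orgs:
        raise ValueError(f"no responses for vertical {vertical!r}")
    hits = sum(1 for r in orgs if capability in r["in_place"])
    return round(100.0 * hits / len(orgs), 2)


def adoption_table(responses, vertical, taxonomy=TAXONOMY):
    """'Capability in place' statistics for one vertical: capability -> adoption %."""
    return {cap: adoption_pct(responses, vertical, cap) for cap in taxonomy}


def adoption_by_control_type(responses, vertical, taxonomy=TAXONOMY):
    """Mean adoption per control type (Prevent/Detect/Respond/Predict) for a vertical."""
    buckets = defaultdict(list)
    for cap, (ctype, _tier) in taxonomy.items():
        buckets[ctype].append(adoption_pct(responses, vertical, cap))
    return {ctype: round(sum(v) / len(v), 2) for ctype, v in buckets.items()}


def gap_roadmap(responses, org, taxonomy=TAXONOMY):
    """Capabilities `org` lacks, ordered by assumed priority.

    Order: adoption tier (Basic first), then how many of the org's vertical
    peers already have the capability (highest first). Each entry is
    (capability, tier, control type, peer adoption %).
    """
    row = next(r for r in responses if r["org"] == org)
    peers = [r for r in responses
             if r["vertical"] == row["vertical"] and r["org"] != org]
    gaps = []
    for cap, (ctype, tier) in taxonomy.items():
        if cap in row["in_place"]:
            continue
        peer_pct = adoption_pct(peers, row["vertical"], cap) if peers else 0.0
        gaps.append((TIER_RANK[tier], -peer_pct, cap, tier, ctype))
    gaps.sort()
    return [(cap, tier, ctype, -neg) for _, neg, cap, tier, ctype in gaps]


if __name__ == "__main__":
    for vertical in ("BFSI", "Retail/Online"):
        print(vertical, adoption_table(RESPONSES, vertical))
        print(vertical, adoption_by_control_type(RESPONSES, vertical))
    for cap, tier, ctype, pct in gap_roadmap(RESPONSES, "bank-c"):
        print(f"bank-c gap: {cap:<26} {tier:<9} {ctype:<8} peers {pct:>6.2f}%")
```

Note that `adoption_pct` reports how many organizations claim a capability, which is exactly the deck's "NOT a Capability Maturity Model" caveat: a box ticked for SIEM says nothing about whether the process around it is institutionalized.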
Benchmarking – capabilities in place
*The graph presented above is only indicative and for sample purposes only
[Bar chart: Capability in Place Statistics, Vertical Adoption (%). Capabilities shown: Security Awareness and Training, Wireless Security, Policy Management, Mobile Device Management, IAM/PIM, Application/Database Security, SIEM, Endpoint Security, Digital Rights Management, DLP/Data Security, IDS/IPS, Patch Management, Secure Email/Web Gateway, Content…, Strong Authentication, Unified Threat Management, Anti Malware/Anti Spyware, BCP/DR, Web Application Firewall, Vulnerability Management, Threat Intelligence. Per-capability adoption values on the chart range from 31.82% to 100.00%.]
Benchmarking – capabilities not in place
*The graph presented above is only indicative and for sample purposes only
[Bar chart: Capability Not in Place Statistics, Vertical Adoption (%) on a 0–80% axis. Capabilities shown: DDoS, IT GRC Management, Biometric, Encryption for Servers/Storage/Database, Anti APT.]
Some Resources to Get You Started
1. CPSB
2. Vendor specific, some examples:
   1. nCircle
   2. Veracode
   3. KPMG – CyberKARE
3. BSIMM – https://www.bsimm.com/
4. OpenSAMM – http://www.opensamm.org/
5. https://buildsecurityin.us-cert.gov
6. C2M2 – http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program/cybersecurity
Thank You!