
Open Information Security Management Maturity Model O-ISM3

Content
- Intro
- Preface
- Trademarks
- Acknowledgements
- Referenced documents
- Chapter 1 Introduction
- 1.1 Positioning security management
- 1.2 Key characteristics of ISM3
- 1.3 Potential for certification
- 1.4 Summary
- Chapter 2 Concepts - processes, capability, and maturity
- 2.1 Defining the key terms
- 2.1.1 Tying these key terms together
- 2.2 Capability levels
- 2.3 Maturity levels
- 2.3.1 Maturity levels and RoI
- 2.4 Processes
- 2.4.1 Levels
- 2.4.1.1 Generic Processes
- 2.4.1.2 Strategic-Specific Processes
- 2.4.1.3 Tactical-Specific Processes
- 2.4.1.4 Operational-Specific Processes
- 2.4.2 Selecting your set of processes
- 2.4.3 Process definition
- 2.4.4 Process roles and responsibilities
- 2.4.5 Process metrics definition
- 2.4.6 Process metrics specification
- 2.4.7 Process metrics operational use
- Chapter 3 ISM3 in a business context
- 3.1 Business context
- 3.2 Security-in-context model
- 3.3 Operational approach
- 3.4 Operational definitions
- 3.5 ISM3 definition - security-in-context
- 3.6 Business objectives, security objectives, and security targets
- 3.6.1 Business objectives
- 3.6.2 Security objectives
- 3.6.3 Security targets
- 3.6.4 Examples
- 3.7 ISM3 interpretation of incidents, success, and failure
- Chapter 4 ISM3 process model
- 4.1 Security management - ISM3 basics
- 4.2 Generic Processes
- 4.2.1 GP-1: Knowledge Management
- 4.2.2 GP-2: ISMS and Business Audit
- 4.2.3 Implementing ISM3
- 4.2.3.1 GP-3: ISM Design and Evolution
- 4.3 Specific processes - strategic management
- 4.3.1 SSP-1: Report to Stakeholders
- 4.3.2 SSP-2: Coordination
- 4.3.3 SSP-4: Define Division of Duties Rules
- 4.3.4 SSP-6: Allocate Resources for Information Security
- 4.4 Specific processes - tactical management
- 4.4.1 TSP-1: Report to Strategic Management
- 4.4.2 TSP-2: Manage Allocated Resources
- 4.4.3 TSP-3: Define Security Targets and Security Objective
- 4.4.4 TSP-4: Service Level Management
- 4.4.5 TSP-6: Security Architecture
- 4.4.6 TSP-13: Insurance Management
- 4.4.7 Personnel Security
- 4.4.7.1 TSP-7: Background Checks
- 4.4.7.2 TSP-8: Personnel Security
- 4.4.7.3 TSP-9: Security Personnel Training
- 4.4.7.4 TSP-10: Disciplinary Process
- 4.4.7.5 TSP-11: Security Awareness
- 4.4.8 TSP-14: Information Operations
- 4.5 Specific processes - operational management
- 4.5.1 OSP-1: Report to Tactical Management
- 4.5.2 OSP-2: Security Procurement
- 4.5.3 Lifecycle Control
- 4.5.3.1 OSP-3: Inventory Management
- 4.5.3.2 OSP-4: Information Systems IT Managed Domain Change Control
- 4.5.3.3 OSP-5: IT Managed Domain Patching
- 4.5.3.4 OSP-6: IT Managed Domain Clearing
- 4.5.3.5 OSP-7: IT Managed Domain Hardening
- 4.5.3.6 OSP-8: Software Development Lifecycle Control
- 4.5.3.7 OSP-9: Security Measures Change Control
- 4.5.3.8 OSP-16: Segmentation and Filtering Management
- 4.5.3.9 OSP-17: Malware Protection Management
- 4.5.4 Access and Environmental Control
- 4.5.4.1 OSP-11: Access Control
- 4.5.4.2 OSP-12: User Registration
- 4.5.4.3 OSP-14: Physical Environment Protection Management
- 4.5.5 Availability Control
- 4.5.5.1 OSP-10: Backup Management
- 4.5.5.2 OSP-15: Operations Continuity Management
- 4.5.5.3 OSP-26: Enhanced Reliability and Availability Management
- 4.5.5.4 OSP-27: Archiving Management
- 4.5.6 Testing and Auditing
- 4.5.6.1 OSP-19: Internal Technical Audit
- 4.5.6.2 OSP-20: Incident Emulation
- 4.5.6.3 OSP-21: Information Quality and Compliance Assessment
- 4.5.7 Monitoring
- 4.5.7.1 OSP-22: Alerts Monitoring
- 4.5.7.2 OSP-23: Internal Events Detection and Analysis
- 4.5.7.3 OSP-28: External Events Detection and Analysis
- 4.5.8 Incident Handling
- 4.5.8.1 OSP-24: Handling of Incidents and Near-incidents
- 4.5.8.2 OSP-25: Forensics
- Chapter 5 Outsourcing
- 5.1 Introduction
- 5.2 Service Level Agreements
- 5.3 Guidelines
- Chapter 6 Implementing ISM3
- 6.1 Top-down or bottom-up
- 6.2 No one solution fits all
- 6.3 Selecting the processes to implement
- 6.4 Processes fundamental to any ISM3 implementation
- 6.5 Guidance on the role of key groups of ISM3 processes
- 6.6 Top-down implementation
- 6.7 Bottom-up implementation
- 6.8 Examples of ISM3 maturity levels
- 6.8.1 General
- 6.8.2 Strategic Management
- 6.8.3 Tactical Management
- 6.8.4 Operational Management
- Appendix A Index of processes
- Appendix B Terms and definitions
- Appendix C ISM3 and ISO/IEC 27000
- Glossary
- Index
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (Kindle: limited support only).
The PDF file format always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.