
Raising The Bar: Security Comes of Age With O-ISM3

The Open Group's new information security management standard, Information Security Management Maturity Model (O-ISM3), has been crafted to enable the creation of information security management (ISM) systems that are fully aligned with any organization's business mission and compliance needs, regardless of size, context and resources. Compatible with other ISM industry standards--such as the ISO2700x series, Information Technology Infrastructure Library (ITIL) and COBIT--O-ISM3 is a comprehensive set of guidelines and best practices that will allow organizations to prioritize and optimize investments in information security, as well as enable continuous improvement of ISM systems using defined metrics.

This standard is not about security per se, says Paul Proctor, VP, distinguished analyst and the role service director for risk management, Gartner Research. "There is no connection between the shifting threat landscape and maturing models. Are you doing the basic blocking and tackling? Rather than a framework of control, it's a measurement regime."

Maturity models are becoming a big thing that ultimately measures how well you do something, he says. "Where you are not doing something well, you have more risk, and where you are doing it well, you have less risk."

He gives security incident responses as an example. Measuring the number of incidents doesn't really help. If you're good, the number doesn't matter, and if you're not good, the number also doesn't matter. The risk is attached to the ability to handle the issue, not the numbers involved.

"The reality is organizations don't have the ability to determine how good or bad they are in security ... and a maturity model is a good way to do that. This is transparency so you can make some good decisions so you can get better."
