Raising The Bar: Security Comes of Age With O-ISM3

April 14, 2011


The Open Group's new information security management standard, Information Security Management Maturity Model (O-ISM3), has been crafted to enable the creation of information security management (ISM) systems that are fully aligned with any organization's business mission and compliance needs, regardless of size, context and resources. Compatible with other ISM industry standards--such as the ISO2700x series, Information Technology Infrastructure Library (ITIL) and COBIT--O-ISM3 is a comprehensive set of guidelines and best practices that will allow organizations to prioritize and optimize investments in information security, as well as enable continuous improvement of ISM systems using defined metrics.

This standard is not about security per se, says Paul Proctor, VP, distinguished analyst and the role service director for risk management, Gartner Research. "There is no connection between the shifting threat landscape and maturing models. Are you doing the basic blocking and tackling? Rather than a framework of control, it's a measurement regime."

Maturity models are becoming a big thing, he says; they ultimately measure how well you do something. "Where you are not doing something well, you have more risk, and where you are doing it well, you have less risk."

He gives security incident responses as an example. Measuring the number of incidents doesn't really help. If you're good, the number doesn't matter, and if you're not good, the number also doesn't matter. The risk is attached to the ability to handle the issue, not the numbers involved.

"The reality is organizations don't have the ability to determine how good or bad they are in security ... and a maturity model is a good way to do that. This is transparency so you can make some good decisions so you can get better."

Originally brought to the 350-member Open Group a couple of years ago, O-ISM3 is the result of more than six years of work and collaboration by the ISM3 Consortium and The Open Group's Security Forum. It focuses on common information security processes so operational metrics can be applied to security management processes and protection techniques.

Jim Hietala, Open Group VP of security, says there was a real void in terms of guidance on how you do continuous improvement. Existing standards like ISO 27002 give you a great set of process controls, he says, but they don't tell you how to manage those processes.

The O-ISM3 standard is the first formal deliverable in the information security management work program of The Open Group Security Forum. The forum is also currently building maturity models for O-ISM3 and expects to extend the program by developing certification programs for the standard.

O-ISM3 is a very comprehensive, complex and "rigorous" framework, says Proctor, and not for small or midsize businesses. "This is for large enterprises [and service providers] with complex, complicated programs."
