IS-IM Maturity: Aujas IS-IM Framework Maturity Measurement Model - Aujas
How is the Maturity defined?

A quantifiable measurement that can be used to track the progress in achieving the desired level of maturity of information security incident management. The maturity model is built in line with the CoBIT, ISO 27035 and NIST 800-83 standards as a base for guidance. The measurement is done in line with the CoBIT framework of measurement.

What are Metrics and Measurement of Maturity?

Metrics are something observed or calculated that is used to show the presence or state of a condition or trend; this model will measure the maturity of IS-IM across five domains - Governance, People, Process and Technology for Monitoring, Prevention against Malicious Code and Networking.

How is the definition of Maturity defined?

The Maturity and Metrics Measurement Model is defined from baseline information and the domains of CoBIT, ISO 27035 and CMM. The maturity model is based on CoBIT.

The table below depicts the maturity model for incident management. It is divided into 4 broad areas -

1. Information Security Incident Management Governance - Define Roles and Responsibilities, Cross Functional Teams, Interaction Model, Coordination, Policy, approval and Training, and measuring or reporting incident metrics including Trending.
2. Incident Management Process - Process definition, detailed procedures for managing incidents across their lifecycle.
3. Incident Management Technology - Measuring threat preparedness via point tools, early indicators, monitoring and maturity…
4. Incident Management People Readiness - Skills, Role Definition, Policy Awareness and Mock Preparedness via Testing.

Rating | Description

0 - Non-Existent
Governance - There exist no defined teams for information security incident response, roles and responsibilities are not defined, there is only basic awareness of the need for managing information security incidents, and no measurable actions are taken to address the requirements.
People - No competency defined, training not provided, R&R not made known, and the right set of people to respond to incidents not identified.
Process - Does not exist and is addressed ad-hoc with existing capabilities.
Technology - Basic technology for protection, but no proactive monitoring of events and alerts.

1 - Initial
The organization has recognized that there is a need to respond to and evaluate incidents. An Incident Plan may partially exist, but it is not repeatable. Point technology solutions exist, like Perimeter Security and Log Monitoring, but no proactive monitoring, correlation, threat mitigation and response exist.

2 - Repeatable
An Incident Plan is documented, but response is inconsistent; eradication is the focus, but no postmortem analysis is done and no training is provided. The resolution process has evolved to a point where a few key individuals are responsible for managing the information security incidents. Information is shared among staff; however, the process remains unstructured, informal and mostly reactive. Technology controls for web, email and host protection exist.

3 - Defined
An Incident Response Plan is documented and repeatable, and postmortem learning is documented, but s… Technology solutions are matured and address all the areas of threat mitigation. SIEM is implem… mitigation, Zero day vulnerability, security analytics and rapid response arrangements to address se…

4 - Managed
A comprehensive Incident Response Program is in place, tested routinely, and postmortems are conducted. Forensic evidence is properly collected for analysis, and integration with proper law enforcement has been established. The process is well linked with other governance functions. Technology solutions monitor advanced indicators of compromise; all critical assets and threats to them are identified, and logs of all critical assets are monitored and correlated in SIEM. Security threats are subscribed to and the incident response process is automated. Metrics are defined, monitored periodically and reported to governance bodies.

5 - Optimized
A dedicated team of knowledgeable and trained incident response professionals is part of the formal Incident Response Program. The team is able to monitor an active incident and executes a methodical strategy to identify the source and root causes, and it pursues eradication and containment based on established risk protocols. Most systems have been equipped with automatic detection and warning mechanisms, which are co… All point tools are working in an integrated manner and leveraged to identify security attacks in adva…
Domain maturity scores (Current | Post IS-IM Program)
2.46 | 3.07
2.13 | 3.00
2.24 | 2.76
2.70 | 2.93
2.97 | 3.12
Information Security Incident Management Governance

S. No. | Tool / Control | Reference
1.03 | The IS-IM policy and process documents are communicated to all the stakeholders, and awareness sessions are conducted for the various stakeholders on handling information security incidents | NIST 800-61
1.09 | There exists a roadmap for maturing the incident response capability | NIST 800-61
2.02 | Management has ensured that the necessary criteria have been identified for personnel to fill a defined role | NIST 800-61
3.03 | Management has ensured that formal training is conducted for all employees and contractors | ISO 27001
Metrics
4.01 | Information security incident management KPIs and metrics are defined | ISO 27001

Observation (Current) | Score (0 to 5) | Post IS-IM Program | Score (0 to 5)
ISIRT team has been mentioned and members identified | 2 | ISIRT team is leveraged and improved further by R&R definitions | 2
Model defined but not detailed with R&R and notification | 2 | Detailed R&R and interaction model, and their respective roles, have been defined | 3
Incident Management Process

S. No. | Tool / Control | Reference
1.06 | The "Initial Diagnosis / Validation" process activity is specified | NIST 800-83
1.08 | The "Investigation and Forensics" process activity is specified | NIST 800-83
1.11 | Timescales are defined for all incident handling stages | NIST 800-83
1.13 | Incident models are defined for the various types of systems, such as Corporate Information Systems, ICS and SCADA | NIST 800-83
2.01 | The Service Desk function is defined for logging information security incidents | ISO 27035
2.02 | The Service Desk is aware of its role at Tier 1 / Level 1 in Information Security Incident Management logging and status updating | ISO 27035
3.03 | Integration with Change Management (post-implementation reviews) | ISO 27035
Contact Details
4.05 | Does each incident record contain a field or fields to record the contact information and call-back method, such as telephone or email? | ISO 27035
Incident Symptoms
4.06 | Does each incident record contain a field or fields to describe the symptoms of the fault? This can include event parameters and user-reported symptoms. | ISO 27035
Incident Status
4.07 | Does the incident record contain a field or fields to record the status of the incident (such as active, waiting, closed)? | ISO 27035
Incident Categorization and Prioritization
4.08 | Does the incident record contain category and priority fields to record the type and impact of the incident? | ISO 27035
Incident Assignment
4.09 | Does the incident record contain a field or fields to assign the incident to a support department, group or individual? | ISO 27035
Incident Resolution and Closure
4.10 | Do the incident records have a field or fields to record resolution information, including resolution date and time? | ISO 27035
Management Reports
4.11 | Does the tool produce reports from the record detail captured? | ISO 27035
Record Sharing
4.12 | Does the process detail the sharing of incident records and reports with internal and external parties such as Management, other governance bodies, CERT and Rapid Response teams? | NIST 800-83

Score (Current | Post IS-IM Program): 2.46 | 3.07

Observation (Current) | Score (Current) | Score (Post IS-IM Program)
KB does not exist | 1 | 2
Known workarounds are documented for IT incidents, some overlapping with security incidents like virus cleaning / update failure etc.; there is no separate DB for the KB | 1 | 2
Source is identified | 2 | 3
Reporting is ad-hoc | 2 | 3

Proposed: build a detailed solution and implementation of lessons learned for information security incidents. No change suggested for the remaining items.
Incident Management Technology - Monitoring

S. No. | Tool / Control | Reference
1.01 | Does Security Monitoring cover the logs of all critical assets for incidents? | NIST 800-83
1.03 | Are events, alerts and correlation rules derived from business requirements, risk assessment and threat profiles? | ISO 27001
Scope
2.01 | How many correlation rules are configured in the SIEM, and are all the rules created built-in or customized based on the threat profile? | ISO 27001
2.03 | Which are the standards to which this implementation adheres (e.g. ADSIC compliance etc.)? Is the reporting automated? | ISO 27001
2.04 | Is the SIEM integrated with incident management? Are workflows implemented for the various levels of escalation based on criticality and priority? | ISO 27001
Operations
3.01 | Please describe the incident classification categories and their handling by separate qualified professionals such as L1, L2, L3. | ITIL V3
3.03 | Do the log sources have all details logged, such as logins, client IP, server IP and source program information? | ITIL V3
3.04 | Are time frames defined for escalating alerts? | ITIL V3
3.05 | Are different priorities of events generated and confirmed for incidents? | ITIL V3
5.03 | Are KPIs defined for performance measurement of the SIEM? | ISO 27001 / CoBIT 5.0 / ITIL V3
5.04 | Is Performance / Risk / Escalation and other reporting provided for monitoring? | ISO 27001 / CoBIT 5.0 / ITIL V3
5.05 | Does the outsourcing contract include arrangements for reporting, notification and investigation of security incidents and security breaches? | ISO 27001 / CoBIT 5.0 / ITIL V3

Observation (Current) | Score (Current) | Score (Post IS-IM Program)
No | 2 | 3
Incident Management Technology - Prevention against Malicious Code

S. No. | Tool / Control | Reference | Score (Current)
2.04 | Are incoming email attachments scanned to check for malware before opening? | ISO 27001 & 27002, NIST SP 800-83 Rev 1 | 3
2.05 | Are all removable and replacement media, and media from external entities, scanned to check for malware before use? | ISO 27001 & 27002, NIST SP 800-83 Rev 1 | 3
2.06 | Is the sending or receipt of certain types of files (e.g., .exe files) via email prohibited? | ISO 27001 & 27002, NIST SP 800-83 Rev 1 | 3
3.01 | Are unneeded services (particularly network services) identified and disabled / removed? | ISO 27001 & 27002, NIST SP 800-83 Rev 1 | 2
3.02 | Are default usernames and passwords for OSs and applications removed / changed, or monitored in the SIEM? | ISO 27001 & 27002, NIST SP 800-83 Rev 1 | 2
3.03 | Is automatic execution of binaries and scripts, including AutoRun on Windows hosts, disabled? | ISO 27001 & 27002, NIST SP 800-83 Rev 1 | 3
3.04 | Are the default file associations for file types that are most frequently used by malware but not by users (e.g., .pif, .vbs) changed, so that such files are not run automatically if users attempt to open them? | NIST SP 800-83 Rev 1 | 3
Anti-Malware
4.01 | Do you have anti-malware prevention software implemented on your email servers and email gateways? | ISO 27001 & 27002, NIST SP 800-83 Rev 1 | 3
4.02 | Do you have anti-virus / content monitoring software implemented on your Internet gateways to screen incoming Internet traffic? | NIST SP 800-83 Rev 1 | 3
4.03 | Do you have anti-virus software implemented on mobile computing devices (e.g., PDA, handheld personal computers, Blackberry or smart phones)? | NIST SP 800-83 Rev 1 | 1
4.04 | Do you have a centralized anti-virus management solution and an automated process for updating virus definition files? | ISO 27001 & 27002, NIST SP 800-83 Rev 1 | 3
4.05 | Do you have a monthly report to summarize the anti-virus operations (e.g., number of viruses circumvented, number of virus outbreaks, percentage of workstations with the latest AV software, etc.)? | NIST SP 800-83 Rev 1 | 3
4.06 | Is the anti-virus configured for scanning critical host components such as start-up files and boot records? | NIST SP 800-83 Rev 1 | 2.5
4.09 | Are users able to disable or delete the antivirus software from their hosts, or are they able to alter critical settings? | ISO 27001 & 27002, NIST SP 800-83 Rev 1 | 3

Score (Post IS-IM Program): 2.93

Observation (Current) | Score (Post IS-IM Program) | Post IS-IM Program
Yes, Anti-Malware of SEP and McAfee EPO is implemented for IT and ICS respectively | 3 | Yes, Anti-Malware of SEP and McAfee EPO is implemented for IT and ICS respectively
Yes, and monitored via SIEM | 3 | Yes, and monitored via SIEM
Yes | 3 | Yes
Yes | 3 | Yes
Yes, Ironport is implemented | 3.5 | Improvements to the events to be monitored are proposed
Incident Management Technology - Networking

S. No. | Tool / Control | Reference
1.01 | Ability to monitor for intrusion on all ingress points and zones hosting critical services for… | Aujas
1.04 | What is the default action set for the firewalls (allow / deny), and is logging enabled for all activities? |
1.05 | Are firewall logs monitored in real time, or is any firewall log analysis done, and at what frequency? |
2 Content Filtering / SPAM filtering
2.01 | Does the organization use spam filtering software to reduce the amount of unsolicited e-mails? |
2.02 | Does the organization utilize web filtering to prevent employees from visiting risky / blacklisted / suspicious websites? |
2.03 | Do both email and web content filtering use real-time blacklists? |
3 Defensive Architecture
3.01 | Are applications run in a controlled environment that restricts what operations the applications can perform and that isolates them from other applications running on the same host? |
3.02 | Are relatively secure web browsers identified, and are browser options limited for users? |
3.03 | Is virtualization used to segregate applications and operating systems from each other? |
4 Wireless
4.01 | Does the organization employ legacy wireless protocols such as WEP, TKIP or WPA? |
4.05 | Do access points log security-relevant events and forward them to a remote audit server in real time? |

Score (Current | Post IS-IM Program): 2.97 | 3.12

Observation (Current) | Score (Current) | Score (Post IS-IM Program) | Reference
802.1X authentication on the users / access control system; authentication from AD | 3 | 3 | ISO 27001 & 27002, NIST SP 800-83 Rev 1
Yes, wireless controlling system - separate monitoring system | 3 | 3 | ISO 27001 & 27002, NIST SP 800-83 Rev 1

Further responses (Response post IS-IM Program):
Logs are monitored
Only IE is allowed
Yes
WPA and WPA 2 and SSID
Incident Management People Readiness

S. No. | Tool / Control | Reference | Score (Current)
1.06 | Is appropriate training provided to all stakeholders / ISIRT / SMEs? | ISO 27001 | 3
1.07 | Drill conducted to verify preparedness and application of knowledge | ISO 27001 | 1

Observation (Current) | Score (Post IS-IM Program) | Post IS-IM Program
Though there is no separate standard for staff sufficiency, as per RSA best practices, we propose an additional ICS security expert to handle information security incidents | 3 | Though there is no separate standard for staff sufficiency, as per RSA best practices, we propose an additional ICS security expert to handle information security incidents
Detailed qualification, experience and relevant training are not defined | 3 | Detailed description of the role with competencies proposed
High-level R&R were defined | 3 | Detailed R&R for all stakeholders
All members are identified | 3 | All members are identified
There was no awareness for users to identify and report incidents | 3.5 | Proposed is awareness for all stakeholders via an ISIRT-conducted workshop
No training provided to ISIRT and SMEs relevant to incident response; however, individual trainings and some relevant technical training were provided | 3.5 | Training identified and planned
No drill has been conducted so far for measuring incident preparedness | 3 | Planned drill in mid-February