Friday, August 25, 2006

More On Security Governance

Here is something interesting for you process-oriented types ... I recently learned of this new security "best practices" framework (some call them governance frameworks), called "Information Security Management Maturity Model" or IS(M)3.

"ISM3 aims to:

  1. Enable the creation of ISM systems that are fully aligned with the business mission.
  2. Be applicable to any organization regardless of size, context and resources.
  3. Enable organisations to prioritize and optimize their investment in information security.
  4. Enable continuous improvement of ISM systems.
  5. Support the outsourcing of security processes."

It is also claimed to work well - whatever "works" means for something this generic - with other existing frameworks, such as various ISO standards, CMU's CMM and other IT management and security management frameworks.

There is also a neat summary presentation, if you are curious. You can get the full framework document.

It does mention logging and audit logs, but IMHO, nowhere near enough to be a credible governance framework. Specifically, it has a single reference to logging that goes like this: "Access Control includes Authentication of users or services, Authorization of users or services and Logging of access and use of services, repositories, channels and interfaces."


Dr Anton Chuvakin