Sunday, February 11, 2007
ISM3 - Information Security Management Maturity Model
Information and data security will be one of the most critical areas in the future as the world increasingly relies on computers and the Internet to keep everything ticking. It is perhaps time, then, for a framework to measure and manage information security: enter ISM3 (pronounced "ISM cubed"), the Information Security Management Maturity Model.
ISM3 is the brainchild of Vicente Aceituno Canal, who is based in Spain. It differs from other models of information security management in that it puts a lot of focus on measuring security before trying to manage it.
This framework follows a process-oriented approach (somewhat similar to the Capability Maturity Model, CMM, used in software development) in which each process is measured using metrics to determine its efficiency.
ISM3 uses a maturity-based model that divides information security management into five levels of maturity. It also divides information security management responsibilities into strategic, tactical and operational levels. At each of these levels, metrics are applied to determine the maturity.
The principal aim of ISM3 is "achievable security", which implies a level of security commensurate with business needs. Thus, a different level of security applies to a financial-sector company, say a bank, where security requirements will be much higher, than to an advertising / creative company, where security requirements will be relatively lower.
More info on ISM3 from the web site