In mid 2019 I received a call from the commercial manager of a company dedicated to the sale of FMCG products. The call was prompted by a security incident: they had suffered a data breach that triggered alerts regarding their security posture. The executive's intention was to hire the Ethical Hacking services offered by Gudix Security Consulting.
Hands on, we began preliminary discussions, but after talking with members of the management team we identified that the company had additional concerns, among which were:
How can we promote a culture where everyone in the company is responsible for information security, and how can we show customers that we are protecting their data? At the moment we do not have funds available to make large investments.
Given this background, an Ethical Hacking engagement alone would not answer those questions, nor fit their financial scenario. So I suggested that they adopt a maturity model, which would allow them to improve their security posture gradually and only then consider an Ethical Hacking type security test.
What is ISM3?
ISM3 is a maturity model for security with five levels that facilitates improvement and alignment between business needs and security management for organizations of all types and sizes.
It was created by a consortium formed in March 2007 by the companies ESTEC Systems (Canada), First Legion Consulting and Valiant Technologies (India), Seltika (Colombia), Global 4 Ingeniería (Spain) and M3 Security (United States), with the aim of bringing the principles of quality management (ISO 9001 or Six Sigma) to information security management systems.
We know that reaching a given level of cybersecurity maturity takes a long time for some organizations. ISM3 fits this scenario well, giving the organization the opportunity to develop short, medium and long term plans that are measurable, adaptable and fully integrated with the business, allowing it to gradually reach the expected optimal level of security.
Features
- Linking security to business objectives. It requires a deep understanding of the business goals and their dependence on technological elements.
- Includes metrics, evolutionary adoption and continuous improvement, based on the premise that what cannot be measured cannot be improved.
- Flexibility, by adapting to different investment capacities (open source fits well here). The idea is to be able to make planned investments. There are many open-source security solutions that require very little investment (OSSIM, Graylog, Wazuh, pfSense, Cortex, among others), and at Gudix Security Consulting we are willing to support you throughout the process.
- Creates an ecosystem around ISM3 (COBIT, ISO 27001, etc.). It allows us to establish the basis to later aspire to ISO 27001 certification or to align with COBIT.
It is made up of four types of processes: general, strategic, tactical and operational.
- General: Provides the infrastructure for the implementation, evaluation and improvement of information security management processes.
- Strategic: Directs and provides
  - Defines general objectives, coordination and provision of resources.
- Tactical: Implements and optimizes
  - Establishes the design and implementation of specific objectives, and the management of resources.
- Operational: Executes and reports
  - Establishes the fulfillment of the defined objectives through technical processes.
Well, the client agreed to go through the ISM3 adoption process. In the next installments I will talk more about ISM3 and tell you how the Ethical Hacking went, which, due to an ethics and conflict-of-interest issue, I left in the hands of another consultant.
For more information about ISM3, please visit their website.
Do you have any advice? If so, feel free to let us know below in the comments.