Towards evaluating security implementations using the Information Security Maturity Model (ISMM)

Alaboodi, Saad Saleh

January 2007

Information security is a common and ever-present concern for both private and public sector organizations. Information security protects information from a wide range of threats, risks, and vulnerabilities in order to ensure information availability, integrity and confidentiality, and hence business continuity. This research seeks to use a heuristic-based investigation of the Information Security Maturity Model (ISMM), developed by the author, combined with a thorough review of existing models, to suggest considerable extensions. This shall merit various applications leading to establish a connective body of knowledge and bridge a gap in existing literature and industry regarding the information security implementation in light of use of international standards and models. The ISMM model is neither based on a specific technology/protocol (e.g. PKI, IPSec, SSL) nor a certain system/product (e.g. Firewall, Antivirus, IDS), but rather an engineering approach towards a structured and efficient implementation of those technologies. The ISMM is a security-centric model that consists of five distinctive and ordered security layers, each of which has its own definition, scope, and characteristics. The model reflects the three key security processes (prevention, detection and recovery) and captures effects of people (visibility and sophistication) on every layer. It aims essentially to assess the maturity of any security implementation of any size and type (i.e. device, system, or environment). New extensions of the ISMM work are put forward. Literature review is augmented by introducing a new classification of information security models. Additionally, new abstractions are introduced, first: the abstraction of security conceptual boundaries, which signifies rational priorities and captures the unavoidable interferences between information and physical security in any security context, second: the abstraction of ratios of resources utilization (i.e. computational power, energy, memory, and other costs). Further extensions include a new attack model that classifies attacks in terms of their impact. This leads to a new approach for analyzing attacks and study adversary’s capabilities at different layers of both the ISMM and network models in the whole system, as one integrated entity against both single and hybrid attacks. As an example of one possible mapping and compatibility of the ISMM with other security-related models, the ISMM layers are mapped to their pertinent peers in network models (i.e. ISO/OSI and TCP/IP), which offers more information about security controls at each layer and its contribution to the actual overall security posture. The ISMM offers a prompt and structured approach to identify the current security state of small communication devices, computing platforms, and large computing environments in a consistent manner. A cost-effective realization is achieved through the optimization of IT and security expenditure. Therefore, the model assists to minimize deficiencies in security implementation. Also, the identification of needs and goals of the following level in the ISMM hierarchy allows a strategic approach proportional to allowable resources to take place, as a result, both goals are reached and cost is reduced much faster. This work is believed to facilitate grounds for future research endeavors such as applying these propositions on simulated examples, real life case studies, and developing a formula for the optimized distribution of security resources in a consistent manner with the best possible security level.

maturity model

information security

IT security

security processes

attack model

optimal security

cost of information security

Electrical and Computer Engineering

Towards evaluating security implementations using the Information Security Maturity Model (ISMM)

Alaboodi, Saad Saleh

January 2007

Information security is a common and ever-present concern for both private and public sector organizations. Information security protects information from a wide range of threats, risks, and vulnerabilities in order to ensure information availability, integrity and confidentiality, and hence business continuity. This research seeks to use a heuristic-based investigation of the Information Security Maturity Model (ISMM), developed by the author, combined with a thorough review of existing models, to suggest considerable extensions. This shall merit various applications leading to establish a connective body of knowledge and bridge a gap in existing literature and industry regarding the information security implementation in light of use of international standards and models. The ISMM model is neither based on a specific technology/protocol (e.g. PKI, IPSec, SSL) nor a certain system/product (e.g. Firewall, Antivirus, IDS), but rather an engineering approach towards a structured and efficient implementation of those technologies. The ISMM is a security-centric model that consists of five distinctive and ordered security layers, each of which has its own definition, scope, and characteristics. The model reflects the three key security processes (prevention, detection and recovery) and captures effects of people (visibility and sophistication) on every layer. It aims essentially to assess the maturity of any security implementation of any size and type (i.e. device, system, or environment). New extensions of the ISMM work are put forward. Literature review is augmented by introducing a new classification of information security models. Additionally, new abstractions are introduced, first: the abstraction of security conceptual boundaries, which signifies rational priorities and captures the unavoidable interferences between information and physical security in any security context, second: the abstraction of ratios of resources utilization (i.e. computational power, energy, memory, and other costs). Further extensions include a new attack model that classifies attacks in terms of their impact. This leads to a new approach for analyzing attacks and study adversary’s capabilities at different layers of both the ISMM and network models in the whole system, as one integrated entity against both single and hybrid attacks. As an example of one possible mapping and compatibility of the ISMM with other security-related models, the ISMM layers are mapped to their pertinent peers in network models (i.e. ISO/OSI and TCP/IP), which offers more information about security controls at each layer and its contribution to the actual overall security posture. The ISMM offers a prompt and structured approach to identify the current security state of small communication devices, computing platforms, and large computing environments in a consistent manner. A cost-effective realization is achieved through the optimization of IT and security expenditure. Therefore, the model assists to minimize deficiencies in security implementation. Also, the identification of needs and goals of the following level in the ISMM hierarchy allows a strategic approach proportional to allowable resources to take place, as a result, both goals are reached and cost is reduced much faster. This work is believed to facilitate grounds for future research endeavors such as applying these propositions on simulated examples, real life case studies, and developing a formula for the optimized distribution of security resources in a consistent manner with the best possible security level.

maturity model

information security

IT security

security processes

attack model

optimal security

cost of information security

Electrical and Computer Engineering