- O-ISM3
-
Articles
- Ten ways ISMS fail
- How can you Measure how Secret a Secret is?
- What is the Maturity of your ISMS?
- Risk, Investment and Maturity
- Compliance vs Continuous Improvement
- A primer in Metrics driven Process Management
- Process Management with Security Metrics
- Measuring Security
- Beyond Authentication, Authorization and Accounting
- Return On Security Investment
- Standards, standards, standards, Are they any good?
-
by Vicente Aceituno Canal
- Slideshare
- Youtube
- Youtube (Spanish)
- Contact
-
Foundations
- Ask Smart Questions to Set Security Service Levels
- Can you pass the O-ISM3 Test?
- The CIA triad is not helping you as much as you think
- Advanced Classification of Information
- Security Foundations Series: Secrecy
- Security Foundations Series: Privacy
- Security Foundations Series: Availability
- Security Foundations Series: Expiration
- Security Foundations Series: Retention
- Security Foundations Series: Quality
- Security Foundations Series: Compliance
- Security Foundations Series: Technical Objectives
- Security Foundations Series: Intellectual Property you Own
- Security Foundations Series: Intellectual Property you Use
- What is an Operational, Positive Definition of Security
- Operational Definitions for Security
- Information Assurance Markup Language
- Security Quarks help communicate with non IT people
- Security Quarks and the Cookie Monster
- Information Security Paradigms
Bankia’s experience with O-ISM3
CajaMadrid (now Bankia) started using O-ISM3 in the security process of ethical hacking of systems and applications. Several enhancements were made in order to measure the metrics of this process, and a Service Level Agreement was established based on those metrics. Using O-ISM3 criteria, the classification of information systems, which determines how frequently the systems are tested, was improved.
As a result of O-ISM3 implementation, the team’s productivity doubled during the first year. The follow-up reports with metrics made collaboration between developers, system administrators and security personnel easier and more productive. The information available is so detailed that CajaMadrid now uses objective criteria to give an award to the manager whose applications or systems present the fewest vulnerabilities, and vulnerabilities that are found are fixed faster.
The methodology’s orientation on deliverables makes the entire evidence-generating activity possible, which means that it is auditable, measurable and manageable. As the management system is metrics based, daily operations do not require audits for improvement, speeding up the improvement cycle significantly. When metrics correlate well with pursued goals, process improvement leads directly to the achievement of goals with greater effectiveness, efficiency and quality. Metrics make the status and progress of activities clearly visible, making it easier to reach agreements with our internal client and partners, and communicate our achievements to upper management. Ultimately, this methodology allows information security to be managed using best practices that apply to business in general. Based on the success of the methodology, we are extending the use of the method to other processes.
This is what the CISO had to say: "We are very interested in the method, and once it has been set up, it is simple to use.”
Bankia is ISO27001 and ISO20000 certified, and uses CMMI-3 and standards like ITIL, OSSTMM and many others. O-ISM3 integrates seamlessly with all of them and we have even received a positive note about our ISMS certification thanks to ISM3.