[SAMM] SAMM and ISM3

Colin Watson colin.watson at owasp.org
Fri Dec 11 10:23:51 EST 2009


Dear all

I have created an initial spreadsheet as per Pravir's suggestion,
including the separate activities - attached.

Perhaps we can divide up the ISM3 v2.3 (the current version) processes
amongst those of us with time to look at this?  The processes are listed
in the order, and with the capitalisation, used in the v2.3 document contents:

GP-1 Knowledge management
GP-2 ISM System and Business Audit
GP-3 ISM Design and Evolution
SSP-1 Report to stakeholders
SSP-3 Strategic vision
SSP-4 Define Division of Duties roles
SSP-6 Allocate resources for information security
TSP-1 Report to strategic management
TSP-2 Manage allocated resources
TSP-3 Define Security Targets and Security Objectives
TSP-6 Security Architecture
TSP-4 Service Level Management
TSP-13 Insurance Management
TSP-7 Background Checks
TSP-8 Personnel Security
TSP-9 Security Personnel Training
TSP-10 Disciplinary Process
TSP-11 Security Awareness
TSP-14 Information Operations
OSP-1 Report to tactical management
OSP-2 Security Procurement
OSP-3 Inventory Management
OSP-4 Information Systems Environmental Change Control
OSP-5 Environment Patching
OSP-6 Environment Clearing
OSP-7 Environment Hardening
OSP-8 Software Development Lifecycle Control
OSP-9 Security Measures Change Control
OSP-16 Segmentation and Filtering Management
OSP-17 Malware Protection Management
OSP-11 Access control
OSP-12 User Registration
OSP-14 Physical Environment Protection Management
OSP-26 Enhanced Reliability and Availability Management
OSP-10 Backup Management
OSP-15 Operations Continuity Management
OSP-27 Archiving Management
OSP-19 Internal Technical Audit
OSP-20 Incident Emulation
OSP-21 Information Quality and Compliance Probing
OSP-22 Alerts Monitoring
OSP-28 External Events Detection and Analysis
OSP-23 Internal Events Detection and Analysis
OSP-24 Handling of incidents and near incidents
OSP-25 Forensics

We should also decide on the approach.  Are we trying to find all ISM3
processes that might include something relevant to each SAMM objective
or activity, or something else?  A process like "OSP-8 Software
Development Lifecycle Control" might be mapped to every SAMM activity
perhaps, and "OSP-24 Handling of incidents and near incidents" might
only be mapped to VM1, VM2 and VM3 activities?

Do we need to consider the Maturity Levels (Basic, SME, eCommerce, etc.)?

While going through ISM3, would it be worth mapping to ASVS at the same time?

Colin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: owasp-samm-mappings-ism3.xls
Type: application/vnd.ms-excel
Size: 36352 bytes
Desc: not available
URL: https://lists.owasp.org/pipermail/samm/attachments/20091211/79601ff8/attachment-0001.xls