Businesses will be able to tailor their IT security investments more closely to their business priorities, following the creation of an industry-backed information security management standard.
The Information Security Management Maturity Model (O-ISM3), the first of its type, aims to help security professionals focus their resources on systems that are most critical to the business.
Early adopters of the standard have reported significant reductions in the number of security vulnerabilities affecting their IT systems.
The model, created by the Open Group, an independent industry consortium, will help businesses to make continuous improvements to the way they manage security, according to Jim Hietala, VP of security for the group.
"There was not sufficient guidance on how you manage a process that makes up an information systems programme. A continuous improvement approach was lacking in IS security," he said. "It really fills a gap in how you manage your information security programme."
The Spanish financial group Caja Madrid, one of the first organisations to take up the model, says the standard has helped its ethical hacking team to increase the number of vulnerabilities it fixes by a factor of five.
"With O-ISM3, the security team's productivity doubled during the first year of usage," said CISO Miguel Angel Navarrete.
Caja Madrid began the project in early 2008 with a team of four people. It set security targets to match the company's business objectives and created a simple knowledge management system to monitor the security team's progress.
Vicente Aceituno, director of the ISM3 consortium, which developed O-ISM3, was a consultant on the project.
"The key lessons were, first, you have to have priorities and understand what systems are worth more attention. Second, you need to understand you are there to help others fix vulnerabilities. You can't stay in your castle and complain to others that there are problems," he said.
The Open Group plans to develop the model by creating an accreditation programme for individuals and organisations. It also plans a range of industry-specific maturity models, covering, for example, e-commerce and small and medium-sized companies.