Success Case: How Using O-ISM3 Increased the Maturity of the National Bank of Panamá

Printer-friendly version
Sub Heading: 
Hubert Demercado Lewis, Executive Consultant, Centauri

Success Case: How Using O-ISM3 Increased the Maturity of the National Bank of Panamá

The National Bank of Panama wants to stays ahead in information security

After talking with the National Bank of Panama, we suggested an approach based on the Management Maturity Model of Information Security (ISM3). The initial scope of the management system was online banking platform, and given the excellent results schema will be extended to other systems of the Bank. From the point of view of maturity, the system will extend the maturity level 2 to 3.  In fact, the O-ISM3 management system has given such positive results, that some managers are using it for services that are not related to the security information field.

When deciding how to implement the management environment, the Bank assessed the use of standards such as ISO 2700x and CobIT. The Bank got a management system in which it was possible to measure the results, model business, and given the relative delay that led to the launch of the strategic plan, a system to get started with a modest level of maturity, and continually evolve from that point. It was also considered important that the management system be integrated easily with ITIL and CMMI. A major influence on the selection process was an observation of the Cloud Security Alliance to clearly define the key management scheme is to improve safety and to present evidence audit.

Quick wins that we have achieved using O-ISM3 was the capacity to show results to the Bank managers, identify how results benefit the organization, and check what changes in the process make the process improve and by how much. It also facilitates accountability.  One main example was to show the firewall compliance with the goal defined by the Bank considering the number of times the firewall rules was updated, the availability of the firewall as well as systems protected by the firewall, the number of packets passed and dropped) and what percentage of network boundaries are protected with firewalls.

We have developed a central balanced scoreboard that show the alignment between security objectives and business goals. By our own experience working with iso 27001 this task is hard to achieve. It seems that ISM3 builds a direct link between what the organization does (outputs) and what the organization wants to achieve (goals). Also the standard was so straight forward that we have been able to integrate it with the ISO 22301 and Panamá local regulations; the separation of roles between processes (General process, Strategic process, Tactical process, and operational process) helps a lot assigning duties to the people working on the National Bank online banking platform.

The final goal was to strengthen its information security management and achieve the most rigorous possible within the appropriate levels of risk and investment protection. Hence the idea of a gap analysis comparing the current management against best industry practices arises. This will reuse the existing infrastructure and strengthen methodically to levels of highly reliable certifiable maturity.

A team of eight people from Centauri Technologies and Service Provider Cable Onda, coordinating with project managers from the Bank have implemented a system that fully outsourced the online banking platform security management in three months. The design was done in a month, and the transition to operating it was completed two months after this. The biggest challenge of the implementation was to enlist the entire chain of responsibility, but once they could see the value of the system, using the appropriate level of detail, it was the centerpiece of performance.

Both the Bank and “Cable Onda with Centauri” develop a robust information security governance, we think that ISM3 works regardless of the service or deployment model. Also we have learn that the information security governance should be a collaboration between customers and providers to achieve agreed upon goals which support the business mission and information security program. The service model may adjust the defined roles and responsibilities in collaborative information security governance and risk management (based on the respective scope of control for user and provider), while the deployment model may define accountability and expectations (based on risk assessment).

We have introduce important concepts to our final client (National bank of Panama) such as risks in context, controls and reliability (assurance).  ISM3 facilitates improve organizational security. It is compatible with ISO 27001 and ISO 9000; but, unlike these, using a model of progressive maturity instead of the certification scheme / non-certification. It is also compatible with COBIT, but much more specific security.

Open Information Security Management Maturity Model (O-ISM3)

The Open Information Security Management Maturity Model (O-ISM3) is The Open Group framework for managing information security. It aims to ensure that security   processes operate at a level consistent with business requirements. ISM3 is technology-neutral and focuses on the common processes of information security which most organizations share. As well as complementing the TOGAF® model for enterprise architecture, ISM3 defines operational metrics and their allowable variances.

Intended audience:  Managers, Security Specialists, CISO

Key takeaways:

  • Build an effective information Security management system based on metrics.
  • Risk analysis based on business goals instead of a security controls approach


Hubert Demercado Lewis, Executive Consultant, Centauri has experience in information security and technology fields for the past 10 years. He possess extensive experience in penetration testing, architecture design, network security, and security consulting.  Hubert has the international security certification Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker certification (ECC925283), GIAC Certified Firewall Analyst, among others.

Hubert has been responsible for dozens of projects in network security field, disaster recovery and contingency planning, developing security policies, risk analysis and safety awareness.  He was in charge of the Project Design and Implementation of the infrastructure of digital certificates (PKI) at the national level in the Republic of Panama for the Government Innovation Authority. Hubert was responsible for the design and implementation of the O-ISM3 at the National Bank of Panamá

Hubert is a graduate of the immersion program information security executive at the University of California Berkeley; and trained in Korea in the management of Certification Authorities. He has been a college instructor in information security.

Hubert holds a Masters in Information Security at the Interamerican University of Panama and BS in computer systems engineering from the Technological University of Panama.



Home | Sitemap | Privacy | Legal