Can you pass the O-ISM3 Test?

The O-ISM3 Test presents you with a Use Case scenario. The Use Case is a fictional travel agency in Madrid, Spain. Your role is to act as information security consultant who is preparing a meeting where you have to determine what are the information security needs of the Travel Agency.

The current state of affairs is that most information security professionals use the concepts of Confidentiality, Integrity and Availability for audits, consulting projects, risk assessment and management, and development of new standards. These concepts present a series of problems that have yet to be solved. The use of ambiguous, incomplete, not operational concepts without units of measurement has created a number of problems for information security management. Communication with between specialists and non-specialists in information security is difficult. Demonstrating the value of information security is difficult. Generally speaking, the use of these proxy concepts that don't add value makes information security management more difficult that it needs to be. Time is wasted, security projects that need funding don't get it, and trendy projects with little return get the green light. Luckily, change is possible.

The O-ISM3 Test pits the CIA triad versus O-ISM3 security objectives. In order to pass the O-ISM3 Test you have to solve the Use Case. You have two options: using traditional concepts like Confidentiality, Integrity, Availability (CIA triad option), or new concepts like O-ISM3’s security objectives. (OISM3 option). The options are mutually exclusive.

Determining the security needs of the Use Case will enable the you (the consultant) to determine the reasonable security measures to be applied, which are likely to be different, and cheaper, than all the security measures that could be taken. In order to prove that they can successfully determine the security needs, you have to create a meeting Agenda with a list of Questions to ask the managers or employees of the client company. This should be, in principle, easy since ALL THE ANSWERS PART OF THE USE CASE ARE AVAILABLE.

You have a choice to make:

  • CIA Option: Questions can ONLY ask about Confidentiality, Integrity and Availability. NOT using at least one of these terms (or Confidential, Integer, Available) in any question results in a FAIL.
  • O-ISM3 Option : Questions can NOT ask about Confidentiality, Integrity or Availability. Using ANY of these terms in any question will result in a FAIL.

For a question to be valid it should render naturally the answers given, for someone with intimate knowledge of the Use Case.

Since 13/4/2017 when the O-ISM3 was originally published, no one has ever passed this test using the CIA Option. if you think you did, please post online your list of questions and let me know via Twitter. You think you can? Download the O-ISM3 Test here.

Please note that there is a difference between finding out what the Travel Agency needs and what the Travel Agency might do regarding information security. If we were to compare the security practices of the Travel Agency with some standard, we could find out that the Travel Agency is not doing everything that a standard says can be done. There is a difference between doing everything that is standards state is possible, and everything that meets the needs of the business.

To learn more of why the O-ISM3 Test is important, check my lecture on Measuring Security.