Measuring IT and Security for Maturity

Opinion
Nov 30, 2008 | 3 mins
IT Leadership

In an effort to address the changing landscape of information assurance and the desire for companies to understand the effectiveness of their security and IT governance processes, the use of a comprehensive security and risk measurement solution based on the ISO27001/2 standard and the Carnegie Mellon Capability Maturity Model (CMM) is recommended.

A risk assessment should combine a standards-based evaluation tool, specific skills, and certified methodologies proven through use. By reviewing security documentation, processes, and evidence, and performing structured interviews, security and IT program evaluations take place that provide a perspective of maturity and capability.

First and foremost, the assessment assumes that industry best practices are employed and therefore evaluates the governance of those best practices. If a control simply does not exist, a level of zero (0) is assigned, representing a fundamental gap. Secondly, it takes into account when a component of the best practice is simply not applicable to the organization, and removes that control from the calculation.

The risk assessment presents the ISO27001/2 assessment questionnaire answers in the form of a 0-5 score and provides an overall representation of the score. The overall score is presented alongside the scores for each domain and the company's recommended baseline, determined by previous evaluations or by ISO27001 industry-recommended guidelines.

In short, the Systems Security Engineering CMM (SSE-CMM) defines the expected processes and capabilities for each level within the area of evaluation. At each higher level, the SSE-CMM becomes less about a specific security attribute and more about the role of security within the organization.

The SSE-CMM presents five levels of capability beyond Level 0 (Carnegie Mellon University, 2003):

• Level 0 – Not Performed or Applicable
• Level 1 – Performed Informally
• Level 2 – Planned and Tracked
• Level 3 – Well Defined
• Level 4 – Quantitatively Controlled
• Level 5 – Continuously Improving
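As an added illustration of the scoring described above (not code from the original article), the following scorer applies the 0-5 capability levels to a questionnaire: non-applicable controls are dropped from the calculation rather than counted as zero, a Level 0 answer is flagged as a fundamental gap, and each domain is compared against a recommended baseline. The domain names, control labels and baseline values are constructed sample data.

```python
from statistics import mean
from typing import Optional

# SSE-CMM capability levels used to score each ISO 27001/2 control.
LEVELS = {
    0: "Not Performed",
    1: "Performed Informally",
    2: "Planned and Tracked",
    3: "Well Defined",
    4: "Quantitatively Controlled",
    5: "Continuously Improving",
}

def score_domain(answers: dict[str, Optional[int]]) -> Optional[float]:
    """Average capability level of a domain's controls.

    A None answer marks a control that is not applicable to the organization;
    it is removed from the calculation instead of being scored as zero.
    Returns None when every control in the domain was not applicable."""
    applicable = [v for v in answers.values() if v is not None]
    for v in applicable:
        if v not in LEVELS:
            raise ValueError(f"capability level must be 0-5, got {v}")
    return mean(applicable) if applicable else None

def assess(questionnaire, baseline):
    """Score each domain and the overall program; list gaps against the baseline."""
    report = {"domains": {}, "gaps": [], "fundamental_gaps": []}
    for domain, answers in questionnaire.items():
        s = score_domain(answers)
        report["domains"][domain] = s
        # Level 0 means the control does not exist at all: a fundamental gap.
        report["fundamental_gaps"] += [f"{domain}/{c}" for c, v in answers.items() if v == 0]
        if s is not None and s < baseline.get(domain, 0):
            report["gaps"].append(domain)
    scored = [s for s in report["domains"].values() if s is not None]
    report["overall"] = round(mean(scored), 2) if scored else None
    return report

# Constructed sample questionnaire: domain names, control labels (C1, C2, ...)
# and baseline levels are illustrative only, not taken from any real assessment.
SAMPLE = {
    "Access control": {"C1": 3, "C2": 2, "C3": None},
    "Cryptography": {"C1": 0},
    "Supplier relationships": {"C1": None, "C2": None},
}
BASELINE = {"Access control": 3.0, "Cryptography": 2.0, "Supplier relationships": 3.0}

if __name__ == "__main__":
    print(assess(SAMPLE, BASELINE))
```

A domain in which every control was not applicable scores None and is left out of the overall average, so it neither inflates nor drags down the program score.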

The more mature an organization's security and IT governance processes are, the more applicable its security practices and technology are to the business. As effectiveness increases, or reaches a point that mirrors the organization's desired security posture and risk profile, the return on investment grows: the controls last longer, offer greater flexibility, and, thanks to increased operational visibility, can be changed quickly to address a business dynamic.

To gain as much value as possible from the process, it is critical to understand what level of maturity is acceptable for each area assessed and for the needs of your company overall. Achieving the next level in a capability maturity model typically requires a significant increase in investment in the development and establishment of advanced processes. This may simply be too great an investment in light of the risk and the desired security posture. Therefore, a low score may be acceptable when balanced against the demands, desires and constraints of the business. It is at this point that the ISO27001 module, used within the survey assessment process, gives your company a perspective on what level is acceptable by providing visibility into the overall maturity of the organization.