There are a number of schemes for rating security products, from reviews in specialist security publications to formal Common Criteria evaluation. But how do you benchmark your security management?
One obvious answer is to comply with the International Standard for Information Security Management,
But while the standard is an important benchmark, it is not in itself sufficient. As a number of organisations have found (just think of HM Revenue and Customs), implementing ISO 27001 does not mean that you manage security effectively.
HM Government has adopted this approach to assess the maturity of information security management in government departments. The whole implementation of information security ("Information Assurance" in government-speak) has been rethought and restructured in light of the Data Handling Review, brought about by the loss of personal information by HMRC.
All government departments must measure the effectiveness of their information security practices against the IA Maturity Model. The IA Maturity Model identifies three main goals and six overall processes as follows:
- Leadership and Governance
- Training, Education and Awareness
- Information Risk Management
- Through-Life IA Measures
- Assured Information Sharing
Each of these areas can then be assessed on a scale from Level 1: Initial, to Level 5: Optimised.
Using CMMI to assess security management processes
To assess your information security management system, you first need to identify your main management processes. Following the main ISO 27001 management system requirements, you might come up with something like the following as your main areas of concern:
The above list gives you eleven main processes that you can define and measure using the CMMI model. Once you have decided on your target maturity level, you can then identify where you need to improve, and by how much.
For example, let's consider the "risk assessment" process. It does not matter which risk assessment method you use, but you should have a risk assessment process by which risks are identified, their potential impact on the organisation assessed, and then ranked according to that impact.
Your risk assessment process can be assessed against the CMMI model. The model considers five process characteristics: process formality, process effectiveness, management reporting, process documentation and process reputation. The maturity of your risk assessment process can be assessed against each of these five areas on the CMMI 1 to 5 scale, 1 being "initial," perhaps ad hoc and inadequate, and 5 being "optimised," continuously improving and mature.
Assuming that you have a target CMMI level of 2, or "managed," any of the process characteristics scoring less than two is an area for improvement. In the case of risk management, a level-2 maturity demonstrates that processes are in place in potential disaster scenarios, and responsibilities are clearly established among the proper players. A level-3 maturity, known as "defined," calls for a narrower scope, perhaps for a specific project where needs have to be more clearly spelled out. Level-4, or "quantitatively managed," among other criteria, demonstrates proper assessment of process performance through statistical analysis.
Applying program management maturity models is not painless. You need to understand your security management processes sufficiently to be able to identify them and assess their maturity. However, if you are compliant with a recognised security standard such as ISO 27001 or PCI, these processes should be well defined.
Maturity models can also be applied to other management systems. I have successfully developed them to assess the maturity of business continuity management systems implementing BS 25999.
Finally, maturity models are a good way of assessing where you are in your management of security. They provide a means of gauging where you are in implementing effective security management processes for your organisation. In organisations where we have applied maturity models, we have found that they are an excellent tool for identifying areas for improvement and both articulating and justifying why improvement is beneficial.
About the author:
Neil O'Connor is principal consultant with Activity Information Management.
This was first published in August 2009