How project management maturity models can reveal security strength

How mature are your security management processes? Neil O'Connor reviews a model that can help you find out.

Information security is not just about technology -- it is also about proper management, including risk assessment, education and awareness, implementation of security controls, incident management, monitoring and reporting.

There are a number of schemes for rating security products, from reviews in specialist security publications to formal Common Criteria evaluation. But how do you benchmark your security management?

One obvious answer is to comply with the International Standard for Information Security Management, ISO 27001 -- or even better to be independently certified as meeting the standard. I am an enthusiastic advocate of 27001.

But while the standard is an important benchmark, it is not in itself sufficient. As a number of organisations have found (just think of HM Revenue and Customs), implementing ISO 27001 does not mean that you manage security effectively.

This is where project management maturity models come in. One of the most widely recognised models is the Capability Maturity Model Integration (CMMI) developed by Carnegie Mellon University. CMMI is a framework that assesses the maturity of security management processes and provides a basis for their improvement -- the assumption being that the more mature the process, the more effective it is.

HM Government has adopted this approach to assess the maturity of information security management in government departments. The whole implementation of information security ("Information Assurance" in government-speak) has been rethought and restructured in light of the Data Handling Review, brought about by the loss of personal information by HMRC.

All government departments must measure the effectiveness of their information security practices against the IA Maturity Model. The IA Maturity Model identifies three main goals and six overall processes as follows:

  • Embedding Information Risk Management Culture within the Organisation
    • Leadership and Governance
    • Training, Education and Awareness
    • Information Risk Management
  • Implementing Best Practice IA Measures
    • Through-Life IA Measures
    • Assured Information Sharing
  • Effective Compliance
    • Compliance

Each of these areas can then be assessed on a scale from Level 1: Initial, to Level 5: Optimised.

Using CMMI to assess security management processes

To assess your information security management system, you first need to identify your main management processes. Following the main ISO 27001 management system requirements, you might come up with something like the following as your main areas of concern:

  • Policy Definition
  • Risk Assessment
  • Management Approval and Acceptance
  • Control Selection
  • Risk Treatment
  • Training and Awareness
  • Measuring Effectiveness
  • Audit
  • Corrective and Preventative Action
  • Document Control and Control of Records
  • Management Review

The above list gives you eleven main processes that you can define and measure using the CMMI model. Once you have decided on your target maturity level, you can then identify where you need to improve, and by how much.

For example, let's consider the "risk assessment" process. It does not matter which risk assessment method you use, but you should have a risk assessment process by which risks are identified, their potential impact on the organisation assessed, and then ranked according to that impact.

Your risk assessment process can be assessed against the CMMI model. The model considers five process characteristics: process formality, process effectiveness, management reporting, process documentation and process reputation. The maturity of your risk assessment process can be assessed against each of these five areas on the CMMI 1 to 5 scale, 1 being "initial," perhaps ad hoc and inadequate, and 5 being "optimised," continuously improving and mature.

Assuming that you have a target CMMI level of 2, or "managed," any of the process characteristics scoring less than two is an area for improvement. In the case of risk management, a level-2 maturity demonstrates that processes are in place in potential disaster scenarios, and responsibilities are clearly established among the proper players. A level-3 maturity, known as "defined," calls for a narrower scope, perhaps for a specific project where needs have to be more clearly spelled out. Level 4, or "quantitatively managed," among other criteria, demonstrates proper assessment of process performance through statistical analysis.
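The gap analysis described above (score each process on the five characteristics, compare each score with the target level, and flag anything below it) is mechanical enough to script. The following is an added example, not code from the article or from Activity Information Management. The process names are the eleven ISO 27001-derived processes listed earlier and the characteristic names are the five from the article; the scores are constructed sample data, and the rule that a process's overall maturity is its weakest characteristic is this example's own assumption, since the article does not say how to aggregate the five scores.

```python
"""Maturity gap analysis for security management processes (constructed example)."""
from dataclasses import dataclass

# The five process characteristics named in the article.
CHARACTERISTICS = (
    "formality",
    "effectiveness",
    "management_reporting",
    "documentation",
    "reputation",
)

# CMMI level names as used in the article.
LEVEL_NAMES = {
    1: "Initial",
    2: "Managed",
    3: "Defined",
    4: "Quantitatively Managed",
    5: "Optimised",
}


@dataclass
class ProcessAssessment:
    """One management process scored 1..5 on each characteristic."""
    name: str
    scores: dict  # characteristic -> level

    def __post_init__(self):
        # Refuse incomplete or out-of-range assessments rather than silently
        # reporting a process as "mature" because a characteristic was skipped.
        missing = set(CHARACTERISTICS) - set(self.scores)
        if missing:
            raise ValueError(f"{self.name}: unscored characteristics {sorted(missing)}")
        for c, v in self.scores.items():
            if c not in CHARACTERISTICS or not 1 <= v <= 5:
                raise ValueError(f"{self.name}: invalid score {c}={v}")

    def maturity(self) -> int:
        # Assumption (not from the article): a process is only as mature as
        # its weakest characteristic, so take the minimum rather than the mean.
        return min(self.scores.values())

    def gaps(self, target: int) -> dict:
        """Characteristics scoring below target, with how many levels short they are."""
        return {c: target - v for c, v in self.scores.items() if v < target}


def gap_report(assessments, target: int):
    """Return (process, maturity, gaps, total_shortfall) tuples, worst first.

    Sorting by total shortfall gives a rough priority order for improvement work.
    """
    rows = []
    for a in assessments:
        g = a.gaps(target)
        rows.append((a.name, a.maturity(), g, sum(g.values())))
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


def format_report(rows, target: int) -> str:
    """Render the report as plain text suitable for a management review pack."""
    lines = [f"Target level: {target} ({LEVEL_NAMES[target]})"]
    for name, maturity, gaps, total in rows:
        status = "OK" if not gaps else f"{total} level(s) short"
        lines.append(f"{name}: level {maturity} ({LEVEL_NAMES[maturity]}) - {status}")
        for c, short in sorted(gaps.items()):
            lines.append(f"    {c}: {short} level(s) below target")
    return "\n".join(lines)


# Constructed sample scores for three of the eleven processes.
SAMPLE = [
    ProcessAssessment("Risk Assessment", {
        "formality": 2, "effectiveness": 1, "management_reporting": 1,
        "documentation": 2, "reputation": 3,
    }),
    ProcessAssessment("Policy Definition", {
        "formality": 3, "effectiveness": 3, "management_reporting": 3,
        "documentation": 3, "reputation": 3,
    }),
    ProcessAssessment("Audit", {
        "formality": 2, "effectiveness": 2, "management_reporting": 1,
        "documentation": 2, "reputation": 2,
    }),
]

if __name__ == "__main__":
    print(format_report(gap_report(SAMPLE, target=2), target=2))
```

With the sample data and a target of level 2, "Risk Assessment" comes out first with two characteristics a level short, "Audit" next with one, and "Policy Definition" last with no gaps. The validation in `__post_init__` matters in practice: a characteristic that was never scored is far more often a sign that nobody owns it than that it is fine.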

Applying project management maturity models is not painless. You need to understand your security management processes sufficiently to be able to identify them and assess their maturity. However, if you are compliant with a recognised security standard such as ISO 27001 or PCI, these processes should be well defined.

Maturity models can also be applied to other management systems. I have successfully developed them to assess the maturity of business continuity management systems implementing BS 25999.

Finally, maturity models are a good way of assessing where you are in your management of security. They provide a means of gauging where you are in implementing effective security management processes for your organisation. In organisations where we have applied maturity models, we have found that they are an excellent tool for identifying areas for improvement and both articulating and justifying why improvement is beneficial.

About the author:
Neil O'Connor is principal consultant with Activity Information Management.
