There are a number of schemes for rating security products, from reviews in specialist security publications to formal Common Criteria evaluation. But how do you benchmark your security management?
But while the standard is an important benchmark, it is not in itself sufficient. As a number of organisations have found (just think of HM Revenue and Customs), implementing ISO 27001 does not mean that you manage security effectively.
This is where project management maturity models come in. One of the most widely recognised models is the Capability Maturity Model Integration (CMMI) developed by the Carnegie Mellon University Software Engineering Institute. CMMI is a framework that assesses the maturity of security management processes and provides a basis for their improvement -- the assumption being that the more mature the process, the more effective it is.
HM Government has adopted this approach to assess the maturity of information security management in government departments. The whole implementation of information security ("Information Assurance" in government-speak) has been rethought and restructured in light of the Data Handling Review, brought about by the loss of personal information by HMRC.
All government departments must measure the effectiveness of their information security practices against the IA Maturity Model. The IA Maturity Model identifies three main goals and six overall processes as follows:
Each of these areas can then be assessed on a scale from Level 1: Initial, to Level 5: Optimised.
Management Review
The above list gives you eleven main processes that you can define and measure using the CMMI model. Once you have decided on your target maturity level, you can then identify where you need to improve, and by how much.
For example, let's consider the "risk assessment" process. It does not matter which risk assessment method you use, but you should have a risk assessment process by which risks are identified, their potential impact on the organisation assessed, and then ranked according to that impact.
Your risk assessment process can be assessed against the CMMI model. The model considers five process characteristics: process formality, process effectiveness, management reporting, process documentation and process reputation. The maturity of your risk assessment process can be assessed against each of these five areas on the CMMI 1 to 5 scale, 1 being "initial," perhaps ad hoc and inadequate, and 5 being "optimised," continuously improving and mature.
Assuming that you have a target CMMI level of 2, or "managed," any of the process characteristics scoring less than two is an area for improvement. In the case of risk management, a level-2 maturity demonstrates that processes are in place in potential disaster scenarios, and responsibilities are clearly established among the proper players. A level-3 maturity, known as "defined," calls for a narrower scope, perhaps for a specific project where needs have to be more clearly spelled out. Level-4, or "quantitatively managed," among other criteria, demonstrates proper assessment of process performance through statistical analysis.
Applying program management maturity models is not painless. You need to understand your security management processes sufficiently to be able to identify them and assess their maturity. However, if you are compliant with a recognised security standard such as ISO 27001 or PCI, these processes should be well defined.
Maturity models can also be applied to other management systems. I have successfully developed them to assess the maturity of business continuity management systems implementing BS 25999.
Finally, maturity models are a good way of assessing where you are in your management of security, and of gauging how far you have got in implementing effective security management processes for your organisation. In organisations where we have applied maturity models, we have found that they are an excellent tool for identifying areas for improvement and for both articulating and justifying why improvement is beneficial.
About the author:
Neil O'Connor is principal consultant with Activity Information Management