Measuring IT and Security for Maturity
Sun, 2008-11-30 19:38
To address the changing landscape of information assurance, and the desire of companies to understand how effective their security and IT governance processes actually are, this post recommends a comprehensive security and risk measurement approach based on the ISO 27001/2 standards and the Capability Maturity Model (CMM) developed at Carnegie Mellon.
A risk assessment should combine a standards-based evaluation tool, specific skills, and certified methodologies proven in use. By reviewing security documentation, processes and evidence, and by conducting structured interviews, the evaluators build a picture of the maturity and capability of the security and IT program.
First, you assume that industry best practices are employed, and evaluate the governance of those practices rather than the practices themselves. If a control simply does not exist, it is assigned a level of zero (0), representing a fundamental gap. Second, you identify the components of best practice that are not applicable to the organization and remove those controls from the calculation, so they neither raise nor lower the score.
The risk assessment presents the answers to the ISO 27001/2 assessment questionnaire as scores from 0 to 5 and rolls them up into an overall score. The overall score is reported alongside the score for each domain and the company's recommended baseline, which is determined from previous evaluations or from ISO 27001 industry guidance.
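The scoring rules above (missing control scores 0 and counts as a fundamental gap, not-applicable controls are dropped from the calculation, domain scores are compared with a baseline) are small enough to show in full. The following is an added example, not code from the original post: the domain names, control labels, answers and baseline targets are constructed for illustration, and the roll-up of the overall score as the mean of all applicable control answers is an assumption of the example, since the post does not specify how the overall figure is derived.

```python
"""Maturity scoring for an ISO 27001/2-style questionnaire.

Added example, not code from the original post. Domain names, control
labels, answers and baseline targets below are constructed for illustration.
"""
from statistics import mean

NOT_APPLICABLE = None   # control is not applicable: removed from the calculation
LEVELS = range(0, 6)    # SSE-CMM style maturity levels 0 (not performed) to 5


def is_valid_score(value):
    """A questionnaire answer is either N/A or an integer maturity level 0-5."""
    if value is NOT_APPLICABLE:
        return True
    return isinstance(value, int) and not isinstance(value, bool) and value in LEVELS


def score_domain(controls):
    """Score one domain: mean maturity of the applicable controls.

    Controls marked N/A are dropped before averaging; controls scored 0 still
    count (they pull the average down) and are reported as fundamental gaps.
    """
    for name, value in controls.items():
        if not is_valid_score(value):
            raise ValueError(f"{name}: answer must be N/A or 0-5, got {value!r}")
    applicable = {n: v for n, v in controls.items() if v is not NOT_APPLICABLE}
    score = round(mean(applicable.values()), 2) if applicable else None
    return {
        "score": score,
        "applicable": len(applicable),
        "gaps": sorted(n for n, v in applicable.items() if v == 0),
    }


def assess(answers, baselines):
    """Score every domain, compare it with its baseline and roll up an overall score.

    The overall score is the mean of all applicable control answers across
    domains (an assumption of this example; the post does not fix the roll-up).
    """
    domains = {}
    all_scores = []
    for domain, controls in answers.items():
        result = score_domain(controls)
        baseline = baselines.get(domain)   # None if no baseline was agreed for the domain
        result["baseline"] = baseline
        result["meets_baseline"] = (
            result["score"] is not None
            and baseline is not None
            and result["score"] >= baseline
        )
        domains[domain] = result
        all_scores.extend(v for v in controls.values() if v is not NOT_APPLICABLE)
    overall = round(mean(all_scores), 2) if all_scores else None
    return {"overall": overall, "domains": domains}


# Constructed sample answers: domain -> {control label: level or N/A}
ANSWERS = {
    "Access control": {
        "access control policy": 3,
        "user provisioning and de-provisioning": 2,
        "privileged access review": 0,          # control does not exist: fundamental gap
    },
    "Cryptography": {
        "cryptographic key management": NOT_APPLICABLE,  # no in-house key handling: excluded
        "cryptographic controls policy": 4,
    },
}

# Constructed per-domain baselines (from prior evaluations or the guidance in use)
BASELINES = {"Access control": 3.0, "Cryptography": 3.0}


if __name__ == "__main__":
    report = assess(ANSWERS, BASELINES)
    print(f"Overall maturity: {report['overall']}")
    for domain, r in report["domains"].items():
        status = "meets" if r["meets_baseline"] else "below"
        print(f"{domain}: {r['score']} ({status} baseline {r['baseline']}, "
              f"{r['applicable']} applicable controls, gaps: {r['gaps'] or 'none'})")
```

Note that the single N/A control in the constructed "Cryptography" domain leaves one applicable control, so that domain's score is just that control's level; a domain where every control is N/A yields no score at all rather than a misleading zero, which keeps "not applicable" distinct from "not performed".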
In short, the SSE-CMM defines the processes and capabilities expected at each level within the area under evaluation. At each higher level, the SSE-CMM is less about a specific security attribute and more about the role of security within the organization.
The SSE-CMM presents five levels (beyond Level 0) of capability (Carnegie Mellon University, 2003):
- Level 0 - Not Performed or Not Applicable
- Level 1 - Performed Informally
- Level 2 - Planned and Tracked
- Level 3 - Well Defined
- Level 4 - Quantitatively Controlled
- Level 5 - Continuously Improving
The more mature the security and IT governance processes are, the better security practices and technology fit the business. As effectiveness increases, or reaches a point that mirrors the organization's desired security posture and risk profile, the return on investment grows: controls last longer, are more flexible, and, because operational visibility is better, changes can be implemented quickly in response to business dynamics.
To gain as much value as possible from the process, it is critical to understand what level of maturity is acceptable for each area and for the company overall. Reaching the next level in a capability maturity model typically requires a significant increase in investment to develop and establish more advanced processes, and that investment may simply be too great in light of the risk and the desired security posture. A low score may therefore be acceptable when balanced against the demands, desires and constraints of the business. This is where the ISO 27001 module, used within the survey assessment process, gives your company a perspective on what level is acceptable by making the overall maturity of the organization visible.
Reader Feedback
Tue, 2008-12-02 20:21
Measuring IT and Security for Maturity
By Craig Schiller

Jeff, great idea. I've actually been doing this since 1993, although at the time it was BS 7799. Here are a few extensions to your idea to consider. ISO 27001/2 are focused on security from the security management perspective. The SSE-CMM is a secure software engineering extension of the original software CMM (now CMMI) concept and as such focuses on the software development perspective of security. In my opinion it could use updating to include aspects unique to web centric programming. Its fundamentals are still relevant. The SSE-CMM doesn't cover security operations. If you add the Open Source Security Testing Methodology Manual (OSSTM) you get up-to-date testing concepts. ITIL (written in the late 80s) covers IT operations in general but doesn't do a great job in the area of security and also could use a facelift for the modern web centric environment. CobIT addresses security from the perspective of audit and does a great job. In the mid-90s, Tim Stacey developed a method of collecting and trending the security attitudes of individuals or groups in an organization. This was based on the use of a method called an Oregon matrix from TQM. Using these various perspectives and creating an assessment process against each perspective would give you a comprehensive view of security. I've heard that Fishnet Security, a California company, is working on a commercial product that combines many of these. (No, I am not affiliated with them in any way.)

The method you suggest is very similar to a Risk Management approach I call Baseline Risk Management, which leverages existing security baselines like ISO 27001/2 and gap analysis instead of quantitative or qualitative risk management methods to prioritize security remediation efforts. Baseline Risk Management is an attempt to reconcile risk management methodologies with complaints raised over the years by Donn Parker.
