Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, Security, Security Metrics
I know it’s a leading question, but I think we’ve got to start asking ourselves where we are when it comes to information security and managing risks to our organizations.
Continuing my quest for how to measure good security, I ran across an excellent article on the Information Systems Audit and Control Association website. (Yes, I admit it, I visit there and read lots of stuff.) The authors grabbed me with a reasonable title, "How Can Security be Measured?", and one of the ways to examine the organization’s security posture as a whole is to use a capability maturity model (CMM). Here’s the good point:
Management needs some measure of how secure the organization is. Organizations need to ask themselves:
* How many resources does it take to be “safe”?
* How can the cost of new security measures be justified?
* Is the organization getting its money’s worth?
* When does the organization know it is “safe”?
* How does the organization compare its posture with others in the industry and with best practice standards?
As you can imagine, there are a number of CMMs out there that relate to information security. The article lists several, and goes on to propose its own. Looking at the different varieties, I scanned over the organizations I have audited over the years, and considered where those organizations were in terms of the size of the business, the number of employees in the IT Department, and the complexity of the IT infrastructure.
The COBIT CMM has a structure I like: five levels of progressive maturity.
1. Initial/ad hoc
2. Repeatable but intuitive
3. Defined process
4. Managed and measurable
5. Optimized
Depending on the size of the organization, we can consider it like so:
1. Initial/ad hoc – Policies are informal; everybody in IT knows all the systems and all the employees
2. Repeatable but intuitive – Policies are informal, but everybody in IT knows what to do
3. Defined process – Procedures have to start getting written down, because the department is too big for everyone to know everything on the systems
4. Managed and measurable – Policies are put in place so that change is managed and communicated due to the size and structure of IT and the business
5. Optimized – Policies and procedures are developed to optimize change and manage risk – including compliance with regulations
If you think about your organization today, where are you in this model?