Security Maturity Assessment

Schlumberger Public. Assessing the Security Maturity of an Organization. Claude R. Baudoin, Colin R. Elliott

Transcript of Security Maturity Assessment

Page 1: Security Maturity Assessment

Assessing the Security Maturity of an Organization

Claude R. Baudoin

Colin R. Elliott

Page 2: Security Maturity Assessment

Overview

Organizations need to measure their level of readiness with respect to security risks

You cannot improve what you do not measure

Without a standard or methodology that provides objective and comparable measurements, the exercise is arbitrary

A standard like ISO 17799 does not, by itself, allow an organization to:

establish its level of compliance

measure progress over time

decide on required actions

prioritize them in view of finite budgets and resources

We have developed a new assessment tool, the Security Maturity Assessment

based on the SEI Capability Maturity Model (CMM) approach

includes practical advice on how to conduct an assessment

fits within an overall security improvement plan

patent pending

Page 3: Security Maturity Assessment

The Challenge

The CIO or CSO needs to know:

How secure am I?

Am I better off now than I was at this time last year?

Am I spending the right amount of money?

How do I compare with my peers?

Conflicting inputs and constraints:

Clients and regulators demand provable assurances

Vendors propose products

Budget constraints

Page 4: Security Maturity Assessment

A Source for Best Practices – ISO 17799

Originally “British Standard 7799”

Adopted internationally as ISO 17799 in 2000

Divides security into 10 areas:

Information Security Policy

Organizational Security

Asset Classification and Control

Personnel Security

Physical and Environmental Security

Communications and Operations Management

Access Control

System Development and Maintenance

Business Continuity Management

Compliance

Page 5: Security Maturity Assessment

“Capability Maturity Model” Concept

Developed in the early 1990s by the Software Engineering Institute (SEI) at Carnegie Mellon University to improve software processes (the CMM for Software)

5 levels

"Key Process Areas" must be in place to qualify for each level

Widely adopted by the software industry

Key Process Areas, grouped by the level at which they must be in place:

Level 2 (Repeatable)

• Requirements Management

• Project Planning

• Project Tracking / Oversight

• Subcontract Management

• Configuration Management

Level 3 (Defined)

• Organization Process Focus

• Organization Process Definition

• Training Program

• Integrated Software Management

• Software Product Engineering

• Intergroup Coordination

• Peer Reviews

Level 4 (Managed)

• Quantitative Process Management

• Software Quality Management

Level 5 (Optimizing)

• Defect Prevention

• Technology Change Management

• Process Change Management

Level 1: Initial. Ad hoc, unpredictable, chaotic.

Level 2: Repeatable. Management oversight and tracking of projects; stable planning and product baselines.

Level 3: Defined. Software process defined and institutionalized to provide product quality control.

Level 4: Managed. Product quality planning; tracking of measured software progress.

Level 5: Optimizing. Continuous process capability improvement.

Page 6: Security Maturity Assessment

Mapping ISO 17799 to Maturity Levels

3.1.1 Information Security Policy Document (maps to Level 3, Defined)

"A policy document should be approved by management, published and communicated, as appropriate, to all employees. It should state management commitment and set out the organization's approach to managing information security."

3.1.2 Review and Evaluation (maps to Level 4, Managed)

"The policy should have an owner"

There should be a "defined review process" ensuring that "a review takes place in response to any changes affecting the basis of the original risk assessment..."

4.1.7 Independent review of information security (maps to Level 5, Optimizing)

The implementation of the Information Security Policy should be "reviewed independently to provide assurance that organizational practices properly reflect the policy."

These three concerns are regrouped into Levels 3, 4 and 5 of the same row of the assessment matrix.

Page 7: Security Maturity Assessment

The Assessment Matrix (sample row)

Columns: ISO 17799 category; Level 1 (Initial); Level 2 (Repeatable); Level 3 (Defined); Level 4 (Managed); Level 5 (Optimizing)

Level definitions (first row of the matrix):

Level 1 (Initial): Informal, ad hoc.

Level 2 (Repeatable): Not written down; may be communicated through coaching.

Level 3 (Defined): Formal and documented (in writing).

Level 4 (Managed): Enforced and measured; responsibilities are defined explicitly.

Level 5 (Optimizing): Dynamic; a process exists for catching deviations and making constant improvements.

Sample row: III.1 Information Security Policy (covering three concerns: coverage of the security policy, review of the information security policy, and review of its effective implementation):

Level 1 (Initial): No security policy in place.

Level 2 (Repeatable): Security policy exists, but as a general statement. Inferring what is specifically mandated or prohibited requires consulting specialized personnel. No regular reviews.

Level 3 (Defined): Specific policy exists supporting business goals, clearly stating in detail what is mandated or prohibited. A "normal" person can easily understand it. Reviews carried out at intervals, but no clear management responsibility to trigger reviews or exploit results.

Level 4 (Managed): Security policy covers all areas of business. Security policy is owned by appropriate functions including IT but also Finance, HR, Legal, etc. Organization policies define the roles and responsibilities in following procedures. Reviews carried out; intervals and responsibility for the reviews are defined explicitly in the policy. A report on non-compliance is created and distributed to the business units for their review and action.

Level 5 (Optimizing): Clear responsibilities and mechanisms in place to upgrade policy if required after every breach of policy, and if business changes occur such as acquisition, divestiture, or major changes in business processes.

Page 8: Security Maturity Assessment

SMA – Part of an Overall Security Improvement Process

The assessment is step 2 of a five-step improvement cycle:

1. Management Awareness and Commitment

2. Security Maturity Assessment

3. Corrective Action Plan

4. Action Plan Execution

5. Ongoing Monitoring

Page 9: Security Maturity Assessment

Conducting the Assessment

Communicate the purpose and process of the assessment

Determine who will be interviewed

Conduct the interviews and collect documentation

Ask follow-up questions

Tabulate the results

Evaluate the results and form an initial conclusion

Present the draft of the assessment results to the client

Obtain any information to correct factual errors or omissions

Deliver the final report

Page 10: Security Maturity Assessment

Pragmatic Aspects of an Assessment

Interviewee Selection and Psychology

Include non-IT and non-manager personnel

Each type of person in the organization has hopes and fears

They have agendas, which often conflict

Objective Questions

Bad question: “Do you think you have a good security policy?”

Good question: "Were you asked to read and sign a security policy when you joined the company?"

A good question allows independent verification

Judging SMA Levels

CMM levels are much easier to apply than 0 to 10 scales
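As an added worked example (not the authors' tool, which the slides describe only at the level of the matrix), the following Python scoring engine applies the matrix and the interviewing rules above: each ISO 17799 area is rated on the five CMM-style levels, a "yes" counts only when the assessor collected the artifact that makes it independently verifiable, and a level is granted only when it and every lower level are fully satisfied (the staged rule of the CMM). The criteria, questions, evidence names, sample answers and prior-year figures are constructed for illustration and paraphrase the sample matrix row; they are not from the slides.

```python
"""Scoring engine for a CMM-style Security Maturity Assessment.

Constructed example, not the authors' tool. Implements the staged rule
(a level counts only when it and every lower level are fully satisfied)
over objective, independently verifiable questions, then tabulates the
result per ISO 17799 area against a prior assessment.
"""
from dataclasses import dataclass

LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Defined",
               4: "Managed", 5: "Optimizing"}


@dataclass(frozen=True)
class Criterion:
    area: str      # ISO 17799 area the criterion belongs to
    level: int     # level (2..5) that this criterion gates
    question: str  # objective question put to interviewees
    evidence: str  # artifact the assessor must collect to confirm the answer


# Constructed criteria: a paraphrase of the sample matrix row for the policy
# area plus a hypothetical row for access control (assumed wording).
CRITERIA = [
    Criterion("Information Security Policy", 2,
              "Does a written security policy exist?", "policy document"),
    Criterion("Information Security Policy", 3,
              "Does the policy state in detail what is mandated or prohibited?",
              "policy document"),
    Criterion("Information Security Policy", 3,
              "Are policy reviews carried out at intervals?", "review minutes"),
    Criterion("Information Security Policy", 4,
              "Does the policy name the review owner and interval?",
              "policy review clause"),
    Criterion("Information Security Policy", 4,
              "Is a non-compliance report distributed to business units?",
              "non-compliance report"),
    Criterion("Information Security Policy", 5,
              "Is the policy revised after every breach or business change?",
              "change log tied to incidents"),
    Criterion("Access Control", 2,
              "Is there a written procedure for granting and revoking access?",
              "access procedure"),
    Criterion("Access Control", 3,
              "Are user access rights reviewed at intervals?",
              "access review records"),
    Criterion("Access Control", 4,
              "Are review owner and interval defined in policy?",
              "access policy clause"),
    Criterion("Access Control", 5,
              "Are access rules revised after every incident or reorganization?",
              "access change log"),
]


def satisfied(c: Criterion, answers: dict, verified: set) -> bool:
    """A 'yes' counts only if the assessor collected the supporting artifact;
    an unverifiable opinion ('we think our policy is good') scores nothing."""
    return bool(answers.get(c.question, False)) and c.evidence in verified


def assess(answers: dict, verified: set, criteria=CRITERIA) -> dict:
    """Maturity level per area. Staged rule: climb from level 2 upward and
    stop at the first level whose criteria are not all satisfied, so a
    level-4 practice in an area with an unmet level-3 criterion yields 3,
    and an area with nothing documented stays at level 1."""
    by_area: dict = {}
    for c in criteria:
        by_area.setdefault(c.area, []).append(c)
    levels = {}
    for area, crits in by_area.items():
        level = 1
        for lvl in range(2, 6):
            gate = [c for c in crits if c.level == lvl]
            if not gate or not all(satisfied(c, answers, verified) for c in gate):
                break
            level = lvl
        levels[area] = level
    return levels


def tabulate(current: dict, previous=None) -> str:
    """One line per area: bar, level name, and change since the prior
    assessment (the CIO's 'am I better off than last year?' question)."""
    rows = []
    for area, lvl in sorted(current.items()):
        bar = "#" * lvl + "." * (5 - lvl)
        delta = "" if previous is None else f"  {lvl - previous.get(area, 1):+d} vs. prior"
        rows.append(f"{area:<28} {bar} {lvl} {LEVEL_NAMES[lvl]}{delta}")
    return "\n".join(rows)


# Constructed interview results for one assessment.
SAMPLE_ANSWERS = {
    "Does a written security policy exist?": True,
    "Does the policy state in detail what is mandated or prohibited?": True,
    "Are policy reviews carried out at intervals?": True,
    "Does the policy name the review owner and interval?": True,   # claimed only
    "Is a non-compliance report distributed to business units?": False,
    "Is there a written procedure for granting and revoking access?": True,
    "Are user access rights reviewed at intervals?": False,        # level-3 gap
    "Are review owner and interval defined in policy?": True,      # cannot count
}
# Artifacts actually produced during the interviews (constructed).
SAMPLE_VERIFIED = {"policy document", "review minutes", "access procedure",
                   "access policy clause"}
PRIOR_YEAR = {"Information Security Policy": 2, "Access Control": 2}

if __name__ == "__main__":
    print(tabulate(assess(SAMPLE_ANSWERS, SAMPLE_VERIFIED), PRIOR_YEAR))
```

Running the block prints one line per area with a bar, the level name and the change against the prior assessment. The staged rule is the point: in the sample, the claimed level-4 access-control practice earns nothing because a level-3 criterion is unmet (the area stays at Repeatable), and the claimed level-4 policy practice earns nothing because no artifact backed it up (the area scores Defined, one level up from the prior year).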

Page 11: Security Maturity Assessment

Presenting the Results Graphically