Cambridge, Mass.-based Forrester Research Inc. has launched a new model to help businesses find and fix gaps in their security programs to enable better overall enterprise security.
The new Information Security Maturity Model, announced this week, is similar in design to the COBIT model, according to Forrester analyst Chris McClean. "If you're familiar with COBIT, then you'll recognize our new model. …We took [Forrester's] existing framework and other models like COBIT and COSO to see what's out there and made sure our framework was as comprehensive as possible," McClean said.
The idea for a new maturity model came about when Forrester surveyed security risk customers, and an overwhelming number of those surveyed wanted a more comprehensive model. To that end, the Forrester model offers guidance on 25 functions or focus areas, while the COBIT model fully covers only 10, and COSO only seven.
The maturity model specifically rates how well a company prioritizes and manages security functions, the importance of skills in a security team, and the use of tools to secure the IT infrastructure. It has four overarching domains -- oversight, people, process and technology -- that are meant to give a balanced view of a company's security programs and IT environment.
One unique part of this model is the fourth domain, oversight, which offers guidance in areas like governance, risk management, compliance and audit, and which is not included in other models such as COBIT. It complements the other, more tactical domains to help organizations measure their information security strategy and decision-making.
McClean said the point of the Forrester model is to assess how an organization approaches security risk management, and has less to do with saying whether or not the program is mature. It evaluates the maturity of an organization's processes and then determines whether that maturity is low or high. The maturity rating is more like a bonus, letting companies know what they could improve on.
For example, a low maturity rating could mean an organization has good technology and smart people but poorly organized processes, McClean said. "It means the organization is doing some things well, but it's not sustainable and not able to carry it out over a long period of time."
On the other hand, a higher level of maturity would be a business that has an ongoing evaluation of the program with good policies and documentation. The model rates each of the 123 components in the four domains on a scale from zero to five -- zero being nonexistent and five being optimized.
"The goal is meeting the business objective," McClean said. The maturity model must be customized to an organization. Since it is made to cover all security functions, there might be some components that don't fit a specific organization, so the company itself will have to create a plan for how to use the model.
This security model is free for Forrester customers, and costs about $500 for others. The product includes a risk-free trial, offering a full refund if the user is not completely satisfied.