Mapping the path toward information security program maturity


Ed Moyle
01.17.2007


As information security professionals, most of us go to work every day asking more or less the same fundamental question: "How can we do more with less?" If our environment is like most, workloads are up and budgets are down; we'd like to optimize the information security program for efficiency, but the never-ending barrage of worms, spyware and vulnerabilities keeps us thinking reactively rather than strategically. After all, investments in efficiency require time, manpower and dollars, and all of those are difficult to come by.

The challenge then is finding a way off the treadmill; in other words, finding a way to steadily increase the overall organizational efficiency while keeping the impact on day-to-day operations low. One strategy that almost every organization can use as a first step is to create a map of the overall information security program's process maturity and use that map to guide future investments. Such a map allows managers to understand the current state of the information security program, isolate areas of inefficiency, and hopefully reduce those inefficiencies over time.

Creating the maturity map

To create a rudimentary maturity map, first select a standardized framework for understanding process maturity and apply it to the security practice as a whole. Selecting a standardized framework is advantageous because much of the work has already been done: the levels of process maturity have already been defined, and precise guidelines for assessing processes have already been documented.

There are quite a few published maturity frameworks to choose from as a starting point:

  • OPM3 - Organizational Project Management Maturity Model
  • CMMI - Capability Maturity Model Integration
  • COBIT - Control Objectives for Information and Related Technology
  • SSE-CMM - Systems Security Engineering Capability Maturity Model


All of these frameworks offer not only a multi-tiered model with specific criteria for assessing process maturity, but also facilitate self-assessment and/or contracted external assessment. An organization should select a methodology that it is comfortable with -- potentially one that's already being used in other areas of the firm -- and begin to categorize and quantify how the functions within the information security program stack up.

A question to ask before selecting a framework is whether the organization is most interested in the engineering aspects of information security or in the overall maturity of the program. Organizations wishing to concentrate on the engineering aspects of information security may find it beneficial to select the SSE-CMM as a benchmark, as it was created with security in mind and is already tailored for use by security organizations. Other organizations seeking to analyze their programs more generally, however, will need to supply a second piece of the puzzle, because the more general process models were not developed specifically for security organizations. To fill in the missing piece, we'll need to determine which elements of a comprehensive information security program are in scope for evaluation and analyze them according to the maturity model selected. To do that, use a comprehensive information security-specific framework, such as International Organization for Standardization (ISO) 17799 or National Institute of Standards and Technology (NIST) special publication 800-52, to select and categorize the areas of concentration (the processes) to be evaluated. As with the maturity frameworks, using a standard approach minimizes the documentation effort, since each criterion in scope is already fully documented.

From map to milestones

Having a map is only the first step; after all, there's more involved in navigating to a destination than just having directions for getting there.

The next step is to use that information to actually guide where investments are made. We'll need to look at more than just the maturity of a given process to do that, because not every area covered will be of the same level of importance to our business; some areas might be more important, or more easily optimized, than others.

However, starting with a basic understanding of information security program maturity gives an organization an advantage in decision-making. It gains insight about where to invest, how quickly to invest and what cost/resource impact an investment will have.

About the author

Ed Moyle is a veteran of the information security industry. As a manager with CTG, he provides practical guidance and advice to clients worldwide. Ed has held numerous key roles in information security, including VP/ISO for Merrill Lynch and lead developer for biometrics firm ICT. Ed is co-author of Cryptographic Libraries for Developers, a practical resource for developers.
