How secure is secure? A silly question, but one that is not often asked. You can never be totally secure, but there must be a point at which the level of security processes, tools and technologies is sufficient to mitigate the main business risks, while also taking into account the ability of the organisation to manage the technologies, maintain process adherence and respond to security incidents. The capability of the organisation to monitor, manage and enhance its security methods depends on many things. This ‘maturity’ is fundamental to how effectively the organisation can respond and adapt.
Through many client projects, Guardian Technologies has identified the need to match risk mitigation activities with the organisation's ability to operate layers of technology and process complexity. Clients need a straightforward method to assess their security processes and technology and match them against the maturity of the organisation. There is no point implementing complex technologies if there are insufficient skills to operate and interpret them. For example, a cloud service may be a solution to a problem, but such services can be expensive, may compromise security through the use of third parties and may not provide the protection promised. In addition, it may not be clear which technology or service is needed next based upon the risk to the organisation.
Guardian Technologies has introduced a Security Maturity Model to help. There are many security maturity models, but most are either focused on only one area of security or so complex that they obscure the next steps.
The Security Maturity Model (SMM) details the different security stages through which most organisations pass as they move from rather unstructured environments to policy-driven environments with built-in continuous improvement. It is loosely based upon the Gartner Infrastructure Maturity Model, which takes a more general approach to the components. Guardian has updated and adapted the Gartner model to address the security infrastructure only. As security has many different facets, from policies and procedures to technologies and situational monitoring, this model is high level and will be updated over time. The SMM is organised into 5 levels, based on the Carnegie-Mellon Software Engineering Institute’s Capability Maturity Model for Software (CMMI). Each level represents an increased ability to control and manage organisational security, based upon the maturity to manage complex threats, technologies and situational variety.
- Level 1 – Initial
  - Blissful ignorance
  - Little or no security awareness or perceived need
  - Information may be being lost without the organisation knowing
  - Incidents often have a major impact on the organisation
- Level 2 – Developing
  - Security is largely the responsibility of IT
  - A few tools, not integrated with each other
  - Reliance on the vendor security built into the tools for protection
  - Rudimentary asset management and change control
  - Few dedicated security staff
  - Security is a by-product of IT
- Level 3 – Defined
  - Operational standards implemented
  - Dedicated security team
  - Risk management in place but still immature
  - Policies and procedures implemented but not yet complied with
  - Introduction of management tools
  - Organisational resilience improving
  - Metrics being collected
  - Processes being documented
- Level 4 – Managed
  - Assets rationalised against service levels
  - Mature availability and disaster recovery (DR)
  - Mature management tools for logging, monitoring and configuration
  - Mature process definition and documentation
  - Interface with the business for cost allocation
- Level 5 – Optimised
  - Functions are automated and inherent in the infrastructure
  - Efficient workflow and business intelligence are key
  - Processes are autonomic
  - A policy is set and its effects ripple throughout the organisation
Benefits and Features
Guardian Technologies has developed a security assessment that takes clients through the process of understanding which key areas of security protection are required for a structured security stance, where the organisation is actually positioned on the model, and where the organisation would like to move to for increased maturity of its security capability. A review of the security systems and processes is carried out against the maturity model. The model is non-threatening and simple to use. Benefits include:
- Client quickly understands the difference between technology vendors and Guardian security consulting
- Demonstrable process of steps
- Complete security components are covered
- Define a roadmap including next steps and projects