DS5 Ensure Systems Security

The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents. Effective security management protects all IT assets to minimize the business impact of security vulnerabilities and incidents.

Control over the IT process of Ensure Systems Security that satisfies the business requirement for IT of
  • maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
by focusing on
  • defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
is achieved by
  • Understanding security requirements, vulnerabilities and threats
  • Managing user identities and authorizations in a standardized manner
  • Testing security regularly
and is measured by
  • Number of incidents damaging the organization’s reputation with the public
  • Number of systems where security requirements are not met
  • Number of violations in segregation of duties
Management of the process of Ensure Systems Security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:

1 Non-existent
2 Initial/Ad Hoc
3 Repeatable but Intuitive
4 Defined
5 Managed and Measurable
6 Optimized


Benchmarks/Guidelines for Scoring

1 Non-existent when
The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned for ensuring security. Measures supporting the management of IT security are not implemented. There is no IT security reporting and no response process for IT security breaches. There is a complete lack of a recognizable system security administration process.
2 Initial/Ad Hoc when
The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, because responsibilities are unclear. Responses to IT security breaches are unpredictable.
3 Repeatable but Intuitive when
Responsibilities and accountabilities for IT security are assigned to an IT security coordinator, although the management authority of the coordinator is limited. Awareness of the need for security is fragmented and limited. Although security-relevant information is produced by systems, it is not analyzed. Services from third parties may not address the specific security needs of the organization. Security policies are being developed, but skills and tools are inadequate. IT security reporting is incomplete, misleading or not pertinent. Security training is available but is undertaken primarily at the initiative of the individual. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
4 Defined when
Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.
5 Managed and Measurable when
Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. Exposure to methods for promoting security awareness is mandatory. User identification, authentication and authorization are standardized. Security certification is pursued for staff members who are responsible for the audit and management of security. Security testing is completed using standard and formalized processes, leading to improvements of security levels. IT security processes are coordinated with an overall organization security function. IT security reporting is linked to business objectives. IT security training is conducted in both the business and IT. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.
6 Optimized when
IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated and implemented. Security testing, root cause analysis of security incidents and proactive identification of risk are used for continuous process improvements. Security processes and technologies are integrated organization-wide. Metrics for security management are measured, collected and communicated. Management uses these measures to adjust the security plan in a continuous improvement process.