U.S. patent application number 11/858832, for a security maturity assessment method, was filed on 2007-09-20 and published by the patent office on 2008-02-21 as publication 20080047018 (Kind Code A1).
Invention is credited to Claude R. Baudoin, Colin R. Elliott.
Application Number: 11/858832
Publication Number: 20080047018
Family ID: 29399206
Filed Date: 2007-09-20
Publication Date: 2008-02-21
United States Patent Application 20080047018, Kind Code A1
Baudoin; Claude R.; et al.
February 21, 2008
SECURITY MATURITY ASSESSMENT METHOD
Abstract
In general, the invention relates to a method for assessing an
information security policy and practice of an organization. The
method includes collecting information about the information
security policy and practice of the organization, generating a
rating for each of a plurality of information security items using
a security maturity assessment matrix and the collected
information, and generating a graphical assessment of the ratings.
The security maturity assessment matrix includes a first dimension
and a second dimension, where the first dimension corresponds to
the information security items and the second dimension corresponds
to maturity levels. Further, each rating is derived using the first
dimension and the second dimension.
Inventors: Baudoin; Claude R.; (Houston, TX); Elliott; Colin R.; (London, GB)
Correspondence Address: OSHA . LIANG L.L.P. / SLB, 1221 McKinney Street, Suite 2800, Houston, TX 77010, US
Family ID: 29399206
Appl. No.: 11/858832
Filed: September 20, 2007
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
10134815 | Apr 29, 2002 | 7290275
11858832 | Sep 20, 2007 |
Current U.S. Class: 726/25; 711/E12.001
Current CPC Class: G06Q 40/08 20130101
Class at Publication: 726/025; 711/E12.001
International Class: G06F 12/14 20060101 G06F012/14
Claims
1.-19. (canceled)
20. A method for assessing an information security policy and
practice of an organization, comprising: collecting information
about the information security policy and practice of the
organization; generating a rating for each of a plurality of
information security items using a security maturity assessment
matrix and the collected information, wherein the security maturity
assessment matrix comprises a first dimension and a second
dimension, wherein the first dimension corresponds to the plurality
of information security items, wherein the second dimension
corresponds to a plurality of maturity levels, and wherein each
rating is derived using the first dimension and the second
dimension; generating a graphical assessment of the ratings; and
displaying the graphical assessment of the ratings.
21. The method of claim 20, further comprising: generating a new
rating for each of a plurality of information security items using
the security maturity assessment matrix when there is a change in
an information security environment of the organization.
22. The method of claim 20, wherein the graphical assessment of the
ratings is generated by a security maturity assessment reporting
tool.
23. The method of claim 22, wherein the security maturity
assessment reporting tool comprises functionality to track the
ratings of each of the plurality of information security items over
time.
24. The method of claim 22, wherein the security maturity
assessment reporting tool comprises functionality to graphically
compare the ratings associated with each of the plurality of
information security items with a corresponding rating goal
associated with each of the plurality of information security
items.
25. The method of claim 20, further comprising: determining how to
modify the information security policy and practice of the
organization using the rating for the at least one of the plurality
of security items.
26. The method of claim 25, wherein determining how to modify the
information security policy and practice of the organization,
comprises: generating a corrective action using the rating for at
least one of the plurality of information security items and the
security maturity assessment matrix.
27. The method of claim 26, wherein generating the corrective
action comprises: obtaining a first description from the security
maturity assessment matrix corresponding to the rating of the at
least one of the plurality of information security items; obtaining
a second description from the security maturity assessment matrix
corresponding to a goal rating of the at least one of the plurality
of information security items; and comparing the first description
with the second description to obtain the corrective action for the
at least one of the plurality of information security items.
28. The method of claim 27, further comprising: executing the
corrective action to create a new security information policy and
practice.
29. The method of claim 28, further comprising: monitoring the new
security information policy and practice.
30. The method of claim 20, wherein at least one of the plurality
of security items corresponds to an information security item
associated with at least one selected from the group consisting of
BS7799 and ISO17799.
31. The method of claim 20, wherein at least one of the plurality
of maturity levels corresponds to a maturity level associated with
a Capability Maturity Model.
32. The method of claim 31, wherein the maturity level is at least
one selected from the group consisting of: initial, repeatable,
defined, managed, and optimized.
33. The method of claim 20, wherein at least one of the plurality
of information security items in the first dimension is associated
with a scope requirement.
34. The method of claim 33, wherein the scope requirement defines
what portions of the organization to which the at least one of the
plurality of information security items applies.
35. The method of claim 30, wherein the first dimension is
displayed using at least one row and the second dimension is
displayed using at least one column.
36. A computer system for assessing an information security policy
and practice of an organization, comprising: a processor; a memory;
an input means; and software instructions stored in the memory for
enabling the computer system under control of the processor, to:
collect information about the information security policy and
practice of the organization; generate a rating for each of a
plurality of information security items using a security maturity
assessment matrix and the collected information, wherein the
security maturity assessment matrix comprises a first dimension and
a second dimension, wherein the first dimension corresponds to the
plurality of information security items, wherein the second
dimension corresponds to a plurality of maturity levels, and
wherein each rating is derived using the first dimension and the
second dimension; generate a graphical assessment of the ratings; and
display the graphical assessment of the ratings.
37. The computer system of claim 36, further comprising software
instructions stored in the memory for enabling the computer system
under control of the processor, to: generate a new rating for each
of a plurality of information security items using the security
maturity assessment matrix when there is a change in an information
security environment of the organization.
38. The computer system of claim 36, wherein the graphical
assessment of the ratings is generated by a security maturity
assessment reporting tool.
39. The computer system of claim 38, wherein the security maturity
assessment reporting tool comprises functionality to track the
ratings of each of the plurality of information security items over
time.
40. The computer system of claim 38, wherein the security maturity
assessment reporting tool comprises functionality to graphically
compare the ratings associated with each of the plurality of
information security items with a corresponding rating goal
associated with each of the plurality of information security
items.
41. The computer system of claim 36, further comprising software
instructions stored in the memory for enabling the computer system
under control of the processor, to: determine how to modify the
information security policy and practice of the organization using
the rating for the at least one of the plurality of security
items.
42. The computer system of claim 41, wherein software instructions
stored in the memory for enabling the computer system under control
of the processor, to determine how to modify the information
security policy and practice of the organization, comprise software
instructions for: generating a corrective action using the rating
for at least one of the plurality of information security items and
the security maturity assessment matrix.
43. The computer system of claim 42, wherein software instructions
stored in the memory for enabling the computer system under control
of the processor, to generate the corrective action comprise
software instructions for: obtaining a first description from the
security maturity assessment matrix corresponding to the rating of
the at least one of the plurality of information security items;
obtaining a second description from the security maturity
assessment matrix corresponding to a goal rating of the at least
one of the plurality of information security items; and comparing
the first description with the second description to obtain the
corrective action for the at least one of the plurality of
information security items.
44. The computer system of claim 42, further comprising software
instructions stored in the memory for enabling the computer system
under control of the processor, to: execute the corrective action
to create a new security information policy and practice.
45. The computer system of claim 44, further comprising software
instructions stored in the memory for enabling the computer system
under control of the processor, to: monitor the new security
information policy and practice.
46. The computer system of claim 36, wherein at least one of the
plurality of security items corresponds to an information security
item associated with at least one selected from the group
consisting of BS7799 and ISO17799.
47. The computer system of claim 36, wherein at least one of the
plurality of maturity levels corresponds to a maturity level
associated with a Capability Maturity Model.
48. The computer system of claim 47, wherein the maturity level is
at least one selected from the group consisting of: initial,
repeatable, defined, managed, and optimized.
49. The computer system of claim 36, wherein at least one of the
plurality of information security items in the first dimension is
associated with a scope requirement.
50. The computer system of claim 49, wherein the scope requirement
defines what portions of the organization to which the at least one
of the plurality of information security items applies.
51. The computer system of claim 36, wherein the first dimension is
displayed using at least one row and the second dimension is
displayed using at least one column.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application is a continuation, pursuant to 35 U.S.C.
.sctn. 120, of U.S. patent application Ser. No. 10/134,815 filed on
Apr. 29, 2002.
BACKGROUND OF INVENTION
[0002] Information Security encompasses the protection of
information against unauthorized disclosure, transfer,
modification, or destruction, whether accidental or intentional.
Information security has become a prevalent concern of
organizations as a result of the trends towards e-commerce,
e-business, universal email and web access, and well-publicized
security exploits. As a result, organizations are attempting to
apply information security principles in a pragmatic framework.
[0003] To enable organizations to apply information security
principles in a pragmatic framework, a number of information
standards and tools have been developed. One widely recognized
standard, BS7799/ISO17799, was developed by the British Standards
Institution (BSI) and adopted by the International Organization for
Standardization (ISO). The BS7799/ISO17799 standard is a
comprehensive set of controls that outline best practices in
information security. The aim of BS7799/ISO17799 is to serve as a
single reference point to determine the appropriate information
security policy for a variety of systems and organizations. The
BS7799/ISO17799 standard includes 10 sections, each addressing a
specific area of information security. See, "ISO17799 Security
Standard: ISO 17799 Compliance & Positioning."
[0004] The process of managing compliance with the BS7799/ISO17799
is a non-trivial task. As a result, a number of risk analysis and
risk management products have been developed to help organizations
comply with the BS7799/ISO17799 standard. One such product is
COBRA, which was developed by C & A Systems, Inc. COBRA is used
to semi-automate the assessment process. COBRA utilizes a series of
online questionnaires to obtain information about the current
security policy. Using the answers from the questionnaires, COBRA
creates reports that provide information about the organization's
current compliance position, on a pass/fail basis, with respect to
each section of the BS7799/ISO17799 standard.
[0005] Another tool that has been developed to enable organizations
to apply information security principles in a pragmatic framework
is the Systems Security Engineering Capability Maturity Model
(SSE-CMM). The SSE-CMM is derived from concepts of the Software
Engineering Institute (SEI) Capability Maturity Model initially
created for software development. The SSE-CMM describes the
essential characteristics of an organization's security engineering
process that must exist to ensure good security engineering. The
SSE-CMM does not prescribe a process or standard such as
BS7799/ISO17799, but rather uses a model that captures practices
generally observed in the industry. Additionally, the SSE-CMM is
based on a maturity model that defines specific goals and practices
for the entire life cycle of an organization. Further, the SSE-CMM
defines an overall assessment process and roles for security
engineering within an organization. See, "System Security
Engineering Capability Maturity Model-Model & Appraisal Method
Summary April 1999." The resulting assessment obtained from
applying the SSE-CMM is typically not associated with a reporting
tool to report the maturity level.
SUMMARY OF INVENTION
[0006] In general, in one aspect, the invention relates to a method
for assessing an information security policy and practice of an
organization, comprising determining a risk associated with the
information security policy and practice, collecting information
about the information security policy and practice, generating a
rating using a security maturity assessment matrix, the collected
information, and the risk associated with the information security
policy and practice, generating a list of corrective actions using
the rating, executing the list of corrective actions to create a
new security information policy and practice, and monitoring the
new security information policy and practice.
[0007] In general, in one aspect, the invention relates to an
apparatus for assessing an information security policy and practice
of an organization, comprising means for determining a risk
associated with the information security policy and practice, means
for collecting information about the information security policy
and practice, means for generating a rating using a security
maturity assessment matrix, the collected information, and the risk
associated with the information security policy and practice, means
for generating a list of corrective actions using the rating, means
for executing the list of corrective actions to create a new
security information policy, and means for monitoring the new
security information policy.
[0008] In general, in one aspect, the invention relates to a
computer system for assessing an information security policy and
practice of an organization, comprising a processor, a memory, an
input means, and software instructions stored in the memory for
enabling the computer system under control of the processor, to
perform determining a risk associated with the information security
policy and practice, collecting information about the information
security policy and practice using the input means, generating a
rating using a security maturity assessment matrix, the collected
information, and the risk associated with the information security
policy and practice, generating a list of corrective actions using
the rating, executing the list of corrective actions to create a
new security information policy and practice, and monitoring the
new security information policy and practice.
[0009] Other aspects and advantages of the invention will be
apparent from the following description and the appended
claims.
BRIEF DESCRIPTION OF DRAWINGS
[0010] FIG. 1 illustrates a typical computer system.
[0011] FIG. 2 illustrates a flowchart detailing the Security
Maturity Assessment method in accordance with one embodiment of the
invention.
[0012] FIG. 3 illustrates a portion of a Security Maturity
Assessment Reporting Tool report in accordance with one or more
embodiments of the invention.
[0013] FIG. 4 illustrates a flowchart detailing the Security
Maturity Assessment method in accordance with another embodiment of
the invention.
DETAILED DESCRIPTION
[0014] Exemplary embodiments of the invention will be described
with reference to the accompanying drawings. Like items are denoted
by like reference numerals throughout the drawings for
consistency.
[0015] In the following detailed description of the invention,
numerous specific details are set forth in order to provide a more
thorough understanding of the invention. However, it will be
apparent to one of ordinary skill in the art that the invention may
be practiced without these specific details. In other instances,
well-known features have not been described in detail to avoid
obscuring the invention.
[0016] The invention relates to a method for assessing a security
maturity of an organization. Further, the invention relates to
assessing the security maturity of an organization using a security
assessment matrix. Further, the invention relates to basing the
security assessment matrix on the BS7799/ISO17799 standard and the
Capability Maturity Model (CMM). Further, the invention relates to
a method for providing quantitative, action-oriented results using
the security assessment matrix. Further, the invention relates to a
method to compare the security maturity of an organization to a
pre-determined goal, or to the security maturity of the same
organization at another point in time, or to the security maturity
level mandated by another organization or authority.
[0017] The invention may be implemented on virtually any type
computer regardless of the platform being used. For example, as
shown in FIG. 1, a typical computer (28) includes a processor (30),
associated memory (32), a storage device (34), and numerous other
elements and functionalities typical of today's computers (not
shown). The computer (28) may also include input means, such as a
keyboard (36) and a mouse (38), and output means, such as a monitor
(40). Those skilled in the art will appreciate that these input and
output means may take other forms in an accessible environment.
[0018] The Security Maturity Assessment (SMA) method involves five
distinct stages: (1) management awareness and commitment, (2)
security maturity assessment, (3) corrective action plan (CAP), (4)
corrective action plan execution (CAPE), and (5) ongoing
monitoring. Each of the aforementioned stages is explained below in
greater detail. Those skilled in the art will appreciate that the
names used to denote the stages may vary without detracting from
the invention.
[0019] FIG. 2 illustrates a flowchart detailing the SMA method in
accordance with one embodiment of the invention. The SMA method is
initiated by ensuring that an organization's management is aware
and committed to improving the organization's information security
practices and policies (Step 100). An assessment entity (e.g.,
individual/company conducting assessment) then assesses the
organization's information security practices and policies (Step
102). Using the information gained in Step 102, the assessment
entity develops a corrective action plan (Step 104). The corrective
action plan is subsequently executed (Step 106). If the
organization desires continuous monitoring after the execution of
the corrective action plan (Step 108), then the assessment entity
may continuously monitor revised information security policies and
practices of the organization (Step 110). Following the continuous
monitoring, the method may return to Step 100 to ensure that the
organization's management is still aware and committed, or
potentially proceed directly to Step 102 if the organization's
management continues to be aware and committed. If the organization
desires not to have continuous monitoring after the execution of
the corrective action plan (Step 108), then the method ends.
[0020] The management awareness and commitment stage is the first
stage of the SMA method and is used to raise awareness within the
management of the organization being assessed and to initiate
gathering of information. Specifically, in the management awareness
and commitment stage, an assessment entity gathers information to
understand the organization's business goals. Further, the
assessment entity gathers information to understand the associated
risks in terms of information security. For example, if the
organization is using a wireless Local Area Network (LAN), there
are different information security risks to consider than if the
organization is using a conventional LAN where all computers are
connected via Ethernet cable. Additionally, the assessment entity
creates awareness in the organization by presenting the security
maturity assessment methodology and method. In one or more
embodiments of the invention, the assessment entity may also
provide additional information about the underlying standards,
e.g., the ISO standard. In one or more embodiments of the
invention, the assessment entity may also provide an explanation of
the concept of a maturity model as it applies to the security
assessment.
[0021] The security maturity assessment stage is initiated by the
assessment entity identifying participants required to perform the
SMA. Additionally, the assessment entity, in conjunction with the
organization, determines the effort and cost required to perform
the SMA. A time line is also set to allow the assessment entity and
the organization to have a means to track the progress of the SMA.
At this point, in one or more embodiments of the invention, the
assessment entity may request that the organization sign an
assessment contract to ensure commitment by the organization to
follow through with the SMA. Once the aforementioned steps have
been completed, the assessment entity proceeds to perform the
SMA.
[0022] The assessment entity initiates the SMA by collecting
documents detailing the organization's existing information
security policies and practices. After review of the collected
documents, additional information is typically obtained via
interviews with participants identified at the beginning of this
stage. Using the information obtained from the collected documents
and the interviews, a preliminary rating is generated. The
preliminary rating details the maturity of individual sections and
the overall maturity level of the organization's information
security practices and policies.
[0023] In one or more embodiments of the invention, the preliminary
rating is generated using a security assessment matrix (SAM). The
SAM defines each level of maturity for each information security
item. The SAM includes 61 rows corresponding to the groups of the
BS7799/ISO17799 standard information security items, and 5 columns
defining the maturity level. The five maturity levels, arranged
from least mature to most mature, are Initial (Level 1), Repeatable
(Level 2), Defined (Level 3), Managed (Level 4), and Optimizing
(Level 5). For each intersection of row and column, there is a
paragraph that defines a specific "capability maturity" level. The
paragraphs contained in a given row of the SAM represent successive
capability maturity levels for the same information security item.
Further, some rows of the SAM represent successive capability
maturity levels associated with a single information security item,
as described in one paragraph of the BS7799/ISO17799 standard.
Other rows of the SAM may represent successive capability maturity
levels of information security items that the BS7799/ISO17799
standard describes in separate paragraphs or sections.
[0024] In one or more embodiments of the invention, an item
definition for each information security item is included in the
SAM. The item definition acts as a legend for the level definitions
for a particular information security item. Further, in one or more
embodiments of the invention, the SAM includes level definitions as
follows: Level 1--Initial; Level 2--Not written down, but
communicated via coaching; Level 3--Written down; Level
4--Responsibility is defined; Level 5--Process exists for catching
deviations and improving the information security to prevent them.
Further, in one or more embodiments of the invention, the SAM
includes scope requirements. The scope requirements indicate to
which aspects of an organization's operations the criteria set
forth in a particular row of the SAM must be applied.
[0025] The combination of a certain level definition (e.g., Level
1) with one information security item (i.e., a specific row of the
SAM) yields a specific criterion that one skilled in the art can
apply to establish if the organization being assessed meets, fails
or exceeds this level of maturity for this information security
item. Furthermore, those skilled in the art can apply the general
definition of the maturity level (Level 1 through 5) to a specific
information security item in such a way that they can readily
determine whether the organization being assessed meets, fails or
exceeds this level of maturity for this security item, even if the
specific criterion set forth at the intersection of this row and
column of the SAM is, for any reason, not directly applicable in
the case of this organization.
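The matrix of paragraphs [0023] to [0025], together with the rating, tracking, goal-comparison and corrective-action steps of claims 20, 23, 24 and 27, as an added Python example that is not code from the application or its inventors: the three rows are condensed from Table 1, the evidence sets and goal levels are constructed inputs, the function and variable names are the example's own, and the cumulative-level rule in rate() and the weakest-item overall rating are assumptions the application does not state.

```python
"""Security maturity assessment matrix (SAM): added worked example.

Rows are ISO 17799 items, columns are CMM levels 1..5, each cell a
criterion paragraph ([0023]); the generic level definitions of [0024]
are the fallback where a cell is missing ([0025]). Rating, tracking
over time, goal comparison and corrective actions follow claims 20,
23, 24 and 27. Row text is condensed from Table 1; the evidence sets
and goals are constructed inputs; all names are this example's own.
"""

LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Defined",
               4: "Managed", 5: "Optimizing"}

# Generic level definitions from [0024].
GENERIC_LEVELS = {
    1: "Initial",
    2: "Not written down, but communicated via coaching",
    3: "Written down",
    4: "Responsibility is defined",
    5: "Process exists for catching deviations and improving the "
       "information security to prevent them",
}

# item -> {level: criterion}. The last row has no level-5 cell on purpose.
SAM = {
    "Coverage of Security Policy": {
        1: "No security policy in place.",
        2: "Security policy exists, but as a general statement. No regular "
           "reviews.",
        3: "Specific policy exists, clearly stating in detail what is "
           "mandated or prohibited. Reviews carried out at intervals.",
        4: "Security policy covers all areas of business. Responsibility "
           "for the reviews is defined explicitly in the policy.",
        5: "Clear responsibilities and mechanisms in place to upgrade "
           "policy after every breach and after major changes in process.",
    },
    "Review of Security Process": {
        1: "Issued once, never reviewed.",
        2: "Occasionally reviewed if senior management, auditors, etc., ask.",
        3: "Reviewed at intervals, but no clear management responsibility.",
        4: "A clearly designated person or body has responsibility for the "
           "process, and reviews it regularly.",
        5: "Defined mechanism to review and upgrade the policy after every "
           "security incident.",
    },
    "Information security education and training": {
        1: "No formally defined training plan.",
        2: "Key members of personnel are trained on an ad-hoc basis.",
        3: "Training for personnel is defined and performed periodically.",
        4: "A specific party is responsible for defining the training plan "
           "and training schedules for all personnel.",
    },
}

def criterion(item, level):
    """Cell text at (item, level), or the generic definition ([0025])."""
    return SAM[item].get(level, GENERIC_LEVELS[level])

def rate(item, levels_met):
    """Rating = highest level L such that levels 2..L are all met.

    Assumption not stated in the patent: levels are cumulative as in the
    staged CMM, so meeting level 5 while failing level 4 rates as 3.
    Level 1 is the floor and always holds.
    """
    rating = 1
    for level in range(2, 6):
        if level not in levels_met:
            break
        rating = level
    return rating

def rate_all(evidence):
    """evidence: item -> set of levels met. Returns item -> rating."""
    return {item: rate(item, evidence.get(item, set())) for item in SAM}

def overall(ratings):
    """Overall maturity; assumption: the weakest item bounds the whole."""
    return min(ratings.values())

def corrective_actions(ratings, goals):
    """Claim 27: compare the description at the current rating with the
    one at the goal; each level in between is one step of the plan."""
    plan = {}
    for item, goal in goals.items():
        current = ratings[item]
        if current < goal:
            plan[item] = [(level, criterion(item, level))
                          for level in range(current + 1, goal + 1)]
    return plan

def progress(history):
    """Claim 23: history is [(label, ratings), ...] in assessment order;
    returns item -> list of ratings so a trend can be charted."""
    return {item: [r[item] for _, r in history] for item in SAM}

def bar_report(ratings, goals):
    """Claim 24: one text line per item, rating ('#') against goal ('.')."""
    lines = []
    for item in SAM:
        r, g = ratings[item], goals[item]
        bar = "#" * r + "." * max(g - r, 0)
        lines.append(f"{item:<46} {bar:<5} {r}/{g} ({LEVEL_NAMES[r]})")
    return lines

# Constructed evidence for two assessment rounds and a uniform level-4 goal.
ROUND_1 = {
    "Coverage of Security Policy": {2, 3},
    "Review of Security Process": {2},
    "Information security education and training": {2, 3, 5},  # 4 fails
}
ROUND_2 = {item: {2, 3, 4} for item in SAM}
GOALS = {item: 4 for item in SAM}

if __name__ == "__main__":
    r1, r2 = rate_all(ROUND_1), rate_all(ROUND_2)
    print("\n".join(bar_report(r1, GOALS)), "\noverall:", overall(r1))
    for item, steps in corrective_actions(r1, GOALS).items():
        for level, text in steps:
            print(f"{item}: reach level {level}: {text}")
    print(progress([("round 1", r1), ("round 2", r2)]))
```

The one judgement the code makes on the assessor's behalf is how to resolve evidence that meets a higher level while failing a lower one; paragraph [0025] says only that an organization "meets, fails or exceeds" each level. Treating the levels as cumulative, as the staged CMM does, keeps a rating from overstating maturity, which is exactly the error a later goal comparison would otherwise hide.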
[0026] Table 1 illustrates the SAM in accordance with one or more
embodiments of the invention:

TABLE 1 Security Assessment Matrix

Columns: ISO 17799 Item Categories | Item Definitions | Level 1 (Initial) | Level 2 (Repeatable) | Level 3 (Defined) | Level 4 (Managed) | Level 5 (Optimizing) | Scope Requirements

Level Definitions: Level 2, not written down, but communicated via coaching; Level 3, written down; Level 4, responsibility is defined; Level 5, process exists for catching deviations and making constant improvements.

III.1 Information Security Policy

Item: Coverage of Security Policy; Review of Information Security Policy
Level 1: No security policy in place.
Level 2: Security policy exists, but as a general statement. Inferring what is specifically mandated or prohibited requires consulting specialized personnel. No regular reviews.
Level 3: Specific policy exists, clearly stating in detail what is mandated or prohibited. A "normal" person can easily understand it. Reviews carried out at intervals, but no clear management responsibility.
Level 4: Security policy covers all areas of business. Security policy is owned by appropriate functions including IT but also Finance, HR, Legal, etc. Organization policies define the roles and responsibilities in business procedures. Reviews carried out; responsibility for the reviews is defined explicitly in the policy.
Level 5: Clear responsibilities and mechanisms in place to upgrade policy if required after every breach of policy, also if changes (acquisition, divestiture, or major changes in process such as outsourcing) occur.
Scope: Goal and principle of effective implementation of information security policy. Information sharing and management responsibilities following changes. Reviews - intervals and responsibility to trigger reviews or exploit results.

Item: Availability of Security Policy to Employees; Security Education and Training
Level 1: No security policy communication to employees (non-existent, or limited to IT personnel).
Level 2: Security policy is discussed with employees and contract or temporary personnel upon hiring.
Level 3: There is a written Security Policy manual, mentioned on public notice board and/or on web page. Well defined policy. Users are taught incident reporting procedures.
Level 4: Security policy communication is part of IT and Personnel procedures. Training procedure that includes a communication on security policy occurs at least once a year. Security training integrated into the development program. Management responsibility to provide security training, including the specification of a clear desk and clear screen policy for all employees.
Level 5: Each security incident is subject to a post mortem that includes a review of whether applicable policies were correctly communicated.
Scope: Staff awareness and education. Responsibilities and Technical Training. Emergency arrangements.

Item: Review of Security Process
Level 1: Issued once, never reviewed.
Level 2: Occasionally reviewed if senior management, auditors, etc., ask.
Level 3: Reviewed at intervals, but no clear management responsibility to trigger reviews or exploit results.
Level 4: A clearly designated person or body has responsibility for the process, and reviews it regularly.
Level 5: There is a defined mechanism to review and upgrade the policy after every security incident (is anything missing from the policy that could have prevented the problem?).
Scope: General management responsibility.

IV.1 Information Security Infrastructure

Item: Responsibility for the protection of individual assets
Level 1: No responsibility is assigned.
Level 2: Specific individuals are aware of their responsibility to protect some assets (e.g., computers, printers, media, etc.). The list of assigned responsibilities is not documented.
Level 3: A matrix for the responsibility of protection of assets exists and is published.
Level 4: A specific party is responsible for defining and maintaining the responsibility matrix for the protection of individual assets. Successive versions of the matrix are archived to help in future investigations.
Level 5: Security responsibility is a required field in the asset management process, so rows in the matrix are created when new assets are acquired. Assets without a responsible party are immediately flagged for corrective action.
Scope: Individual assets refer to the organization's physical assets.

Item: Security in job definition and resourcing
Level 1: No formally defined process.
Level 2: Specific individuals are aware of their responsibility.
Level 3: Responsibility for security decision making has been assigned and documented.
Level 4: A specific party is responsible for developing job responsibilities, personnel screening and confidentiality agreements.
Level 5: Job descriptions and personnel screening arrangements are periodically reviewed to conform to the changing security needs of the business. Also personnel are required to sign and agree to confidentiality agreements.
Scope: Interpretation is based on SSO/IRT type position.

Item: Information security education and training
Level 1: No formally defined training plan.
Level 2: Key members of personnel are trained on an ad-hoc basis.
Level 3: Training for personnel is defined and performed periodically.
Level 4: A specific party is responsible for defining the training plan, developing training schedules for all personnel.
Level 5: Security curriculum is periodically reviewed to conform to the changing needs of the business. Training records are reviewed against policy and exceptions lead to training program updates.

Item: Approval process for the acquisition and installation of IT facilities
Level 1: No approval process exists.
Level 2: Informal, undocumented knowledge of steps to be followed when acquiring or installing IT facilities exists.
Level 3: A clear approval process is defined for the acquisition and installation of IT facilities and published across the enterprise.
Level 4: A specific party is responsible for defining and maintaining the approval process for IT facility acquisition and installation.
Level 5: The approval process is periodically reviewed to conform to the changing needs of the business. The approval process for each acquisition and installation of IT facilities is reviewed for accuracy and corrective action is taken where appropriate.

IV.2 Security of Third Party Access

Item: Security Control of Third Party Access to Information Processing Facilities
Level 1: No control mechanism.
Level 2: Physical access control allows ad hoc decisions by IT staff, who have been told informally what to do.
Level 3: The access control rules are documented. There is a formal contract with each party that requires access.
Level 4: Third-party access is linked to the rest of the organization's security system through the issuance of access tokens, and accesses are logged.
Level 5: The access logs and the list of authorized third parties are regularly audited and changes to procedures are made when the need arises.

IV.3 Outsourcing

Item: Security Controls for External Contractors; Approval of business owners
Level 1: None; contractors are handled by task owner without specific policies or procedures.
Level 2: IT, Security, Legal, or Purchasing apply some regular steps when a contract is issued. These steps are not specifically documented.
Level 3: The procedures for contractor security are documented in writing and personnel and managers have access to them and are aware of their contents.
Level 4: There is a registry of contractors. They sign the security policy, NODE and IP agreements. The Security owner of the process is defined.
Level 5: Procedures are reviewed on at least an annual basis for possible improvements. Audits are run at least quarterly to make sure the list of contractors is current.
Scope: Critical applications stay in house. Implications for business continuity plans, standards and compliance. Security incident procedures.

V.1 Accountability for Assets

Item: Coverage of Asset
No inventory | Manual Inventory | Schedule, triggers, | There is a process | Information
Inventory inventory, performed roles and to review what Asset
Maintenance occasional, on according to responsibly, are happened
after Inventory demand. written defined. each inventory. Software
procedures, Ownership is clear Inventories are Asset but schedule
and known incremental, not Inventory and triggering throughout the
IT from scratch Physical events are not organization and every
time. Asset Asset well defined. management. inventories are
Inventory Typically not automated. Services automated. Inventory
Ease of Alteration Information There is There is a There are
control There is a Printed of Information assets can be informal
documented mechanisms (e.g., mechanism in Reports Assets altered
knowledge that change access controls) to place to review Screen
without classified procedure that prevent alteration the
effectiveness Displays control documents applies to all without
proper of the change Magnetic cannot be classified authorization.
control process Media altered at will, information and detect the
Electronic but no assets. No need for Messages systematic
systematic improvements. File Transfers procedures. control
mechanisms in place. Coverage of No Covers some There is an
Information Information Information Information procedures in
information Information handling handling training Asset Handling
place for assets. Little Handling procedures are is part of written
Inventory Procedures handling formality. No manual, owned by IT and
Personnel Software information. regular mentioned on appropriate
procedures. Asset reviews. the public functions including Processes
in Inventory Applied by few web page, and IT but also place to
report Physical business units. covering Finance, HR, and learn
from Asset essentially all Legal, etc. cases when Inventory types
of assets Organization information has Services and all policies
define the been handled Inventory business roles and incorrectly.
Printed units. responsibilities in Reports following Screen
procedures. Displays Magnetic Media Electronic Messages File
Transfers
("Handling" = copying, storage, electronic transmission, spoken
transmission, destruction) V.2 Information Classification of No Ad
hoc Information Ownership of the Security Printed Classification
Information Assets classification classification, asset
classification is classification is Reports Labeling of at document
classification clearly defined as reviewed Engineering Information
Assets owner's is published part of company periodically. List
files (photos, initiative. and "pushed" procedures and is of
documents microfiche, Most to all potential known of with highest
etc.) documents not document management. classification is Screen
marked. If owners. It reviewed Displays marked, labels covers
periodically. Magnetic are security. Declassification Media
inconsistent. Classified procedures exist. Electronic No systematic
information is Messages awareness labeled, File Transfers campaign.
consistently. VI.1 Security in Job Screening of Incomplete
Screening of Documented and A specific party is Procedures are
Applicant Definition and new or a lack of applicants is published
responsible for reviewed regularly refers to all Resourcing
applicants. screening of performed procedures for defining and for
improvements employees Complete applicants. informally, is
applicant maintaining the and compliance. (contractor, checking of
Contractor not documented, screening exist screening procedure.
Security issues found permanent, the new hiring are and is not and
are used by Results of the to be related to or part time)
applicant's not vetted performed the organization. screening are
failings in the CV. through HR. consistently. captured in the
screening procedure Screening of applicant's HR file. mandate
immediate contractor review and update of and the procedure.
temporary staff VI.2 User Training Security Little Discussed with
Documented in Roles and Audits of the security awareness of
awareness of employees and writing and made responsibilities to
acknowledgments are personnel corporate contract or available to
all maintain and performed. A system security. temporary staff.
Employees communicate the of re- personnel upon receive a copy of
security policy are acknowledgment hiring. security policy on
defined. occurs periodically hiring and are Acknowledgement and
upon changes to required to of the policy is the security policy.
acknowledge tracked and stored Incidents are receipt. as part of
the HR analyzed for policy of the performance employee. improvement
to the security awareness procedures. Security No education
Security Security A specific party is Training plans are education
or training is education and education is responsible for
periodically reviewed and technical provided. technical documented
and defining and to conform to the training training are not
included as part maintaining the changing needs of the provided of
the hiring security education business. Training consistently and
process. and technical records are reviewed the Technical training
program. against policy and responsibility is training roadmaps
Training records are exceptions lead to at the discretion exist for
each captured in the corrective actions. of management. employee.
employee's file. Review and planning for future training is part of
the appraisal process. VI.3 Responding to Disciplinary None
Managers have The definition of The documented After each incident
Security Process for documented. intuitive violations, process
includes that causes the Incidents and Company Reaction is
awareness of investigation roles and procedure to be Malfunctions
Security ad hoc. need, can quote process, and list responsibilities
for invoked, the process Violation multiple levels of applicable
each step, and a is reviewed and, of penalty, penalties is clear
workflow. when applicable, the including but not documented,
process is revised limited to firing. distributed, (including the
Managers and signed by the training or the HR appropriate penalty
clauses). independently parties, and agree on how to personnel has
initiate and been educated as conduct to the content. disciplinary
actions. VII.1 Secure Areas Protection The IT Access control is
List of secure All access to secure Auditing of access from
equipment is provided on an perimeters and IT areas is control
system logs is unauthorized left ad hoc basis access rights to
performed by a done periodically. access. unattended typically by
IT those areas are mechanism (e.g., Changes in facilities Physical
with no manager. No documented and badge access control and
management entry control controls defined list of published.
system) that allows trigger a review and to office, beyond access
rights is for personal revision of the access room. physical
published or identification and procedures. Physical building
managed. auditing. Access security for access. control is managed
IT facilities. centrally for granting and revoking rights and is
linked to hiring and termination policies. VII.2 Equipment Fire
alarm The fire Procedures for The fire alarm Reaction to actual
Security system in not alarm system the fire alarm system is
tested. alarms is reviewed present. exists and system are
Procedures exist and improvements people have visible and for
evaluation of implemented into been posted, the fire alarm the
current system informally including system including and
alternative made aware evacuation path, damage systems reviewed of
the behavioral assessment and where necessary. system. actions,
Halon recovery, warnings, etc. evacuation headcount, etc. Personal
No policies Policies for There is a A specific party is The
personal workstation for personal personal documented responsible
for workstation policy is policy workstations workstations policy
for defining and regularly reviewed to exist. exist but are not
personal maintaining the ensure it conforms to published or
workstations and personal the changing needs of adopted fully steps
are taken to workstation the business. Personal across the spread
its policy. workstation needs are organization. awareness among
Sensitive reviewed and changes employees. information is are made
where protected by necessary. Audits are means of carried out to
ensure encryption. that the organization maintains a recognized
workstation policy to ensure efficient management. Protection There
are no There is an There is a formal A specific party is The safety
threat policy from procedures informal safety documented
responsible for is regularly reviewed to environmental in place to
threat protection policy in place. It defining and ensure it
conforms with threats and protect from policy in place. details all
the maintaining the the changing needs of hazards. safety threats
This is not steps that need to safety threat the business. The
Protection or hazards. enforced be followed to control guidelines.
policy is regularly from human throughout the protect from reviewed
and changes carelessness organization and potential hazards. are
made where (eating, the details of the necessary to ensure smoking,
policy are not continued compliance. drinking). documented.
Protection from power and communication cabling from interception
or damage. VII.3 General Controls Inspection of Incoming There is
no There is a A responsible The key goods incoming goods are formal
process documented party is identified screening process is goods
for not to inspect process whereby to manage the regularly reviewed
to hazards inspected. incoming goods. all incoming processes and
ensure they conform to It is carried out goods are procedures for
the changing needs of in an ad inspected per a inspecting the
business. Goods hoc manner. defined plan. incoming goods screening
needs are for safety reviewed and changes compliance. are made
where necessary. The organization maintains historical files of
incoming goods; these are regularly reviewed to ensure that there
are no discrepancies. Process of There is no An informal A formal
process An inventory of Audits of the removal of standardized
process exists is documented organizational organization's property
organization's procedure for property and published the property is
are carried out property for removal removal. to organization
maintained and periodically and of property. for property updated
regularly. changes to the removal removal. A group or process are
made individual is where necessary. identified to verify that the
process is followed. Equipment There are no Equipment Equipment is
A responsible Record of equipment maintenance equipment maintenance
is covered by party is identified maintenance is maintenance
carried out on an insurance and the to oversee examined to
determine policies and ad hoc basis equipment equipment fault
patterns or abuses. the based on maintenance maintenance
Appropriate changes equipment manufacturer controls the policies
are are incorporated into maintenance recommended determination of
followed. the maintenance is done only service intervals risk.
policies. on failure. Sensitive Data Data disposal Data disposal A
responsible The disposal procedure data disposal disposal procedure
is procedure is party is identified is audited regularly and
procedure procedure is informally formally defined to oversee that
the appropriate steps not defined. defined. and published to
disposal procedure incorporated into the the organization. is
followed. procedure. VIII.1 Operational Management None - each
Common Documented in Roles and Procedures include a Reporting
Procedures and Responsibilities incident is awareness of writing
and made responsibilities are mechanism to evolve procedures
Responsibilities and handled ad procedures available to all IT
defined. them. Incidents are cover: Procedures hoc on a best Effort
for staff (and other Escalation and analyzed to suggest All types
of Incident effort basis. repeatability department staff reporting
chains improvements. There security Reporting includes staff with
IT roles) exist. Issues and is a quality incident
Procedures meetings, requests are improvement process, Contingency
training recorded as documented and plans sessions, trouble
tickets. applied. Audit trails coaching and similar Recover actions
and authority VIII.2 System Planning Testing of None; new Testing
is A formal The responsibility Policy is Includes issues and
Acceptance new systems are informal and is document to define,
review, periodically of capacity information placed in performed
based defining the and ensure reviewed and planning and systems
operation on individuals' testing and compliance with revised upon
any Systems requirements without any knowledge, not deployment of
the testing policy change in the Acceptance. and upgrades formal
test on a formal new and is defined. There production systems
Issues to be prior to procedure. process. upgraded systems are
system level or organizational considered deployment is defined.
tools that prevent structure. Testing include: unauthorized
methodology and Performance changes to tools are and Computer
production continuously Capacity systems. examined to Requirements
Documents exist determine Error Recovery detailing applicability to
the and Restart interfaces into the organization and Procedures
change then introduced. Security management Controls/Issues
process. Manual Processes Business Continuity Arrangements
Additional Load on existing machines Training in the operation of
the new equipment VIII.3 Protection Detection and No IT staff has A
formal, A specific party is The procedure Procedures Against
protection detection, informally documented responsible for
includes a cover: Malicious against protection defined procedure
for defining and mechanism for All types of Software malicious
measures, procedures for detecting and maintaining the evolution.
Incidents virus and software. reporting, detecting and handling
detection and are analyzed to malicious User or recovery handling
malicious protection suggest software awareness of procedures
malicious software and procedures, improvements. The incident
procedures to exist, and software and virus attacks informing and
toolset is Contingency deal with dealing virus attacks. exists and
is training the users, continuously plans malicious with There are
no communicated to managing the examined and Audit trails and
software malicious common tools, all employees as detection and
updated to provide similar Procedures software formal part of the
recovery efforts, maximum protection Recover actions for reporting
and virus documentation, corporate security and selecting and
against changing and authority and recovery attacks is or training
policy. A maintaining the treats. from virus entirely programs for
all standard set of protective tools. attacks reactive employees.
protective tools is and defined and handled in deployed. an ad hoc
Training is given manner. to all employees. Policy No policy
Software A software A specific party is List of authorized relating
to or monitoring licensing policy responsible for software is
licensed monitoring policies are is documented monitoring and
periodically software and exists informal and and published to
maintaining reviewed to conform prohibition of regarding performed
on an all employees. authorized to the changing unauthorized
software ad hoc basis. The software licenses needs of the software
installation. IT organization, for the enterprise. business.
Software when involved in A software audits are reviewed software
inventory and exceptions lead procurement, licensing tool is to
corrective actions. applies controls used to monitor informally.
and ensure compliance. VIII.4 Housekeeping Monitoring of No
Informal Capacity plan and Ownership of the New technology,
processing monitoring monitoring as capacity capacity plan and
contractual power and exists. part of system management capacity
agreements, and storage to Capacity management process covering
management supplier selection ensure adjustments procedures
processing process is defined. are continuously availability are
performed on an power, memory, Formal researched and performed as
needed basis. disc space, mechanism for introduced into the in
reaction No management LAN/WAN business managers environment in to
capacity plan or capacity, backup to place order to provide the
problems. model is capacity, number requirements into necessary
resources specifically of user the plan and a link while optimizing
the defined. workstations, exists between the costs. physical space
capacity planning and power. process and the budgeting process.
VIII.5 Network Covered by other Management questions in this
section VIII.6 Media Handling Procedures No IT staff has Formal, A
specific party is Procedures are Media includes: and Security and
controls procedures informally documented responsible for
periodically IT computer to protect or controls defined procedures
for defining and reviewed to address room media computer are in
place procedures and protecting maintaining the changes in the type
(e.g., backup media to protect controls for computer media
procedures for the or volume of tapes, computer protecting exist
and are access control computer media to removable hard media.
computer media. communicated to systems and be handled. Audit
drives, CD- There is no all employees as auditing of access logs
are reviewed ROMs, etc.) formal part of the to computer and
exceptions lead User media documentation, corporate security media.
to corrective action. (e.g., CD- access logs, or policy. Controls
ROMs, floppy training programs are in place to discs, etc.) for all
employees. limit and track access to media. Training is given to
all employees. VIII.7 Exchanges of Security of No defined No
corporate A corporate A specific party is The standards are
Standards for Information and exchange of procedures standard or
policy standard for the responsible for periodically secure
Software data and to secure exists addressing security exchange
defining and reviewed to address exchange of software with the
securing the of data and maintaining the changes to the data data
and other exchange exchange of data software with standards for the
being exchanged or software with organizations. of data or and
software with other secure exchange the means of 3rd parties and
software. other organizations is of data and exchanging. The
outsourcing organizations. documented and software. An information
vendors. published to all information classification policy
Information employees. classification continually evolves.
classification policy determines policy what can be and how it is
transmitted. IX.1 Business Documentation No An informal, An access
policy A specific party is The access policy Access rights
Requirements of business awareness undocumented statement
responsible for statement is encompasses for Access requirements or
practice access control defining access defining and periodically
accounts for Control for access of access practice is rights of
each maintaining the reviewed to conform network, control. control.
applied on an ad user or group of access policy to the changing
operating Access policy hoc basis. users exists and is statement
and needs of the system, and statement published. ensuring it is in
business. Security application defining the alignment with
incidents are access. access right of business reviewed and ACLs,
user and each user or requirements. modifications to the system
group of users. access policy accounts, etc. Protection of
statement are made Automatic connected where appropriate.
identification of services from terminals and unauthorized portable
use. devices. Review of user Timeout of access right remote systems
and left unattended capabilities for extended Policy periods of
time concerning the use of network and network services. Network
controls in place IX.2 User Access System of No An informal, A user
account A specific party is The user account Deletion vs.
Management formal control undocumented policy defining responsible
for policy is disabling registration/de- over user account access
rights, defining and periodically accounts. registration for access
to practice is privilege levels, maintaining the reviewed to
conform Unique id for access to IT IT applied on an ad and user
account to the changing all users. services. services. hoc basis.
creation/deletion policy. User needs of the Immediate rules exists
and is account business. Audit account published. creation/deletion
requirements are removal for records are reviewed and users who
archived. modifications to the change duties user account policy or
leave the are made where company. appropriate. User's Multiple
accounts privilege in per individual are overriding created or
deleted system/application through a single restriction. point of
control. Record kept of all privileges allocated. System routine to
grant privilege to users. Access control to program source library
IX.3 User Security of user Passwords An informal, A published A
specific party The password policy is Limit the number
Responsibilities password. User are not undocumented password is
responsible periodically reviewed of password password used.
password policy defines for defining and to conform to the attempt
before confidentiality practice is password maintaining the
changing needs of the the system locks level applied on an strength
(e.g., password policy. business. Periodic out the user. ad hoc
basis. length, Record of audits (cracking) of Record and make
inclusion of password passwords are user aware of special histories
is performed to ensure unsuccessful characters), archived.
compliance and logon attempts aging, and exceptions are noted,
Enforcement of usage. documented, and password rules corrective
action is taken. Good-practice No An informal, A good-practice A
specific party A process exists to No display of guidelines to
guidelines undocumented guidelines is responsible solicit
suggestions for system identifiers users in exist. guidelines is
statement is for defining and best-practice guidelines until logon
has ensuring good provided to defined and maintaining the from
internal and been successful security. users on an ad incorporated
good-practice external sources and to General notice hoc basis.
into user guidelines. incorporate them into warning that the
training the organization's user system should programs. security
guidelines. only be used by authorized users If error occurs at
logon do not indicate what the error was Cryptographic No An
informal, A good-practice A specific party A process exists to
Controls guidelines undocumented guidelines is responsible solicit
suggestions for exist. guidelines is statement is for defining and
best-practice guidelines provided to defined and maintaining the
from internal and users on an ad incorporated good-practice
external sources and to hoc basis. into user guidelines.
incorporate them into training the organization's user programs.
The security guidelines. guidelines cover: encryption, digital
signatures, key management, non-repudiation services IX.4 Network
Covered in other area in this Access Control section IX.5 Operating
Covered in other area in this System Access section Control IX.6
Application Covered in other area in this Access Control section
IX.7 Monitoring Covered in other area in this System Access section
and Use IX.8 Mobile Mobile No An informal, A good-practice A
specific party A process exists to Laptop, Mobile, Computing and
Computing and guidelines undocumented guidelines is responsible
solicit suggestions for and Palmtop Teleworking Teleworking exist.
guidelines is statement is for defining and best-practice
guidelines security to ensure provided to defined and maintaining
the from internal and company users on an ad incorporated
good-practice external sources and to information is not hoc basis.
into user guidelines. incorporate them into compromised. training
the organisation's user programs. security guidelines. X.1 Security
Risk There is no An informal A published A specific party The risk
assessment Requirements assessment and framework undocumented risk
assessment is responsible and risk management of Systems risk or
risk risk and risk for defining and policies are management
assessment. assessment management maintaining the periodically
reviewed used for and risk procedure risk assessment to conform to
the analyzing management exists. and risk changing needs of the
security practice is management business. Changes are requirement
applied on an guidelines. made to the policy ad-hoc basis. An
archive is where required. kept of the risks identified and the
action taken to manage the risk. Safety check No safety An informal
There is a A specific party The safety checks are while procuring
checks are procedure documented is responsible regularly reviewed
to new program carried out exists whereby procedure that for
defining and ensure that they and software when new programs is
followed maintaining the conform to the procuring and software
before any software safety changing needs of the new are assessed
software is check business. There is a software. before being
purchased. guidelines. regular risk analysis is put in to the This
ensures Modifications to carried out to ensure operational that all
software vendor supplied safety of existing environment. purchased
packages are systems and This task in conforms to made to comply
compromise to their performed on company with system security is
controlled. an ad-hoc security requirements Emphasis is given on
basis. guidelines. and vendor quality certification of consent is
new products. obtained before doing so. X.2 Security in Validation
There is no An informal There is a A specific party The validation
control Application control while validation process exists
published is responsible procedure is regularly Systems data input
to of where data is standard which for defining and reviewed to
ensure that application information both verified describes the
maintaining the they conform to the system on before it is
validation tests validation changing needs of the Data validation
application entered in to that are control business. Periodic of
stored systems. applications performed. guidelines. audits are
performed of information and existing There is a data on
application Output Data data is documented systems to ensure
Validation verified. Basic process which compliance. tests like is
followed. Exceptions are noted, missing or documented and
incomplete corrective action is data, invalid taken. characters in
fields are performed on an ad-hoc basis. X.3 Cryptographic
Cryptographic There are There is an There is a A specific party The
cryptographic Controls control no informal documented is
responsible controls are regularly cryptographic practice procedure
for defining and reviewed to ensure that controls employed which
defines maintaining the they conform to the or existing whereby
some the steps which cryptography changing needs of the system
files are outlines which control business. Audits are architecture
encrypted. document guidelines. carried regularly to does not This
is done at classifications Separate key ensure that information
support the user need to be management that should be cryptography.
discretion and encrypted and procedures are encrypted is kept on an
ad-hoc the process to used for digital encrypted and that the
basis. be followed to signatures and encryption method achieve
this. encryption. used is adequate. Vulnerabilities There are There
is a There is a A specific party The key management of no key
process in documented is responsible system is regularly
cryptographic management place where by key for defining and
reviewed to ensure keys. procedures. suitable key management
maintaining the they conform to the Key management system which key
[Table 1, continued. In the extracted text of the following rows the item, sub-item and maturity-level columns are interleaved word by word and the individual cell descriptions cannot be recovered; only the row items survive: X.3 (remainder of the Key Management row). X.4 Security of System Files: Protection and control of system test data; Control of operational software. X.5 Security in Development and Support Processes: Awareness of software upgrade to enhance security level; Software upgrade procedures and contractual agreements. XI.1 Aspects of Business Continuity Management: Contents of Business Continuity Process; Development of Business Continuity Process; Testing of Business Continuity Process; Review and Update of Continuity Process. XII.1 Compliance with Legal Requirements: Restrictions in place on the acquisition/use of copyright materials; Safeguards against loss, destruction or falsification of organizational records; Compliance with data protection legislation; Compliance of information systems with Intellectual Property Rights, Copyright, Data Protection Act and published standards or codes of practice. XII.2 Reviews of Security Policy and Technical Compliance: Documentation of regulatory and/or contractual requirements (employees and/or clients, suppliers, etc.). XII.3 System Audit Considerations: Control against computer misuse; Safeguard of information audit tools; Review/audit of information systems to ensure they are in compliance with security policies and standards; Coverage of system audit regime (event logging).]
[0027] Referring to the Security Assessment Matrix shown in Table
1, to perform the assessment for a given item, the assessment
entity need only perform the following steps: (i) find the item in
question, first by category then by sub-category; (ii) read the
descriptions under each maturity level and determine if
requirements of that maturity level are met; and (iii) record the
highest maturity level for that item that is met by the
organization's current information security policies and
practices.
[0028] Once the preliminary rating has been completed, it may be
displayed in a graphical manner. In one embodiment of the
invention, the preliminary rating is displayed using a Security
Maturity Assessment Reporting Tool (SMART). SMART allows the
preliminary rating to be shown at a detailed level, i.e., all 61
elements are shown, or at a summary level, i.e., only 10 broad
categories are shown. Further, SMART allows the organization to
compare the preliminary rating to a predefined goal, an industry
average, or to a prior assessment. Additionally, the layout of the
SMART report allows an organization to readily identify areas that
require improvement.
[0029] FIG. 3 illustrates a portion of a SMART report in accordance
with one or more embodiments of the invention. A first column (10)
lists the broad categories. A second column (12) lists the items
within each of the categories. A third column (14) graphically
represents the "assessed capability maturity" (ACM) (16). The third
column is sub-divided into five levels (L1, L2, L3, L4, and L5)
corresponding to the maturity levels listed above. For each item,
the ACM is represented by shading the corresponding row up to the
appropriate level. If the ACM is not at a goal (18), i.e., the
level at which the organization wishes to be for the particular
item, then an additional shading representing a gap (20) between
the goal (18) and the ACM (16) is present.
[0030] For example, in FIG. 3, Category 2 contains four items: Item
D (2), Item E (4), Item F (6), and Item G (8). Specifically,
looking at Item G (8), the ACM (16) is at level 2 (22), while the
goal (18) is at level 3 (24). Thus, a gap (20) is present between
level 2 (22) and level 3 (24) on the row containing Item G (8).
Thus, the organization can readily see that Item G (8) is below
the goal (18). By contrast, the organization can also readily see
that the capability maturity level for Item F (6) is at the goal (26)
set for this item, so there is no gap relative to Item F (6).
[0031] Returning to the SMA phase, once the preliminary rating
has been completed, the assessment entity reviews the preliminary
rating with the organization. During the review, the preliminary
rating may be revised, if necessary. Once this has been completed,
a final rating is generated.
[0032] During the corrective action plan (CAP) phase, the CAP is
generated using the final rating and the Security Assessment
Matrix. The proposed actions are aimed at improving the items that
have gaps and bringing the items up to the goal. Additionally,
items in the CAP may also be prioritized according to the needs and
resources of the organization. During the corrective action plan
execution phase, the CAP is executed. For example, if the SAM
states that for a certain item to be at Level 3, "the policy is
written down," and to be at Level 4, "there is an assigned manager
in charge of applying this policy," then it follows that if an
organization is assessed at Level 3 for this item, and its goal is
to be at Level 4, then the CAP should include the following action:
"Put a manager in charge of this policy."
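The rating, gap and CAP steps of paragraphs [0027] through [0032], as an added Python example that is not part of the patent; the item, its five level descriptions and the assessor's answers are constructed sample data, and the text rendering of the SMART row stands in for the shading of FIG. 3.

```python
from dataclasses import dataclass, field

LEVELS = (1, 2, 3, 4, 5)  # maturity levels L1..L5 shown in the SMART report


@dataclass
class MatrixItem:
    """One row of the Security Assessment Matrix: an item and its five
    maturity-level descriptions (level -> requirement text)."""
    category: str
    name: str
    descriptions: dict = field(default_factory=dict)


def rate_item(item, meets):
    """Steps (ii)-(iii) of [0027]: read each level description, decide whether
    its requirements are met, and record the highest level that is met.
    `meets(level, text)` stands in for the assessor's judgement."""
    rating = 0
    for level in LEVELS:
        if meets(level, item.descriptions[level]):
            rating = level
    return rating


def gap(acm, goal):
    """Length of the SMART gap (20) between the goal (18) and the ACM (16)."""
    return max(goal - acm, 0)


def smart_row(item, acm, goal):
    """Text rendering of one SMART row: '#' shades the row up to the ACM,
    '-' marks the gap up to the goal, blank cells lie beyond the goal."""
    cells = "".join("#" if lv <= acm else "-" if lv <= goal else " " for lv in LEVELS)
    return f"{item.name:<12}|{cells}| ACM=L{acm} goal=L{goal}"


def corrective_actions(item, acm, goal):
    """CAP derivation per [0032]: one action for every level above the ACM up
    to the goal, worded from that level's matrix description."""
    return [(lv, item.descriptions[lv]) for lv in LEVELS if acm < lv <= goal]


# Constructed sample row: Item G of Category 2 from FIG. 3, with level texts
# modelled on the Level 3 / Level 4 wording quoted in [0032].
ITEM_G = MatrixItem("Category 2", "Item G", {
    1: "no policy exists for this item",
    2: "the policy is applied informally",
    3: "the policy is written down",
    4: "there is an assigned manager in charge of applying this policy",
    5: "the policy is reviewed periodically against business needs",
})


def met_up_to(max_level):
    """Constructed assessor answers: every description up to max_level is met."""
    return lambda level, _text: level <= max_level


if __name__ == "__main__":
    # FIG. 3 case: ACM at L2, goal at L3 -> a gap of one level on the row.
    acm = rate_item(ITEM_G, met_up_to(2))
    print(smart_row(ITEM_G, acm, 3), "gap:", gap(acm, 3))
    # [0032] case: assessed at L3 with a goal of L4 -> CAP: put a manager in charge.
    for level, action in corrective_actions(ITEM_G, 3, 4):
        print(f"L{level}: {action}")
```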
[0033] The monitoring phase of the SMA includes periodic SMART
reports to ensure that goals are met and maintained. Further,
during this phase, the assessment entity may detect change in the
environment that might require additions or changes to the security
practices and/or policies. Additionally, during the monitoring
phase, the assessment entity may provide assistance for debriefing
the organization in the event of an information security incident.
In one or more embodiments of the invention, the monitoring phase
is optional.
[0034] FIG. 4 illustrates a flowchart detailing the SMA method in
accordance with another embodiment of the invention. Initially, the
organization's business goals are determined (Step 112), as well as
the associated risk in terms of information security (Step 114).
Written documentation is then collected about the organization's
existing information security policies and practices (Step 116).
Additional information is then collected via interviews (Step 118).
Using the information gathered in Steps 112 through 118, the SAM
rating is generated (Step 120). If additional information is
obtained (Step 122), then step 120 may be repeated. If no
additional information is obtained (Step 122), then a list of
corrective actions is proposed (Step 124). The corrective actions
are subsequently prioritized (Step 126) and executed (Step 128) to
generate modified information security policies and procedures. The
modified information security policies and procedures are then
monitored (Step 130). If there is a change in the information
security environment, e.g., a first organization merges with a
second organization resulting in the first organization's network
being integrated into the second organization's network, or if the
time for a periodic review arrives (Step 132), then the process
proceeds back to Step 116.
[0035] The invention, in one or more embodiments, may have one or
more of the following advantages. The SMA method is a systematic
approach that includes a process, a detailed method for assessment
(i.e., SAM), and a reporting tool (i.e., SMART). Further, the SMA
method covers all aspects of information security and explicitly
defines what each level means for each item. Further, the SMA
method is action oriented. Further, each item is assessed as a
capability maturity rather than pass/fail, allowing an organization
to readily gauge where the organization is with respect to a
particular information security item and to measure progress over
time or against a goal, even if that progress is gradual.
Additionally, the security assessment matrix may be used as a list
of recommendations to detail how the organization may attain its
information security goals.
[0036] Further, the SMA method is easy to apply, as each item and
corresponding set of criteria for each maturity level associated
with the item are clearly defined. Further, the SMA method is
flexible, as it may be used for multiple purposes. For example, the
SMA may be used for the purpose of establishing to a customer or
regulatory authority that an organization has the required
capability to perform a certain task. The SMA may also be used for
the purpose of internally monitoring, over time, improvements
decided by the organization's management. The SMA may also be used
for the purpose of meeting a certain industry standard or reaching
a goal established through analysis of the competition's security
capabilities.
[0037] Further, the invention produces an objective rating of an
organization's information security practices and policies removing
the subjective element of the assessment process.
[0038] While the invention has been described with respect to a
limited number of embodiments, those skilled in the art, having
benefit of this disclosure, will appreciate that other embodiments
can be devised which do not depart from the scope of the invention
as disclosed herein. Accordingly, the scope of the invention should
be limited only by the attached claims.
* * * * *