5 - CHAPTER FIVE – A BUSINESS PROCESS SECURITY MATURITY MODEL
5.8 Business Process Security Maturity Model – An Overview
The BPSM model is proposed to harness the convergent themes of the pillars of this research, namely the ISO 17799 security standard and the SSE-CMM security metric within a BPM business environment. The purpose is to integrate security into the business process itself and to continually monitor and correct the security posture, maturity and performance of the security process. The BPSM model is illustrated in Figure 5.4.
Figure 5.4 - Business Process Security Maturity Model
[Figure 5.4: a four-phase cycle of 1 Initiation (labels: BP(M); Controls; Risk Management; ISO Risk Assessment; Business Process Definition; SSE-CMM Appraisal; Security Process Baseline; Steps 1.1, 1.2, 1.3), 2 Integration (Controls + Business Process), 3 Assessment (Secure Business Process; Assess Business Process Security Maturity) and 4 Improvement (Maintenance / Monitoring / Improvement)]
5.8.1 Phase 1: Initiation
It is during the Initiation Phase that the business process, which originates from a BPM environment, is initially analysed using a business process modelling technique as illustrated in Step 1.2. FDD and meta-notation are examples of agile development methods applicable to this task. The initial risk analysis and management activities are carried out to design a security plan. This security plan includes the security controls or counter-measures as illustrated in Step 1.1. The security metrics are established during this phase and are based on the security baselines and potential maturity as determined by ISO 17799 and the SSE-CMM. The risk assessment process institutes the security policy and determines which security controls are to be used. ISO 17799 is used to establish the security counter-measures and provides the guidelines on which security controls to select and implement. A security appraisal is conducted using the SSE-CMM to establish the security baselines and to set security performance or maturity targets as illustrated in Step 1.3. It is used to set up the continuous monitoring process by establishing the current and potential status of security in the business process.
The Initiation Phase creates the following deliverables: the organisational security policy, the security controls, the security baseline for the business process, the process definition together with its security elements using meta-notation, a risk treatment and risk priority plan, SoA, SoC, the assurance argument, the requisite security metrics and security goals. The result of the Initiation Phase is a security-element-enhanced business process which contains its security elements.
5.8.2 Phase 2: Integration
The security controls and counter-measures are inserted into the business process during the Integration Phase and are represented as the Controls + Business Process in Figure 5.4. This results in a security-enhanced business process. FDD and meta-notation are used to document this representation. The meta-notation includes the security element dimensions, namely, the security subjects, security objects, security constraints, security classifications and security policy. The security controls originate from Step 1.1 in the Initiation Phase, namely the risk assessment activities and ISO 17799-selected counter-measures, which are assessed, using the SSE-CMM, against the current security baseline of the business process and its potential security maturity or performance. The output of this phase is a security-enhanced business process which is the input to the Assessment Phase.
5.8.3 Phase 3: Assessment
It is during the Assessment Phase that the security-enhanced business process is evaluated. It is represented as the Secure Business Process in Figure 5.4.
Security metrics are applied to the Secure Business Process, which is assessed and evaluated, using the SSAM, to establish its maturity status. The goal is to achieve an optimising, or Capability Level 5, maturity which ensures the security elements of the business process are continuously improving. However, the organisation utilising the BPSM model may choose to achieve a level of security maturity that meets its desired security position. The analysis and evaluation of the Secure Business Process identifies the gaps in performance by analysing its current status against its targeted performance. This analysis and assessment constitutes the input for the Improvement Phase.
5.8.4 Phase 4: Improvement
It is during the Improvement Phase that the improvement opportunities are identified by measuring the changes in the security performance as reported by the Assessment Phase. These security improvements are implemented to improve the security performance, strength or maturity of the Secure Business Process.
This results in the Secure Business Process together with its new needs which are returned to the Initiation Phase to be re-evaluated.
These steps are analogous to the PDCA cycle and to maintaining a process in SPC. They result in the management of the security maturity posture in business processes in a continuous cycle of evaluation, assessment, improvement and re-assessment against the established and proposed security maturity status and performance.
The BPSM model provides the means to both initiate and maintain the security posture of a business process. It accommodates changes to both the business process and its security profile. Any changes to the business process originating from the BPM environment, or any changes to the security profile of the business process in the form of new threats, vulnerabilities or changes to the IT infrastructure such as the introduction of new technology, will result in a re-commencement of the Initiation Phase to incorporate the changes. This will produce a new business process definition which is re-evaluated by the risk analysis and management activities to establish its security needs. This affects the security plan, the counter-measures and the security policy. The ISO 17799-based security controls used as counter-measures are re-selected to match the new demands of the amended security needs of the business process. Similarly, the SSE-CMM security appraisal will be repeated to establish a set of new baselines and maturity targets to meet the altered security position.