82-10-40 The Information Security Program
Maturity Grid
Timothy R. Stacey
Payoff
The Information Security Program Maturity Grid is a tool composed of five stages of security maturity and five measurement categories that may be used by management in evaluating an enterprise's maturity from the perspective of information security.
Introduction
A position paper[38] developed for a National Institute of Standards and Technology workshop outlines the interrelationships of the quality assurance, configuration management, and security disciplines. It notes that a synergy can be developed if these disciplines maintain open lines of communication with each other and coordinate their activities.
The Carnegie Mellon University Software Engineering Institute's Software Capability Maturity Model[39] (CMM) provides the intuitive view that as enterprises involved with software development increase in process maturity, their risk of failure in developing software decreases. The Systems Engineering CMM[40] and preliminary work toward the development of a Security Engineering CMM[41] support the maturity-versus-risk relationship illustrated in Exhibit 1.
Exhibit 1. Risk/Information Security Program Maturity Relationship (figure not reproduced here).
In his landmark book,[42] Philip Crosby outlines a simple tool, the Quality Management Maturity Grid, with which "even the manager who isn't professionally trained in the quality business can determine where the operation in question stands from a quality standpoint." Given the interrelationships among quality assurance, configuration management, and security, and the relationship between process maturity and risk reduction, it appears natural that the Quality Management Maturity Grid could be tailored for use by managers in assessing an enterprise's information security program maturity.
This article outlines the stages of maturity and provides five measurement categories which, when combined, reveal an enterprise's overall information security program maturity.
38 Rene H. Sanchez, "The New Alliance: Gaining on Security Assurance." Proceedings of the International Invitational Workshop on Developmental Assurance. National Institute of Standards and Technology, 16-17 June 1994.
39 M. Paulk, W. Curtis, and M. B. Chrissis. A Capability Maturity Model for Software, Version 1.1. CMU/SEI-93-TR-24, ADA263403. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, February 1993.
40 A Systems Engineering Capability Maturity Model, Version 1.0. CMU/SEI-94-HB-4. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, December 1994.
41 Proceedings from the Security Engineering CMM Workshop. NSA, Ft. George G. Meade, MD, 18-20 January 1995.
42 Philip B. Crosby, Quality Is Free. New York: McGraw-Hill, 1979.
Five Stages of Security Maturity
The proposed grid, shown in Exhibit 2, contains five stages of security maturity: uncertainty, awakening, enlightenment, wisdom, and benevolence.
Exhibit 2. The Information Security Program Maturity Grid (grid not reproduced here; its five stages are uncertainty, awakening, enlightenment, wisdom, and benevolence, measured across the five categories described under Information Security Program Improvement below).
Stage I: Uncertainty
The lowest stage of information security program maturity, uncertainty, is characterized by a total lack of understanding of information security. Security is viewed as a hindrance to productivity. Although system integrity and availability requirements may be understood, failures to live up to these reliability requirements are viewed as system engineering failures rather than security incidents. Threats are not analyzed or understood. Protection strategies (prevention, detection, and recovery) are not formally addressed. Safeguards, if installed at all, usually consist of "guns, guards, and gates." Although the facility may be protected, the information assets may be wide open.
If in place at all, security is implemented from an industrial security perspective. System administrators or system programmers may implement information security on an ad hoc basis with a user ID or password system. In addition, the system administrator may restrict the system files from universal access solely to protect the system domain. End-users are usually on their own.
When incidents occur, if recognized as incidents, they may be reported to a general help desk, to industrial security, or to a system administrator. However, there usually is no mechanism in place to investigate or track the reports.
When security incidents occur, management places blame on external forces rather than on the lack of protections. The threat population and its anticipated frequencies are unknown. Crisis management is the standard method of operation, so when incidents occur the only question asked is, "How can we recover?" Because of this mentality, many organizations find that they cannot recover, and they perish.
Spending is rarely targeted for security. It is usually allocated for recovery from incidents. The frequency and cost effects of the incidents that occur are unpredictable. Thus, business planning and strategies depend on a crisis management environment. When incidents occur, the whole enterprise can be thrown into turmoil. All organizations must replan when incidents occur.
Moreover, the enterprise does not learn from its past inattention to security breaches. The enterprise in this stage—uncertainty—does not have time to learn. The more dependent the enterprise is on its data processing capabilities, the more crisis driven the enterprise becomes. Replanning is commonplace. The enterprise does not take time to plan security initiatives.
In summary, the enterprise in Stage I does not understand why it continually has problems with its information assets. It has a high failure rate; its information assets seem to be brittle, unstable, and inaccurate; and its corporate secrets seem to be public knowledge.
Stage II: Awakening
The second stage of information security program maturity, awakening, is characterized by both the realization that information security engineering may be of value and the inability to provide money or time to support information security activities. Security is viewed as a commodity that can be bought on the open market. Management allocates funds to procure systems or products with high-reliability components rather than to determine its actual reliability needs. As a result, management often overspends by buying equipment that far exceeds its requirements.
The Information Security Officer.
Once management realizes that information security may be of value, an organizational information security officer is appointed. However, once appointed, the officer will most likely report to industrial security, configuration management, MIS or IT, or some other functional area. The function of the information security officer will be to act as a central point for the funneling of incident reports. The officer responds to incidents after the fact.
The information security officer collects gross statistics and is likely to notice major trends and identify major threats. The officer will identify the significant threats and develop policies and procedures in response to the most frequently occurring crises. The information security officer may provide rudimentary reports to upper management (e.g., number of incidents per month).
Little funding will be allocated to the prevention of incidents. Funds will be spent primarily on procuring expensive, higher-reliability components. Money will be wasted on the wrong or incomplete safeguards supplied by vendors touting their built-in security.
Because security is designed based on past major threats and because the relative costs of differing protection strategies are not explored, the amount of money spent in crisis is high. Losses may be high especially when they do not follow the historical trend.
The organizational information security officer attempts to assist organizations that have experienced security compromises. The officer will identify safeguards that must be complied with. End-users view security restrictions as an unnecessary hindrance, and often they are, because the restrictions are mandated universally across the entire enterprise rather than applied on an as-needed basis.
Incidents and failures of system integrity or availability become recognized as information security problems. Despite the implementation of more and more security hurdles, compromises still happen. The end-user's productivity is now affected both by the security incidents and by the safeguards set in place to protect the system.
In summary, the enterprise in Stage II—awakening—does not understand why it continually has problems with the security of its information assets. It has a high incident rate, its information assets seem to be vulnerable, and its corporate secrets seem to be unprotected.
Stage III: Enlightenment
The third stage of information security program maturity, enlightenment, is characterized by both the realization that a companywide information security infrastructure is necessary and the realization that resources must be allocated to support information security activities. In this stage, security is no longer viewed solely as a commodity that can be purchased. Rather, information security must be designed consistent with an enterprise's needs; it must be designed from within.
Management realizes that because of the importance of information security to the entire enterprise, information security must be implemented from the top down. For the information security officer to be effective, the officer must report to top management. Corporate information security policy and a corporate security training program are developed. However, management usually develops enterprisewide security requirements and mandates that all organizational elements follow them regardless of applicability.
The information security officer institutes a formal reporting procedure. End-users more readily identify reportable incidents. The information security officer develops an information security strategy and performs an information security assessment based on that strategy. The strategy is developed based on both an analysis of past incidents and an analysis of a standard threat population (e.g., a published or general-purpose threat population). The strategy identifies the vulnerabilities of the information assets to the standard threat population and identifies appropriate protection strategies.
Because of the security awareness program and the development of a formal incident reporting procedure, incident reports contain the relevant data required by the information security officer to enable timely, proper diagnosis of the incident. In addition, the information security officer is now able to collect more precise statistics and produce more accurate analyses to define more thoroughly the information security threat. Senior management, in this stage, receives more detailed reports that support the information security officer's professional judgment.
Risk analyses convince management to allocate resources to preventive safeguards rather than only to recovery. However, once the initial studies have been conducted, the protection strategies developed, and the safeguards installed, the fervor for information security diminishes. The information assets are believed to be safe.
At first, losses appear to be both expected (i.e., predicted through risk analyses) and manageable (i.e., planned, anticipated, and consciously accepted as security cost/benefit trade-offs). However, as time progresses, losses increase because of the complacency of the enterprise, the changing threat population, and the evolving, rapidly changing nature of information technology. Previously prepared risk analyses become stale and demonstrate loose applicability to the evolving environment.
Because of the thorough security awareness training program, end-users are more vigilant and tend to initiate more incident reports. Because risk analyses have been performed, a balanced set of safeguards has been selected, and end-users' view of security restrictions shifts from hindrance to necessity.
Cost/benefit studies convince management of the need for security, and management understands the business necessity for it. The enterprise undertakes the information security engineering activities of awareness training, risk analysis, and risk-reduction initiatives. In summary, through management commitment and information security engineering improvement, the enterprise in Stage III, enlightenment, is identifying, prioritizing, and protecting its assets. The enterprise is seeking solutions to prevent information security problems rather than simply recovering from incidents as they occur.
Stage IV: Wisdom
The fourth stage of information security program maturity, wisdom, is characterized by an information security program that more closely reflects the enterprise's environment and responds to the enterprise's evolving needs.
If Stage III is characterized by a companywide, top-down approach to information security, this stage represents the bottom-up approach. In this approach, the lowest-level entities are empowered and encouraged to evaluate and develop their own risk-based management strategies and to customize the enterprise's existing information security program to respond to their own needs.
Because of an increased understanding of information security principles, management visibly participates in the information security program. Management actively encourages all employees to participate as well. Management is able to make informed security policy decisions and to support its decisions with conviction. Although the information security officer may not necessarily be a member of the enterprise's senior staff, information security principles are accurately represented there.
Based on increased responsibilities and work load, the information security officer has established an infrastructure. Responsibilities have increased to include periodic information security assessments (i.e., security assessment updates), penetration testing, and auditing. The information security officer has developed positive, mutually beneficial relationships with all support organizations. Such interactions with other organizations (e.g., line management, product assurance, and purchasing) promote acceptance and enhance an effective enterprisewide implementation of the security program.
Threats are continually reevaluated based on the changing threat population and on security incidents. All security safeguards are open to suggestion and improvement. Legal actions are prescribed for each type of incident.
Risk analyses are now developed that contain greater detail and accuracy because of a greater understanding of both the threat population and the enterprise's vulnerabilities. Resources are continually allocated to the optimization of the information security program. Additional or more cost-effective safeguards are continually identified. Studies are now conducted because of the realization that the threat evolves and that the enterprise's information systems and technologies continually grow. Losses that occur have been managed, anticipated through continual cost/benefit trade-offs (e.g., risk analyses).
Once the functional organizations have been empowered to augment the enterprise's information security program, risk management occurs at all levels of the enterprise. Information security engineering research activities are initiated to keep up with the rapidly changing environment. Information security practitioners now undergo periodic training and refresher courses. A complete information security training program has been developed—expanded from awareness to a continuous, technical, customized, detailed security training program. The training is tailored to the needs of the differing audiences (i.e., awareness, policy-level, and performance-level training).
In summary, the information security activities of an enterprise in Stage IV, wisdom, are planned, budgeted, and routine. Through the use of enterprise-specific threat models, and through the preparation of detailed risk analyses, the enterprise understands its vulnerabilities and protects its information assets.
Stage V: Benevolence
The fifth stage of information security program maturity, benevolence, is characterized by continual information security process improvement through research and participation and the sharing of knowledge in public and professional forums.
In this stage, information security engineering is considered an essential part of the enterprise's internal controls. Management also recognizes that each of the enterprise's controls contains information security components. Adequate resources are provided and management fully supports the computer security program. Management support extends to the funding of internal research and development to augment the existing information security program.
The information security officer regularly meets with top management. Process and technology improvement are the main concerns. The security organization is a thought leader. The enterprise's information security professionals are recognized within the enterprise, within the security industry, and even by the enterprise's competitors. These security professionals achieve recognition through presentations at information technology conferences, publishing in trade journals, and serving on government task forces. The involvement and visibility of the enterprise's information security professionals enhance the enterprise's image in the marketplace.
The causes of incidents are determined, and corrective actions are prescribed and monitored. Incident data is fed back into risk management to improve the information security posture.
Prevention strategies are implemented to their fullest extent, based on detailed and accurate cost/benefit analyses, and losses are minimized and anticipated. Information security costs are justified and promoted because of their recognized contribution to reducing the enterprise's indirect costs of doing business (i.e., management realizes that incidents and their associated costs of recovery, which drain the enterprise's overhead, have diminished). The enterprise recovers information security costs through the positive effect of a stable environment within the enterprise (i.e., an increase in productivity). The information security program may be partially funded by its contribution to marketing. This level of documented system integrity, availability, and confidentiality may become a marketing tool that encourages business expansion through consumer recognition of a quality boost to the enterprise's traditional product line. In addition, the information security program may be partially funded by marketing its own information security services externally.
In this stage, information security protections are optimized across the enterprise. Enterprisewide protection strategies are continually reevaluated based on the needs and customized protection strategies identified by the enterprise's functional elements. Information security engineering activities (e.g., risk analyses, risk-reduction initiatives, audits, and research) are normal and continuous. Desirable security improvement suggestions come from end-users and system owners.
In summary, the enterprise in Stage V, benevolence, knows that its assets are protected now, and the enterprise is assured that its assets will continue to be adequately protected in the future. These assets are protected because the enterprise's planned, proactive information security activities are continually adjusting and optimizing their protection strategies.
Information Security Program Improvement
The five measurement categories for evaluating an enterprise's information security maturity are: management understanding and attitude, security organization status, incident handling, security economics, and security improvement actions. The following discussion outlines the steps necessary to improve an enterprise's ratings within each of the maturity categories.
Management Understanding and Attitude
To attain Stage II, awakening, management must approve the procurement of:
· The vendor-supplied, built-in software security (e.g., virus scanners, password packages, backup software, configuration management tools, and tape archiving tools).
· The vendor-supplied, built-in hardware security (e.g., equipment with high mean-time-between-failure ratings and inventorying a high number of line-replaceable units).
To attain Stage III, enlightenment, management must support:
· The enterprisewide information security policies.
· The information security awareness training for end-users.
To attain Stage IV, wisdom, management must:
· Attend security awareness training, actually obtain an understanding of the absolutes of information security engineering, and become able to make informed policy decisions.
· Promote information security.
· Empower organizational elements to augment the enterprise's information security program consistent with each element's own needs.
To attain Stage V, benevolence, management must:
· Understand that information security engineering is an essential part of the enterprise's internal controls.
· Provide adequate resources and fully support the information security program to include internal research and development.
Security Organization Status
To attain Stage II, awakening, management must appoint an information security officer.
To attain Stage III, enlightenment:
· Management must change the reporting structure of the information security officer to top management.
· The information security officer must develop a corporate information security policy based on the standard set of threats.
· The information security officer must institute a companywide information security training program.
· The enterprise must develop an information security strategy based on past incidents and on an analysis of the threat population and the vulnerabilities of the enterprise's assets.
· Existing information security safeguards must be evaluated and augmented based on risk analyses performed in response to the standard set of threats.
To attain Stage IV, wisdom:
· The information security officer must create an information security infrastructure.
· The information security officer must modify corporate information security policy based on a custom, enterprise-specific set of threats.
· Information security assessments must be updated periodically, and penetration testing and audit capabilities must be supported.
· The information security officer must develop strategic alliances with other organizations (e.g., configuration management, product assurance, and procurement).
To attain Stage V, benevolence:
· Top management must regularly meet with the information security officer.
· Information security must be able to address technical problems with leading-edge solutions obtained through internal research and development.
· Information security's role must expand into the community to augment the enterprise's image.
Incident Handling
To attain Stage II, awakening:
· The information security officer must collect incident reports.
· The information security officer must respond to security incidents.
· Rudimentary statistics must be collected to identify major trends.
To attain Stage III, enlightenment:
· The information security officer must develop a formal incident reporting procedure.
· Incident reports must contain the relevant data required to enable timely, proper diagnosis of the incident.
· Detailed statistics must be collected and analyzed to more thoroughly define the information security threat.
To attain Stage IV, wisdom:
· Threats must continually be reevaluated based on the changing threat population and on security incidents, enhancing the accuracy of the risk analyses.
· Legal actions must be prescribed for each type of incident.
To attain Stage V, benevolence, incident data must be analyzed and fed back continually to improve the information security process.
Security Economics
To attain Stage II, awakening, management must provide funding, albeit limited, for information security, allocated primarily for the procurement of safeguards supplied by vendors touting their built-in security.
To attain Stage III, enlightenment, expenditures must be managed and justified, and the information security activities that receive funding must be selected as a result of a risk analysis.
To attain Stage IV, wisdom:
· Expenditures must be managed and continually justified through periodic risk analyses of greater accuracy, identifying additional or more cost-effective safeguards in response to the continually changing threat environment.
· Losses must be anticipated through cost/benefit trade-offs.
To attain Stage V, benevolence:
· The cost savings aspect of a completely implemented information security program must be thoroughly understood and realized.
· Information security expenditures must be justified and reduced, and partial funding must be obtained by information security's contribution to marketing.
· Information security may generate its own marketing center.
Security Improvement Actions
To attain Stage II, awakening, the information security officer must begin to implement enterprisewide security policies and procedures.
To attain Stage III, enlightenment:
· The information security officer must provide a security awareness training program to encourage end-users to be more vigilant and to initiate more incident reports.
· Management must understand the business necessity for security.
· Management must fund the information security engineering activities of awareness training, risk analysis, risk-reduction initiatives, and audits.
To attain Stage IV, wisdom:
· Risks must be accurately evaluated and managed.
· Information security engineering research activities must be initiated to keep up with the rapidly changing environment.
· Information security awareness must be expanded to a continuous, technical, and detailed security training program.
To attain Stage V, benevolence:
· The information security engineering activities (e.g., risk analyses, risk-reduction initiatives, audits, and research) must become normal, continual activities.
· The information security officer must obtain desirable security improvement suggestions from end-users and system owners.
How to Prepare A Security Maturity Profile
To prepare a profile, assessors simply review each cell on the Information Security Program Maturity Grid (see Exhibit 2) and decide whether that cell best describes their enterprise's level of maturity. For each measurement category (column), if only the bottom row (Stage I, uncertainty) applies, that category should be considered immature. If the second or third row (Stage II, awakening, or Stage III, enlightenment) applies, that category should be considered moderately mature. If the fourth or fifth row (Stage IV, wisdom, or Stage V, benevolence) applies, that category should be considered mature.
Sample Security Maturity Grid Profiles
Exhibits 3, 4, 5, and 6 each provide an enterprise's summary of its information security posture together with a sample Information Security Program Maturity Grid profile for that posture.
Conclusion
The Information Security Program Maturity Grid is a tool introduced to aid managers in the appraisal of an enterprise's information security program. In addition, information security program improvement initiatives have been proposed for each of the measurement categories.
Author Biographies
Timothy R. Stacey
Timothy R. Stacey is employed by Science Applications International Corporation, a division of Rockwell Space Operations Company, Houston, Texas.