2. ACCESS CONTROLS CMM (1/3)
Please see the following slide for the assessed current and desired future states.
Optimized
Processes and procedures are constantly improved upon through communication and a learning process. These items represent best practices and a strategic and competitive advantage for the organization.
Managed
Processes and procedures are defined and repeatable, and individual team members have specific training and duties specialized for them. Cross-functional training has occurred, so no single member of the team is considered irreplaceable; rather, the entire team works as a cohesive unit to complete required tasks.
Defined
Processes and procedures are codified, and this documentation is shared with the full team. Training occurs within the team and peer learning takes place within the group. Organizational knowledge is defined and codified within the processes and procedures used by the group.
Repeatable
Processes and procedures exist but are not fully defined. Individual activities are still key to the overall success of the activities, with limited ability to have backups of key functions. Noncomplicated tasks can be completed repeatedly with the expectation of a similar outcome.
Initial
Processes are ad hoc with limited structure and rely solely on the individual knowledge and effort of employees. Documentation or codification of these processes is limited.
Attributes of the Capability Maturity Continuum:
Process Maturity is assessed across six dimensions: Business Strategies and Policies; People and Organizational Structure; Management Reports; Models and Methodologies; Systems and Data; and Business and Risk Management Processes.
Delivery Capabilities:
Business Strategies and Policies: Strategies and policies provide key company stakeholders with a common understanding of the company’s risk appetite, risk tolerances and expected standards of conduct.
People and Organizational Structure: Key tasks are assigned to people with the requisite knowledge, skill and expertise. Roles and responsibilities of risk taking versus risk monitoring must be defined and delineated.
Management Reports: For management to make informed decisions, reports must be prepared with the appropriate frequency, be easy to use, capture succinctly and highlight key information for decision-making.
Models and Methodologies: Properly developed models can help identify and quantify risks, support the analysis of risk/reward trade-offs and portfolio diversification, and evaluate the cost-effectiveness of risk-mitigation alternatives and the allocation of capital to absorb potential losses.
Systems and Data: Information systems must support methodologies and reporting; provide relevant, accurate and timely information; meet the company’s business requirements; and be flexible for future enhancements.
Business and Risk Management Processes: In order to avoid or accept risks, uniform processes and procedures related to risk-taking activities must be developed, implemented and monitored continuously.
3. ACCESS CONTROLS CMM (2/3)
Continuum dimensions: Business Strategies and Policies; Business and Risk Management Processes; People and Organizational Structure; Management Reports; Models and Methodologies; Systems and Data.
Optimized
Business Strategies and Policies: Business strategies and policies drive value for the organization. Best-of-breed policies and procedures are reviewed from both internal and external sources to ensure that a learning organization exists.
Business and Risk Management Processes: World-class actionable security intelligence is utilized to drive organizational decisions. Continuous benchmarking and best-practice metrics are employed. External best practices are considered.
People and Organizational Structure: Organizational culture classifies security as a strategic corporate competency, supports and rewards knowledge sharing, and provides learning and growth opportunities for its people.
Management Reports: Dashboards are fully developed and highly automated. Actionable KPIs are used as a record information source to drive projects throughout the enterprise. Information is used by all IS employees.
Models and Methodologies: Strategic methodologies that emphasize continuous improvement in information security are enacted with key members of management.
Systems and Data: Technology processes optimize and leverage information through real-time security threat analysis.
Managed
Business Strategies and Policies: Policies and strategies are closely monitored and reviewed for accuracy. Adjustments are made regularly to ensure applicability.
Business and Risk Management Processes: Effectively utilizing information security drives formal business and risk management processes. Processes are constantly updated to ensure that they are appropriate and up to date.
People and Organizational Structure: Executive-level sponsorship encourages the constant improvement of information security throughout the organization. All employees are encouraged to manage security functions.
Management Reports: Cross-departmental reporting is in place and utilized by the organization to make key decisions related to security. Automated security alerts are configured across the organization.
Models and Methodologies: Input from the business is used to constantly refine and improve methodologies and the information security model at an enterprise level, and is communicated clearly.
Systems and Data: Mature security systems and processes are utilized in order to protect the enterprise from threats.
Defined
Business Strategies and Policies: Policies and strategies are centrally housed and maintained. Enforcement of these policies is centrally mandated and monitored. All policies align to the overall business strategies. Policy enforcement occurs regularly.
Business and Risk Management Processes: Defined and standardized processes are in place for all information security activities. Procedures are uniformly performed, measured and reviewed regularly for required changes.
People and Organizational Structure: Training programs are common. Roles, responsibilities and corporate culture are adequate to support information security. People are aware of information security resources and utilize them.
Management Reports: Centralized management of key security reporting is in place. A standard set of information security reports is produced and used to protect the organization. Ad hoc capabilities and standard reporting definitions and tools exist.
Models and Methodologies: Enhanced security models and methodologies are available and utilized for decision-making. Formalized methodologies are available and shared throughout the organization, and security is assessed across the organization.
Systems and Data: Security systems and processes are defined, managed and used for reporting and threat mitigation. Detective and preventive controls are automated and pervasive among all key systems.
4. ACCESS CONTROLS CMM (3/3)
Continuum dimensions: Business Strategies and Policies; Business and Risk Management Processes; People and Organizational Structure; Management Reports; Models and Methodologies; Systems and Data.
Repeatable
Business Strategies and Policies: Policies and strategies exist in different areas of the organization and are followed. A uniform understanding of existing policies is not held across the organization, and ad hoc policy enforcement occurs.
Business and Risk Management Processes: Information security techniques are mostly informal, and responsibilities are only somewhat defined. Critical processes are documented and standardized.
People and Organizational Structure: Management has distributed some information security knowledge resource materials within the organization. Limited training is offered to all employees, and responsibilities are defined.
Management Reports: Key security-related information and some analytical reports are available and understood. Executive management has access to high-level summary information (e.g., board books).
Models and Methodologies: Departmental methodologies are in place. The overall organization understands the need for security and has standard approaches for providing the general elements of security.
Systems and Data: Threat mitigation is primarily performed by a wide array of disparate systems and manual processes. Controls are more detective than preventive in nature.
Initial
Business Strategies and Policies: Policies and strategies exist but are maintained in different silos throughout the organization and may be executed upon in differing ways. Policy gaps exist with nonuniform coverage.
Business and Risk Management Processes: Processes are in place for most tasks that occur but are ad hoc in nature and not clearly documented. Processes are not uniform across the organization.
People and Organizational Structure: Individuals within the organization use information security, but understanding of its proper business use and definition is not uniform. Training exists but is mostly ad hoc.
Management Reports: Developing reports that are relevant requires significant effort, and reports are often on paper. Critical intelligence information and metrics may not be available, measured or managed.
Models and Methodologies: Models are not used by management to support information security initiatives. Little reliance is placed on information security measures.
Systems and Data: Systems are inefficient or nonexistent. All threat mitigation is performed on an ad hoc basis. Uniform system approaches to information security do not exist.