Download to read offline
![Draft_ppt_dmss[1][2] (1) FINAL123455667.pptx](https://cdn.slidesharecdn.com/ss_thumbnails/draftpptdmss121final-250720163613-fd8ed22f-thumbnail.jpg?width=640&height=640&fit=bounds)
Access Controls Capability Maturity Model (CMM).pptx
- 1.
- 2. ACCESS CONTROLS CMM(1/3) 2 Please see the following slide for the assessed current and desired future states. Optimized Processes and procedures are constantly improved upon through communications and a learning process. These items represent best practices and a strategic and competitive advantage for the organization. Managed Processes and procedures are defined and repeatable, and individual team members have specific training and duties specialized for them. Cross-functional training has occurred, so no single member of the team is considered irreplaceable but rather the entire team works as a cohesive unit to complete required tasks. Defined Processes and procedures are codified, and this documentation is shared with the full team. Training occurs within the team and peer learning takes place between the group. Organizational knowledge is defined and codified within the processes and procedures used by the group. Repeatable Processes and procedures exist but are not fully defined. Individual activities are still key to the overall success of the activities, with limited ability to have backups of key functions. Noncomplicated tasks can be completed repeatedly with the expectation of a similar outcome. Initial Processes are ad hoc with limited structure and rely solely on the individual knowledge and effort of employees. Documentation or codification of these processes is limited. Process Maturity Business Strategies and Policies People and Organizational Structure Management Reports Models and Methodologies Systems and Data Business and Risk Management Processes Attributes of the Capability Maturity Continuum: Delivery Capabilities: Strategies and policies provide key company stakeholders with a common understanding of the company’s risk appetite, risk tolerances and expected standards of conduct. Key tasks are assigned to people with the requisite knowledge, skill and expertise. Roles and responsibilities of risk taking versus risk monitoring must be defined and delineated. For management to make informed decisions, reports must be prepared with the appropriate frequency, be easy to use, capture succinctly and highlight key information for decision-making. Properly developed models can help identify and quantify risks, support the analysis of risk/reward trade-offs and portfolio diversification, and evaluate the cost- effectiveness of risk- mitigation alternatives and the allocation of capital to absorb potential losses. Information systems must support methodologies and reporting; provide relevant, accurate and timely information; meet the company’s business requirements; and be flexible for future enhancements. In order to avoid or accept risks, uniform processes and procedures related to risk-taking activities must be developed, implemented and monitored continuously.
- 3. ACCESS CONTROLS CMM(2/3) 3 Continuum Business Strategies and Policies Business and Risk Management Processes People and Organizational Structure Management Reports Models and Methodologies Systems and Data Optimized Business strategies and policies drive value for the organization. Best-of-breed policies and procedures are reviewed from both internal and external sources to ensure that a learning organization exists. World-class actionable security intelligence is utilized to drive organizational decisions. Continuous benchmarking and best-practice metrics are employed. External best practices are considered. Organizational culture classifies security as a strategic corporate competency, supports and rewards knowledge sharing, and provides learning and growth opportunities for its people. Dashboards are fully developed and highly automated. Actionable KPIs are used as a record information source to drive projects throughout the enterprise. Information is used by all IS employees. Strategic methodologies that emphasize continuous improvement in information security are enacted with key members of management. Technology processes optimize and leverage information through real-time security threats analysis. Managed Policies and strategies are closely monitored and reviewed for accuracy. Adjustments are made regularly to ensure applicability. Effectively utilizing information security drives formal business and risk management processes. Processes are constantly updated to ensure that they are appropriate and up to date. Executive-level sponsorship encourages the constant improvement of information security throughout the organization. All employees are encouraged to manage security functions. Cross-departmental reporting is in place and utilized by the organization to make key decisions related to security. Automated security alerts are configured across the organization. Input from the business is used to constantly refine and improve methodologies and the information security model at an enterprise level and is communicated clearly. Mature security systems and processes are utilized in order to protect the enterprise from threats. Defined Policies and strategies are centrally housed and maintained. Enforcement of these policies is centrally mandated and monitored. All policies align to the overall business strategies. Policy enforcement occurs regularly. Defined and standardized processes are in place for all information security activities. Procedures are uniformly performed, measured and reviewed regularly for required changes. Training programs are common. Roles, responsibilities and corporate culture are adequate to support information security. People are aware of information security resources and utilize them. Centralized management of key security reporting is in place. A standard set of information security reports is produced and used to protect the organization. Ad hoc capabilities and standard reporting definitions and tools exist. Enhanced security models and methodologies are available and utilized for decision-making. Formalized methodologies are available and shared throughout the organization and security is assessed across the organization. Security systems and processes are defined, managed and used for reporting and threat mitigation. Detective and preventive controls are automated and pervasive among all key systems.
- 4. ACCESS CONTROLS CMM(3/3) 4 Continuum Business Strategies and Policies Business and Risk Management Processes People and Organizational Structure Management Reports Models and Methodologies Systems and Data Repeatable Policies and strategies exist in different areas of the organization and are followed. A uniform understanding of existing policies is not held across the organization and ad hoc policy enforcement occurs. Information security techniques are mostly informal, and responsibilities are only somewhat defined. Critical processes are documented and standardized. Management has distributed some information security knowledge resource materials within the organization. Limited training is offered to all employees and responsibilities are defined. Key security-related information and some analytical reports are available and understood. Executive management has access to high-level summary information (e.g., board books). Departmental methodologies are in place. The overall organization understands the need for security and has standard approaches for providing the general elements of security. Threat mitigation is primarily performed by a wide array of disparate systems and manual processes. Controls are more detective than preventive in nature. Initial Policies and strategies exist but are maintained in different silos throughout the organization and may be executed upon in differing ways. Policy gaps exist with nonuniform coverage. Processes are in place for most tasks that occur but are ad hoc in nature and not clearly documented. Processes are not uniform across the organization. Individuals within the organization use information security, but uniform understanding of the proper business use and definition differs. Training exists but is mostly ad hoc. Developing reports that are relevant require significant effort and are often on paper. Critical intelligence information and metrics may not be available, measured or managed. Models are not used by management to support information security initiatives. Little reliance exists to employ information security measures. Systems are inefficient or nonexistent. All threat mitigation is performed on an ad hoc basis. Uniform system approaches to information security do not exist.