This document discusses assessing the security maturity of an organization. It introduces a new assessment tool called the Security Maturity Assessment (SMA) which is based on the Capability Maturity Model (CMM) approach. The SMA evaluates an organization's security practices across ten areas outlined in the ISO 17799 standard and assigns maturity levels between 1 to 5 to indicate how well practices are defined, managed, and optimized. Conducting an SMA involves interviewing staff, collecting documentation, tabulating results, and presenting findings to help organizations measure security readiness over time, ensure compliance, and prioritize improvements.

1. Schlumberger Public
Assessing the Security Maturity
of an Organization
Claude R. Baudoin
Colin R. Elliott

2. Overview
Organizations need to measure their level of readiness w.r.t. security risks
 You cannot improve what you do not measure
This is an irrational exercise absent a standard or methodology that provides
objective and comparable measurements
Schlumberger Public
A standard like ISO 17799 does not automatically allow an organization to:
 establish its level of compliance
 measures progress over time
 decide on required actions
 prioritize them in view of finite budgets and resources
We have developed a new assessment tool, the Security Maturity Assessment
 based on the SEI Capability Maturity Model (CMM) approach
 includes practical advice on how to conduct an assessment
 fits within an overall security improvement plan
 patent pending

3. The Challenge
The CIO or CSO needs to know:
 How secure am I?
 Am I better off now than I was at this time last year?
Schlumberger Public
 Am I spending the right amount of money?
 How do I compare with my peers?
Conflicting inputs and constraints:
 Clients and regulators demand provable assurances
 Vendors propose products
 Budget constraints

4. A Source for Best Practices – ISO 17799
Originally “British Standard 7799”
Adopted internationally as ISO 17799 in 2000
Divides security into 10 areas:
 Information Security Policy
Schlumberger Public
 Organizational Security
 Asset Classification and Control
 Personnel Security
 Physical and Environmental Security
 Communication and Operations
Management
 Access Control
 System Development and Maintenance
 Business Continuity Management
 Compliance

5. “Capability Maturity Model” Concept
Created in 1995 by the
Software Engineering Level 5: Optimizing
• Process Change Management
Continuous process capability
Institute (SEI) at improvement
• Defect Prevention
• Technology Change Management
Carnegie-Mellon
Level 4: Managed
Schlumberger Public
Product quality planning; tracking
University to improve
of measured software progress. • Software and Quality Management
• Quantitative Process Management
Level 3: Defined
software processes Software process defined and
institutionalized to provide
• Organization Process Focus
• Organization Process Definition
5 levels product quality control. • Training Program
• Integrated Software Management
• Software Product Engineering
“Key Process Areas” Level 2: Repeatable
• Intergroup Coordination
• Peer Reviews
must be in place to Management oversight and
tracking of projects; stable • Requirements Management
qualify for each level planning and product baselines. • Project Planning
• Project Tracking / Oversight
Level 1: Initial • Subcontract Management
Widely adopted by the Ad hoc, unpredictable, chaotic. • Configuration Management
software industry

6. Mapping ISO 17799 to Maturity Levels
3.1.1 Information Security Policy Document
“A policy document should be approved by
management, published and communicated, as
appropriate, to all employees. It should state Defined
management commitment and set out the
Schlumberger Public
organization’s approach to managing
information security.”
Managed
3.1.2 Review and Evaluation
“The policy should have an owner”
There should be a “defined review process” Optimized
ensuring that “a review takes place in response
to any changes affecting the basis of the
original risk assessment…”  Regroup these three
4.1.7 Independent review of information security concerns into Levels 3, 4
The implementation of the Information Security and 5 of the same row of
Policy should be “reviewed independently to the assessment matrix
provide assurance that organizational practices
properly reflect the policy.”

7. The Assessment Matrix (sample row)
ISO 17799 Level 1 Level 2 Level 3 Level 4 (Managed) Level 5
Categories (Initial) (Repeatable) (Defined) (Optimizing)
Level • Informal, ad • Formal & • Enforced & • Dynamic
Definitions hoc documented measured • Process exists
• Not written (in writing) • Responsibilities for catching
down, may be are defined deviations and
communicated explicitly making
through constant
Schlumberger Public
coaching improvements
III.1 Information Coverage of No Security policy exists, Specific policy Security policy covers Clear responsibilities
Security Security Policy security but as a general exists supporting all areas of business. and mechanisms in
Policy Review of policy in statement. business goals, Security policy is place to upgrade
effective place Inferring what is clearly stating in owned by appropriate policy if required after
implementation specifically mandated detail what is functions including IT every breach of policy,
of information or prohibited requires mandated or but also Finance, HR, and if business
security policy consulting specialized prohibited. Legal, etc. changes occur such
Review of personnel. A "normal" person Organization policies as acquisition,
Information No regular reviews. can easily define the roles and divestiture, or major
Security Policy understand it. responsibilities in changes in business
Reviews carried following procedures. processes.
out at intervals, Reviews carried out --
but no clear intervals and
management responsibility for the
responsibility to reviews are defined
trigger reviews or explicitly in the policy.
exploit results A report on non-
compliance is created
and distributed to the
business units for their
review and action.

8. SMA – Part of an Overall Security
Improvement Process
Schlumberger Public
2. Security
3. Corrective
Maturity Action Plan
Assessment
1. Management
Awareness and
Commitment
5. Ongoing 4. Action Plan
Monitoring Execution

9. Conducting the Assessment
Communicate the purpose and process of the assessment
Determine who will be interviewed
Conduct the interviews and collect documentation
Schlumberger Public
Ask follow-up questions
Tabulate the results
Evaluate the results and form an initial conclusion
Present the draft of the assessment results to the client
Obtain any information to correct factual errors or omissions
Deliver the final report

10. Pragmatic Aspects of an Assessment
Interviewee Selection and Psychology
 Include non-IT and non-manager personnel
 Each type of person in the organization has hopes and fear
Schlumberger Public
 They have agendas, which often conflict
Objective Questions
 Bad question: “Do you think you have a good security policy?”
 Good question: “Were you asked to read and sign a security
policy when you joined the company?”
 A good question allows independent verification
Judging SMA Levels
 CMM levels are much easier to apply than 0—10 scales

11. Presenting the Results Graphically
Schlumberger Public

12. cbaudoin@cebe-itkm.com