CMMI, COBIT AND O-ISM3 CAPABILITY LEVELS MAPPED

Inovement - CREATIVE COMMONS ATTRIB-NODERIVS 3.0 LICENSE 2007, SOME RIGHTS RESERVED.
INFORMATION SECURITY MANAGEMENT MATURITY MODEL

LICENSE AND COPYRIGHT

This work is licensed under the Creative Commons Attribution-No Derivative Works 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

The cover is cropped from the Wikimedia Commons “Streichholz” by Sebastian Ritter, licensed under the Creative Commons Attribution-ShareAlike 2.5 License, used with permission of the author.

Any copyrighted material mentioned in this document is property of its respective owners.

Inovement - CREATIVE COMMONS ATTRIB-NODERIVS 3.0 LICENSE 2013, SOME RIGHTS RESERVED.
1 Formal Management Practices

Management systems normally evolve to fit the purposes of the organization they serve. Several management practices contribute to this evolution:

Implementation. Practice performed when there is no pre-existing management system or management process. This practice uses information from an assessment of the organization's goals and of the informal management practices in place to design an appropriate management system or process. As GP-3 ISM Design and Evolution is the process used to implement other processes, it is used to underpin management systems.

Operation. Practice routinely performed that normally implies, in addition to execution:

  Testing. Checking whether we get the expected outputs from invented or selected inputs purposefully fed into the process. This is performed using TSP-4 Service Level Management.

  Monitoring. Checking whether the outputs of the process and the resources used are within normal ranges. This is performed using TSP-4 Service Level Management with metrics.

  Improving. Making changes in the process to make it better fit its purpose (or to lead to a saving in resources) by removing faults before they produce incidents, removing bottlenecks that hamper performance, or making trade-offs. This management practice needs information gained from testing, monitoring or diagnosing the process. The gains from the changes (if any) can be diagnosed with subsequent testing, monitoring or auditing. GP-3 ISM Design and Evolution is the process used to improve other processes.

  Planning. Organizing and forecasting the amount, assignment and milestones of tasks, resources, budget and deliverables with a common goal.

Evaluation. Practice performed periodically or as required:

  Assessment. Checking whether the existing process matches the organization's needs and compliance goals, or whether it performs better and with better use of resources than it used to. This practice is performed using GP-3 ISM Design and Evolution.

  Audit. Checking whether the process inputs, activities and results match their documentation. This practice is performed using GP-2 ISM System and Business Audit.

  Certify. Checking whether process documentation, inputs, outputs and activities comply with a pre-defined standard, law or regulation. The certificate is a proof of compliance that third parties can trust. This practice is performed using GP-2 ISM System and Business Audit.

Rationalization. Reporting to supervisors the value of the process for the organization and justifying the use of resources.
2 Capability Levels

The following definition of capability levels in terms of the metrics used to manage the process is not subjective, enabling auditors to use evidence to determine the capability of a process.

Capability Level: Undefined
  Metrics: Not Documented
  Enabled Management Activities: None

Capability Level: Defined
  Metrics: Documented
  Enabled Management Activities: Audit / Certify

Capability Level: Managed
  Metrics: Documented; Scope; Activity; Availability; Efficacy
  Enabled Management Activities: Audit / Certify; Testing; Monitor; Rationalization; Improvement:
    • Remove faults before they produce incidents
    • Feedback on the result of changes

Capability Level: Controlled
  Metrics: Documented; Scope; Activity; Availability; Efficacy (comparison with ideal outcome); Load (what resources are used to produce the outcomes, finding bottlenecks); Update (are outcomes recent enough to be valid)
  Enabled Management Activities: Audit / Certify; Testing; Monitor; Rationalization; Planning; Improvement:
    • Remove faults before they produce incidents
    • Feedback on the result of changes
    • Remove bottlenecks that hamper performance

Capability Level: Optimized
  Metrics: Documented; Scope; Activity; Availability; Efficacy; Load; Update; Efficiency, ROSI
  Enabled Management Activities: Audit / Certify; Testing; Monitor; Rationalization; Planning; Improvement:
    • Remove faults before they produce incidents
    • Feedback on the result of changes
    • Remove bottlenecks that hamper performance
    • Finding points of diminishing return
    • Making trade-offs
3 Capability Levels Mapping

The table maps each O-ISM3 capability level to the closest COBIT and CMMI capability levels.

O-ISM3 Capability Level: Not Applicable
COBIT Capability Level: Management processes are not applied.
CMMI Capability Level: Incomplete

O-ISM3 Capability Level: Undefined. The process might be used, but it is not defined or Documented.
COBIT Capability Level: Processes are ad hoc and disorganized.
CMMI Capability Level: Performed. A performed process is a process that satisfies the specific goals of the process area. It supports and enables the work needed to produce work products.

O-ISM3 Capability Level: Not Applicable
COBIT Capability Level: Processes follow a regular pattern.
CMMI Capability Level: Not Applicable

O-ISM3 Capability Level: Defined. The process is Documented and used.
COBIT Capability Level: Processes are documented and communicated.
CMMI Capability Level: Managed. A managed process is a performed process that has the basic infrastructure in place to support the process. It is planned and executed in accordance with policy; employs skilled people who have adequate resources to produce controlled outputs; involves relevant stakeholders; is monitored, controlled, and reviewed; and is evaluated for adherence to its process description.

O-ISM3 Capability Level: Managed. The process is Defined and the results of the process are used to fix and improve the process (ISO 9001 equivalent). The following metrics are used:
  ● Scope
  ● Activity
  ● Availability
  ● Efficacy
COBIT Capability Level: Not Applicable
CMMI Capability Level: Defined. A defined process is a managed process that is tailored from the organization's set of standard processes according to the organization's tailoring guidelines, and contributes work products, measures, and other process improvement information to the organizational process assets. A critical distinction between capability levels 2 (Managed) and 3 (Defined) is the scope of standards, process descriptions, and procedures. At capability level 2, the standards, process descriptions, and procedures may be quite different in each specific instance of the process (e.g., on a particular project). At capability level 3, the standards, process descriptions, and procedures for a project are tailored from the organization's set of standard processes to suit a particular project or organizational unit and therefore are more consistent, except for the differences allowed by the tailoring guidelines. Another critical distinction is that at capability level 3, processes are typically described more rigorously than at capability level 2. A defined process clearly states the purpose, inputs, entry criteria, activities, roles, measures, verification steps, outputs, and exit criteria. At capability level 3, processes are managed more proactively using an understanding of the interrelationships of the process activities and detailed measures of the process, its work products, and its services.

O-ISM3 Capability Level: Controlled. The process is Managed, and milestones and the need for resources are accurately predicted. The following metrics are used:
  ● Load
  ● Update
COBIT Capability Level: Processes are monitored and measured.
CMMI Capability Level: Quantitatively Managed. A quantitatively managed process is a defined process that is controlled using statistical and other quantitative techniques. Quantitative objectives for quality and process performance are established and used as criteria in managing the process. Quality and process performance is understood in statistical terms and is managed throughout the life of the process.

O-ISM3 Capability Level: Optimized. The process is Controlled and improvement leads to a saving in resources. The following metrics are used:
  ● Efficiency, ROSI
COBIT Capability Level: Good practices are followed and automated.
CMMI Capability Level: Optimizing. An optimizing process is a quantitatively managed process that is improved based on an understanding of the common causes of variation inherent in the process. The focus of an optimizing process is on continually improving the range of process performance through both incremental and innovative improvements.