Security Maturity Model Questionnaire

Underprepared

  • Implement security processes with formal guidelines across all departments
  • Automate cybersecurity processes wherever possible
  • Conduct periodic reviews to fine-tune security operations

In Transition

  • Assess suppliers and contractors to ensure they fulfil information security assurances
  • Align business needs with security requirements to avoid competing objectives and ensure the entire organisation pursues the same goal
  • Implement incident response and management procedures that enable users to take immediate action

Security Leaders

  • Automate as many cybersecurity processes as possible
  • Integrate threat intelligence into automated processes to help tools find threats that slipped through network defences
  • Align business and security needs to achieve cloud adoption and other digital transformation business objectives

Organisation Culture

  1. No dedicated security role with responsibilities either in the IT or other risk/compliance departments
  2. Information security is addressed within the organisation, with at least one employee responsible for it
  3. A CISO exists and sets security strategy for the organisation
  4. Information security is implemented throughout customer facing, operations, and support functions
  5. Suppliers and subcontractors are assessed to ensure they fulfil security assurances

Technology and Controls

  1. Standard network security tools are used (main objective = preventing network breaches)
  2. Standard network security tools are used to gain visibility of which data assets are being secured (main objective = detecting threats)
  3. Security processes are semi-automated to defend against threats; Static “normal” network behaviour and context are created to understand the status of risk profiles at a single point in time
  4. Advanced tools are used to anticipate and prepare for unknown threats
  5. The majority of security processes are automated; Leveraging threat intelligence is a business objective; Adaptive network behaviour and context are created to understand the real-time status of risk profiles

Security Operations

  1. Security practices are implemented without formal guidelines
  2. Security practices are embedded in formal guidelines to be used by IT and information security teams
  3. Guidelines and security processes are established in all IT, customer facing, operations, and support functions; Incident response procedures are defined
  4. Periodic reviews are conducted to fine-tune security operations, and incident response procedures are implemented
  5. Continuous tests of security operations are conducted, including automated incident response and management with technical, customer facing functions, operations, and support staff

People

  1. No dedicated security role with responsibilities either in the IT or other risk/compliance departments
  2. Information security is addressed within the organisation, with at least one employee responsible for it
  3. IT and information security teams are aware of AND carry out security practices as defined by formal guidelines; Training is received to ensure both teams are kept up to date
  4. Technical, customer facing functions, operations, and support staff receive training and education to keep up to date on information security risks
  5. Technical, customer facing functions, operations, and support staff regularly participate in incident response activities

Cloud Adoption

  1. No organisation-wide cloud strategy
  2. Cloud infrastructure is fully automated
  3. Cloud strategy set by IT and business units (but without security inputs) to re-set business processes to achieve desired outcomes
  4. Cloud strategy set by IT, business units and security
  5. Internal processes have been optimised as a result of cloud, and automated controls are enabled to allow for distributed clouds
