Assessing Your IT Security Processes By Peter Chronis, CISSP, PMP

Process Maturity Assessment

Jun 08, 2015


Presented at SecureWorld Expo Atlanta 2010
Transcript
Page 1: Process Maturity Assessment

Assessing Your IT Security Processes

By Peter Chronis, CISSP, PMP

Page 2: Process Maturity Assessment

Systematic IT Risk Reduction

Enterprise Risk Management requires a thoughtful analysis of the people, processes and technologies used to manage IT risk and your organization’s risk tolerance.

Creating a system that:
• Continually assesses processes and mitigation strategies
• Monitors security programs at the operational and program level
• Adapts to evolving threats
• Focuses on reducing the risk profile over the next 6-24 months


Page 3: Process Maturity Assessment

Tailoring Your Approach

No correct “one size fits all” approach to managing risk.

• Assess risk tolerance
• Align with organizational strategy and SLAs
• Evaluate organizational talent
• Avoidance, acceptance, transfer
• Incorporate thought leaders
• Align with the right standard


Page 4: Process Maturity Assessment

Security Process Assessment

• IT security process analysis
• Effectiveness/maturity
• Program level management
• Assessing the gaps
• Defining the security strategy for your organization


Very few corporations know what kind of data resides on their network, where it is, who has access to it, and the cost associated with its theft.

Page 5: Process Maturity Assessment

Process Improvement Cycle

Assess Security Processes

Rate Process Effectiveness

Group & Identify Gaps

Define Strategy

Execute Plan


Page 6: Process Maturity Assessment

Security Process Identification

Assess your IT security process footprint, ensuring wide coverage of all processes used to reduce your enterprise IT risk.

ISO 27002 domains: Policy, Access Control, Application Development, BC/DR, Cryptography, Governance, Physical, Network/Telecom, Others


Page 7: Process Maturity Assessment

Process Improvement Strategy

Assess Security Processes

Rate Process Effectiveness

Group & Identify Gaps

Define Remediation

Execute Plan


Page 8: Process Maturity Assessment

Maturity Assessment

Rate the effectiveness of your existing security processes using a maturity model. Interview your security and business stakeholders to identify organizational needs and process gaps.

• Level 0 – Not performed
• Level 1 – Ad hoc and reactive
• Level 2 – Repeatable, possibly with consistent results, but not rigorous
• Level 3 – Managed to a documented standard (SLA) and subject to some degree of improvement over time
• Level 4 – Actively managed operationally using metrics that maximize efficiency and effectiveness
• Level 5 – Focus on continually improving process performance through incremental and innovative technological improvements


Page 9: Process Maturity Assessment

Process Improvement Strategy

Assess Security Processes

Rate Process Effectiveness

Group & Identify Gaps

Define Remediation

Execute Plan


Page 10: Process Maturity Assessment

Program Gap Analysis Example


Processes A-D require a mitigation strategy to close the gap between the existing processes and what is required to reduce risk.
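The maturity scale from the Maturity Assessment slide and the gap analysis on this slide can be turned into a small, repeatable calculation: rate each process on the 0-5 scale, set the target level your risk tolerance requires, and rank the resulting gaps so the mitigation plan starts with the processes that matter most. The following is an added example written for this page, not code from the presentation; the process names, domains, ratings, targets and risk weights are constructed sample data, and the priority formula (gap multiplied by business-impact weight) is an assumed weighting, not one the deck prescribes.

```python
"""Maturity gap analysis for IT security processes (added example).

Encodes the 0-5 maturity scale from the deck, computes the gap between
each process's assessed maturity and its target, and groups/prioritizes
the gaps so they can be turned into a remediation plan.
"""
from dataclasses import dataclass

# Maturity levels as described on the "Maturity Assessment" slide.
MATURITY_LEVELS = {
    0: "Not performed",
    1: "Ad hoc and reactive",
    2: "Repeatable, not rigorous",
    3: "Managed to a documented standard (SLA)",
    4: "Actively managed with operational metrics",
    5: "Continually improving",
}


@dataclass(frozen=True)
class ProcessRating:
    name: str         # the security process being assessed
    domain: str       # ISO 27002 domain it belongs to
    current: int      # assessed maturity level, 0-5
    target: int       # maturity level required by risk tolerance, 0-5
    risk_weight: int  # assumed 1 (low) .. 5 (high) business impact if the process fails

    def __post_init__(self):
        for level in (self.current, self.target):
            if level not in MATURITY_LEVELS:
                raise ValueError(f"maturity level must be 0-5, got {level}")
        if not 1 <= self.risk_weight <= 5:
            raise ValueError("risk_weight must be 1-5")

    @property
    def gap(self) -> int:
        # A process already at or above its target has no gap to close.
        return max(0, self.target - self.current)

    @property
    def priority(self) -> int:
        # Assumed weighting: larger gaps on higher-impact processes come first.
        return self.gap * self.risk_weight


def processes_with_gaps(ratings):
    """Return the processes that need a mitigation strategy, highest priority first."""
    return sorted((r for r in ratings if r.gap > 0),
                  key=lambda r: (-r.priority, r.name))


def gaps_by_domain(ratings):
    """Group open gaps by ISO 27002 domain so related processes can share one remediation plan."""
    grouped = {}
    for r in ratings:
        if r.gap > 0:
            grouped.setdefault(r.domain, []).append(r)
    return grouped


def summarize(ratings) -> str:
    """Render a one-line-per-process gap report, highest priority first."""
    lines = []
    for r in processes_with_gaps(ratings):
        lines.append(f"{r.name:<28} {r.domain:<18} "
                     f"L{r.current}->L{r.target} gap={r.gap} prio={r.priority}")
    return "\n".join(lines)


# Constructed sample ratings; these are not figures from the presentation.
SAMPLE = [
    ProcessRating("Access provisioning", "Access Control", 1, 3, 5),
    ProcessRating("Patch management", "Network/Telecom", 2, 4, 4),
    ProcessRating("Secure code review", "App Development", 0, 3, 4),
    ProcessRating("Backup and restore testing", "BC/DR", 3, 3, 3),
    ProcessRating("Key management", "Cryptography", 4, 3, 2),
    ProcessRating("Security log correlation", "Governance", 1, 4, 3),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

With the sample data, "Secure code review" ranks first (a three-level gap on a high-impact process), while "Backup and restore testing" and "Key management" produce no gap at all because they already meet or exceed their targets; that second case is worth handling explicitly, since a naive subtraction would report a negative gap and could pull effort away from processes that actually need it.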

Page 11: Process Maturity Assessment

Real Life Threat – Operation Aurora

• Access to source code repositories
• IE configurations
• Local admin. privileges
• Logging and event correlation
• Bot C&C communication
• Security awareness for offshore employees/partners
• Much, much more


Page 12: Process Maturity Assessment

Be Watchful of Security Trends

• Annual/Quarterly Security Reports
• Top security blogs
• Industry sites
• Conferences
• Networking
• Vendor presentations


Page 13: Process Maturity Assessment

Process Improvement Strategy

Assess Security Processes

Rate Process Effectiveness

Group & Identify Gaps

Define Remediation

Execute Plan


Page 14: Process Maturity Assessment

Mitigation Guidance

IT risk mitigation strategies must:
• balance business impact with cost
• be operationally supportable
• explore technology, process innovation, resource reallocation
• adapt as threats evolve
• define success using operational metrics


Page 15: Process Maturity Assessment

Process Improvement Strategy

Assess Security Processes

Rate Process Effectiveness

Group & Identify Gaps

Define Remediation

Execute Plan
