Five Levels of Information Security Maturity Model

A CYBER-ATTACK IS THE INTELLIGENT AND SOPHISTICATED TYPE OF MODERN DAY ROBBERY AND FRAUD

Businesses are exposed to a growing risk of hacking and unauthorized breaches of their information systems. Losses and costs from cyber liability incidents have escalated sharply as the world has become far more computer-dependent and technology advances rapidly. Losses suffered by organizations from cyber incidents that interrupt their operations, together with liability to third parties (customers, patients or others), have become commonplace. The question facing organizations today is not if they will suffer a cyber attack but when.

Some US statistics may be of interest to the reader. They come from an SEC investigation into nine public companies that fell victim to cyber fraud. Although these are public companies (listed on a US exchange), the lessons apply just as much to private companies.

Additional highlights

  • All of the nine publicly traded companies involved lost at least $1 million in the scams; two lost more than $30 million. In total, the nine issuers lost nearly $100 million, most of which was never recovered. One company made 14 wire payments over the course of several weeks, resulting in over $45 million in losses.
  • The losses took two different forms: one involving emails from imposters purporting to be senior company executives, and one involving emails impersonating the companies’ vendors.
  • Following the losses, all of the companies involved sought to enhance their payment authorization procedures and verification requirements for vendor information changes. The companies also took steps to bolster their account verification procedures and outgoing payment notification process to aid detection of fraudulent payments.
  • Email scams like the ones investigated here have caused business losses of over $5 billion since 2013.

This publication is a good reminder that all companies are vulnerable to cyber scamming and should look to enhance their payment authorization procedures and tighten up their employee training and awareness.

It is vital to maintain the information security system at the proper level in order to avoid the negative consequences of cyber-attacks and to increase client and public trust. Management in corporate and public organizations has to pay closer attention to how well information security is being managed and how well the company is protected from internal and external cyber threats. Some of the questions that a corporate stakeholder (including the CEO) would like to be able to answer include:

  • What are the gaps in the organization’s cybersecurity program across people, processes and technology?
  • How mature is the organization today?
  • What level of maturity should the organization strive for?
  • What can the management do to improve the organization’s security posture? How should the management prioritize those improvement opportunities?

Many small and mid-sized businesses have a false sense of security, believing they are not big enough or do not hold information that would attract the interest of cybercriminals. However, the insurance industry suggests that 50 percent of businesses report having been the victim of an attack, and 60 percent of those struck are small and medium-sized businesses.

WHAT IS AN INFORMATION SECURITY MATURITY MODEL?

The Information Security Maturity Model, as a benchmarking and assessment tool, can provide answers to the questions above. Information Security Maturity modelling and control over information security processes is based on a method of evaluating the organization by rating it on a scale from a maturity level of non-existent (0) to a maturity level of optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) defined for the maturity of software development capability.

Although concepts of the SEI approach were followed, the Information Security Maturity Model differs considerably from the original SEI model, which was oriented toward software product engineering principles, toward organizations striving for excellence in those areas, and toward formal appraisal of maturity levels so that software developers could be ‘certified’.

A generic definition is provided for the security maturity scale, which is similar to the Capability Maturity Model (CMM) but interpreted for the nature of information security management processes. With the Information Security Maturity Model, unlike the original SEI CMM approach, there is no intention to measure levels precisely or to certify that a level has been exactly met. The Information Security Maturity assessment is likely to result in a profile in which conditions relevant to several maturity levels are met at the same time.

Using the maturity models developed for each information security process, management can identify:

  • The actual performance of the enterprise – where the enterprise is today;
  • The current status of the industry – the comparison;
  • The enterprise’s target for improvement – where the enterprise wants to be;
  • The required growth path between ‘as-is’ and ‘to-be’.

Below is an example of the graphical representation method used to make an organization’s information security assessment results visually interpretable and help management decide on supporting particular information security cases:

The advantage of the approach is that management can easily position itself on the maturity scale (as shown in Table 1) and determine what to do in order to improve the results of information security activities and minimize the potential risk. The scale includes a mark of 0 (zero) because management processes often simply do not exist. The division into categories from 0 to 5 reflects a simple scale of maturity, showing how the processes develop from the level “does not exist” (0) to the level “optimization” (5).

The maturity model makes it possible to assess the level of development of information security management processes and to determine to what extent these processes are actually effective. The level of development of information security management processes, and their effectiveness, is primarily determined by the IT objectives and by the business processes supported by IT. How much effort is actually invested in a process is mainly determined by the ROI that the organization anticipates getting back. For example, a critical infrastructure process and/or system may require more complex security management than other, less critical processes and systems. On the other hand, the degree and complexity of the controls used in processes are mostly determined by the organization’s risk appetite and by the applicable requirements that must be followed.

The scale of maturity models is intended to help IT specialists explain to the organization’s management where exactly the IT security deficiencies lie, and to determine the corresponding tasks to be performed. In order to correctly determine the level of maturity, the organization’s business goals, its operating environment, and industry best practices must be taken into consideration. In particular, the management maturity level will be determined by the organization’s dependence on IT, the complexity of the technology and, most importantly, the value of its information.
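The following is an added illustration, not code from the original article or from PFC, of how the 0–5 rating described above turns questionnaire answers into a maturity profile, an achieved level, and an ‘as-is’ to ‘to-be’ growth path. The process names, level conditions and target levels are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Level names on the 0-5 scale used by the model (0 needs no conditions).
LEVEL_NAMES = {0: "non-existent", 1: "initial", 2: "repeatable",
               3: "defined", 4: "managed", 5: "optimized"}


@dataclass
class ProcessAssessment:
    name: str
    target: int                      # the "to-be" level management has set
    # For each level 1..5: one bool per questionnaire condition (True = met).
    conditions: dict[int, list[bool]] = field(default_factory=dict)

    def profile(self) -> dict[int, float]:
        """Share of conditions met at each level; several levels may be partly met."""
        return {lvl: sum(c) / len(c) for lvl, c in sorted(self.conditions.items())}

    def achieved_level(self) -> int:
        """Highest level whose conditions, and those of every lower level, are all met."""
        level = 0
        for lvl in range(1, 6):
            if all(self.conditions.get(lvl, [False])):
                level = lvl
            else:
                break                # a gap at this level caps the rating here
        return level

    def gap(self) -> int:
        """Distance between the 'as-is' and 'to-be' levels (never negative)."""
        return max(0, self.target - self.achieved_level())


def growth_path(assessments: list[ProcessAssessment]) -> list[tuple[str, int, int, int]]:
    """(process, as-is, to-be, gap) ordered largest gap first, for prioritization."""
    rows = [(a.name, a.achieved_level(), a.target, a.gap()) for a in assessments]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


# Constructed sample answers: note "Security awareness training" meets all
# level-3 conditions but misses one at level 2, so its rating stays at 1.
SAMPLE = [
    ProcessAssessment("Payment authorization", 4,
                      {1: [True, True], 2: [True, True], 3: [True, False], 4: [True, False, False]}),
    ProcessAssessment("Incident response", 3, {1: [True], 2: [True, True, True], 3: [True, True]}),
    ProcessAssessment("Security awareness training", 3,
                      {1: [True, True], 2: [False, True], 3: [True, True, True]}),
]

if __name__ == "__main__":
    for name, as_is, to_be, gap in growth_path(SAMPLE):
        print(f"{name}: {LEVEL_NAMES[as_is]} ({as_is}) -> {LEVEL_NAMES[to_be]} ({to_be}), gap {gap}")
```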

The Information Security Assessment Questionnaire is an easy-to-use tool based on the 5-step Maturity Model. It is made up of 72 high-level information security questions, together with useful extended information. It has been designed to help organizations measure the security status of individual environments by allowing them to perform a ‘quick and easy’ assessment. In particular, it allows them to:

Conclusion

Cyber-crimes are having, and will continue to have, a growing negative impact on the global economy. All organizations should be adopting strategies to protect themselves and minimize losses, and planning how to respond to such attacks. Businesses should be reviewing their computer systems, training and monitoring staff, and developing an incident response plan to prevent cyber incidents. Neither prevention nor response is simply an IT problem. They require a team approach involving multiple departments and vendors (IT, management, human resources, public relations, etc.).

Unfortunately, these issues are not only relevant for large corporations; mid-size and small businesses cannot afford to ignore these threats either. Cyber incidents have a higher tendency to severely impact or even bankrupt unprepared SMB organizations, which are becoming the most sought-after target for cybercriminals.

Next steps

Ensuring the continuous improvement of an organization’s information security management is the key to minimizing the risk of cyber-attacks. Once the attack surface is reduced, cybercriminals will find it harder to succeed and will have to look for new approaches and loopholes in your organization.

PFC recommends taking preventive action against cyber-crime by requesting a Complementary Information Security Maturity Level and Compliance Assessment. We will help you run a quick assessment of your organization’s maturity level and identify the company’s potential security issues.
