Monday, June 23, 2014

IT Security Maturity Assessment | Control Self Assessment

IT – Security Maturity Assessment – Control Self-Assessment
IT Security maturity assessment: it is a Self-Evaluation assessment carried out by organization that informs where it stands in terms of IT Security and shows its Strength, weakness and areas where  IT security improvement is needed in an organization.
Organizations analyze IT Security on the bases of ISO 27002 standards. This tool was intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its information security program. Unless otherwise noted, it should be completed by chief information officer, chief information security officer or equivalent, or a designee and hardly takes few hours to analyze the overall IT maturity. The rating scale consist on 5 levels from 1 to 5 and every IT security related point carefully analyze by the analyze maturity team or individual and then they decided where that point put down.

Level 1
Level 2
Level 3
Level 4
Level 5
Performed Informally = Adhoc
Planned = Proscribed
Well Defined = Standardized
Quantitatively Controlled = Quantitative
Continuously Improving = Optimized
Level 5 is the highest level of maturity.

The Key advantages to implementing this program includes earlier detection of risk and the development of action plans that will safeguard organizational data against significant business risk and indicates the organizational IT security maturity level.

Also figure below shows the IT Security Maturity Graph.

The areas covered in assessment tool:

1.      Risk Management (ISO 4)
2.      Security Policy (ISO 5)
3.      Organization of Information Security (ISO 6)
4.      Asset Management (ISO 7)
5.      Human Resource Security (ISO 8)
6.      Physical and Environmental Security (ISO 9)
7.      Communications and Operations Management (ISO 10)
8.      Access Control (ISO 11)
9.      Information Systems Acquisition, Development, and Maintenance (ISO 12)
10.  Information Security Incident Management (ISO 13)
11.  Business Continuity Management (ISO 14)
12.  Compliance (ISO 15)

Documenting Conclusions & Reporting:
1. Include both negative and positive findings.
2. Prioritize findings related to IT security risks.
3. Stay consistent with the methodology and scope.
4. Provide practical remediation path, accounting for the organization’s strengths and weaknesses.