With the ever-evolving landscape of information security risk and compliance standards and regulations, challenges for organizations to sustain these requirements are continually increasing. The complexity grows manifolds when organizations require adhering to multiple standards and regulations for various business operations. CXOs across the industry sectors often face the daunting task of deploying sustainable controls while ensuring repeatability and improvement in the process adopted. Hence the challenge faced today is not just limited to achieving compliance but also involves maintaining the status of management assertion along with improving processes to address requirements across standards and governing regulations in a cost-effective manner.
To address the challenge of overcoming the impending risks for meeting compliance requirements, an organization needs to look in aspects of –
- Strategic planning and framework designing for Infosec and cyber compliance
- Policy and technical controls enforcement
- Technical assessments and reviews
- Compliance audit and review
Compliance sustenance and quality of performance
Compliance management is often considered a burden on the back of the security operations. However, that narrative needs to be changed. With the focus shifting toward setting a baseline and then improving on it, it is necessary to ensure that the identified controls are deployed, documented, managed, and optimized for their easy evaluation in terms of either planned or actual results.
Maturity models provide us an avenue to focus on the performance of the controls and processes deployed to meet compliance requirements. Adopting maturity models for security risk, compliance, and governance is sure to reduce costs, increase productivity, streamline project cycles, limit risk exposure, and more. These results could be reproduced and, at times, even improved by using the models to assess the current state and compare it to the planned as well as industry benchmark.
The history of maturity models leads us to the Capability Maturity Model (CMM) as developed at Carnegie Mellon University and the Capability Mamturity Model Integration (CMMI) as established at the Software Engineering Institute based on Carnegie’s CMM. Another available standard is the SSE-CMM, based on Carnegie’s CMM with applicability to systems engineering projects encompassing wider aspects of IT rather than just software engineering. IT Governance Institute’s COBIT maturity model also takes a plunge in the maturity assessment of the controls and processes as identified to be applicable and as deployed at an organization.
All the three standards mentioned above focus on continual improvement principles with repeatability or process and sustenance of standards as a set. However, we would consider COBIT and SSE-CMM for the maturity assessment of the controls deployed and creating the performance index. The selection of the two standards is based on the fact that COBIT is considered the de facto standard for IT and SSE-CMM that provides wider applicability to various IT projects.
We would also be considering the Six-Sigma DMAIC methodology for process efficiency and improvement as it provides statistical methods of performance measurements. The Six-Sigma model would also help in creating a quality measurement index with less subjectivity and an enhanced quantitative approach for the performance index.
COBIT maturity model
COBIT comprises 34 IT processes organized into four domains –
- Plan and organize
- Acquire and implement
- Deliver and support
- Monitor and evaluate
COBIT management guidelines comprise the maturity model, process description, information criteria, and IT resources, that indicate improvement potential, critical success factors, key goal indicators, and key performance indicators for each process. The COBIT framework, detailed control objectives, and audit guidelines improve the IT organization’s level of control, risk mitigation, and performance sustenance. Management guidelines can be used with this knowledge base and COBIT Online® benchmarking to prioritize and guide improvement.
COBIT maturity model outlines level as listed below –
- Initial / ad-hoc
- Repeatable but intuitive
- Defined process
- Managed and measurable
SSE-CMM® is a process reference maturity model that focuses on the requirements for implementing security in a system or series of related systems that constitute the Information Technology Security (ITS) domain. However, experience with the model has demonstrated its utility and applicability to security domains other than IT. Within the ITS domain, the SSE CMM® model focuses on the processes used to achieve ITS, most specifically on their maturity. SSE-CMM® model does not dictate a specific process to be used by an organization, let alone a specific methodology. Rather, the intent is to allow the organization implementing the SSE-CMM® model to use its existing processes, regardless of whether those processes are based on another ITS guidance document.
The maturity Levels as defined in SSE-CMM are –
- Performed informally
- Planned and tracked
- Quantitatively controlled
- Continuously improving
Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors) and minimizing variability in manufacturing and business processes. It uses a set of quality management methods, including statistical ones, and creates a special infrastructure within the organization. A Six Sigma project whenever is carried out in an organization followas a specific sequence of steps with quantified targets. These targets can be financial (cost reduction or increased profitability ) or whatever is critical to the customer of that process (cycle time, safety, delivery, etc.). Six-Sigma’s DMAIC methodology focuses on –
- Improve or optimize
Maturity model comparisons
When we compare the models of COBIT and SSE-CMM, the maturity levels of the two standards need to be taken into consideration. A high-level assessment of the two provides us with the following mapping –
Table 1: SSE-CMM and COBIT maturity model mapping
SSE-CMM maturity levels
COBIT maturity levels
Initial / Ad-hoc
repeatable but intuitive
Planned and tracked
Managed and measurable
This certainly sets out the tone that following the SSE-CMM model would help to ensure that the COBIT maturity model is also asserted, and the processes will provide a defined approach to increasingly attain higher maturity for the processes.
While comparing the SSE-CMM and Six-Sigma maturity models, we identify that the two models can be aligned in a staggered approach to attain the overall efficiencies –
- Performed informally
- Measure and analyze
- Improve or optimize
- Control and track
While there may be different approaches to measure and attain Infosec compliance, it is important to arrive at a common framework and methodology before we embark on the journey of overall process maturity assessment.
This is specifically important when the organization is looking at adopting automation tools. Matured processes that are repeatable and flexible help in ensuring that the automation tools provide the defined and desired output rather than becoming a bottleneck and sunk cost for aborted implementation efforts.