Determining Your Organization's Risk Management Maturity Level
Before an organization attempts to implement the Microsoft security risk
management process, it is important that it examines its level of maturity with
regard to security risk management. An organization that has no formal policies
or processes relating to security risk management will find it extremely
difficult to put all aspects of the process into practice at once. Even
organizations with some formal policies and guidelines that most employees
follow fairly well may find the process a bit overwhelming. For these reasons,
it is important that you make an estimate of your own organization's maturity
level. If you find that your organization is still relatively immature, then you
may want to introduce the process in incremental stages over several months,
perhaps by piloting it in a single business unit until the cycle has been
completed several times. Having demonstrated the effectiveness of the Microsoft
security risk management process through this pilot program, the Security Risk
Management Team could then slowly introduce it to other business units until the
entire organization is using it.
How do you determine the maturity level of your organization? As part of
Control Objectives for Information and Related Technology (CobiT), the IT
Governance Institute (ITGI) includes an IT Governance Maturity Model. You may
want to acquire and review CobiT for a detailed method for determining your
organization's level of maturity. The Microsoft security risk management process
summarizes elements used in CobiT and presents a simplified approach based on
models also developed by Microsoft Services. The maturity level definitions
presented here are based on the International Standards Organization (ISO)
Information technology — Code of practice for information security
management, also known as ISO 17799.
You can estimate your organization's level of maturity by comparing it to the
definitions presented in the following table.
Table 3.2 Security Risk Management Maturity Levels

| Level | State | Definition |
|---|---|---|
| 0 | Non-Existent | Policy (or process) is not documented, and previously the organization was unaware of the business risk associated with this risk management. Therefore, there has been no communication on the issue. |
| 1 | Ad-Hoc | It is clear that some members of the organization have concluded that risk management has value. However, risk management efforts are performed in an ad-hoc manner. There are no documented processes or policies and the process is not fully repeatable. Overall, risk management projects seem chaotic and uncoordinated, and results are not measured and audited. |
| 2 | Repeatable | There is awareness of risk management throughout the organization. The risk management process is repeatable yet immature. The process is not fully documented; however, the activities occur on a regular basis, and the organization is working toward establishing a comprehensive risk management process with senior management involvement. There is no formal training or communication on risk management; responsibility for implementation is left to individual employees. |
| 3 | Defined Process | The organization has made a formal decision to adopt risk management wholeheartedly in order to drive its information security program. A baseline process has been developed in which there are clearly defined goals with documented processes for achieving and measuring success. Additionally, some rudimentary risk management training is available for all staff. Finally, the organization is actively implementing its documented risk management processes. |
| 4 | Managed | There is a thorough understanding of risk management at all levels of the organization. Risk management procedures exist, the process is well defined, awareness is broadly communicated, rigorous training is available, and some initial forms of measurement are in place to determine effectiveness. Sufficient resources have been committed to the risk management program, many parts of the organization are enjoying its benefits, and the Security Risk Management Team is able to continuously improve its processes and tools. There is some use of technological tools to help with risk management, but many if not most risk assessment, control identification, and cost-benefit analysis procedures are manual. |
| 5 | Optimized | The organization has committed significant resources to security risk management, and staff members are looking toward the future trying to ascertain what the issues and solutions will be in the months and years ahead. The risk management process is well understood and significantly automated through the use of tools (either developed in-house or acquired from independent software vendors). The root cause of all security issues is identified, and suitable actions are taken to minimize the risk of repetition. Training across a range of levels of expertise is available to staff. |
Organizational Risk Management Maturity Level Self Assessment
The following list of questions offers a more rigorous way to measure your
organizational maturity level. The questions elicit subjective answers, but by
honestly considering each of them you should be able to determine how well
prepared your organization is for implementation of the Microsoft security risk
management process. Score your organization on a scale of 0 to 5, using the
previous maturity level definitions as a guide.
- Information security policies and procedures are clear, concise,
well-documented, and complete.
- All staff positions with job responsibilities involving information
security have clearly articulated and well understood roles and
responsibilities.
- Policies and procedures for securing third-party access to business data
are well-documented. For example, remote vendors performing application
development for an internal business tool have sufficient access to network
resources to effectively collaborate and complete their work, but they have
only the minimum amount of access that they need.
- An inventory of Information Technology (IT) assets such as hardware,
software, and data repositories is accurate and up-to-date.
- Suitable controls are in place to protect business data from
unauthorized access by both outsiders and insiders.
- Effective user awareness programs such as training and newsletters
regarding information security policies and practices are in place.
- Physical access to the computer network and other information technology
assets is restricted through the use of effective controls.
- New computer systems are provisioned following organizational security
standards in a standardized manner using automated tools such as disk
imaging or build scripts.
- An effective patch management system is able to automatically deliver
software updates from most vendors to the vast majority of the computer
systems in the organization.
- An incident response team has been created and has developed and
documented effective processes for dealing with and tracking security
incidents. All incidents are investigated until the root cause is identified
and any problems are resolved.
- The organization has a comprehensive anti-virus program including
multiple layers of defense, user awareness training, and effective processes
for responding to virus outbreaks.
- User provisioning processes are well documented and at least partially
automated so that new employees, vendors, and partners can be granted an
appropriate level of access to the organization's information systems in a
timely manner. These processes should also support the timely disabling and
deletion of user accounts that are no longer needed.
- Computer and network access is controlled through user authentication
and authorization, restrictive access control lists on data, and proactive
monitoring for policy violations.
- Application developers are provided with education and possess a clear
awareness of 15.
- Business continuity and business continuity programs are clearly
defined, well documented, and periodically tested through simulations and
drills.
- Programs have commenced and are effective for ensuring that all staff
perform their work tasks in a manner compliant with legal requirements.
- Third-party reviews and audits are used regularly to verify compliance
with standard practices for securing business assets.
Calculate your organization's score by adding the scores of all of the
previous items. Theoretically, scores could range from 0 to 85; however, few
organizations will approach either extreme.
A score of 51 or above suggests that the organization is well prepared to
introduce and use the Microsoft security risk management process to its fullest
extent. A score of 34 to 50 indicates that the organization has taken many
significant steps to control security risks and is ready to gradually introduce
the process. Organizations in this range should consider rolling out the process
to a few business units over a few months before exposing the entire
organization to the process. Organizations scoring below 34 should consider
starting very slowly with the Microsoft security risk management process by
creating the core Security Risk Management Team and applying the process to a
single business unit for the first few months. After such organizations
demonstrate the value of the process by using it to successfully reduce risks
for that business unit, they should expand it to two or three additional
business units as feasible. Continue to move slowly, though, because the changes
introduced by the process can be significant. You do not want to disrupt the
organization to such a degree that you interfere with its ability to effectively
achieve its mission. Use your best judgment in this regard — every system that
you leave unprotected is a potential security and liability risk, and your own
knowledge of your own systems is best. If you think that it is urgent to move
quickly and to disregard the suggestion to move slowly, do that.
You should carefully consider which business unit to use for the pilot
programs. Questions to consider relate to how important security is to that
business unit, where security is defined in terms of the availability,
integrity, and confidentiality of information and services. Examples include:
- Is the security risk management maturity level of that business unit
above average when compared to the organization?
- Will the owner of the business unit actively support the program?
- Does the business unit have a high level of visibility within the
organization?
- Will the value of the Microsoft security risk management process pilot
program be effectively communicated to the rest of the organization if
successful?
You should consider these same questions when selecting business units for
expansion of the program.