Cyber Security Institute
§ Current Worries
Top 3 Worries
- Regulations
- Old Firewall Configurations
- Security Awareness
§ Listening
For the best information
- The underground
- Audible
- Executive Excellence
- Music (to keep me sane)
§ Watching
For early warnings
- 150 Security Websites
- AP Newsfeeds
- Vendors
Wednesday, January 05, 2005
A Long Way to Grow
First results from a new security management survey indicate that many companies have only rudimentary practices in place
The charts on the following pages reflect first results from the Security Capability Model, a survey tool co-developed by CSO and Carnegie Mellon University’s CERT Coordination Center (CERT/CC) to help respondents compare their security processes—particularly pertaining to information security—with those of other organizations.
The Security Capability Model obviously draws some inspiration from the Capability Maturity Model (CMM), a rigorous tool for process management in software application development created by CMU’s well-known Software Engineering Institute (SEI).
They don’t yet feel there’s a “long enough history” to clearly state what constitutes “mature” information security practices.
Methodology
The Security Capability Model survey was posted online at CSO’s website and at the CERT website.
The industries most heavily represented in the response base were finance/banking/accounting (14%), health care/pharmaceutical (12%), manufacturing (11%) and government (10%).
In lieu of attempting an absolute standard for correct or mature practices (though a variety of those already exist elsewhere, ranging from ISO standards to SEI’s own Octave risk management methodology), the model provides the opportunity to benchmark against others in 22 specific practices.
One chart presents the full survey results, grouping the practices under four headings: managing risks, setting policies, securing systems and networks, and handling corporate security.
Looking at the first practice area on the chart, 60 percent of the total response base said they have a process in place for conducting regular vulnerability assessments.
For comparison, the model also measures corporate security capability in a few areas outside of infosec: facility access, business continuity plans, employee awareness training and background checks.
Allen says more capable—and successful—organizations are those treating security as a business objective; these companies achieve regulatory compliance by documenting existing processes, rather than by scrambling to jury-rig new processes to meet the letter of the law.