Scroll Top

Five Levels of Information Security Maturity Model

Five Levels of Information Security Maturity Model
keyboard
By PKF Team Blog December 2, 2018

Five Levels of Information Security Maturity Model

A Cyber-Attack Is The Intelligent And Sophisticated Type Of Modern Day Robbery And Fraud
The business is exposed to an increased risk of hacking and unauthorized breaches into its information systems. Losses and costs relating to cyber liability incidents have escalated exponentially given that the world has become much more computer-dependent and technology is rapidly advancing. The losses suffered by organizations for cyber incidents that interrupt their operations as well as liability to third parties (customers, patients or others) have become commonplace. The question facing organizations today is not if they will suffer a cyber attack but when.
chart-01

Additional highlights

chart-02
All of the nine publicly traded companies involved lost at least $1 million in the scams; two lost more than $30 million. In total, the nine issuers lost nearly $100 million, most of which was never recovered. One company made 14 wire payments over the course of several weeks, resulting in over $45 million in losses
The losses took two different forms, one involving emails from imposters purporting to be senior company executives and one involving emails impersonating the companies’ vendors
chart-03
Following the losses, all of the companies involved sought to enhance their payment authorization procedures and verification requirements for vendor information changes. The companies also took steps to bolster their account verification procedures and outgoing payment notification process to aid detection of fraudulent payments
Email scams like the ones investigated here have caused business losses of over $5 billion since 2013

This publication is a good reminder that all companies are vulnerable to cyber scamming and should look to enhance their payment authorization procedures and tighten up their employee training and awareness.

It is vital to maintaining the information security system at the proper level in order to avoid negative consequences of cyber-attacks and increase the level of the client and public trust. Management in corporate and public organizations has to pay closer attention to how well information security is being managed and how well the company is protected from internal and external cyber threats. Some of the questions that a corporation stakeholder (including CEO) would like to be able to address include:

  • What are the gaps in the organization’s cybersecurity program across people, processes and technology?
  • How mature is the organization today?
  • What level of maturity should the organization strive for?
  • What can the management do to improve the organization’s security posture? How should the management prioritize those improvement opportunities?

Many small and mid-sized businesses have a false sense of security that they are not big enough or do not possess information that would attract the interest to cybercriminals. However, the insurance industry suggests that 50 percent of businesses report having been the victim of an attack and 60 percent of those struck are small and medium-sized businesses.

What Is Information Security Maturity Model?

The Information Security Maturity Model as a benchmarking and an assessment tool can provide a response to the abovementioned questions. The information Security Maturity modelling and control over information security processes is based on a method of evaluating the organization, by rating it from a maturity level of non-existent (0) to a maturity level of optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) defined for the maturity of software development capability.

Although concepts of the SEI approach were followed, the Information Security Maturity Model differs considerably from the original SEI, which was oriented toward software product engineering principles, organizations striving for excellence in these areas and formal appraisal of maturity levels so that software developers could be ‘certified’.

A generic definition is provided for the security maturity scale, which is similar to Capability Maturity Model (CMM) but interpreted for the nature of information security management processes. With the Information Security Maturity Model, unlike the original SEI CMM approach, there is no intention to measure levels precisely or try to certify that a level has exactly been met. The Information Security Maturity assessment is likely to result in a profile where conditions relevant to several maturity levels will be met.

Using the maturity models developed for each of information security processes, management can identify:

  • The actual performance of the enterprise – where the enterprise is today;
  • The current status of the industry – the comparison;
  • The enterprise’s target for improvement – where the enterprise wants to be;
  • The required growth path between ‘as-is’ and ‘to-be’.

Below is an example of the graphical representation method used to make an organization’s information security assessment results visually interpretable and help management decide on supporting particular information security cases:

chart-06
chart-07

The advantage of the approach is that management can easily position itself on the maturity scale (as shown in Table 1) and determine what to do in order to improve the results of information security activities and minimize the potential risk. This scale has a mark of 0 (zero) as often times management processes just do not exist. The division into categories from 0 to 5 reflects a simple scale of maturity, which shows how the processes develop from the level “does not exist” (0) to the level “optimization” (5).

The maturity model makes it possible to assess the level of development of information security management processes (processes) and determine to what extent these processes are actually effective. The high level of development of information security management processes or their effectiveness is primarily determined by the IT objectives and business processes supported by IT. The degree of actual involvement of processes is mainly determined by the ROI that an organization anticipates getting back. For example, there may be a critical infrastructure process and/or system that require more complex security management than other less critical processes and systems. On the other hand, however, the degree and complexity of controls used in processes are mostly determined by the organization’s risk appetite and applicable requirements that must be followed.

The scale of maturity models is aimed to help IT specialists to explain to the management of the organization where exactly IT Security deficiencies as well as to determine the corresponding tasks to be performed. In order to correctly determine the level of maturity, the organization’s business goals, its operating environment, and industry best practices must be taken into consideration. In particular, the maturity management level will be determined by the organization’s dependence on IT, the complexity of the technology and, most importantly, the value of its information.

The Information Security Assessment Questionnaire is an easy-to-use tool based on the 5-step Maturity Model. Information Security Assessment Questionnaire is made up of 72 high-level information security questions, together with useful extended information. It has been designed to help measure the security status of individual environments within their organization by allowing them to perform a ‘quick and easy’ assessment. In particular, it allows to:

chart-08

Conclusion

Cyber-crimes are having and will continue to have a growing negative impact on the global economy. All organizations should be adopting strategies to protect themselves and minimize losses and planning to respond to such attacks. Businesses should be reviewing their computer systems, training and monitoring staff and developing an incident response plan to prevent cyber incidents. Both prevention and response are not simply an IT problem. They require a team approach involving multiple departments and vendors (IT, management, human resources, public relations, etc.).

Unfortunately, these issues are not only relevant for large corporations, but mid-size and small businesses also cannot afford themselves to ignore these threats as well. Cyber incidents have a higher tendency to severely impact or even bankrupt unprepared SMB organizations. They are becoming the most sought-after target by cybercriminals nowadays.

Next steps

Ensuring the continuous improvement of an organization’s information security management is the key to minimizing the risk of cyber-attacks. Once the surface for a cyber-attack is decreased, cybercriminals might find themselves in a difficult situation, they will have to look for new approaches and loopholes in your organization.

PFC recommends undertaking preventive actions against cyber-crime by requesting Complementary Information Security Maturity Level and Compliance Assessment. We will assist you to run a quick assessment of your organization’s maturity level and identify the company’s potential security issues.

Below is an example of the graphical representation method used to make an organization’s information security assessment results visually interpretable and help management decide on supporting particular information security cases:

Related Posts

Seven reasons to use benchmarking and possible traps

“Benchmarking provides an inventory of creative changes that other companies have enacted” – John Langley We are living in a volatile world constantly changing and evolving. Intense competition requires the businesses to remain fit and ready for daily challenges. As Bill Gates noted in his book “Business at the speed of thought”, nowadays the businesses […]

09 Jul 2017
Income Tax changes for 2019-2020

While the press mainly focused on spending cuts, we listed here changes that will have more impact on finance side of our clients.

19 Dec 2019
sale
Is your Business Ready for Sale?

“Action is the foundational key to all success.” — Pablo Picasso According to the study done by the Royal Bank of Canada, one in four business owners who are at the age of 50 of small and medium-sized business want to sell their business within the next five years. Unfortunately, 77 percent of owners do not […]

29 Dec 2016
thinking
Have you had enough with your current ERP?

The classic case based on real experiences across different companies, solutions, and consultants, typically revolves around understanding a client’s business environment “AS IS” and then figuring out its “TO BE” state.

06 May 2019
calculator
Personal and Corporate Tax Deadlines

Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid. – Frank Zappa

25 Feb 2020
chart
Passive income – Keep it below $50K

Under the new rules, investment income will be tweaked with a number of adjustments to come up with a new amount called, “adjusted aggregate investment income”.

04 May 2018
meeting room
New Internal Control Framework

To improve is to change; to be perfect is to change often. (Winston Churchill) If it is not broken why fix it? – Is this practical or a myth? We have all heard about the theory of “survival of the fittest”, which is applicable for humans, animals and businesses. This theory has stood the […]

08 May 2016
coffee
2018 Personal Tax Planning Update

Are you sure of using all the tax deductions you are eligible for? Are you filing and paying your taxes on time and avoiding penalties and interest? We can help you optimizing your taxes and saving money.

21 Jan 2019
hacker
Cybersecurity 101

Human beings have a natural tendency to remember good times and push to the back of their minds some more difficult issues in life. Basically most of us have a tendency not to focus on things that are not perceived to be likely to happen in the short term and can overlook the inevitability of […]

07 Mar 2016
skyscraper
CTN Accounting Joins PKF PFC

PKF Antares is delighted to announce the planned merger with GTA (Ontario) based accounting and business advisory firm CTN Accounting (CTN).

18 Dec 2019
Income Sprinkling – Is This Possible Anymore?

The draft rules announced by the Department of Finance on December 13, 2017, now extend the TOSI rules to certain family members over the age of 17.

18 Nov 2018
it
Keep Calm and Keep Mining – What is Taxable in Crypto Mining?

There has been a lot of hype about Cryptocurrencies – about its legitimacy as an alternative currency as well as the merits of holding it as an investment.

29 Mar 2018
art
6 Reasons Why You Need An Internal Audit Manual

Every internal audit function has its own internal audit framework which is Internal Audit Charter (the “Charter”). The Charter outlines the organizational status and role of the internal audit function, independence and governance, etc. However the Charter usually provides high level guidance, and therefore, it is also essential to have a robust Internal Audit Manual […]

18 Sep 2017
gas
Measurement of Oil and Gas Production in Western Canada

Laws control the lesser man… Right conduct controls the greater one. Mark Twain The Ancient Egyptians Measurement has been a necessity for many centuries in order to facilitate not only commerce but also everyday life. The ancient Egyptians were amongst the pioneers of this and as early as the 4th and 3rd millennia BC […]

08 May 2016
Tax Planning challenges for Private Corporations – Items need to consider

Tax Planning challenges for Private Corporations – Items need to consider

08 Feb 2018