Enterprise Security Maturity Assessment

Leader: Claude Baudoin, Senior Consultant, Cutter Consortium

Length: 1 day

Overview:

Organizations know they need a solid information security posture and a good level of preparedness. However, how one assesses the needs and prioritizes the actions is often left to improvisation. The Security Maturity Assessment methodology combines the credibility of the ISO 27001/27002 standard with the proven effectiveness of the Capability Maturity Model (CMM) to create an actionable assessment process and an approach your organization can use to prioritize security improvements.

Workshop Goals:

At the end of the workshop, the participants will understand:

  • The range of issues that lie within the "enterprise security" scope
  • The benefits of viewing the security posture of the organization in terms of a maturity model
  • How to evaluate the current security using a matrix of maturity levels vs. ISO 27001/27002 categories
  • How to use this same model to determine the actions required to improve the maturity level
  • How to set priorities among these actions

Intended Audience:

This workshop will benefit IT Managers and CIOs, Information Security Managers, Enterprise Risk Managers, and Information Security engineers who need a strategic view of their work.

Prerequisites:

The participants should understand general information security risk categories and their consequences on the enterprise. Some familiarity with the existing security measures of the enterprise is beneficial, but not mandatory.

Outline:

  • Defining expectations
  • The state of enterprise security -- Lack of formal methodologies
  • History of security guidelines: BS 7799, ISO 17799, ISO 27001/27002
  • The Capability Maturity Model
  • Combining ISO and CMM: the Security Maturity Assessment
  • Assessment Pragmatics
  • Presenting the Results
  • The overall security improvement process
  • Getting Started
