Using Maturity Models in Security?

I have always thought that Maturity Models, such as those over-used by Gartner for everything but their own dog's behaviour, were generally a good thing. They allowed us so-called Security Specialists to explain to our less-aware Bosses that our current security processes were of Kindergarten standard, and inappropriate for any so-called professional enterprise such as we apparently were. When looking for useful Maturity Models, many of us adopted the model espoused by Gartner and modified by everyone else (the above is an RSA version).

NCSC (then CESG) adopted such a variant in about 2008, called the "Information Assurance Maturity Model" (IAMM), and encouraged all UK Government Agencies to adopt it as the basis of their assurance programs. But this year, some ten years later, NCSC have archived the references and stopped recommending the IAMM to Agencies.

The exact advice in April 2018 was:

The NCSC will no longer be offering the IAMM independent review or supported self assessment services. We are also withdrawing the IAMM assessment tool. If this causes any particular issues for a public sector organisation, please contact NCSC Enquiries.

We will retain our own IAMM framework on our website but you should be aware that we are not intending to update it now or in the future.

Anne W - Head of Cyber Security Assurance Schemes

The irony here is that there is a strong rumour out that our own Assurance Authority here in Australia is thinking of discarding their current Compliance Regime in favour of just such a Maturity Model approach. Typical! We adopt a framework just as other more "mature" entities start moving away from that approach.

Why is NCSC (Anne W, et al) no longer pushing Maturity Models?

Their reasoning is that the models were being misused to compare one enterprise (possibly with a high-risk business) with another (with no extraordinary risks evident). One might very well need to manage its Information Security strategically; the other probably not so much. NCSC used the term "Apples and Oranges", and are now emphasising Risk Management frameworks as more appropriate for UK Govt Agencies.

HALLELUJAH! Someone has finally seen the light! If an enterprise doesn't understand its own specific risk circumstances, no Gartner, RSA, UK Govt, NIST or OSI model for Information Assurance is going to help. These MIGHT be useful and considered Best Practice, but are they suitable for this enterprise? Until you understand the value in your information and data, and the most dangerous, most likely and most difficult-to-treat risks to that value, no framework, model or method is of any real use, because it is very difficult to see how YOUR risks are effectively treated in that model.

In such a model there is no useful way to trace value to risk, risk to treatment, and treatment to treatment cost. Is it worth being proactive with Risk-Based or Business-Oriented approaches to Information Assurance? Who really knows?

If I have a brain tumour, I want a good brain surgeon to operate, but I really don't care whether they drive a new Rolls Royce or a 20-year-old Subaru to get to the hospital. It is inconsequential to my critical operation. Likewise with any Enterprise Information Assurance program: what is consequential to the Asset risks that I am trying to treat and mitigate?

Lesson? Be very careful about which model you use for your Enterprise's security and assurance purposes. That decision IS part of your analysis, and mandating one model over another may not be appropriate for your specific circumstances. Be flexible and have a few methods and models up your sleeve. Justify in your plans WHY you prefer one over another for this instance.

By John Hodgson
