Information Assurance Capability Maturity Model Explained
DigitalGlobe is the organization chosen for this abbreviated assessment. The paper discusses considerations for decreasing risk and mitigating the assessed vulnerabilities. It covers a summary of the challenges assessed in the information assurance security plan, an overview of the key information assurance considerations, options for addressing risk items, and recommended mitigation approaches for the risks assessed.
Information Assurance Assessment Tasks and Challenges
A capability maturity model (CMM), such as the Information Security Assurance Capability Maturity Model (ISA-CMM) described by Security Horizon (2012), outlines the sequence of steps that are executed, how they are defined and implemented, and how they are improved over time. ISA-CMM identifies nine process areas related to performing information assurance tasks or activities (Security Horizon, 2012). Each of the nine areas is assigned a capability maturity level from zero to five. A high level indicates that the area is in compliance with the ISA-CMM; a low level indicates that the area needs attention before it can be brought into compliance. The information assurance function is tied to the ISA-CMM so that the capability of the information assurance process is continually improved. As Security Horizon (2012) points out, ISA-CMM is designed to provide assurance that the information assurance process is consistent and repeatable over time.
The object of applying the ISA-CMM is to improve the predictability, control and effectiveness of processes within the organization. A process, as described by Security Horizon (2012), is a sequence of steps performed to achieve a specific purpose. A CMM is a guide that helps the business achieve statistical process control. Process maturity indicates the extent to which a specific process is defined, managed, measured, controlled and believed effective (Security Horizon, 2012).
Information Assurance Considerations
Generic practices are activities that apply to all processes. They address the management, measurement, and institutionalization aspects of a process. In general, they are used during an appraisal to determine the capability of an organization to perform a process.
Within ISA-CMM, as Security Horizon (2012) points out, there are thirty-five information assurance considerations or practices, grouped into nine focused areas, that together present the complete set of processes and practices to be considered when implementing an information assurance activity. These nine areas (Security Horizon, 2012) can be broken into organizational support activities, on-site customer management, and gathering information at the site, and they should be kept in mind when evaluating facts for information assurance. The organizational support areas entail providing training, coordinating with the customer's organization and managing the information security assurance process. The on-site customer management area lays out the initial information security requirements. The steps for gathering on-site information are assessing threats, then assessing vulnerabilities and finally assessing impact; the remaining on-site information to be collected is the information security risk assessment. Once these activities are completed, the information gathered is analysed and the results are delivered.
Addressing Risk Items
There are several options for addressing risk items. Calder & Watkins (2015) describe two issues to consider when performing a risk assessment. First, there should be a regular review of security risks and of the controls related to them. The review should take into account new threats and vulnerabilities and the impact of changes to the business, such as changes to goals, technology, processes, or even laws and legislation. Second, the standard requires the business to identify the competencies needed by the people working within the ISMS framework.
A qualitative approach is commonly used to identify assets, threats, vulnerabilities, impacts, risks and controls (Calder & Watkins, 2015). Assets are tracked in a risk log. For each asset identified by the team, the log records the owner(s) of the asset, any known threat(s) and all of the vulnerabilities that affect the asset; these entries make up the corporate risk log.
The information asset inventory covers processes, information, information systems, hardware, software and so on. A threat is something that can go wrong in relation to an identified asset (Calder & Watkins, 2015). A vulnerability is a weakness that leaves the asset open to attack by a known threat. The impact is the outcome when a threat exploits a vulnerability and thereby harms the asset: the asset's availability, integrity or confidentiality may be breached. Risks are assessed to identify the potential business harm that might result from a threat exploiting a vulnerability, so that the business impact of each risk is understood (Calder & Watkins, 2015).
Methods of Mitigating Security Risks
An assessment should be completed to determine whether the threat exploiting the vulnerability creates an impact. The business then assesses and assigns a risk classification level to each risk, which makes it possible to decide, risk by risk, whether it is acceptable or whether controls must be put in place. A control is a mitigation or countermeasure put in place for a risk that has been found. Alternatively, a business can accept a risk or transfer it to others. Calder & Watkins (2015) identify five types of controls: directive, preventative, detective, corrective and recovery. A directive control consists of creating a policy. A preventative control is put in place to stop or reduce the impact of a vulnerability or attack. A detective control is triggered by the discovery of an attack and provides an immediate control action. A corrective control acts after an incident has been detected to correct its cause or its effects. Business continuity and disaster recovery controls are known as recovery controls. As Calder & Watkins (2015) point out, the directive control is the means by which the preventative, detective and corrective controls are delivered.
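As an added example (not code from the paper, from DigitalGlobe or from Calder & Watkins), the following Python script implements the risk log described in the preceding paragraphs: each entry records an asset, its owner, the threat, the vulnerability, which property of the asset is affected (confidentiality, integrity or availability), a qualitative likelihood and impact, the date of last review, and the controls in place classified by the five control types. The three-point scales, the risk appetite threshold, the annual review interval, the assessment date and the three sample entries are all constructed assumptions. It scores each risk before and after controls, decides whether the residual risk can be accepted or must be treated, flags entries overdue for the regular review discussed above, and reports which control types a treated risk still lacks.

```python
"""Qualitative risk register: asset -> threat -> vulnerability -> impact -> treatment.

Added example; not code from the paper, DigitalGlobe or Calder & Watkins. The
3-point scales, risk appetite, review interval, assessment date and sample
entries are constructed assumptions chosen to exercise the logic.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed qualitative scale
RISK_APPETITE = 3                # assumed: residual score <= 3 is acceptable
REVIEW_INTERVAL = timedelta(days=365)   # assumed: each risk re-reviewed yearly
AS_OF = date(2024, 6, 1)         # assumed assessment date for the sample data

class ControlType(Enum):
    """The five control types named by Calder & Watkins (2015)."""
    DIRECTIVE = "directive"
    PREVENTIVE = "preventive"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"
    RECOVERY = "recovery"

@dataclass
class Control:
    name: str
    kind: ControlType
    reduces_likelihood: int = 0   # likelihood levels the control removes
    reduces_impact: int = 0       # impact levels the control removes

@dataclass
class RiskEntry:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    affects: frozenset            # subset of {"C", "I", "A"}
    likelihood: str
    impact: str
    last_reviewed: date
    controls: list = field(default_factory=list)

def inherent_score(entry: RiskEntry) -> int:
    """Risk before any control is applied: likelihood x impact."""
    return LEVELS[entry.likelihood] * LEVELS[entry.impact]

def residual_score(entry: RiskEntry) -> int:
    """Risk after the recorded controls; a level never drops below 'low'."""
    lik = LEVELS[entry.likelihood] - sum(c.reduces_likelihood for c in entry.controls)
    imp = LEVELS[entry.impact] - sum(c.reduces_impact for c in entry.controls)
    return max(1, lik) * max(1, imp)

def treatment(entry: RiskEntry) -> str:
    """Accept the risk if residual risk is within appetite, otherwise treat it."""
    return "accept" if residual_score(entry) <= RISK_APPETITE else "treat"

def missing_control_types(entry: RiskEntry) -> set:
    """Control types the entry has none of; a policy alone leaves four gaps."""
    return set(ControlType) - {c.kind for c in entry.controls}

def needs_review(entry: RiskEntry, as_of: date = AS_OF) -> bool:
    """True when the entry is older than the regular review interval."""
    return as_of - entry.last_reviewed > REVIEW_INTERVAL

def report(register: list, as_of: date = AS_OF) -> list:
    """Rows sorted by residual risk, highest first, then by asset name."""
    rows = [(residual_score(e), e.asset, treatment(e), needs_review(e, as_of))
            for e in register]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample entries, not real DigitalGlobe findings.
RANSOMWARE = RiskEntry(
    asset="imagery archive", owner="data platform team", threat="ransomware",
    vulnerability="unpatched file server", affects=frozenset({"I", "A"}),
    likelihood="high", impact="high", last_reviewed=date(2022, 3, 1),
    controls=[Control("patch policy", ControlType.DIRECTIVE),
              Control("offline backups", ControlType.RECOVERY, reduces_impact=1)])
DEFACEMENT = RiskEntry(
    asset="public website", owner="web team", threat="defacement",
    vulnerability="password-only admin login", affects=frozenset({"I"}),
    likelihood="medium", impact="low", last_reviewed=date(2024, 2, 1),
    controls=[Control("MFA on admin login", ControlType.PREVENTIVE, reduces_likelihood=1)])
INSIDER = RiskEntry(
    asset="HR records", owner="HR director", threat="insider disclosure",
    vulnerability="over-broad share permissions", affects=frozenset({"C"}),
    likelihood="medium", impact="high", last_reviewed=date(2024, 1, 15))
REGISTER = [DEFACEMENT, INSIDER, RANSOMWARE]

if __name__ == "__main__":
    for score, asset, action, stale in report(REGISTER):
        print(f"{score:>2}  {asset:<16} {action:<7} review overdue: {stale}")
```

Note the shape of the result for the ransomware entry: a policy and offline backups leave it a treated risk with no preventative, detective or corrective control recorded, which is exactly the gap the directive control is supposed to drive the organization to close, and its review is overdue under the assumed annual interval.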
Conclusion
This abbreviated assessment was assembled for DigitalGlobe. The paper discussed considerations for decreasing risk using the ISA-CMM. It then discussed the assessed challenges in the information assurance security plan, namely the thirty-five information assurance considerations or practices, grouped into nine focused areas, that make up the complete set of processes and practices outlined in the ISA-CMM. Finally, options for evaluating risk items were discussed, along with control and mitigation approaches for the risks assessed. Once implemented, this abbreviated assessment will allow DigitalGlobe to manage information assurance security risks and reduce the risk of its assets being involved in attacks and breaches.
References
Calder, A., & Watkins, S. (2015). IT governance: An international guide to data security and ISO27001/ISO27002, 6th edition. Kogan Page.
Jacobs, S. (2016). Engineering information security: The application of systems engineering concepts to achieve information assurance, 2nd edition. Wiley.
Moeller, R. R. (2010). IT audit, control, and security. Wiley.
Peltier, T. R. (2013). Information security fundamentals, 2nd edition. CRC Press.
Quigley, M. (2011). ICT ethics and security in the 21st century: New developments and applications. IGI Global.
Sadiku, M. N. O., Alam, S., & Musa, S. M. (2017). Information assurance benefits and challenges: An introduction. Information & Security, 36, 1–5. doi:10.11610/isij.3604
Security Horizon. (2012). Information security assurance capability maturity model (ISA-CMM), draft version 3.2. Security Horizon.