maturityMaturity is something we expect from respected folks or grown folks but what about your privacy and security program, do you check it’s maturity?  You have all of these plans, policies, procedures, and training but is it actually meeting your needs?  Time to talk maturity assessments.

HIPAA For MSPs by David Sims Maturity Assessments
00:00:00 00:00:00

Some people who know us may say that the two of us are the least qualified to judge maturity levels.  However, we know they don’t really mean that.  We are mature, where it matters anyway and privacy and security is where it does matter.

There are many different frameworks or plans out there for maturity models.  The NIST CSF has the Implementation Tiers.  SANS, C2M2, SecureWorks, and many other names exist with recommendations.  The point is there should be an assessment of how well you are doing with your program.  As privacy and security become part of your day-to-day activity and company culture you will want to know what works and what needs to be improved.

Maturity of security awareness

SANS has a very simple list to reflect how aware your organization really is concerning security requirements.  You start at the bottom with level 1 and proceed to 5 as your program matures.  Unfortunately, level 2 is compliance focused.  That means all of those programs that worry about checking the box for compliance and HIPAA made easy approaches will get you no higher than level 2 without more work.

Here is how Lance Spitzner, Director, SANS Security Awareness, explained levels 1 and 2:

Level 1:  No Security Awareness Program Okay, this is pretty simple, there is no awareness program, there is no attempt to train and educate the organization.  As a result, people do not know or understand organizational policies and procedures, do not realize they are a target and are highly vulnerable to most human-based attacks. Only about 30% of the organizations I run into have absolutely no awareness program.  Instead, I find most organizations are at Level 2.  This actually may not be a good thing.
Level 2: Compliance Focused This is an awareness program designed primarily to meet specific compliance or audit requirements.  Training is limited to annual or ad-hoc basis, such as an onsite presentation once a year or quarterly newsletters.  There is no attempt to change behavior.  As a result, employees are unsure of organizational policies, their role in protecting their organization’s information assets and how to prevent, identify or report a security incident.  To be honest this is where I find most organizations are at.  If you ask if they have a security awareness program they say “Kind of”.   The danger with this is management believes you are doing ‘something’, that since you have some type of awareness program employees are secure and there is nothing else to be concerned about.  In other words, this creates a false sense of security.  In reality, you are most likely just as vulnerable and have the same amount of risk as Level 1.  Management just does not realize it.
“people do not know or understand organizational policies and procedures”

Notice this scale is talking about security awareness of the organization as a whole.  It assumes there are already policies and procedures in place.  But, we know there are plenty of groups that think they are at level 2. But, we know there are plenty of groups that think they are at level 2.  But, if you don’t have any written policies and procedures that are actually followed by staff it is hard to say you have made it that far.   In the level 1 description, he said “people do not know or understand organizational policies and procedures” and in order to get past that one element of level one you must have them, use them, and make people aware of them.

SANS maturity

Source: SANS maturity model

Some of the other maturity models are very complex and drill down much further than a few steps or some generalities like the SANS one does.  Unless you have mastered some of the smaller ones, though, there isn’t much use in digging deeper.  Start somewhere is what is important, as always.  How do you eat an elephant was all the way back in episode 4.  That thought still hasn’t changed.

Maturity of risk management plans

To get started just ask questions.  The process means asking hard questions, though, and providing honest answers.  Audit scripts does a 5 questions list for a wide variety of security program elements that some may find helpful.  The specific risks you address should be evaluated in some maturity model.

Let’s start with just checking the maturity of your security risk analysis (SRA) plans.  To do a proper SRA there should be a list of threats and vulnerabilities.  Then, you identify the likelihood and impact to determine the risk you believe they mean to your organization.

When Kardon does a security risk analysis we add a series of questions that ask what is your general plan for those threats and vulnerabilities.  Finally, we ask how well are you doing with the plans you identified.  Originally, we provided a matrix for making those decisions.

Turns out that was more like parents having to identify problems with their kids – you usually give them the benefit of the doubt.  But, when you drill down and ask specific questions the answers change a good bit.  We now ask specific maturity questions that automatically calculate a maturity score.  Results are dramatically different.  Math is so much easier to deal with on these things.

We took the approach that any implementation would require three elements, at a minimum:  Training, Documentation, Incident Response Plan prepared.  We ask where you stand with each of these elements in addressing a specific risk.  Then, math determines your overall level of maturity.

Our maturity levels include:

    • Chaotic – 0
    • Informal – 1
    • Reactive – 2
    • Stable – 3
    • Proactive – 4
    • Optimized for continuous improvement – 5

For example, consider a ransomware attack threat, it should be considered a High risk for any healthcare organization.  If you answered the element questions as follows:

Element Answer
Training Undocumented or no training
Documentation No written policies, procedures, documentation
Incident Response Incident response team concept never discussed

The maturity level of your program’s ability to deal with that risk is chaotic at best based on those answers.  The bare minimum you should be at, in our opinion, for all your High Risk items is Stable.  That means the answers would be at least:

Element Answer
Training Documented training for staff is comprehensive
Documentation Written policies, procedures, plans, documentation exists and includes proof of regular reviews, and necessary BAAs in place
Incident Response Team has been assigned and working to determine roles and responsibilities consistently

Ultimately, you would want to be at a Proactive level.  However, many organizations are still in the Chaotic level so jumping from 0 to 4 is a big leap.  Make progress.  It isn’t going to get easier the longer you wait.

Maturity of the organization

Those examples are where we are looking directly at a specific risk and not the organization as a whole.  Back in 2014 Enterprise Strategy Group released a matrix that looked at the organization as a whole where cybersecurity is concerned.  It says there are three types of organizations:  Basic, Progressing, and Advanced.  They also look at different categories to define where you stand in each area.  Philosophy, People, Process, and Technology.

I think the classification can often be made without anything more than the Philosophy for many organizations.  If it doesn’t start from the top then you know it isn’t going to be secure at the bottom.  The three Philosophy options are driving the rest of the maturity model.  Is cybersecurity a “necessary evil”, something that must be integrated into the business, or part of the culture.

enterprise strategy group maturity

Peter Drucker promoted the concept of “What gets measured gets managed.”  Drucker also said that  “Management is doing things right; leadership is doing the right things.”  Just doing things that aren’t contributing to the growth and effectiveness of your privacy and security program isn’t helpful.  You need to see that you are continuing to do things that move you forward and prepare you for the next threat you face.  Maturity isn’t a place it is a process that never ends no matter whether it people, processes, or systems.