Threat environment in our ever-expanding cyberspace is dynamic. Organizations cannot implement security measures at once and let them continue to function without any changes or updates. As cyberattacks continue to evolve in complexity and sophistication, an organization’s security posture should also mature with time and experience. To maintain consistency in their efforts, organizations often look for a standard or a framework to help them out with the basics.
A security maturity model supports your organization in conducting regular reviews for assessing its efforts to improve security practices. Such security models also guide an organization in what it needs to do to reach the next maturity level. Some of the most common security maturity models are PRISMA (Program Review for Information Security Assistance), SP-CMM (Security & Privacy Capability Maturity Model), Cybersecurity Capability Maturity Model (C2M2), NIST Cybersecurity Framework, etc. In the second article of our two-part series, we are focusing on PRISMA.
LIFARS Gap Assessment Solution is designed to ascertain your comprehensive information security, risk and compliance status (current). Not only we determine your current state along with your risk appetite and tolerance, we also provide you with actionable roadmap to reach target maturity level including strategy, structure, governance, and operations management plan.
What is PRISMA?
PRISMA standards for Program Review for Information Security Assistance. It is a NIST Computer Security Resource Center’s (CSRC) project that incorporates guidelines from NIST SP 800-53. It has three main objectives:
- Assisting federal agencies in improving their security programs;
- Supporting the planning activities for critical infrastructure protection; and
- Facilitating the exchange of good security practices within the federal community.
Considered as a highly effective maturity model, private organizations also adopt PRISMA to review the maturity of their security programs. When an organization reviews the maturity of its security practices, it is not equivalent to an audit or inspection. A PRISMA review focuses on nine primary reviews with five level of maturity: policies, procedures, implementation, test, and integration.
IT Security Maturity Level 1: Policies
While many maturity levels have a level 0, PRISMA requires organizations to have available documentation to achieve this maturity level. Organizations should have formal documentation containing “will” or “shall” statements that are available to employees. At this maturity level, the policies:
- establish a continuous cycle of risk management and monitor program effectiveness;
- cover major operations and facilities of an organization;
- are approved by the concerned stakeholders;
- distribute security roles and responsibilities and create a baseline for measuring the progress of security practices; and
- cover penalties and disciplinary actions for non-compliance of policies.
IT Security Maturity Level 2: Procedures
Policies require operational procedures to implement security controls. Procedures clarify how, where, when, who, and what for an organization’s security controls. These documents also describe the idea behind the control implementation and who is responsible for what. Procedures should define acceptable behavior and responsibilities for users, asset/process owners, security personnel, etc.
IT Security Maturity Level 3: Implementation
Organizations implement policies and procedures for a set target audience. This target audience includes stakeholders, top management, contractors, and vendors. The first step towards the implementation of policies and procedures is to communicate them to the intended parties. PRISMA highly discourage ad-hoc approaches and encourages organizations to follow consistent processes across the organization. It recommends that an organization may conduct training sessions to ensure that everybody is on the same page.
IT Security Maturity Level 4: Test
Threat environments continuously evolve, and hence, organizations cannot have static security practices. This maturity level requires that organizations should conduct regular tests to check the effectiveness of their implementations. The extent of tests depends on the risks faced by an organization. Conducting periodical tests helps in ensuring that an organization can take the required corrective actions as soon as it identifies loopholes, flaws, and weaknesses. Some of the testing requirements include:
- Conducting self-assessments as well as independent reviews/audits
- Documenting the type and frequency of vulnerability scans and efforts to minimize risks
- Designating the responsibility for conducting regular tests and reviews
IT Security Maturity Level 5: Integration
Cybersecurity is a shared responsibility. Security team alone cannot ensure that organization is not prone to cyber attacks. Security responsibilities should also become an integral part of organizational culture. The level of cohesiveness in this integration helps organizations in achieving cost-effectiveness cybersecurity. At this level of maturity, PRISMA also expects organizations to:
- Evaluate threats and upgrade existing security controls to evolve and adapt
- Periodical review of policies, procedures, implementation, and tests
- Decision-making process that relies on cost, risk, and business requirements
- Management of vulnerabilities and prioritization of mitigation measures
- Establishing the requirements for status metrics for the IT security program and putting efforts for meeting those requirements
Defending an organization’s IT assets is not a one-time battle. While attackers only need to succeed once to damage your organization’s financial stability and reputation, your security team defends IT infrastructure every day. Our experts, in their years of experience, have found that focusing on achieving security maturity leads to reduced cybersecurity expenses, in around three to four years. Have you previously adopted any maturity model to improvise your security practices? Tweet to us at @LIFARSLLC and let us know.