Cyber Maturity Elements and Levels

There are 19 Cyber Maturity elements spread across the three security areas (people, process and technology). Each element has a corresponding question that helps determine your organization's maturity. A list of the elements and questions are laid out for your reference. 

_________________________________________

19 Security Elements

Security Awareness and Training

Category: People

Nowadays information systems have evolved to be pretty secure, but we still need people to do many tasks. They're often the weakest link in the cybersecurity chain. People do things like writing down or reusing passwords, giving out sensitive information, or leaving their screens unlocked while they grab a cup of coffee. Security training is the best tool for closing this gap.

Level 0 - No security awareness or training.

Level 1 - Ad hoc or minimal security awareness training with no ongoing training.

Level 2 - Basic, generic security training or awareness materials are provided. Training is ongoing and provided at least annually.

Level 3 - Security training is provided to 100% of team members at least annually, along with ongoing awareness efforts to reinforce company policies/procedures.

Level 4 - Basic security awareness training is provided to all team members, with some targeted training provided based on roles.

Level 5 - Targeted, role-based security training is provided for all team members. Continuous event-driven awareness is also provided (e.g. immediate training for policy infractions or in response to new threats).

 

Security Organization

Category: People

Somebody's got to manage all the cybersecurity activities in your organization. It's important that the right individual, with the right skills is put in charge.

Level 0 - No security personnel or defined security role exists.

Level 1 - Have an informal security official.

Level 2 - Have a named security official (internal or contractor).

Level 3 - Have a dedicated IT security/risk team member with appropriate skills/certifications.

Level 4 - Have a named CISO/senior level official, but is not a stakeholder in key business decisions.

Level 5 - Have a CISO who is equivalent to other C-level executives in decision making.

 

Documentation

Category: Business Process

Account for the many aspects of cybersecurity in your organization’s documentation. Build an information security foundation with strong policies that govern the actions that team members take with your data.

Level 0 - No policy, procedure, or other documentation is present.

Level 1 - Minimal policy, procedure, or other documentation, which does not cover all critical assets and business processes.

Level 2 - Formal documentation exists to cover a majority of business processes and assets, but in a decentralized manner. Formal oversight and approval is not present.

Level 3 - A centralized IAM solution is in place and supports a majority of corporate resources. Multi-factor authentication (MFA) is utilized for critical/highly sensitive resources.

Level 4 - Formally documented and approved security program documentation, which is continuously updated based on risk rather than scheduled updates. Documentation must be reviewed at least annually.

Level 5 - Formally documented, approved, and continuously updated documentation is present, and is classified as Strategic, Tactical, or Operational. Documentation is organized into supporting hierarchies based on these levels. Documentation must be reviewed at least annually.

 

Information Security Management System (ISMS)

Category: Business Process

An Information Security Management System (ISMS) is a comprehensive plan to ensure Information Security goals are being achieved. It has three parts: 1) Defined Leadership, 2) Documented Policies & Procedures, and 3) Monitoring Capabilities.

Level 0 - No formal processes, responsibilities, or documentation exists for managing information security (InfoSec).

Level 1 - Minimal, informal processes, responsibilities, or documentation exists for managing InfoSec.

Level 2 - Documented processes/policies exist, but they are maintained in an ad hoc manner. Information security is an informal assignment and does not have dedicated resources.

Level 3 - Formally documented policies exist to meet all compliance requirements, and they are reviewed & approved at least annually. Roles and responsibilities are defined, and sufficient resources are available to fill them.

Level 4 - Security processes have KPIs and metrics which are monitored at least annually to identify and implement improvements.

Level 5 - Formally defined documentation, as well as strategy for managing ISMS functions exists. These include procedures for generating metrics, driving process improvements, and supporting risk-based business decisions.

 

Risk Assessment

Category: Business Process

Everything that you do as an organization to generate value comes with risk - the possibility that you won't be able to generate that value. Data can be stolen, buildings can burn down, or competitors could copy your secret formula and steal all your customers.

Risk Assessment helps you to identify and prioritize these risks; because so much of our businesses are information-based, cybersecurity risks are increasingly important to deal with.

Level 0 - No risk assessments are performed.

Level 1 - Risk assessment is completed, but may not be done routinely or is only done per compliance requirements.

Level 2 - Risk assessments conducted more frequently than required by compliance requirements (at least annually).

Level 3 - Risk assessments performed more frequently than required by compliance requirements (at least twice a year), and include a broader scope, e.g. assessment of critical business processes rather than just asset-based assessment.

Level 4 - Risk assessment incorporates data from continuous monitoring for ongoing assessment of key risk indicators.

Level 5 - Continuous monitoring provides near real-time, ongoing risk assessment. Risk metrics are included in business decisions making processes.

 

Risk Management

Category: Business Process

Once you've assessed your risks, you should work to lower those risks. Risk management helps you prioritize, treat, and monitor security vulnerabilities over time. Decide which risks to address first. Continuous monitoring helps ensure your remediations remain effective.

Level 0 - No risk management is performed.

Level 1 - Risk management activities are minimal, and may be driven solely by compliance mandates.

Level 2 - Risk management includes factors outside of simple compliance requirements. An organization-defined risk appetite may be present, or informal decision about levels of acceptable risks.

Level 3 - Risk management is driven by an organizationally-defined risk threshold/appetite, which takes into account compliance requirements as well as industry/company factors

Level 4 - KPIs for risk management are established, and metrics are generated at least annually to evaluate the effectiveness of chosen mitigation strategies. If metrics exceed defined thresholds, corrective action is taken.

Level 5 - Risk management and the risk threshold/appetite are monitored in near-real time as part of continuous monitoring, and actions are taken to respond to elevated risk detected. The risk threshold/appetite should be continuously updated based on organizationally-defined criteria, compliance requirements, and other outside sources such as threat intelligence.

 

Risk Transfer

Category: Business Process

You can reduce risk but never eliminate it entirely. Cyber insurance can help you guard against residual risk. Your risk appetite will determine how much insurance coverage you choose your organization's operations.

Level 0 - No cyber insurance.

Level 1 - Cyber insurance coverage limit is $250K or less.

Level 2 - Cyber insurance coverage limit between $250K and $1M.

Level 3 - Cyber insurance coverage limit between $1M and $2M.

Level 4 - Cyber insurance coverage limit between $2M and $3M.

Level 5 - Comprehensive insurance with limits of $3M or more protecting against all losses.

 

Security Metrics Program

Category: Business Process

It's an old adage that you can't manage what you don't measure, and it's still true. You need to have adequate metrics from your cybersecurity program to facilitate management decisions about where and how to prioritize efforts, budget, etc.

Level 0 - No security metrics are captured.

Level 1 - Minimal, ad-hoc metrics are gathered to monitor execution and performance. Metrics are typically gathered reactively.

Level 2 - Some metrics are captured on a routine basis to proactively monitor basic execution or performance. They are reviewed annually.

Level 3 - Metrics are captured and reported at least twice a year, but may not be actionable or acted upon.

Level 4 - Actionable, relevant metrics are captured for a majority of cybersecurity efforts or activities, and reported at least twice a year.

Level 5 - All processes produce metrics, which are used to drive continuous security program improvements. Metrics from security program (specifically ongoing risk monitoring) are used to drive business decisions, and are reviewed at least quarterly.

 

Asset Inventory

Category: Technical Process

To protect your business, you must know what you have that's worth protecting! An asset inventory gives you insight into what data, systems, and physical assets attackers might compromise or steal.

Level 0 - Assets are not inventoried for IT management purposes. Organization does not have compliance / regulatory requirement to maintain an inventory.

Level 1 - Asset inventory updated manually and only per compliance requirements (e.g. once a year). Scope is limited to just assets in the compliance environment.

Level 2 - Inventory is updated more frequently than required per compliance requirements, but is still manually managed. Scope may be limited to just assets in the compliance environment, rather than the entire organization.

Level 3 - Asset inventory reviewed and updated at least twice a year, but not automated. Scope may be limited to just assets in compliance environment and not include full details of all assets (including hardware, software, networks, cloud resources, etc.). Inventory may be generated using a variety of tools, rather than a centralized database.

Level 4 - Inventory generation is mostly automated (e.g. via scanning/orchestration software), and is updated at least quarterly. Scope of inventory includes all organizational assets (hardware, software, networks, cloud environments, etc.)

Level 5 - Automated and continuous asset inventory with discovery in a centralized platform (tool-based). Scope is comprehensive (including hardware, software, network resources, and cloud environments), including all resources in use at a company regardless of environment.

 

Business Continuity and Disaster Recovery (BC/DR)

Category: Technical Process

In a disaster, people don't always make the best decisions, and may not have access to adequate resources. It’s better to prepare in advance. Make plans to recover and continue the operation of your organization.

Level 0 - No planning is done for continuity or recovery. Little to no redundancy is built in, and recovery capabilities are ad hoc.

Level 1 - Informal, possibly undocumented redundancy, continuity, or recovery planning is performed. Recovery is largely ad hoc.

Level 2 - Some documented procedures or plans exist for the continuity or recovery of processes/systems. They are largely ad hoc/decentralized and are not based on the criticality of the system/process.

Level 3 - Documented plans exist for redundancy, continuity, and recovery of critical processes/systems. Minimal testing is performed at least annually.

Level 4 - Documented plans exist for redundancy, continuity, and recovery of critical processes/systems. Plans are fully tested on an annual basis, ensuring a guarantee of continuity of operations.

Level 5 - The organization approaches BC/DR from a resiliency perspective. All critical systems and processes are designed and tested to withstand failures, with continuous improvement to the BC/DR capability based on lessons learned and emerging threats. BC/DR testing is done annually.

 

Breach Response Capability

Category: Technical Process

Your organization’s data makes it a valuable target for hackers. Even the best defenses will sometimes be breached. It is vital to plan your response. Don’t get caught off guard by legal requirements for reporting a breach.

Level 0 - No planning is performed, and the organization has not identified any legal/regulatory breach reporting requirements. Breach responses are ad hoc.

Level 1 - Organization has identified and documented any legal, regulatory, and/or contractual breach response requirements. Breach responses are ad hoc

Level 2 - Breach response is planned and documented. This response capability is focused solely on the company's legal requirements, and does not include a risk-based approach.

Level 3 - Breach response includes identified response capabilities such as forensic investigation, credit protection, etc., but does not have guarantees in place (i.e., in the event of a breach, a contract would have to be issued for the forensic investigation).

Level 4 - Breach response includes identified response capabilities, such as forensic investigation, as well as some guaranteed services (i.e., retained professional services).

Level 5 - Breach response includes pre-defined and guaranteed capabilities such as legal response, forensic investigation, credit protection, PR management, etc.

 

Configuration and Change Management

Category: Technical Process

Improper software configurations can introduce critical vulnerabilities. Ensure you are securely processing and storing sensitive information. Maintain your systems so they stay secure.

Level 0 - System configurations are not documented, and changes are made without formal review, approval, or testing.

Level 1 - System configurations may utilize some baseline (such as standard cloud hosting PaaS configurations), and changes may have some informal review and approval processes.

Level 2 - Best practices are used, at a minimum, as a starting point for configuration (e.g. CIS Benchmarks). Some formality exists in change management.

Level 3 - System configurations are documented/controlled (e.g. via virtualization/cloud orchestration), and changes require review, approval, and testing. Best practices may be utilized as starting points, with documentation of any tailoring as appropriate.

Level 4 - Automated configuration management scans with alerts generated for any systems out of compliance. Change management procedures define and require formal review, approval, testing, and acceptance.

Level 5 - Fully automated configuration management and alerts for any changes to the environment, including hardware, software, and network configuration. Change management tool and process allows for prior approval of changes to suppress false positive alerts.

 

Continuous Monitoring

Category: Technical Process

Cybersecurity concerns are constantly evolving. Firewalls and encryption can help. Monitor these systems continuously to ensure they are working correctly. Audits can also provide a secondary means of finding issues.

Level 0 - Implementation and effectiveness of controls, countermeasures, and safeguards are not evaluated.

Level 1 - Implementation and effectiveness of controls, countermeasures, and safeguards is monitored on an ad hoc basis, such as monitoring/alerting tools. Monitoring is purely operational and not tied to risk or compliance requirements.

Level 2 - In addition to monitoring, point-in-time assessments of controls are conducted on an ad hoc basis.

Level 3 - Regular (At least an annual point-in-time audit and routine reviews (minimum twice a year) are performed to identify any deficiencies in controls.

Level 4 - Some controls have automated continuous monitoring, such as alerts generated by network monitoring tools. Non-automated monitoring is performed quarterly or semi-annually.

Level 5 - Near-real-time monitoring is performed to identify and immediately alert on any deficiencies in control implementation and operation. This monitoring should comprise a mix of technical monitoring capabilities and manual reviews.

 

Cyber Event Awareness

Category: Technical Process

Cyber event awareness is crucial. You must know what's going on in your information systems. To respond to malicious activity on your network, you have to be aware that something has happened!

Level 0 - Little to no visibility into cyber events, such as breaches, anomalous traffic, or suspicious activity. Review of event data may not be performed, or are purely reactive.

Level 1 - Minimal visibility into cyber events, such as breaches, anomalous traffic, or suspicious activity. A review of event data is performed manually and is mostly reactive.

Level 2 - Basic logging and event detection (alerting capabilities are present, though they may be decentralized. Log reviews may be done manually, or a basic level of automation is present but must be done at least monthly.

Level 3 - Logs are centrally collected and analyzed using technological means (e.g. a syslog server, SIEM tool, etc.). Alerts are manually investigated, and response capabilities are not real-time. Logs are reviewed at least weekly.

Level 4 - Near-real-time information collection and analysis capability coupled with responses from a security operations center that are also near-real time. This may be an outsourced managed security provider.

Level 5 - Cyber event awareness includes the use of tools/platforms to achieve near real-time collection, analysis, and correlation of data from sources such as system logs and security tools.

This awareness should also include external information sources, such as threat intelligence.

Security operations must monitor alerts, and system capabilities should include automated countermeasures. This may be an outsourced managed security provider.

 

Physical and Facility Security

Category: Technical Process

The physical environment in which data is stored or processed needs to be secured against physical threats such as theft or damage from natural disasters, as well as properly managed against environmental risks.

Level 0 - No physical or environmental access controls are present.

Level 1 - Physical access is minimally controlled. Environmental controls, if present, are manual.

Level 2 - Physical access is controlled for all facilities on a per-user basis.
Environmental controls are centrally monitored.

Level 3 - Physical access is controlled and centrally monitored. Environmental controls are automated.

Level 4 - Physical access control systems are integrated into continuous monitoring tools utilized by security operations.

Level 5 - Security and Environmental controls are part of continuous monitoring and cyber event detection.

 

Security Testing and Vulnerability Management

Category: Technical Process

Utilize tools and techniques to identify security flaws in your systems. Make the appropriate modifications, then test again. Threats evolve, so test regularly to ensure your systems are properly protected.

Level 0 - No security testing is performed. Vulnerabilities are not identified and remediated.

Level 1 - Testing is ad-hoc or coverage is incomplete (e.g., vulnerability scans are run but a pen test is not conducted). Vulnerabilities are not addressed in a timely manner

Level 2 - Formal testing is done at least annually. Coverage may be partial, but environments with sensitive data must be in scope for testing. Vulnerabilities are addressed in a timely manner.

Level 3 - Formal testing is supplemented by periodic informal tests. Coverage may be partial, but environments with sensitive data must be in scope for testing. Vulnerabilities are addressed in a timely manner.

Level 4 - All environments are included in the scope of testing and frequency is periodic. Vulnerabilities are addressed in a timely manner and resolution is verified by subsequent scans.

Level 5 - Formal testing is conducted on a regular schedule (e.g., an annual pen test). supplemented by near-real-time testing (e.g. continuous vulnerability scans). All types of security testing relevant to your organization are done (e.g. static code scan, network scan)

 

Data Protection

Category: Technology

Information security starts with strong policies that govern the actions team members take with your data. Data is valuable, and it’s essential that you have adequate data protection policies and controls in place to safeguard it.

Level 0 - No data protection controls in place

Level 1 - Minimal data protection controls are present and are ad-hoc.

Level 2 - Robust but ad-hoc or system-specific data protection controls are implemented, without centralized management or strategy.

Level 3 - Basic documented and enforced data protection controls, including data classification, handling, and use of encryption. Processes are largely manual.

Level 4 - Data protection controls include documentation and some systematic enforcement, such as forced encryption, DLP (Data Loss Protection), or other means.

Level 5 - Robust data classification, handling, encryption at rest, and encryption in transit controls are implemented and enforced systematically, via DLP or similar tool. i.e. all data protection security controls are enforced and managed by such tools.

 

Identity and Access Management (IAM)

Category: Technology

Once you've figured out what assets you have to protect, determine who should and shouldn't have access. Then implement access controls to allow authorized team members access to data, while keeping everyone else out.

Level 0 - Identity and access management (IAM) is not present across all systems, and may be largely provided by or controlled outside the organization (i.e. by application providers).

Level 1 - Identity and access management is ad hoc but present across all systems, and lacks central management capabilities. 

Level 2 - Some centralized IAM tools are utilized, but they do not cover all platforms/environments.

Level 3 - Documented policies and procedures exist for corporate IAM. Some centralized tool(s) are used, such as SSO, but not all corporate resources are supported.

Level 4 - A centralized IAM solution is in place and supports a majority of corporate resources. Multi-factor authentication is utilized for critical/highly sensitive resources.

Level 5 - All corporate resources require the use of a centrally-managed IAM solution including multi-factor authentication.

 

Mobile Device Security

Category: Technology

Smartphones, tablets, and laptops power business. But they make theft of sensitive data more likely. Securing and managing mobile devices is crucial due to their massive storage capacities, and how easy they are to steal.

Level 0 - No mobile device security is present, and data on mobile devices is not managed.

Level 1 - Minimal mobile device security is present. Device configurations are not centrally managed.

Level 2 - Defined policy/procedures for MDM (Mobile Device Management) exist, with some decentralized management capabilities (e.g. Google Apps restrictions or Exchange ActiveSync configuration requirements).

Level 3 - Decentralized mobile device management is present for all devices, e.g. enforcing per-application restrictions such as Google Apps or Exchange ActiveSync. 

Level 4 - A centralized MDM solution is deployed to manage corporate data on mobile devices and mobile device access to corporate resources.

Level 5 - A mandatory, comprehensive mobile device management solution is deployed. The MDM enforces all organization-defined controls over data, such as encryption, remote wipe/lock, and handling regardless of platform/device (smartphones, tablets, laptops, removable drives, etc.)

Have more questions? Submit a request