Critical Security Controls Maturity Model

One of the projects that we have been thoroughly engaged on at AuditScripts.com has been to work with the Council on Cybersecurity on the Critical Security Controls project. If you haven’t had a chance to see the project, I would strongly recommend that you take a look. The full text can be most easily found at the SANS Institute at the following link:

http://www.sans.org/critical-security-controls/

One question I get asked a lot is regarding maturity models and the Critical Security Controls. Is there a maturity model that I can use to measure myself against to see how I compare to other organizations implementing the controls? At this point the official answer from the Council is “No, there is no official model.” However that being said, there’s also quite a bit of discussion around what might constitute a solid maturity model.

To answer this question I think the first thing we need to understand is that the controls are not just a list of good things to do. They also compose a mentality and philosophy for securing information systems. Therefore to understand a potential maturity model, we have to understand the guiding principles that the controls teach. The core philosophies of the controls are:

“Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

“Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.

“Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

“Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.

“Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.”

That being said, it seems like a good maturity model would need to be composed of more than just “What percentage of the controls have you implemented.” So in anticipation of the various summits held on the controls this year in London and Washington, DC, we created the following maturity model for organizations looking to measure themselves:

Level #0:              Project Initiation

Level #1:              Some Controls Implemented & Audited

Level #2:              All Controls Implemented & Audited

Level #3:              All Controls Automated

Level #4:              All Controls Reporting to Management

Level #5:              Continuous Monitoring & Remediation

This is meant to be a high level statement, not a deep dive or project plan. But I think it could be the start of an interesting discussion. Companies need to do more than simply check boxes that they’ve implemented the right controls. Those controls need to be integrated into business processes, automated, and placed in the hands of knowledgeable business owners. Hopefully this model encourages us to start considering each of these aspects as we judge our maturity.