A maturity model is a structured collection of elements that describe characteristics of effective processes. It provides a place to start, a structure for prioritizing actions, and a way to define what improvement means for an organization.
Whether or not an organization fulfills a control's objective isn't a Boolean answer: there is no real way to determine whether we are or aren't complying simply by giving a yes or no answer. It's a matter of levels of maturity. No auditor would say that your organization has complied with a required objective if your staff at one point in time executed a control (such as "tested for security of a system") but then never repeated the process nor measured its success.
There are six more or less agreed upon and defined levels of process maturity for an organization within the frameworks we've studied. Some frameworks such as CMMI ignore level zero while others such as CobiT include zero. In addition, CobiT adds seven qualitative attributes in order to better identify an organization's level of maturity. These seven attributes are awareness and communication; policies, standards, and procedures; tools and automation; skills and expertise; responsibility and accountability; goal setting; and measurement. For goal setting and measurement, we have combined the CobiT attributes with the CMMI general goals for each level. Here are the levels and their associated attributes and goals as we apply them within the Unified Compliance Framework.
0. Nonexistent (complete lack) There are no recognizable processes that fit this particular control, nor does the organization recognize that there is an issue to be addressed regarding this control.
1. Initial (chaotic, ad hoc, individual heroic efforts) There is evidence that the organization has recognized that the issue exists and needs to be addressed. Without standardization, there are ad hoc approaches to each issue that are either applied person-by-person or situation-by-situation. In other words, processes are unpredictable, poorly controlled, and reactive.
Awareness and communication -- Recognition of the need for the process is emerging, but there is sporadic, often confusing communication of the issues.
Policies, standards, and procedures -- There are ad hoc approaches to processes and practices, and policies are as yet undefined.
Tools and automation -- While tool usage might exist, there is no planned approach.
Skills and expertise -- Required skills are not identified and no training plan exists.
Responsibility and accountability -- Ownership is based upon personal pride without any definition of accountability and responsibility.
Measurement -- At this point, metrics cannot provide a trusted baseline because the baseline either does not exist or is being developed.
Goal setting -- The overall goal is to be able to perform the base practices without any real measurement by
o Identifying and involving relevant stakeholders
o Performing the base practices
2. Repeatable (project management, process discipline) The process is used repeatedly. Similar procedures are followed by different groups or people when undertaking the same task. However, there is no formalized standardization, documentation, communication, or training of procedures. All intellectual property of the process is locked inside each person's mind.
Awareness and communication -- Management is aware of the need to act and is able to communicate its basic issues.
Policies, standards, and procedures -- Informal documentation and understanding of policies, standards, and procedures exist. Intuitive common processes are emerging based upon individual expertise.
Tools and automation -- Individuals within the organization have created tool-based automation that may or may not have become common usage among their peers.
Skills and expertise -- For critical areas, minimum skill requirements have been identified. On-the-job training is provided in response to specific needs only, without a formal training plan being developed.
Responsibility and accountability -- Individuals are assuming responsibility and are being held informally accountable. However, there is confusion about responsibility when problems occur, leading to finger pointing and blame.
Measurement -- At this point metrics are binary: either the process is being performed or not. Baselines are now being established and defined.
Goal setting -- The overall goal for this phase is to institutionalize a managed process through
o Establishing an organizational policy
o Documenting processes and procedures
o Providing the necessary resources
o Assigning responsibility
o Training the staff
o Managing configurations
o Monitoring and controlling the process
o Objectively evaluating adherence
o Reviewing the status with higher level management
3. Defined (institutionalized) The process is defined/confirmed as a standard, documented course of action. Existing practices have been formalized into policies that have been documented and communicated. Standards have been created to regularize key parameters within policies. Procedures that carry out these policies have been harmonized, documented, communicated, and staff trained. However, there is no continuous monitoring and measurement that the processes are being followed according to procedure.
Awareness and communication -- Management is formal and structured in its communication of its understanding of the need to act.
Policies, standards, and procedures -- The policies, standards, procedures, and processes are defined and documented for all key activities. Usage of good practices has emerged.
Tools and automation -- A plan has been defined for the use and standardization of process-automating tools. However, individual tool usage may not be integrated with other related tools.
Skills and expertise -- Skill requirements are defined and documented for all areas. A formal training plan has been developed, but the actual training that takes place is based upon individual initiative.
Responsibility and accountability -- Process owners have been identified, with process accountability and responsibility defined and documented. However, process owners are unlikely to have full authority to exercise their initiatives.
Measurement -- Tolerances of change for metrics are being established.
Goal setting -- The overall goal for this phase is to institutionalize a defined process through
o Ensuring full dissemination of defined procedures and processes
o Collecting improvement information
4. Managed (quantified) Process management and measurement take place. Through the monitoring and measurement of compliance with organizational policies, standards, and procedures, the organization is able to intervene and take action where processes are not effective.
Awareness and communication -- Management is able to maturely use techniques and tools to communicate its understanding of its full requirements.
Policies, standards, and procedures -- All aspects of the process are documented and repeatable. Policies are approved by management and documented. Standards for developing policies and procedures are adopted and followed.
Tools and automation -- Tools are implemented according to a standardized plan and some have been integrated with other related tools. Tools are being used in main areas to automate management of processes, as well as to monitor critical activities and controls.
Skills and expertise -- Skill requirements are routinely updated for all areas, with proficiency being ensured for all critical areas. Mature training techniques are applied according to a training plan, with knowledge sharing being encouraged. Internal domain experts are involved in training. Effectiveness of the training plan is routinely assessed.
Responsibility and accountability -- Process owners have full authority to exercise their initiatives, with accountability and responsibility fully accepted by management. A reward culture has been put into place.
Measurement -- Metrics are now statistically valid, with an increase in their breadth and interconnectedness.
Goal setting -- Effectiveness and efficiency are linked to business goals and the overall IT strategy. Root cause analysis is being standardized through institutionalizing a quantitatively managed process by
o Establishing quantitative objectives for procedures and processes
o Stabilizing sub-process performance
5. Optimizing (process improvement) Process management includes deliberate process optimization/improvement. Processes are being continuously refined to a level of best practice.
Awareness and communication -- Management is able to integrate tools and techniques when proactively communicating its forward-looking understanding of issues and requirements based upon trend analysis.
Policies, standards, and procedures -- Process documentation has evolved into automated workflows. Policies and procedures are standardized and integrated to enable end-to-end improvement.
Tools and automation -- Tools are fully integrated with other related tools to enable end-to-end support of processes, automatically detect control exceptions, and improve the process. Standardized toolsets are used across the enterprise.
Skills and expertise -- Based upon organizational goals, continuous improvement of skills is formally encouraged. Training and education support best practices and use leading-edge concepts and techniques. Knowledge sharing and knowledge-based systems have been formalized.
Responsibility and accountability -- Process owners are encouraged to make their own decisions and take action on their own accord. The acceptance of accountability and responsibility has been cascaded throughout the organization in a consistent manner.
Measurement -- Metrics are used adaptively, depending upon the current need.
Goal setting -- An integrated performance measurement system links IT performance to business goals. Exceptions are globally and consistently noted by management through root cause analysis. Continuous improvement has been inculcated into organizational culture through
o Ensuring continuous process improvement
o Correcting the root causes of problems
