The primary goal of the Unified Compliance Framework is to help your organization harmonize its compliance efforts across multiple authority documents (regulations, standards, contractual agreements), so that when you employ one control, that same control can "count" toward every compliance initiative you fall under.
To that end, we provide all of our reports in a spreadsheet table format, or impact matrix, for each and every IT Impact Zone we track. These matrices cross reference the authority documents (listed across the top of the screen) with each of the controls that they call out (listed in the left hand column).
Down the left side of the screen, users are presented with simple control titles, each an active URL link, so that if you want to drill down to learn more about a control, you can do so.
Across the top of the screen, the authority document categories have a small plus sign (+) that you can click in order to expand the grouping and see each and every document we are tracking within that category, and each and every cross reference listing down to the individual paragraph or section of the document being tracked.
As you can tell in the table above, this makes it very easy to compare control objectives with the authority documents that call for them. It makes it easy to identify how the authority documents overlap each other. It makes it easy to reveal how the requirements are organized and which controls they call for.
Using the HTML version of the matrices
By default, the HTML version of the IT Impact Matrices is shown with all of the authority document groups collapsed, each group showing a boolean value indicating whether or not the group supports the control (marked by an "X"). Any group may be expanded to see each authority document entry by clicking the small plus sign (+) next to the group's name, as shown below.

Once the plus sign has been clicked, the table will expand and each individual authority document will be listed, along with the pertinent section or paragraph within the document that pertains to the control in question. Collapsing back to the overall authority group is accomplished by clicking the minus sign as shown below.

Using the Excel spreadsheet version of the matrices
The Excel spreadsheet version of each of the matrices is slightly modified due to the inherent differences between Excel and HTML. The changes are in the way that the authority groups open and close, additional links within the authority groups, and the addition of navigation tabs and a CMMI tab for tracking progress.
By default, the Excel version of the IT Impact Matrices is shown with all of the authority document groups collapsed, each group showing a boolean value indicating whether or not the group supports the control (marked by an "X"). Any group may be expanded to see each authority document entry by clicking the small plus sign (+) next to the group's name, as shown below.

Once the plus sign has been clicked, the table will expand and each individual authority document will be listed, along with the pertinent section or paragraph within the document that pertains to the control in question. In addition, each authority document has its own active link so that you can download the document in question. Collapsing back to the overall authority group is accomplished by clicking the minus sign as shown below.
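To make the collapse/expand behaviour of both the HTML and Excel matrices concrete, the following is an added example (not UCF code or UCF data) that models an impact matrix from a flat list of cross references; all group, document, section and control names in it are constructed placeholders.

```python
"""Toy model of an IT Impact Matrix: controls (rows) versus authority documents (columns).

Added example, not the Unified Compliance Framework's own code or data. Every name below
is a constructed placeholder, not an actual authority document or UCF control identifier.
"""
from collections import defaultdict

# Constructed cross references: (authority group, authority document, section, control title).
CROSS_REFS = [
    ("Payment card group", "Card standard (placeholder)", "sec. 11.1", "Test the security of systems"),
    ("Payment card group", "Card standard (placeholder)", "sec. 12.1", "Maintain a security policy"),
    ("Government group", "Regulation A (placeholder)", "para. 4(b)", "Test the security of systems"),
    ("Government group", "Regulation A (placeholder)", "para. 2(a)", "Maintain a security policy"),
    ("Government group", "Regulation B (placeholder)", "art. 7", "Maintain a security policy"),
    ("Industry group", "Standard C (placeholder)", "clause 5.1", "Maintain a security policy"),
]


def build_matrix(refs):
    """Return {control: {group: {document: [sections]}}} from the flat cross-reference list."""
    matrix = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for group, doc, section, control in refs:
        matrix[control][group][doc].append(section)
    return matrix


def collapsed_row(matrix, control, groups):
    """Collapsed (default) view: 'X' when any document in the group calls for the control."""
    return {g: ("X" if g in matrix.get(control, {}) else "") for g in groups}


def expanded_row(matrix, control, group):
    """Expanded view after clicking the plus sign: each document with the sections citing the control."""
    return {doc: sorted(secs) for doc, secs in matrix.get(control, {}).get(group, {}).items()}


def harmonization_count(matrix, control):
    """Number of distinct authority documents one implemented control 'counts' for."""
    return sum(len(docs) for docs in matrix.get(control, {}).values())


if __name__ == "__main__":
    m = build_matrix(CROSS_REFS)
    groups = ["Payment card group", "Government group", "Industry group"]
    for control in sorted(m):
        print(control, collapsed_row(m, control, groups), "documents:", harmonization_count(m, control))
    print(expanded_row(m, "Maintain a security policy", "Government group"))
```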

Tracking your control maturity level (Excel only)
The Excel version of the tables also includes a maturity model (CMMI) tab so that you can track your organization's maturity level as it relates to your compliance status.

A maturity model is a structured collection of elements that describe the characteristics of effective processes. It provides a place to start, a structure for prioritizing actions, and a way to define what improvement means for an organization.
Whether or not an organization fulfills a control's objective isn't a Boolean answer - there is no real way to determine simply if we are or aren't complying by providing a yes or no answer. It's a matter of levels of maturity. No auditor would say that your organization has complied with a required objective if your staff at one point in time executed a control (such as "tested for security of a system") but then never repeated the process nor measured its success.
There are six more or less agreed upon and defined levels of process maturity for an organization within the frameworks we've studied. Some frameworks such as CMMI ignore level zero while others such as CobiT include zero. In addition, CobiT adds seven qualitative attributes in order to better identify an organization's level of maturity. These seven attributes are awareness and communication; policies, standards, and procedures; tools and automation; skills and expertise; responsibility and accountability; goal setting; and measurement. For goal setting and measurement, we have combined the CobiT attributes with the CMMI general goals for each level. Here are the levels and their associated attributes and goals as we apply them within the Unified Compliance Framework.
0. Nonexistent (complete lack): There are no recognizable processes that fit this particular control, nor does the organization recognize that there is an issue to be addressed regarding this control.
1. Initial (chaotic, ad hoc, individual heroic efforts): There is evidence that the organization has recognized that the issue exists and needs to be addressed. Without standardization, there are ad hoc approaches to each issue that are applied either person-by-person or situation-by-situation. In other words, processes are unpredictable, poorly controlled, and reactive.
Awareness and communication - recognition of the need for the process is emerging, but there is sporadic, often confusing communication of the issues.
Policies, standards and procedures - There are ad hoc approaches to processes and practices and policies are as yet undefined.
Tools and automation - While tool usage might exist, there is no planned approach.
Skills and expertise - Required skills are not identified and no training plan exists.
Responsibility and accountability - Ownership is based upon personal pride without any definition of accountability and responsibility.
Measurement - At this point, metrics cannot provide a trusted baseline because the baseline either does not exist or is being developed.
Goal setting - The overall goal is to be able to perform the base practices, without any real measurement, by
o Identifying and involving relevant stakeholders
o Performing the base practices
2. Repeatable (project management, process discipline): The process is used repeatedly. Similar procedures are followed by different groups or people when undertaking the same task. However, there is no formalized standardization, documentation, communication, or training of procedures. All intellectual property of the process is locked inside each person's mind.
Awareness and communication - Management are aware of the need to act and are able to communicate their basic issues.
Policies, standards, and procedures - Informal documentation and understanding of policies, standards, and procedures exist. Intuitive common processes are emerging based upon individual expertise.
Tools and automation - Individuals within the organization have created tool based automation that may or may not have become common usage among their peers.
Skills and expertise - For critical areas, minimum skill requirements have been identified. On the job training is provided in response to specific needs only, without a formal training plan being developed.
Responsibility and accountability - Individuals are assuming responsibility and are being held informally accountable. However, there is confusion about responsibility when problems occur, leading to finger pointing and blame.
Measurement - At this point metrics are binary - either the process is being performed or not. Baselines are now being established and defined.
Goal setting - The overall goal for this phase is to institutionalize a managed process through
o Establishing an organizational policy
o Documenting processes and procedures
o Providing the necessary resources
o Assigning responsibility
o Training the staff
o Managing configurations
o Monitoring and controlling the process
o Objectively evaluating adherence
o Reviewing the status with higher level management
3. Defined (institutionalized): The process is defined and confirmed as a standard, documented course of action. Existing practices have been formalized into policies that have been documented and communicated. Standards have been created to regularize key parameters within policies. Procedures that carry out these policies have been harmonized, documented, and communicated, and staff have been trained. However, there is no continuous monitoring and measurement that the processes are being followed according to procedure.
Awareness and communication - Management is formal and structured in its communication of its understanding of the need to act.
Policies, standards, and procedures - The policies, standards, procedures, and processes are defined and documented for all key activities. Usage of good practices has emerged.
Tools and automation - A plan has been defined for the use and standardization of process automating tools. However, individual tool usage may not be integrated with other related tools.
Skills and expertise - Skill requirements are defined and documented for all areas. A formal training plan has been developed, but the actual training that takes place is based upon individual initiative.
Responsibility and accountability - Process owners have been identified with process accountability and responsibility defined and documented. However, process owners are unlikely to have full authority to exercise their initiatives.
Measurement - Tolerances of change for metrics are being established.
Goal setting - The overall goal for this phase is to institutionalize a defined process through
o Ensuring full dissemination of defined procedures and processes
o Collecting improvement information
4. Managed (quantified): Process management and measurement take place. Through the monitoring and measurement of compliance with organizational policies, standards, and procedures, the organization is able to intervene and take action where processes are not effective.
Awareness and communication - Management is able to maturely use techniques and tools to communicate their understanding of their full requirements.
Policies, standards, and procedures - All aspects of the process are documented and repeatable. Policies are approved by management and documented. Standards for developing policies and procedures are adopted and followed.
Tools and automation - Tools are implemented according to a standardized plan and some have been integrated with other related tools. Tools are being used in main areas to automate management of processes, as well as monitor critical activities and controls.
Skills and expertise - Skill requirements are routinely updated for all areas with proficiency being ensured for all critical areas. Mature training techniques are applied according to a training plan with knowledge sharing being encouraged. Internal domain experts are involved in training. Effectiveness of the training plan is routinely assessed.
Responsibility and accountability - Process owners have full authority to exercise their initiatives with accountability and responsibility fully accepted by management. A reward culture has been put into place.
Measurement - Metrics are now statistically valid with an increase in their breadth and interconnectedness.
Goal setting - Effectiveness and efficiency are linked to business goals and the overall IT strategy. Root cause analysis is being standardized through institutionalizing a quantitatively managed process by
o Establishing quantitative objectives for procedures and processes
o Stabilizing sub-process performance
5. Optimizing (process improvement): Process management includes deliberate process optimization and improvement. Processes are being continuously refined to a level of best practice.
Awareness and communication - Management is able to integrate tools and techniques when proactively communicating their forward-looking understanding of issues and requirements based upon trend analysis.
Policies, standards, and procedures - Process documentation has evolved into automated workflows. Policies and procedures are standardized and integrated to enable end-to-end improvement.
Tools and automation - Tools are fully integrated with other related tools to enable end-to-end support of processes, automatically detect control exceptions, and improve the process. Standardized toolsets are used across the enterprise.
Skills and expertise - Based upon organizational goals, continuous improvement of skills is formally encouraged. Training and education support best practices and use leading-edge concepts and techniques. Knowledge sharing and knowledge-based systems have been formalized.
Responsibility and accountability - Process owners are encouraged to make their own decisions and take action on their own accord. The acceptance of accountability and responsibility has been cascaded throughout the organization in a consistent manner.
Measurement - Metrics are used adaptively, depending upon the current need.
Goal setting - An integrated performance measurement system links IT performance to business goals. Exceptions are globally and consistently noted by management through root cause analysis. Continuous improvement has been inculcated into organizational culture through
o Ensuring continuous process improvement
o Correcting the root causes of problems
Supporting vendor information
Beginning with the PCI-DSS related tables, the Unified Compliance Framework is working with vendor groups such as the PCI Security Vendor Alliance and others to include vendors that have proven they directly support the controls we've aligned them with. Therefore, within the Excel tables we've added a tab that shows the currently mapped vendor products.
In order to be mapped into the tables, the vendors are run through a screening process and must show us in their manuals which page or pages the user can turn to for guidance on using their products to support the control in question.
