Measuring Information Security: Combining the SSE-CMM with the ISO 17799 Standard
Abstract
Information security (IS) incidents are on the rise, with new attacks reported daily. How have system administrators and security professionals reacted to these new threats? Traditionally, system owners have rushed to “acquire the latest cure” (Nielsen, 2000), implementing today’s fix with little thought to the benefit truly gained from such tools. This historical approach to system security is yielding to a model of increased accountability; in short, IS professionals are being asked, “How secure are we?” (Payne, 2001). Answers to this and similar questions are not easily derived (Payne, 2001). Since the late 1970s and early 1980s, when the annual loss expectancy (ALE) calculation was developed, security professionals have attempted to define security by a single distinct value, ALE (Fletcher, 1995). Since then, additional IS management documents, defined by Fletcher (1995) as third-generation information security tools, have been developed, including a number of guidance documents published to assist organizations in establishing and maintaining their IT security programs; examples include the NIST Handbook, the CSE Guide and ISO 17799 (Hopkins, 1999). Unfortunately, these guidance tools share a problem: they offer no way to measure the IS parameters they define easily, effectively or efficiently (Payne, 2001). This research has yielded a metric-based IS maturity framework constructed by combining the ISO 17799 standard with the Systems Security Engineering Capability Maturity Model (SSE-CMM). The study illustrates the complementary nature of the SSE-CMM and the ISO standard and shows how the SSE-CMM can be used to assess the maturity of the practices implemented according to the ISO 17799 specifications. The end result is a self-facilitated metrics-based security assessment (MBSA) framework that allows organizations to assess the maturity of their IS processes.
By using the SSE-CMM to measure the maturity of industry-accepted IS process standards, the findings of this study enable professionals to identify areas for improvement and measure effectiveness in a more consistent, reliable and timely manner. They also allow a more dependable qualitative measurement of the returns achieved on given IS investments. Ultimately, this research provides professionals an additional, more robust self-assessment tool for answering “How secure are we?”
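The abstract does not give the scoring rules of the MBSA framework, so the Python below is an added illustration of the combination it describes, not the paper's own method: constructed practice ratings from ISO 17799:2000 control areas are placed on the SSE-CMM capability levels 0 to 5, then rolled up into per-area maturity, gaps against a target level, and the areas the assessment never covered (a coverage gap a practitioner should report separately from a low score). The weakest-link rule per area, the target level of 3, the sample practices, levels and evidence strings are all assumptions of this example. ISO 17799 was renumbered ISO/IEC 27002 in 2007; the ten control areas used here are those of the 2000 edition.

```python
"""Illustrative maturity roll-up: SSE-CMM capability levels over ISO 17799 control areas.

Added example, not the paper's MBSA framework. The per-area weakest-link rule,
the target level and the sample ratings are assumptions made for illustration.
"""
from dataclasses import dataclass

# SSE-CMM capability levels, as defined by the model.
SSE_CMM_LEVELS = {
    0: "Not Performed",
    1: "Performed Informally",
    2: "Planned and Tracked",
    3: "Well Defined",
    4: "Quantitatively Controlled",
    5: "Continuously Improving",
}

# The ten control areas of ISO 17799:2000.
ISO_17799_AREAS = [
    "Security policy",
    "Organizational security",
    "Asset classification and control",
    "Personnel security",
    "Physical and environmental security",
    "Communications and operations management",
    "Access control",
    "Systems development and maintenance",
    "Business continuity management",
    "Compliance",
]


@dataclass(frozen=True)
class PracticeRating:
    area: str       # one of ISO_17799_AREAS
    practice: str   # a practice within that area (constructed for the example)
    level: int      # SSE-CMM capability level 0-5 assigned by the assessor
    evidence: str   # what the assessor saw (constructed for the example)


def validate(ratings):
    """Reject ratings that name an unknown control area or an out-of-range level."""
    for r in ratings:
        if r.area not in ISO_17799_AREAS:
            raise ValueError(f"unknown ISO 17799 area: {r.area!r}")
        if r.level not in SSE_CMM_LEVELS:
            raise ValueError(f"SSE-CMM level out of range: {r.level}")


def area_maturity(ratings):
    """Per-area maturity is the lowest level among the area's rated practices.

    Weakest-link rule (an assumption of this example): one informally performed
    practice undermines an otherwise well-defined control area.
    """
    validate(ratings)
    levels = {}
    for r in ratings:
        levels.setdefault(r.area, []).append(r.level)
    return {area: min(ls) for area, ls in levels.items()}


def assess(ratings, target=3):
    """Roll up to an overall figure, ordered gaps, and unassessed areas.

    The overall value is the mean over assessed areas only; areas with no rating
    are reported as a coverage gap rather than silently scored as zero.
    """
    per_area = area_maturity(ratings)
    assessed = [per_area[a] for a in ISO_17799_AREAS if a in per_area]
    overall = sum(assessed) / len(assessed) if assessed else 0.0
    gaps = sorted(((a, lvl) for a, lvl in per_area.items() if lvl < target),
                  key=lambda item: (item[1], item[0]))  # weakest area first
    unassessed = [a for a in ISO_17799_AREAS if a not in per_area]
    return {"overall": overall, "per_area": per_area,
            "gaps": gaps, "unassessed": unassessed}


def format_report(result):
    """Render the assessment as plain text for a self-facilitated review."""
    lines = [f"Overall maturity (mean of assessed areas): {result['overall']:.2f}"]
    for area, lvl in result["gaps"]:
        lines.append(f"  gap: {area}: level {lvl} ({SSE_CMM_LEVELS[lvl]})")
    for area in result["unassessed"]:
        lines.append(f"  not assessed: {area}")
    return "\n".join(lines)


# Constructed sample ratings; the practices and evidence are not from the paper.
SAMPLE_RATINGS = [
    PracticeRating("Security policy", "Information security policy document", 3,
                   "Approved policy, owner named, reviewed annually"),
    PracticeRating("Security policy", "Review and evaluation", 2,
                   "Reviews scheduled but procedure not documented"),
    PracticeRating("Access control", "User password management", 2,
                   "Password rules enforced, no tracked review of exceptions"),
    PracticeRating("Access control", "Privilege management", 1,
                   "Administrative rights granted ad hoc by e-mail"),
    PracticeRating("Compliance", "Compliance with legal requirements", 3,
                   "Legal register maintained, defined review procedure"),
    PracticeRating("Business continuity management", "Business continuity planning process", 0,
                   "No continuity plan exists"),
]

if __name__ == "__main__":
    print(format_report(assess(SAMPLE_RATINGS)))
```

With the sample ratings, access control drops to level 1 because privilege management is informal even though password management is tracked, and six areas are listed as not assessed rather than being averaged in as zeros; both points are what a "How secure are we?" answer built from a single number would hide.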