Many small – and large – businesses have not invested in information security. With the changing landscapes in IT, every company is becoming a software company. We need to ensure that our business(es) are secured to protect the wealth generated by the operation.
I created security organizations at multiple companies built on a solid understanding of NIST 800-53. This publication is a government document. It is a bear to read, understand, and implement – and a highly recommended cure for minor insomnia. I have used my framework to communicate the need for security to executive teams and provide a framework to define where the company should invest.
The framework is based on two ideas: NIST 800-53 and Capability Maturity Model. Using the NIST document, I created a control card for each recommended control proposed in the publication. Each control card is then given a current maturity rating based on the 1-5 rating presented in the model. After assessing where you currently are as a business, you then give a desired maturity rating to each control.
Figure 1. Control Card Template
Figure 2. Control Card Example
Once all controls are given a current and desired maturity, you can identify the gaps of where you are, and where you want to be. Create projects to bridge these gaps and prioritize based on business risks the gaps present. After the project completes, update the framework and review the current and desired maturities again as the internal and external forces change. I recommend doing a yearly review once the framework is implemented.
- Steal this document
- Read and understand the model
- Give a Current Rating to each control
- Give a Desired Rating to each control
- Identify gaps
- Scope projects to close gaps
- Execute projects
- Rinse and repeat
Hopefully this helps you out. It can be difficult translating our mission to the business and explaining why our work is important. This framework was created to help build the understanding at an executive level to identify the why behind our projects. It even has pretty colors and pictures for management 🙂
Thanks for reading! If you have any questions or comments (or want the source doc) – hit me up on twitter @setoptz and I will be happy to share.
Attachments: Security Framework – General