Security maturity assessment method

US 20040010709A1
Filed: 04/29/2002
Published: 01/15/2004
Est. Priority Date: 04/29/2002
Status: Active Grant

First Claim

Patent Images

1. A method for assessing an information security policy and practice of an organization, comprising:

determining a risk associated with the information security policy and practice;

collecting information about the information security policy and practice;

generating a rating using a security maturity assessment matrix, the collected information, and the risk associated with the information security policy and practice;

generating a list of corrective actions using the rating;

executing the list of corrective actions to create a new security information policy and practice; and

monitoring the new security information policy and practice.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for assessing an information security policy and practice of an organization, including determining a risk associated with the information security policy and practice, collecting information about the information security policy and practice, generating a rating using a security maturity assessment matrix, the collected information, and the risk associated with the information security policy and practice, generating a list of corrective actions using the rating, executing the list of corrective actions to create a new security information policy and practice, and monitoring the new security information policy and practice.

192 Citations

19 Claims

1. A method for assessing an information security policy and practice of an organization, comprising:
- determining a risk associated with the information security policy and practice;
  
  collecting information about the information security policy and practice;
  
  generating a rating using a security maturity assessment matrix, the collected information, and the risk associated with the information security policy and practice;
  
  generating a list of corrective actions using the rating;
  
  executing the list of corrective actions to create a new security information policy and practice; and
  
  monitoring the new security information policy and practice.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - generating a new rating using the security capability assessment matrix when there is a change in an information security environment of the organization.
  - 3. The method of claim 1, further comprising:
    - generating a graphical assessment of the rating.
  - 4. The method of claim 3, wherein the graphical assessment of the rating is generated by a security maturity assessment reporting tool.
  - 5. The method of claim 4, wherein the security maturity assessment reporting tool comprises functionality to track the rating of the security information policy and practice over time.
  - 6. The method of claim 4, wherein the security maturity assessment reporting tool comprises functionality to graphically compare the rating to a rating goal.
  - 7. The method of claim 1, the collecting information comprising collection of documentation detailing the information security policy and practice of the organization.
  - 8. The method of claim 1, the security assessment matrix comprising a matrix in which each of a plurality of columns denote a maturity level and each of a plurality of rows denote a particular information security feature such that the intersection of one of the plurality of columns with one of the plurality of rows is a capability maturity level.
  - 9. The method of claim 8, wherein each of the plurality of rows is a grouping of British Standards Institution 7799 items.
  - 10. The method of claim 8, wherein each of the plurality of rows is a grouping of a set of controls outlining best mode practices in information security.
  - 11. The method of claim 8, wherein each of the plurality of rows is a grouping of International Organization for Standardization 17799 items.
  - 12. The method of claim 8, wherein each of the plurality of columns is a maturity level defined in accordance with the Capability Maturity Model of the Software Engineering Institute.
  - 13. The method of claim 9, the grouping of British Standards Institution 7799 items comprising a British Standards Institution 7799 category.
  - 14. The method of claim 11, the grouping of International Organization for Standardization 17799 items comprising an International Organization for Standardization 17799 category.
  - 15. The method of claim 1, the generating the list of corrective actions comprising comparing a description of a current maturity level of an organization for each of a plurality of information security items in the security assessment matrix with a description of a desired maturity level for each of the plurality of information security items.

16. An apparatus for assessing an information security policy and practice of an organization, comprising:
- means for determining a risk associated with the information security policy and practice;
  
  means for collecting information about the information security policy and practice;
  
  means for generating a rating using a security maturity assessment matrix, the collected information, and the risk associated with the information security policy and practice;
  
  means for generating a list of corrective actions using the rating;
  
  means for executing the list of corrective actions to create a new security information policy; and
  
  means for monitoring the new security information policy.
- View Dependent Claims (17)
- - 17. The apparatus of claim 16, further comprising:
    - means for generating a new rating using the security maturity assessment matrix if there is a change in the information security environment of the organization.

18. A computer system for assessing an information security policy and practice of an organization, comprising:
- a processor;
  
  a memory;
  
  an input means; and
  
  software instructions stored in the memory for enabling the computer system under control of the processor, to perform;
  
  determining a risk associated with the information security policy and practice;
  
  collecting information about the information security policy and practice using the input means;
  
  generating a rating using a security maturity assessment matrix, the collected information, and the risk associated with the information security policy and practice;
  
  generating a list of corrective actions using the rating;
  
  executing the list of corrective actions to create a new security information policy and practice; and
  
  monitoring the new security information policy and practice.
- View Dependent Claims (19)
- - 19. The computer system of claim 18, further comprising:
    - software instructions to perform generating a new rating using the security maturity assessment matrix if there is a change in the information security environment of the organization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DEXA Systems Incorporated
Original Assignee
Schlumberger Technology Corporation (Schlumberger NV)
Inventors
Elliott, Colin R., Baudoin, Claude R.

Granted Patent

US 7,290,275 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06Q 40/08 Insurance

Security maturity assessment method

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

192 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security maturity assessment method

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

192 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links