Security maturity assessment method

US 7,290,275 B2
Filed: 04/29/2002
Issued: 10/30/2007
Est. Priority Date: 04/29/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for assessing an information security policy and practice of an organization, comprising:

collecting information about the information security policy and practice of the organization;

generating a rating for each of a plurality of information security items using a security maturity assessment matrix and the collected information,wherein the security maturity assessment matrix comprises a first dimension and a second dimension,wherein the first dimension corresponds to the plurality of information security items;

wherein the second dimension corresponds to a plurality of maturity levels;

wherein at least one of the plurality of maturity levels corresponds to a maturity level associated with a Capability Maturity Model, andwherein each rating is derived using the first dimension and the second dimension; and

determining how to modify the information security policy and practice of the organization using the rating for the at least one of the plurality of security items.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for assessing an information security policy and practice of an organization, including determining a risk associated with the information security policy and practice, collecting information about the information security policy and practice, generating a rating using a security maturity assessment matrix, the collected information, and the risk associated with the information security policy and practice, generating a list of corrective actions using the rating, executing the list of corrective actions to create a new security information policy and practice, and monitoring the new security information policy and practice.

518 Citations

35 Claims

1. A method for assessing an information security policy and practice of an organization, comprising:
- collecting information about the information security policy and practice of the organization;
  
  generating a rating for each of a plurality of information security items using a security maturity assessment matrix and the collected information,wherein the security maturity assessment matrix comprises a first dimension and a second dimension,wherein the first dimension corresponds to the plurality of information security items;
  
  wherein the second dimension corresponds to a plurality of maturity levels;
  
  wherein at least one of the plurality of maturity levels corresponds to a maturity level associated with a Capability Maturity Model, andwherein each rating is derived using the first dimension and the second dimension; and
  
  determining how to modify the information security policy and practice of the organization using the rating for the at least one of the plurality of security items.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, further comprising:
    - generating a new rating for each of a plurality of information security items using the security maturity assessment matrix when there is a change in an information security environment of the organization.
  - 3. The method of claim 1, further comprising:
    - generating a graphical assessment of the ratings.
  - 4. The method of claim 3, wherein the graphical assessment of the ratings is generated by a security maturity assessment reporting tool.
  - 5. The method of claim 4, wherein the security maturity assessment reporting tool comprises functionality to track the ratings of each of the plurality of information security items over time.
  - 6. The method of claim 4, wherein the security maturity assessment reporting tool comprises functionality to graphically compare the ratings associated with each of the plurality of information security items with a corresponding rating goal associated with each of the plurality of information security items.
  - 7. The method of claim 1, the collecting information comprising collection of documentation detailing the information security policy and practice of the organization.
  - 8. The method of claim 1, wherein at least one of the plurality of information security items corresponds to a best mode practice in information security.
  - 9. The method of claim 1, wherein determining how to modify the information security policy and practice of the organization, comprises:
    - generating a corrective action using the rating for at least one of the plurality of information security items and the security maturity assessment matrix.
  - 10. The method of claim 9, further comprising:
    - executing the corrective action to create a new security information policy and practice.
  - 11. The method of claim 10, further comprising:
    - monitoring the new security information policy and practice.
  - 12. The method of claim 9, wherein generating the corrective action comprises:
    - obtaining a first description from the security maturity assessment matrix corresponding to the rating of the at least one of the plurality of information security items;
      
      obtaining a second description from the security maturity assessment matrix corresponding to a goal rating of the at least one of the plurality of information security items; and
      
      comparing the first description with the second description to obtain the corrective action for the at least one of the plurality of information security items.
  - 13. The method of claim 1, wherein at least one of the plurality of security items corresponds to an information security item associated with at least one selected from the group consisting of BS7799 and ISO17799.
  - 14. The method of claim 1, wherein the maturity level is at least one selected from the group consisting of:
    - initial, repeatable, defined, managed, and optimized.
  - 15. The method of claim 1, wherein at least one of the plurality of information security items in the first dimension is associated with a scope requirement.
  - 16. The method of claim 15, wherein the scope requirement defines what portions of the organization to which the at least one of the plurality of information security items applies.
  - 17. The method of claim 1, wherein the first dimension is displayed using at least one row and the second dimension is displayed using at least one column.

18. An apparatus for assessing an information security policy and practice of an organization, comprising:
- means for collecting information about the information security policy and practice of the organization;
  
  means for generating a rating for each of a plurality of information security items using a security maturity assessment matrix and the collected information,wherein the security maturity assessment matrix comprises a first dimension and a second dimension,wherein the first dimension corresponds to the plurality of information security items;
  
  wherein the second dimension corresponds to a plurality of maturity levels;
  
  wherein at least one of the plurality of maturity levels corresponds to a maturity level associated with a Capability Maturity Model, andwherein each rating is derived using the first dimension and the second dimension; and
  
  means for determining how to modify the information security policy and practice of the organization using the rating for the at least one of the plurality of security items.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 29, 30, 31)
- - 19. The apparatus of claim 18, further comprising:
    - means for generating a new rating for each of a plurality of information security items using the security maturity assessment matrix if there is a change in the information security environment of the organization.
  - 20. The apparatus of claim 18, wherein determining how to modify the information security policy and practice of the organization, comprises:
    - means for generating a corrective action using the rating for at least one of the plurality of information security items and the security maturity assessment matrix.
  - 21. The apparatus of claim 20, further comprising:
    - means for executing the corrective action to create a new security information policy and practice.
  - 22. The apparatus of claim 21, further comprising:
    - means for monitoring the new security information policy and practice.
  - 23. The apparatus of claim 21, wherein the scope requirement defines what portions of the organization to which the at least one of the plurality of information security items applies.
  - 24. The apparatus of claim 18, wherein at least one of the plurality of security items corresponds to an information security item associated with at least one selected from the group consisting of BS7799 and ISO17799.
  - 25. The apparatus of claim 18, wherein the maturity level is at least one selected from the group consisting of:
    - initial, repeatable, defined, managed, and optimized.
  - 26. The apparatus of claim 18, wherein at least one of the plurality of information security items in the first dimension is associated with a scope requirement.
  - 29. The computer system of claim 18, wherein software instructions for determining how to modify the information security policy and practice of the organization, comprises:
    - software instructions for generating a corrective action using the rating for at least one of the plurality of information security items and the security maturity assessment matrix.
  - 30. The computer system of claim 29, further comprising:
    - software instructions for executing the corrective action to create a new security information policy and practice.
  - 31. The computer system of claim 30, further comprising:
    - software instructions for monitoring the new security information policy and practice.

27. A computer system for assessing an information security policy and practice of an organization, comprising:
- a processor;
  
  a memory;
  
  an input means; and
  
  software instructions stored in the memory for enabling the computer system under control of the processor, to perform;
  
  collecting information about the information security policy and practice of the organization;
  
  generating a rating for each of a plurality of information security items using a security maturity assessment matrix and the collected information,wherein the security maturity assessment matrix comprises a first dimension and a second dimension,wherein the first dimension corresponds to the plurality of information security items;
  
  wherein the second dimension corresponds to a plurality of maturity levels;
  
  wherein at least one of the plurality of maturity levels corresponds to a maturity level associated with a Capability Maturity Model, andwherein each rating is derived using the first dimension and the second dimension;
  
  determining how to modify the information security policy and practice of the organization using the rating for the at least one of the plurality of security items.
- View Dependent Claims (28, 32, 33, 34, 35)
- - 28. The computer system of claim 27, further comprising:
    - software instructions to perform generating a new rating for each of a plurality of information security items using the security maturity assessment matrix if there is a change in the information security environment of the organization.
  - 32. The computer system of claim 27, wherein at least one of the plurality of security items corresponds to an information security item associated with at least one selected from the group consisting of BS7799 and ISO17799.
  - 33. The computer system of claim 27, wherein the maturity level is at least one selected from the group consisting of:
    - initial, repeatable, defined, managed, and optimized.
  - 34. The computer system of claim 27, wherein at least one of the plurality of information security items in the first dimension is associated with a scope requirement.
  - 35. The computer system of claim 34, wherein the scope requirement defines what portions of the organization to which the at least one of the plurality of information security items applies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DEXA Systems Incorporated
Original Assignee
Schlumberger Omnes, Inc. (Schlumberger NV)
Inventors
Elliott, Colin R., Baudoin, Claude R.
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US10/134,815
Publication Number

US 20040010709A1
Time in Patent Office

2,010 Days
Field of Search

713/200, 713/201, 726/1
US Class Current

726/1
CPC Class Codes

G06Q 40/08 Insurance

Security maturity assessment method

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

518 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Security maturity assessment method

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

518 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links