Benchmarking standards and maturity models are an absolute necessity in a variety of fields, but they’ve been slow to catch on in information risk management.
Most software developers use benchmarking tools like the ISO/IEC 15504 Process Assessment Standard to assess the maturity of their software life cycle processes. And HIMSS Analytics has developed a widely used resource called the Electronic Medical Record Adoption Model to help healthcare organizations gauge the maturity and effectiveness of their EMR implementations.
In risk management, there’s the National Institute of Standards and Technology Security Framework, but the name says it all: It’s a framework, not a maturity model. So to fill that void, we’ve developed a free resource called the Information Risk Management Capability Advancement Model (IRMCAM) that lets security, privacy and risk management professionals see how their programs stack up against key benchmarks. It is a maturity model for information risk management.
You Work for the "CIA"
All security/privacy pros work for the CIA: Confidentiality, Integrity and Availability of the data they help safeguard. The IRMCAM model is an objective way to determine the effectiveness of your methods and processes according to management best practices, against a clearly defined set of external benchmarks.
How does IRMCAM accomplish this? Let’s use a baseball analogy.
Every Major League Baseball team continuously assesses its players in key areas like hitting, pitching, fielding and so on. Then they assign rankings, where Level 1 might be “Just Covering The Bases” (no pun intended) to indicate that their starting pitchers are mediocre and so is the team batting average. Level 5 would be “Mature,” meaning that they’ve got four excellent starting pitchers and the team is leading the league in batting average and runs scored.
The IRMCAM model does essentially the same thing in information risk management. Here are the five major practice areas surveyed:
- Risk Management Governance and Awareness of Benefits and Value
- Risk Management People, Skills, Knowledge and Culture
- Risk Management Process, Discipline and Repeatability
- Risk Management Use of Standards, Technology Tools and Scalability
- Risk Management Engagement, Delivery and Operations
An organization then gets a Capability Level score in each practice area:
- Level 0 Incomplete: This is the “anything goes” ranking. There’s no risk management governance; practices are ad hoc and chaotic.
- Level 1 Performed: Way too much variance in risk practices, a few successes but also many failures.
- Level 2 Managed: The key word here is “some.” The organization has some risk management processes defined, documented and practiced, and some employees are trained in them.
- Level 3 Established: There’s board-issued guidance; risk management processes are consistent across the entire organization.
- Level 4 Predictable: The organization views risk management as a business enabler; predictive risk scenarios are used.
- Level 5 Mature: Risk is considered in all decisions. Real-time continuous monitoring of risk events is standard; processes and tools are continuously improved.
Web-Based Tool Makes It Easy
To assist organizations with maturity model assessments, we’ve created a free web-based survey tool called IRMCAMi. The first step is to assemble an assessment team with representatives from the board, senior management, compliance and other key stakeholders. The team must decide what capability level is desired (Predictable, Mature, etc.) Each team member then completes the IRMCAMi survey online. It’s that easy.
The survey results reveal your organization’s current maturity level and identify any gaps preventing you from reaching the desired level.
Benchmarking: Too Important To Ignore
The IRMCAM and IRMCAMi resources are designed to provide a highly accurate assessment of the strengths and weaknesses of your information security and risk management programs.
It’s a safe bet that many organizations that think they’re doing a stellar job are in fact falling short against key benchmarks. Now there’s a simple way to find out.
To get complimentary access to the IRMCAMi tool online, click here.
If you want to comment on this post, you need to login.