Comparative analysis of maturity models to evaluate information security
DOI: https://doi.org/10.18372/2410-7840.21.14337
Keywords: information security, maturity model, ISO 27001, ISMS, comparative analysis, metrics
Abstract
Information security can be defined as the protection of information assets by treating the risks of violating the confidentiality, integrity and availability of information that is processed, stored and transmitted between interconnected information systems, and as a process that includes preventing, detecting and responding to information security threats. In world practice, the concept of a maturity model is used to determine the stage of organizational and technological development of an organization and its processes. To measure the state of a process, a set of metrics representing certain characteristics is used. Evaluating these metrics against an established scale shows the state of the processes, which characterizes their level of maturity. In contrast to Ukrainian practice, the application of maturity models to the management of information security processes is widespread worldwide. An example is the ISO 27000 series of standards, which governs information security management implemented on the basis of an Information Security Management System (ISMS). Sooner or later, an organization engaged in information security management faces the question of how to fulfil these requirements, to what extent and at what level of detail. A maturity model can help answer these and other questions, and on its basis the maturity level of information security processes can be evaluated. To identify the main information security maturity models, an analysis of open sources and best practices related to such models was carried out. Based on the results of this analysis, the most applicable information security maturity models were determined, namely SSE-CMM, C2M2, NICE and O-ISM3.
References
Select Business Solutions. [Electronic resource]. Access: http://www.selectbs.com/process-maturity/what-is-the-capability-maturity-model.
M. Lessing, "Best practices show the way to Information Security Maturity". [Electronic resource]. Access: http://researchspace.csir.co.za/dspace/bitstream/handle/10204/3156/Lessing6_2008.pdf?sequence=1&isAllowed=y.
G. White, "The community cyber security maturity model", in: IEEE International Conference on Technologies for Homeland Security, pp. 173-178, 2011.
SSE-CMM. [Electronic resource]. Access: https://pqm-online.com/assets/files/lib/std/gost_r_iso_mek_21827-2010.pdf.
Department of Energy, Cybersecurity Capability Maturity Model (C2M2): Version 1.1, Department of Homeland Security, 2014.
US Department of Homeland Security, Cybersecurity Capability Maturity Model: Version 1.0, White paper, Department of Homeland Security, 2014. [Electronic resource]. Access: https://niccs.us-cert.gov/sites/default/files/Capability%20Maturity%20Model%20White%20Paper.pdf?trackDocs=Capability%20Maturity%20Model%20White%20Paper.pdf.
The Open Group, Open Information Security Management Maturity Model (O-ISM3), Technical report, Open Group, 2017.
N. Miloslavskaya, R. Sagirov, "Review of maturity models of information security management processes" (in Russian).
License
The scientific journal adheres to the principles of Open Access and provides free, immediate, and permanent access to all published materials without financial, technical, or legal barriers for readers.
All articles are published in Open Access under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.
Copyright
Authors who publish their works in the journal:
- retain the copyright to their publications;
- grant the journal the right of first publication of the article;
- agree to the distribution of their materials under the CC BY 4.0 license;
- have the right to reuse, archive, and distribute their works (including in institutional and subject repositories), provided that proper reference is made to the original publication in the journal.