Comparative analysis of maturity models to evaluate information security
DOI: https://doi.org/10.18372/2410-7840.21.14337
Keywords: information security, maturity model, ISO 27001, ISMS, comparative analysis, metrics
Abstract
Information security can be defined as the protection of information assets by treating the risks of violating the confidentiality, integrity and availability of information that is processed, stored and transmitted between interconnected information systems, and as a process that includes preventing, detecting and responding to information security threats. In world practice, the concept of a maturity model is used to determine the stage of organizational and technological development of an organization and its processes. To measure the state of a process, a set of metrics representing certain characteristics is used. Evaluating these metrics against an established scale shows the state of the processes, which characterizes their level of maturity. In world practice, in contrast to Ukrainian practice, the application of maturity models to managing information security processes is widespread. An example is the ISO 27000 series of standards, which governs information security management implemented on the basis of an Information Security Management System (ISMS). Sooner or later, an organization engaged in information security management faces the question of how to fulfill these requirements, to what extent, and at what level of detail. A maturity model can help answer these and other questions, and on its basis the level of maturity of information security processes can be evaluated. To identify the main information security maturity models, an analysis of open sources and best practices related to such models was carried out. Based on the results of this analysis, the most applicable information security maturity models were determined, namely SSE-CMM, C2M2, NICE and O-ISM3.
License
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).