Which of the following is least suitable for being measured by a maturity model?
A. Enterprise risk management
B. Organizational procurement
C. Organizational service delivery
D. Security capabilities of an information system
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Security capabilities of an information system.
- There are many risk maturity models used to evaluate an organization’s capabilities of risk management, e.g, the RIMS RMM.
- CMMI is a well-known capability maturity model that integrates multiples models to assess the capabilities of engineering, procurement, and service delivery and to provide different maturity levels.
- The security capabilities of an information system are assessed for assurance. TCSEC, ITSEC, or Common Criteria are well-known assurance systems that render assurance levels instead of maturity levels.
Capability is the ability to do something or a feature or function. In the context of security, it may refer to “a set of mutually reinforcing security controls implemented by technical, physical, and procedural means. Such controls are typically selected to achieve a common information security-related purpose.” (NISTIR 8011 Vol. 1)
A maturity model is a “set of structured levels that describe how well the behaviors, practices, and processes of an organization can reliably and sustainably produce required outcomes.” (ISO/TR 14639-2:2014)
Capability Maturity Model
A capability maturity model is a “model that contains the essential elements of effective processes for one or more disciplines and describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.” (ISO/IEC/IEEE 24765:2017)
Capability Maturity Model Integration (CMMI)
- What is the RIMS Risk Maturity Model?
- Risk Maturity Models (wiley)
- Risk Management: A Maturity Model Based on ISO 31000
- Developing a generic risk maturity model (GRMM) for evaluating risk management in construction projects
- Using a Maturity Model to Assess Your Risk Management Program
- How does the RIMS RMM Work?
- What is Privacy by Design & Default?
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.