As a risk management professional, you are evaluating the organizational risk management program using the risk maturity model. Which of the following is incorrect? (Wentz QOTD)
A. The term “maturity” refers to how well the risk management processes are performed.
B. A maturity model shall define five maturity levels.
C. Optimizing or optimized typically refers to the level of the best maturity.
D. Risk management in certain contexts can be a temporary endeavor.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. A maturity model shall define five maturity levels.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
A maturity model “may” (instead of SHALL or MUST) define five maturity levels because the commonly accepted traditional capability maturity model integration (CMMI) model defines five levels. However, it’s not always the case for a capability maturity model to do so. For example, the OWASP SAMM defines four levels only:
- 0: Implicit starting point representing the activities in the practice being unfulfilled
- 1: Initial understanding and ad hoc provision of the security practice
- 2: Increased efficiency and/or effectiveness of the security practice
- 3: Comprehensive mastery of the security practice at scale
Risk maturity models (RMMs) are still developing. Some RMMs may define five levels, but it is not a requirement.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.
Projects and programs are temporary endeavors; their outputs are transferred to operations to create and deliver value persistently. Project and program risk management can be ceased once projects and programs are closed.
Risk management has contexts. It can happen at various contexts or levels in an organization, such as the information system level, the business process level, the enterprise level, or the project/program level. In most cases, risk management is a persistent endeavor. However, it can be a temporary endeavor in certain contexts, e.g., risk management at the project/program level.
ISO 27001 control A.6.1.5 in Annex A, "Information security in project management," requires that "information security shall be addressed in project management, regardless of the type of the project." A project is "a temporary endeavor undertaken to create a unique product, service, or result. See also portfolio and program." (PMI) Risk management activities at the project level can cease once the project is closed.
NIST SP 800-53 R5 is a security control framework in which program management (PM) is one of the control families. A program comprises “related projects, subsidiary programs, and program activities managed in a coordinated manner to obtain benefits not available from managing them individually.” (PMI)
- Key words for use in RFCs to Indicate Requirement Levels
- SAMM – Software Assurance Maturity Model – OWASP
- PMI Lexicon of Project Management Terms
As a risk management professional, you are evaluating the organizational risk management program using the risk maturity model. Regarding the risk maturity model, which of the following is incorrect? (Wentz QOTD)