Security Maturity Model
One ISECOM project getting special attention from senior managers is the Security Maturity Model (SMM), which seeks to reconcile information security management (ISM) systems with BS7799-2:2002 by creating a standard for ISMs.
One Security Maturity Model working group participant is Martin Dion, chief technology officer of Montreal-based Above Security, which specializes in security management for networks and computer applications. "We are working to define the baseline. A standard capability maturity model normally uses multiple levels—zero to five—to define maturity levels," he says. The previous team "created the methodology, the suite of tools, but they didn't elaborate yet what's needed for level one, level two, and so on." That's where the new team is currently focused.
The Security Maturity Model stalled, but then got a new infusion of project participants. Other projects, such as Security Incident Policy Enforcement (SIPE) and the Software Testing Checklist (STICK), have lost project leaders, and they remain stalled. Still, Herzog often gets inquiries about the projects, or people mention using at least what's available. To move them forward, "We're always looking for new owners," says Herzog, adding that the call for volunteers is always open.
To expand on ISECOM's offer of practical, open-source security methodologies to end users and businesses, Herzog says he'll continue to drive related research, push for greater security awareness, and promote related certifications and training.
With such an approach, could fear, uncertainty, and doubt in information security practices soon be a thing of the past?