ESRM Maturity Assessment
How to Use This Model
The following assessment gives you the capacity to measure your enterprise's maturity level based on the current Enterprise Security Risk Management (ESRM) framework. Below are guidelines to get started.
Categories and Ratings
General Ratings
0 - Non-Existent/Not Wanted: The requirement is non-existent in the environment and/or not
desired.
1 - Ad Hoc: It is characteristic of processes at this level that they are (typically) undocumented
and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive
manner by users or events. This provides a chaotic or unstable environment for the processes.
2 - Repeatable: It is characteristic of processes at this level that some processes are
repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but
where it exists it may help to ensure that existing processes are maintained during times of
stress.
3 - Defined: It is characteristic of processes at this level that there are sets of defined and
documented standard processes established and subject to some degree of improvement over
time. These standard processes are in place (i.e., they are the AS-IS processes) and used to
establish consistency of process performance across the organization.
4 - Managed: It is characteristic of processes at this level that, using process metrics,
management can effectively control the AS-IS process (e.g., for software development). In
particular, management can identify ways to adjust and adapt the process to particular projects
without measurable losses of quality or deviations from specifications. Process Capability is
established from this level.
5 - Optimized: It is a characteristic of processes at this level that the focus is on continually
improving process performance through both incremental and innovative technological
changes/improvements.
Current Score
The current score is the score agreed to by the working group filling out the matrix on how the
enterprise is currently meeting the requirement as written. Separate scores for People and
Process are averaged to find the overall score.
People
1 - Risk knowledge is limited to a few key personnel, with no cross training between security
teams/groups and departments.
2 - Cross-functional teams are mostly in place, and roles/responsibilities regarding risk knowledge are generally understood.
3 - Cross-functional teams are in place, ESRM knowledge is transferred between teams, and roles/responsibilities regarding risk knowledge are well defined.
4 - Cross-functional teams are adequately staffed for ESRM, performance for these teams is measured, and ESRM development/training programs are in place for teams across the organization.
5 - ESRM performance metrics are measured and optimized.
Process
1 - ESRM/Risk processes do not exist or are performed in an ad hoc manner.
2 - ESRM/Risk processes exist and are repeatable.
3 - ESRM/Risk processes are defined and documented as a standardized process across the
organization.
4 - ESRM/Risk processes are measured against established metrics.
5 - ESRM/Risk processes are reviewed and proactively improved based on measurable results.
Governance Target
Governance Target is the target set by the security governance body, based on its risk-decision-making authority, of the most appropriate rating to meet the thresholds for risk as determined by the governing body.
Recommended Score
Recommended score is the recommendation from the security leadership, based on our
security expertise, of the most appropriate rating to meet the set thresholds for risk as
communicated to the security leadership.
Definitions Used in this Model
Asset Owner
The person with budgetary control over the assets at a high enough level in the organization to
have appropriate decision-making authority on security risk decisions.
Business Unit Leader
Top-level leaders of a particular function or department in the enterprise (e.g., head of accounting, HR, IT, operational departments).
Enterprise
This matrix references "enterprise" in the broadest sense of the meaning – a business, organization, or company – and can include public, state or government-run organizations, privately held or family companies, not-for-profit organizations, stockholder-controlled corporations, or others.
Enterprise Executive
The enterprise executive references personnel at the top level of the organization: the "C-Suite", President, Controlling Partners, Executive Vice Presidents, or other titled individuals with strategic management level roles in the organization.
ESRM
The application of fundamental risk principles to manage all security risks – whether information, cyber, physical security, asset management, or business continuity – in a comprehensive, holistic, all-encompassing approach.
Security Department
The department designated in the organization to manage the enterprise security risk.
Security Discipline
Individual tactical security specialties, such as executive protection, information security,
physical access control, business continuity, investigations and forensics, and so on. These
disciplines are typically technically diverse enough to require tactical personnel with specialized
skill sets to complete the activities.
Security Risk
Anything that threatens harm to the enterprise, its mission, its employees, its customers, its
partners, its operations, its assets, or its reputation.
Stakeholder
Any non-asset owner whose group could be impacted by an incident or action involving that asset, who therefore needs to be consulted on questions of security risk, and who sits at a high enough level in the organization to have appropriate decision-making authority on security risk decisions.
ESRM MATURITY SURVEY
Read each ESRM requirement and rate how the people and processes in your enterprise
support that requirement on a scale of 0 to 5, using the definitions above. All questions are
required.
1. Program Strategy
1.1 Enterprise executives formally support the ESRM philosophy and approach.
1 - Ad Hoc: Tacit support of the program with no formal statement.
5 - Optimized: Formal ESRM charter signed by all C-Level Stakeholders
1.2 Security department mission and goals formally commit to an ESRM philosophy and approach.
1 - Ad Hoc: Security team has verbal instruction to adhere to the ESRM approach.
5 - Optimized: Security department has a formal, written ESRM mission and goal set that is
shared with all security team members.
1.3 Security department leadership has established relationships with
function/department business leaders across the enterprise.
1 - Ad Hoc: Some team members have developed relationships with some business
Stakeholders in the Enterprise.
5 - Optimized: A formal registry of business Stakeholders is maintained with primary
security points of contact named for each Stakeholder and a mandated contact schedule
maintained for each.
1.4 Security department understands the mission and goals of the overall enterprise.
1 - Ad Hoc: Personnel with longer tenure have some insight into the overall mission, goals, and
function of the enterprise.
5 - Optimized: A formal onboarding program for all security employees trains on the overall
mission, goals, and critical functions of the enterprise and aligns them with the ESRM approach.
1.5 Security department understands the mission and goals of critical internal
departments / business units and the needs of those business leaders.
1 - Ad Hoc: Personnel with longer tenure have some insight into the business goals and functions of critical processes.
5 - Optimized: A formal onboarding program for all security employees trains on the
business goals and critical functions of the enterprise and aligns them with the ESRM
approach.
1.6 Security department leaders and enterprise executives understand and agree to a
definition of what constitutes successful accomplishment of the security mission.
1 - Ad Hoc: Informal definition of tangible security goals.
5 - Optimized: Formal, documented success criteria that additionally include intangible goals.
1.7 Security department has a defined strategy to meet the defined security success criteria based on an ESRM philosophy.
1 - Ad Hoc: Key performance indicators (KPIs) are developed for the achievement of some tangible goals.
5 - Optimized: Documented and reported-upon KPIs exist for all goals, including intangible
goals.
1.8 The ESRM security strategy is based on a formal risk model (such as ISO, COBIT,
ANSI, etc.).
1 - Ad Hoc: Some portions of the ESRM strategy align with some portions of a formal risk
management model.
5 - Optimized: A risk management model is officially adopted for the program and all practices
align with the model.
1.9 Enterprise executives understand the skillsets needed for effective ESRM program
management and support training existing staff and hiring staff with necessary skills.
1 - Ad Hoc: Management has some understanding of the skills ESRM requires and provides sufficient resources through hiring or training.
5 - Optimized: ESRM requirements are incorporated into the HR hiring process and job
descriptions and existing personnel are given advanced risk management training.
2. Program Governance
2.1 Enterprise has instituted a security group or council to govern security risk and the
security program.
1 - Ad Hoc: A council or working group is established and meetings occur as the council
desires.
5 - Optimized: A security council is formed with a documented charter, roles and
responsibilities. The council has a mandated meeting schedule and regularly interacts
with the board of directors / management.
2.2 Enterprise has a set tolerance level for security risk overall for the enterprise.
1 - Ad Hoc: Security has an implied understanding of risk levels or a documented risk
posture for some risks.
5 - Optimized: The board of directors / management has a formal posture on the risk
level of the company including risk categories (high, medium, low).
2.3 Enterprise has a set tolerance level for security risk at the critical asset / function
level based on criticality of assets / functions across the enterprise.
1 - Ad Hoc: Risk thresholds are defined for the critical assets of the company.
5 - Optimized: Specific risk thresholds are defined for non-critical areas of the enterprise
as well and thresholds include risk categories (high, medium, low).
2.4 Security Department operates with effective levels of independence to avoid any
conflicts of interest.
1 - Ad Hoc: Internal audits are executed to confirm the independence.
5 - Optimized: In addition, external audits are executed to confirm the independence.
2.5 Security Department operates with effective levels of transparency for all security
risks.
1 - Ad Hoc: Status reports on risk tolerances are given to business leaders if requested.
5 - Optimized: Mandated status reports on risk tolerances are given to business leaders and to external stakeholders (e.g., security authorities) on a defined timeline.
2.6 Security Department operates with effective levels of authority to manage security
risk in all areas of the enterprise.
1 - Ad Hoc: The security department has executive support to perform security activities
as needed.
5 - Optimized: There is a clear and direct authorization for the security department from
the board of directors / management and by the security authorities.
2.7 Security program has a defined scope / charter / remit to clarify risk categories as
security or non-security for enterprise operations.
1 - Ad Hoc: The security program is formally approved by the security council.
5 - Optimized: The security program is formally approved by the security council and the
board of directors / management and has a documented charter / policy.
2.8 Security disciplines are aligned with industry standards and maturity of the
alignment is reported regularly to the governing group and to enterprise executives.
1 - Ad Hoc: Training is based on industry standards and the success of the training is reported to management.
5 - Optimized: Training for personnel also includes certification based on industry
standards.
2.9 All in-scope / chartered security risks are managed in accordance with an ESRM
approach regardless of the threat vector or impacted asset.
1 - Ad Hoc: The security council conducts self-assessments to verify the ESRM
approach.
5 - Optimized: The security council engages third party auditors on a defined timeline to
conduct audits to verify the ESRM approach.
3. Understanding and Awareness
3.1 Enterprise executives and department/business function leaders understand the
ESRM philosophy and approach.
1 - Ad Hoc: Executives and management in critical functions and some support functions have been exposed to the ESRM program and understand it.
5 - Optimized: ESRM is part of a formal security awareness program and the security department conducts more in-depth workshops with the most critical business functions.
3.2 Enterprise executives and department / business function leaders understand the
role of security as risk managers.
1 - Ad Hoc: Executives and management in critical functions and some support functions
have been part of a risk mitigation process and understand security's role in it.
5 - Optimized: ESRM is part of a formal security awareness program and the security department conducts more in-depth workshops with the most critical business functions to ensure understanding of security's role.
3.3 Security department personnel understand the ESRM philosophy and approach.
1 - Ad Hoc: Some staff have been exposed to the ESRM philosophy.
5 - Optimized: Formal annual training is required for every security department employee
in ESRM methodologies.
3.4 Security department personnel understand the role of security as risk managers.
1 - Ad Hoc: Risk management training is provided to security personnel.
5 - Optimized: The training includes certifications based on international standards.
3.5 Security department personnel act at all times in accordance with an ESRM
approach.
1 - Ad Hoc: A risk-management approach is sometimes used by security department
personnel.
5 - Optimized: Use of ESRM methodologies and processes is a formal part of security
staff training and employees are rated on ESRM adherence as part of the annual review
process.
3.6 Any department personnel outside of Security Department tasked with performing
activities that mitigate security risks understand the ESRM philosophy and approach.
1 - Ad Hoc: Some business functions are trained in ESRM and are capable of
performing their security tasks in partnership with the security department.
5 - Optimized: All functions performing any security mitigation process have formal training in ESRM and understand the security role and their partnership with the security department.
3.7 Enterprise Asset Owners understand the role of an Asset Owner in the ESRM
program.
1 - Ad Hoc: Asset owners may have their roles explained to them in the event they
become involved in a security project.
5 - Optimized: An embedded security culture of risk-management-decision making is
formally part of the training and awareness of all budget managers in the organization.
3.8 Security risk Stakeholders understand the role of a risk Stakeholder in the ESRM
program.
1 - Ad Hoc: The security department communicates the role of security to impacted
stakeholders.
5 - Optimized: In addition, the security department conducts workshops with the most
relevant stakeholders.
3.9 Enterprise employees understand their role in promoting and interacting in an
ESRM security culture.
1 - Ad Hoc: The security department communicates the ESRM approach to all
employees of the company.
5 - Optimized: In addition, the security department offers town hall meetings, webinars, and workshops to interact with the employees.
4.1 Security Department has identified all enterprise assets (tangible and intangible) to
be considered in the ESRM program.
1 - Ad Hoc: A list of tangible assets exists.
5 - Optimized: A list of tangible and intangible assets exists.
4.2 Security Department has identified all Asset Owners or Stakeholders with
appropriate risk-decision-making authority for each asset to be considered in the ESRM
program.
1 - Ad Hoc: A list of owners and stakeholders for tangible assets exists.
5 - Optimized: A list of owners and stakeholders for tangible and intangible assets exists.
4.3 Security Department has engaged all Asset Owners or Stakeholders with
appropriate risk-decision-making authority in prioritizing each asset to be considered in
the ESRM program.
1 - Ad Hoc: The asset owners/stakeholders have prioritized their tangible assets.
5 - Optimized: The asset owners/stakeholders have prioritized their tangible and
intangible assets.
4.4 Security Department has identified all security risks associated with assets that have
been prioritized for risk assessment in the ESRM program.
1 - Ad Hoc: A risk report with all relevant risks related to prioritized tangible assets is
created.
5 - Optimized: A risk report with all relevant risks related to prioritized tangible and
intangible assets is created.
4.5 Security Department has engaged all Asset Owners or Stakeholders with
appropriate risk-decision-making authority in prioritizing the identified risks associated
with assets in the risk assessment process.
1 - Ad Hoc: The risk report with all relevant risks related to prioritized tangible assets is
created and aligned with all asset owners/stakeholders.
5 - Optimized: A risk report with all relevant risks related to prioritized tangible and
intangible assets is created and aligned with all asset owners/stakeholders.
4.6 A register of assets and associated risks with potential impacts exists for all assets
prioritized for risk assessment.
1 - Ad Hoc: The impact and likelihood of all relevant risks related to prioritized tangible assets are calculated.
5 - Optimized: The impact and likelihood of all relevant risks related to prioritized tangible and intangible assets are calculated.
4.7 All assets that meet the threshold for risk mitigation (as set by the ESRM governing
body) have had mitigation plans recommended to the Asset Owners or Stakeholders
with appropriate risk-decision-making authority previously identified for final risk
treatment decisions.
1 - Ad Hoc: Risk mitigation plans exist for relevant risks related to prioritized assets.
5 - Optimized: Risk mitigation plans exist for all relevant risks related to prioritized
tangible and intangible assets and have been tested and reviewed for residual risk.
4.8 Security risk mitigation plans approved by associated Asset Owners or Stakeholders
with appropriate risk-decision-making authority are documented in short term, mid term,
and long term security implementation roadmaps / plans.
1 - Ad Hoc: Risk mitigation plans for all relevant risks related to prioritized assets are approved by the asset owners and implementation milestones are agreed.
5 - Optimized: Risk mitigation plans for all relevant risks related to prioritized assets are approved by the asset owners, and implementation milestones are agreed and reported to the security council in addition to the risk owners.
5.1 Key risk indicators are identified for each Asset Owner and Stakeholder to understand how risk mitigation activities are working to maintain risk within stated tolerance levels.
1 - Ad Hoc: A status report with KPIs is created on the mitigation of all relevant risks related to prioritized assets.
5 - Optimized: A status report with KPIs is created on the mitigation of all relevant risks related to prioritized assets and is reported to the security council in addition to the risk owners.
5.2 Risk status reports are regularly delivered to Asset Owners and Stakeholders with
assets impacted by the ESRM program.
1 - Ad Hoc: The risk report is communicated to the asset owners / stakeholders as
requested.
5 - Optimized: The risk report is communicated to the asset owners and to stakeholders
on a formal, documented timeline.
5.3 Risk status reports are regularly delivered to executive management.
1 - Ad Hoc: The risk report is communicated to the executive management as requested.
5 - Optimized: The risk report is communicated to the executive management on a
formal, documented timeline.
5.4 Risk status reports are regularly delivered to Security Department governing body.
1 - Ad Hoc: The risk report is communicated to the governing body as requested.
5 - Optimized: The risk report is communicated to the governing body on a formal,
documented timeline.
5.5 Risk mitigation plan roadmap status reports are regularly delivered to Asset Owners
and Stakeholders with assets impacted by the ESRM program.
1 - Ad Hoc: The risk mitigation plan is communicated to the asset owners as requested.
5 - Optimized: The risk mitigation plan is communicated to the asset owners on a formal,
documented timeline.
5.6 Risk mitigation plan roadmap status reports are regularly delivered to executive
management.
1 - Ad Hoc: The risk mitigation plan is communicated to the executive management as
requested.
5 - Optimized: The risk mitigation plan is communicated to the executive management
on a formal, documented timeline.
5.7 Risk mitigation plan roadmap status reports are regularly delivered to Security
Department governing body.
1 - Ad Hoc: The risk mitigation plan is communicated to the governing body as
requested.
5 - Optimized: The risk mitigation plan is communicated to the governing body on a
formal, documented timeline.
5.8 Risk re-assessments of all enterprise security risks are performed on a regular
basis.
1 - Ad Hoc: Risk assessments are conducted as the security team has availability.
5 - Optimized: Risk assessments are mandated by the Security Council and reported to the council on a formal, documented timeline.
5.9 New security risk scanning activities are performed on a regular basis.
1 - Ad Hoc: Risk scanning is conducted as the security team has availability.
5 - Optimized: Risk scanning is mandated by the Security Council and reported to the council on a formal, documented timeline.
5.10 Risk mitigation plans and activities, and associated roadmaps, are updated
regularly to account for changing risk environments.
1 - Ad Hoc: Updates on mitigation plans are completed when events impact them.
5 - Optimized: Updates on mitigation plans are conducted on a formal, documented timeline.
5.11 All post-incident or post-investigation root cause analysis findings are delivered to
the Asset Owners and impacted Stakeholders for further risk mitigation decision
making.
1 - Ad Hoc: The security department reports root cause analysis to impacted functions or
asset owners/stakeholders as requested.
5 - Optimized: The security department reports root cause analysis to impacted functions
or asset owners/stakeholders as a formal, documented part of any incident investigation
or follow up.
6.1 All job roles and responsibilities within Security Department are developed and
defined with an ESRM philosophy and approach.
1 - Ad Hoc: All job profiles in the security department are aligned with ESRM and
approved by security management.
5 - Optimized: All job profiles in the security department are mandated to be aligned with
ESRM by the security council and have risk-management specific skillsets required for
hiring processes.
6.2 Teams performing security risk mitigation activities are managed cross-functionally
or work cross-functionally in partnership using an ESRM approach if they are not
managed in a single organization.
1 - Ad Hoc: Projects will sometimes involve cross functional teams working under a
project structure.
5 - Optimized: All security risk mitigation activities are performed by staff that report in a
single organization structure to a CSO at the executive level. All security risk is managed
in a single department.
6.3 All security risk mitigation activities performed by security tactical personnel in any
discipline are directly linked to an asset and risk (or identified as mitigating risk
universally for multiple assets).
1 - Ad Hoc: Security projects may sometimes be sponsored by or tied to a requesting
department.
5 - Optimized: No security risk mitigation activities take place that do not have an
underlying, documented asset or group of assets that are protected by the security
activity.
6.4 Internal and external security threats and risks are managed holistically in
partnership with all impacted groups.
1 - Ad Hoc: Partnerships with all relevant asset owners/stakeholders are established.
5 - Optimized: Partnerships with all relevant asset owners/stakeholders are established
and formally documented and reported on to the security council.
6.5 Any risk assessment performed by any tactical security personnel in any security
discipline is shared across all disciplines and leveraged to identify assets and risks to
ensure all are considered in the ESRM program.
1 - Ad Hoc: Most risk assessments are communicated within the security department
and to any personnel performing security mitigation tasks in other departments.
5 - Optimized: All risk assessments are communicated within the security department, to
any personnel performing security mitigation tasks in other departments, and to asset
owners/stakeholders.
6.6 Any security risk monitoring activity performed by any tactical security personnel in
any security discipline is shared across all disciplines and leveraged to proactively
identify new or emerging security risks in the enterprise.
1 - Ad Hoc: Most risk monitoring activities are communicated within the security
department and to any personnel performing security mitigation tasks in other
departments.
5 - Optimized: All risk monitoring activities are communicated within the security
department, to any personnel performing security mitigation tasks in other departments
and to asset owners/stakeholders.
6.7 Any security intelligence gathering and analysis activity performed by any tactical
security personnel in any security discipline is shared across all disciplines and
leveraged to proactively identify new or emerging security risks in the enterprise.
1 - Ad Hoc: Most security intelligence analyses are communicated within the security
department and to any personnel performing security mitigation tasks in other
departments.
5 - Optimized: All security intelligence analyses are communicated within the security
department, to any personnel performing security mitigation tasks in other departments
and to asset owners/stakeholders.
6.8 Security incident response teams in any security discipline provide immediate
response / triage / control / recovery for any security risks that become realized
incidents and notify security leadership in order to consider activation of other security
discipline incident response teams for coordination.
1 - Ad Hoc: Security personnel escalate and notify management and other groups as
needed during an event.
5 - Optimized: Formal, documented processes exist with escalation pathways and thresholds to mandate communication across teams and stakeholders during incident response.
6.9 A post-incident investigation including a root cause analysis is performed on every
security incident regardless of the threat vector, impacted asset, or the tactical security
discipline of the response team(s) that was tasked to work the incident.
1 - Ad Hoc: Post-incident investigation reporting is done on critical or high-visibility
events.
5 - Optimized: Every security incident has a post-incident investigation that is
communicated within the security department and to the asset owners/stakeholders.
6.10 All incident investigations in all security disciplines include a post-mortem report
delivered to all impacted asset owners and stakeholders that communicates incident
impact, root cause, identified risks, and any further recommended risk mitigation
activities for the risk.
1 - Ad Hoc: Post-incident investigation reporting is done on critical or high-visibility
events and sometimes communicated to asset owners / stakeholders.
5 - Optimized: Every security incident has a post-incident investigation that is
communicated within the security department and to the asset owners/stakeholders.
6.11 All incident investigations in all security disciplines identify and account for
impacted Asset Owners and Stakeholders in the investigation process to ensure proper
audience for the post-incident reporting process.
1 - Ad Hoc: Investigations sometimes involve asset owners/stakeholders if needed for
investigative input.
5 - Optimized: A formal, documented process exists to ensure asset
owners/stakeholders are included in the investigative process involving their impacted
assets.
6.12 All incident investigations in all security disciplines identify and account for any
related policy / process / risk mitigation ties that could impact the investigation to ensure
thorough root cause analysis and residual risk identification.
1 - Ad Hoc: Investigations sometimes look at any associated policies and processes if
needed for investigative input.
5 - Optimized: A formal, documented process exists to ensure associated policies and
processes are included in the investigative process involving their impacted assets.
6.13 Any enterprise security awareness training performed by any tactical security
group in any security discipline considers ESRM philosophies and is leveraged to
increase awareness of security risks across all security disciplines.
1 - Ad Hoc: Security employees receive security awareness training based on ESRM methods.
5 - Optimized: Security employees and asset owners receive security awareness training based on ESRM methods.
6.14 Any enterprise security policy, standard, procedure, or guideline written or created
by any tactical security group in any security discipline considers ESRM philosophies
and is leveraged to facilitate the management of security risks across all security
disciplines.
1 - Ad Hoc: The security policies are based on ESRM methods.
5 - Optimized: The security and the business policies are based on ESRM methods.
6.15 Any security architecture design model created by any tactical security group in
any security discipline considers ESRM philosophies and is leveraged to facilitate the
management of security risks across all security disciplines.
1 - Ad Hoc: The designer of a new access control system involves information security
after installation to take part in the credentialing process.
5 - Optimized: All new projects begin with a discovery step to identify all security risk Asset Owners and Stakeholders and involve them in the architecture risk decision making, allowing the project to benefit from many avenues of input.
6.16 Any security testing activity performed by any tactical security group in any security
discipline considers ESRM philosophies and is leveraged to facilitate the management
of security risks across all security disciplines.
1 - Ad Hoc: Security tests and exercises occasionally incorporate multiple tactical teams
or cross different types of security discipline.
5 - Optimized: The security department has a dedicated test and exercise function that
plans and designs all tests and exercises to incorporate multiple security disciplines and
tracks all testing to ensure all disciplines participate in tests on a regular basis.