SMotW #35: compliance maturity
Security Metric of the Week #35: information security compliance management maturity
Compliance with information security-related laws and regulations is undoubtedly of concern for management, since non-compliance can lead to substantial penalties both for the organization and, in some cases, for its officers personally. Legal and regulatory compliance is generally asserted by the organization, but confirmed (and in a sense measured) by independent reviews, inspections and audits.
But important though they are, laws and regulations are just part of the compliance landscape. Employees are also expected to comply with obligations imposed by management (in formal policies mostly) and by other third parties (in contracts mostly). Compliance in these areas is also confirmed/measured by various reviews, inspections and audits.
In order to measure the organization's compliance practices, then, we probably ought to take all these aspects into account.
| P | R | A | G | M | A | T | I | C | Score |
|----|----|----|----|----|----|----|----|----|-------|
| 90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
This week's security metric is another maturity measure. Maturity metrics (as we have described before) are very flexible and extensible, so it's no problem to take account of all the issues above, and more besides.
We have been quite harsh on the Actionability rating for this metric, giving it "just" 70%, in anticipation of the practical issues that would crop up if Acme's management deemed it necessary to improve the organization's security compliance. On the other hand, breaking down and analyzing security compliance in some detail makes this an information-rich metric. Aside from the overall maturity score, management would be able to see quite easily where the biggest improvement opportunities lie.
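To make the "information-rich" point concrete, here is a small added Python example; it is illustrative code written for this page, not the PRAGMATIC authors' scoring tool or anything Acme uses. It reproduces the 86% in the table from the nine criterion ratings (assuming the score is their plain average, rounded), then breaks compliance maturity down across the three areas discussed above (laws and regulations, internal policies, contractual obligations). The weights and maturity levels are constructed assumptions, as is the weighted-gap ranking used to surface where management would get the most overall improvement per unit of effort.

```python
"""Illustrative compliance-maturity metric (constructed example; not the
SMotW authors' scoring model). Assumptions:
  - maturity is assessed per compliance area on a 0-100 scale;
  - each area carries a weight reflecting its importance to management;
  - the PRAGMATIC score is the plain average of the nine criterion ratings.
"""
from dataclasses import dataclass

PRAGMATIC_CRITERIA = ("Predictive", "Relevant", "Actionable", "Genuine",
                      "Meaningful", "Accurate", "Timely", "Independent", "Cheap")


def pragmatic_score(ratings):
    """Average the nine criterion ratings (0-100) into one percentage,
    rounded to the nearest whole percent as in the weekly table."""
    if len(ratings) != len(PRAGMATIC_CRITERIA):
        raise ValueError("expected nine PRAGMATIC ratings")
    return round(sum(ratings) / len(ratings))


@dataclass
class ComplianceArea:
    name: str
    weight: float   # relative importance to management (assumed, arbitrary units)
    maturity: int   # assessed maturity, 0 (nothing in place) .. 100 (optimised)


def overall_maturity(areas):
    """Weighted maturity across all compliance areas, on the same 0-100 scale."""
    total_weight = sum(a.weight for a in areas)
    return round(sum(a.weight * a.maturity for a in areas) / total_weight, 1)


def improvement_opportunities(areas, target=100):
    """Rank areas by weighted shortfall from the target: weight * (target - maturity).
    The first entry is where extra effort buys the most overall score; this is the
    'biggest improvement opportunity' view the overall number alone cannot give."""
    ranked = sorted(areas, key=lambda a: a.weight * (target - a.maturity), reverse=True)
    return [(a.name, a.weight * (target - a.maturity)) for a in ranked]


# Constructed sample assessment for a hypothetical organisation.
SAMPLE_AREAS = [
    ComplianceArea("Laws and regulations", weight=3.0, maturity=80),
    ComplianceArea("Internal policies", weight=2.0, maturity=55),
    ComplianceArea("Contractual obligations", weight=1.0, maturity=40),
]

if __name__ == "__main__":
    print("PRAGMATIC score:", pragmatic_score([90, 95, 70, 80, 90, 85, 90, 85, 90]))
    print("Overall compliance maturity:", overall_maturity(SAMPLE_AREAS))
    for name, gap in improvement_opportunities(SAMPLE_AREAS):
        print(f"  {name}: weighted gap {gap:.0f}")
```

With the sample figures, legal compliance is the most mature area but internal policy compliance tops the ranking, because its weight and its shortfall together leave the most overall score on the table; that is the kind of breakdown that offsets the metric's modest Actionability rating.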