Optimizing the certainty of outcomes, reduction of risk, and added value across the organization. Continuous improvement methods have been established and are fully integrated into the management system.
Optimizing the certainty of outcomes, reduction of risk, and added value across the organization. Continuous improvement methods have been established and are fully integrated into the management system.
Standard process is defined. Processes provide established feedback mechanism to allow for improvement over time. Focus on consistency in operations across the organization.
Processes are planned, performed, and measured. Focus is on driving process execution and adjustments to meet business needs across the organization.
Work may or may not be completed. When completed it is often delayed with unpredictable outcomes. Processes are ad-hoc and not documented although they may be performed. There is limited or no operational visibility into functional process across the organization.
Common features include practices that implement and institutionalize a key process area.
The level has been validated as effective over time across the organization. Planning for next level of maturity has started.
Measurement and analysis of level performance is accurate and driving process maturity decisions.
The resources needed to implement the planned activities have been allocated and applied in accordance to plan.
Management and necessary stakeholders have committed and approved the implementation of the planned activities.
Maturity improvement plans are designed and documented in line with organizational requirements for formal project approval.
“Yes and No” questions, referred to as “Polar Questions” provide a more definitive level of response which some CISO’s prefer to Ordinal responses. At V3 we believe that Polar Responses do not capture the level of maturity of a particular control. We understand that people naturally prefer the simplicity of binary responses, but we believe that in cybersecurity, binary responses lead to a false sense of security. Consider the example below.
EXAMPLE:
Are technical controls in place to segregate networks?
Answering “Yes” or “No” does not provide the necessary insight to provide a response aligned with the intent of the control. We must understand the level of maturity associated with the control to have an understanding of the effectiveness of the control.
Lets assume that we want to answer yes because we have firewalls that separate our network segments. What is the policy being enforced by the technical controls was to allow all traffic to traverse the device? We could technically answer “Yes” to the question, but clearly the intent of the control has not been met and could misrepresent the organizational posture.
Give us a call or drop by anytime, we endeavour to answer all enquiries within 24 hours on business days.