CAPABILITY MATURITY MODEL

HOW TO MEASURE

VIRTUE

VALUE

VISION

5 OPTIMIZING

Optimizing the certainty of outcomes, reduction of risk, and added value across the organization. Continuous improvement methods have been established and are fully integrated into the management system.

4 REVIEWED

3 MANAGED

A standard process is defined. Processes provide an established feedback mechanism that allows for improvement over time. The focus is on consistency in operations across the organization.

2 DOCUMENTED

Processes are planned, performed, and measured. The focus is on driving process execution and adjustments to meet business needs across the organization.

1 PERFORMED

Work may or may not be completed. When completed, it is often delayed, with unpredictable outcomes. Processes are ad hoc and not documented, although they may be performed. There is limited or no operational visibility into functional processes across the organization.

LEVEL FEATURES

Common features include practices that implement and institutionalize a key process area.

9 VERIFIED

The level has been validated as effective over time across the organization. Planning for the next level of maturity has started.

7 ESTABLISHED

Measurement and analysis of level performance are accurate and are driving process maturity decisions.

5 CAPABLE

The resources needed to implement the planned activities have been allocated and applied in accordance with the plan.

3 COMMITTED

Management and the necessary stakeholders have committed to and approved the implementation of the planned activities.

1 PERFORMED

Maturity improvement plans are designed and documented in line with organizational requirements for formal project approval.

POLAR QUESTIONS

“Yes or No” questions, referred to as “polar questions”, provide a more definitive response, which some CISOs prefer to ordinal responses. At V3 we believe that polar responses do not capture the level of maturity of a particular control. We understand that people naturally prefer the simplicity of binary responses, but we believe that in cybersecurity, binary responses lead to a false sense of security. Consider the example below.

EXAMPLE:
Are technical controls in place to segregate networks?

Answering “Yes” or “No” does not give the insight needed to respond in line with the intent of the control. We must understand the level of maturity associated with the control in order to understand its effectiveness.

Let's assume that we want to answer yes because we have firewalls that separate our network segments. What if the policy enforced by those technical controls allowed all traffic to traverse the device? We could technically answer “Yes” to the question, but clearly the intent of the control has not been met, and the answer could misrepresent the organization's posture.
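To make the firewall example concrete, here is an added illustration in Python (not part of V3's model): a constructed rule set between two segments is scored on a hypothetical 1 to 5 scale, so the allow-all policy described above still earns a polar "Yes" but the lowest ordinal score, while a scoped, default-deny policy with documented justifications scores highest.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard value used in the constructed rule format below


@dataclass(frozen=True)
class Rule:
    """One firewall rule between two segments (constructed sample format, not a vendor syntax)."""
    src: str          # source zone/CIDR or "any"
    dst: str          # destination zone/CIDR or "any"
    service: str      # e.g. "tcp/443", or "any"
    action: str       # "allow" or "deny"
    reason: str = ""  # documented business justification, if any


def polar_answer(rules: list[Rule]) -> str:
    """The Yes/No view: is a device with a rule set in place between the segments?"""
    return "Yes" if rules else "No"


def segregation_maturity(rules: list[Rule]) -> int:
    """Ordinal view on a hypothetical 1-5 scale (an assumption, loosely mirroring the page's levels).

    1: no control, or an allow-all rule that lets everything traverse the device
    2: at least one allow rule is partly wildcarded (e.g. any service)
    3: every allow is fully specified, but unmatched traffic is not explicitly denied
    4: specific allows closed off by a final deny-all rule
    5: level 4, and every allow carries a documented justification
    """
    allows = [r for r in rules if r.action == "allow"]
    if not rules or any((r.src, r.dst, r.service) == (ANY, ANY, ANY) for r in allows):
        return 1  # the page's scenario: a firewall exists, yet segregation is not enforced
    if any(ANY in (r.src, r.dst, r.service) for r in allows):
        return 2
    last = rules[-1]
    default_deny = last.action == "deny" and (last.src, last.dst, last.service) == (ANY, ANY, ANY)
    if not default_deny:
        return 3
    return 5 if allows and all(r.reason for r in allows) else 4


# Constructed example: the page's scenario, a firewall whose policy permits everything.
ALLOW_ALL = [Rule(ANY, ANY, ANY, "allow")]
# Constructed example: the same boundary with an explicit, justified, default-deny policy.
SCOPED = [
    Rule("10.10.0.0/24", "10.20.0.5", "tcp/443", "allow", "app tier to API gateway"),
    Rule("10.10.0.0/24", "10.20.0.9", "tcp/5432", "allow", "app tier to database"),
    Rule(ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("allow-all", ALLOW_ALL), ("scoped", SCOPED)):
        print(f"{name}: polar={polar_answer(rules)} maturity={segregation_maturity(rules)}")
```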