Security Process Maturity: Level 1

by Steven McElwee, CISSP

How mature is security in your organization? Thanks to the ISM³ Consortium, we have a framework for measuring the security maturity of any organization. ISM³ looks at security as a set of defined processes. Each level of maturity has its own processes. Organizations can decide how much security is enough for their type of business and ensure that the processes at that level are defined and implemented.

This series provides a high level view of the operational processes of ISM³. Learn more about ISM³ and its strategic and tactical processes at http://www.ism3.com.

Level one security is suitable for organizations that have very low risk of security threats. These companies have few or no servers and operate primarily using personal computers. At this level, the operational security processes require little investment yet reduce the risk of security threats.

The operational processes for level one are:

• Patch management
• Segmentation and filtering
• Malware protection
• Backup management
• Reporting to tactical management

These processes may be performed by existing IT operations personnel and do not require a dedicated security staff.