Security Process Maturity: Level 2

by Steven McElwee

For most businesses, level one will not provide enough security to protect their information assets. If a company needs to demonstrate due care to its business partners, has many users of server-based applications, and sensitive information, it needs to move up to the security processes listed in ISM³'s second level.

Level two provides additional protection against technical security threats. It requires more security investment, but not significantly higher. The processes in level two build on the level one processes. To achieve this level, you will need to define and manage all of the level one and level two tasks.

The level one processes may be able to be accomplished by IT technical staff, but level two requires a combination of dedicated security professionals and facilitation with IT departments responsible for server and application administration.

The operational security processes for level two are:

• Select security tools
• Environment change control
• Data clearing
• System hardening
• Security measures change control
• Access control
• User registration
• Physical security
• Internal technical audit
• Alerts monitoring

Level 2 security is a good starting point for securing your organization, but it may not meed compliance standards, such as SAS70, SOX 404, PCI, and NERC-CIP. If you are required to comply with these standards, you'll need to move up to level 3 or 4.