Security Process Maturity: Level 3

by Steven McElwee, CISSP

The third level of ISM³ requires significant investment, but it provides a high level of protection against technical security threats. This level is important for organizations that have high security risks and many critical assets, especially externally facing applications.

The jump from level two to level three does not add many processes, but the processes require more people and time commitment. In addition, these processes require more participation from business function owners, IT operations, project management, and software development. To achieve this level, your security staff will need skills to create a collaborative, participative environment.

The level three operational security processes are:

• Asset classification and management
• SDLC control
• Operations continuity management
• Incident response
• Incident emulation

The level 3 processes build on the previous levels. Building a solid foundation at levels one and two before tackling level 3 will provide broad security coverage of systems, processes, and people.