The Secure Controls Framework (SCF) release 2023.2 contains completely new content for its Security & Privacy Capability Maturity Model (SP-CMM). This effort was conducted to help streamline and standardize maturity criteria. One of the use cases for the SP-CMM is to provide objective criteria for project teams so that secure practices are appropriately planned and budgeted for.
When you consider regulations such as the EU General Data Protection Regulation (GDPR), there is an expectation for systems, applications and processes to identify and incorporate cybersecurity and privacy by default and by design. In order to determine what is appropriate and to evaluate it prior to “go live”, expectations for control maturity must be defined.
In planning a project or initiative, it is important to establish “what right looks like” for the security and privacy controls that must be implemented to address all compliance needs. This includes internal requirements, as well as external requirements from applicable laws, regulations and contracts. Prior planning of requirements can reduce delays and other costs associated with re-engineering.
Referencing back to the SP-CMM Overview section of this document, the L0-L1 levels of maturity are identified as being deficient from a “reasonable person perspective” in most cases. Therefore, project teams need to look at the “capability maturity sweet spot” between L2 and L4 to identify the reasonable people, processes and technologies that need to be incorporated into the solution.
As previously covered, avoiding negligent behavior is a critical consideration. The most common constraints that impact a project’s maturity are (1) budget and (2) time. A System Development Life Cycle (SDLC) has constraints, and the expectation is that security and privacy controls are applied throughout the SDLC.

Projects do not have unlimited budgets, nor do they tend to have overly flexible timelines that allow for new security & privacy tools to be installed and trained upon. From a project perspective, this often limits target CMM levels to L2-L3 for planning purposes.
While there are over 1,000 controls in the SCF’s controls catalog, it is necessary for a project team to pare down that catalog to only what is applicable to the project (e.g., ISO 27002, PCI DSS, CCPA, etc.). This step simply involves filtering out the controls in the SCF that are not applicable. It can be done within Excel or within a GRC solution (e.g., SCF Connect). In the end, the result is a tailored set of controls that meets the project’s specific needs.
Now that you have pared down the SCF’s controls catalog to only what is applicable, a manual review process is needed to identify the appropriate level of maturity for each of the controls. Ideally, the project will inherit the same target maturity level for controls as is used throughout the organization. For any deviations, based on budget, time or other constraints, a risk assessment should be conducted to ensure that a lower level of maturity for project-specific controls is appropriate.