Documente Academic
Documente Profesional
Documente Cultură
2, June 2011
International Journal of Information and Communication Technology Research
http://www.esjournals.org
ABSTRACT
This paper explains appliance of maturity models in information security. Two information security standards which are
using maturity models are explained and compared.
http://www.esjournals.org
45
Volume 1 No. 2, June 2011
International Journal of Information and Communication Technology Research
http://www.esjournals.org
accessible, scalable, compatible and open. It allows the Table 1 Comparison of ISM3 and SSE-CMM
possibility of adjustment to the existing ISMS solution
and it increases the level of security by its MM. Authors
Criterion ISM3 SSE-CMM
recommend the “top-down“ approach in using it,
which considers business goals to be the most important, Number of 5 5
and they want to achieve admissible level of information achievement
security by designing ISMS following the guidelines levels
for this standard. Paradigm Process oriented Process oriented
Goal Admissible level Secure and quality
of security with ISMS with least
3. SSE-CMM maximal expenses
business result
System Security Engineering Capability Maturity Input Yes Yes
Model – SSE-CMM is a standard of similar characteristics Output Yes Yes
like ISM3, but of the smaller extent and with simpler Metrics Yes Yes
MM. SSE-CMM describes the basic characteristics that Compliance Yes with ISO Partly with ISO
an organization must provide in order to achieve the 27001 27001;
admissible level of information security. Like ISM3, SSE- Integrated in ISO
CMM is also process oriented, but it`s character is strictly 21827:2008
technical and it doesn`t treat business result as a main Approach Top-down Bottom-up
goal of MM. This standard is intended to be used as a Extent Strictly Technological,
basis for designing ISMS that can be used as: behavioral
Improvement Continuously Cyclically
Basis of security architecture through metrics through
Standard mechanism that the consumers can use outputs
to measure and asses security level License Commercial Free
The tool for further development of Last update April 2009 Jun, 2008
security mechanisms [4]
It is important to emphasize that there are two
The authors of the standard claim that the
essential differences between the two standards that can
benefits of using their methodology are achieved through:
be seen in the table 1. Those are: approach to standard
continuity, repetitiveness, efficiency and acceptability
implementation and the price of introduction. While ISM3
of the processes that are carried out in the organization,
is oriented on business result achievement, which is on the
and are protected by security mechanisms.
top of the priority list, SSE-CMM is focused primarily on
As with ISM3, it has the process metrics which
information security, and the effect on business is
measures, quantifies the results that MM achieves. Unlike
measured during the implementation.
ISM3, SSE-CMM introduces the concept of security
ISM3 is, thus, focused on the Top-down
metrics. For every process that is important from the
approach, from the most important goal of the
security aspect, SSE-CMM identifies entities that are
organization, to lower ones, including information
being followed and that are measurable. Security
security. SSE-CMM uses Bottom-up approach, in which it
attributes that follow it and that represent the basis for
goes from information security, as the basis, and other
measurements are added to every entity. Units of
goals of the organization depend, in great extent, from it
measurement can be the simplest physical units
[5].
(frequency, number of iterations, etc.), but also the more
The other big difference is in the price of
complex, statistical ones, and others.
implementation. Although the number of achievement
These measurements are very important for the
levels is in direct correlation with the price of introduction
management that is often faced with the great number of
that is not critical factor in the comparison of these two,
complex questions from this area and thus the simplicity
because the number is the same. Also, the common
of the metrics can help them to find the answers and bring
process orientation does not represent the key price
the decisions about information security.
difference. ISM3 is a commercial standard, which cannot
be downloaded for free from the Internet, unlike SSE-
4. ISM3 AND SSE-CMM COMPARISON CMM, and it is also adjusted with ISO 27002:2005,
standard expensive to introduce, so the price of its
Similar as for comparing standards that do not introduction is much bigger than the introduction price of
have MM for comparing ISM3 and SSE-CMM it is SSE-CMM. It should be taken into account that SSE-
important to identify the criteria of comparison. Mitigating CMM is older and needs revision more than ISM3, so it is
circumstance is that both standards are specialized and doubtful if introduction of older standard can help
they look at the problem of information security from management to choose it despite its free license.
similar perspective.
46
Volume 1 No. 2, June 2011
International Journal of Information and Communication Technology Research
http://www.esjournals.org
47