
Measuring Information Security: Combining the SSE-CMM with the ISO 17799 Standard

Author(s): Vaughn R. Christie (Purdue University, USA) and James E. Goldman (Purdue University, USA)
Copyright: 2003
Pages: 2
Source title: Information Technology & Organizations: Trends, Issues, Challenges & Solutions
Source Editor(s): Mehdi Khosrow-Pour, D.B.A. (Information Resources Management Association, USA)
DOI: 10.4018/978-1-59140-066-0.ch302
ISBN13: 9781616921248
EISBN13: 9781466665330


Information security (IS) incidents are on the rise, with new attacks reported daily. How have system administrators and security professionals reacted to these new threats? Traditionally, system owners have rushed to “acquire the latest cure” (Nielsen, 2000). They have implemented today’s fix with little thought to the benefit truly gained from such tools. This historical approach to system security is yielding to a model of increased accountability. In short, IS professionals are being asked, “How secure are we?” (Payne, 2001). Answers to this and similar questions are not easily derived (Payne, 2001). Dating back to the late 1970s and early 1980s, when the annual loss expectancy (ALE) calculation was being developed, security professionals have attempted to define security by a single distinct value: ALE (Fletcher, 1995). Since that time, additional IS management documents, defined by Fletcher (1995) as third-generation information security tools, have been developed, including a number of guidance documents published to assist organizations in establishing and maintaining their IT security programs. Examples include the NIST Handbook, the CSE Guide, ISO 17799, etc. (Hopkins, 1999). Unfortunately, problems reside in these guidance tools; specifically, they lack the ability to measure defined IS parameters easily, effectively or efficiently (Payne, 2001). This research has yielded a metric-based IS maturity framework constructed from the combination of the ISO 17799 standard and the Systems Security Engineering Capability Maturity Model (SSE-CMM). The study has illustrated the complementary nature of the SSE-CMM and the ISO standard and shown how the SSE-CMM can be leveraged to assess the maturity of the practices implemented according to ISO 17799 standard specifications. The end result is a self-facilitated metrics-based security assessment (MBSA) framework, which will allow organizations to assess the maturity of their IS processes.
By using the SSE-CMM to measure the maturity of industry-accepted IS process standards, the findings of this study enable professionals to measure, in a more consistent, reliable, and timely manner, areas for improvement and effectiveness. Furthermore, the findings allow a more dependable qualitative measurement of the returns achieved through given IS investments. Ultimately, this research has provided professionals with an additional, more robust self-assessment tool in answering: “How secure are we?”
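The abstract describes the idea of rating ISO 17799 practices on the SSE-CMM capability scale but, being an abstract, gives no scoring mechanics. The following is an added illustration of what such a metrics-based rating can look like; it is not the chapter's own MBSA framework. It assumes the SSE-CMM's six capability levels (0 to 5), the ten control areas (clauses) of ISO 17799:2000, and the CMM convention that a capability level is only earned when the criteria of that level and of every lower level are satisfied. The per-area evidence is constructed sample data.

```python
# Added example (not from the chapter): rating ISO 17799 control areas on the
# SSE-CMM capability scale and turning the ratings into a gap metric.
from statistics import mean
from typing import Dict, List, Tuple

# SSE-CMM capability levels (the model's own six-level scale).
CAPABILITY_LEVELS: Dict[int, str] = {
    0: "Not performed",
    1: "Performed informally",
    2: "Planned and tracked",
    3: "Well defined",
    4: "Quantitatively controlled",
    5: "Continuously improving",
}

# The ten control areas (clauses) of ISO 17799:2000.
ISO17799_AREAS: List[str] = [
    "Security policy",
    "Organizational security",
    "Asset classification and control",
    "Personnel security",
    "Physical and environmental security",
    "Communications and operations management",
    "Access control",
    "Systems development and maintenance",
    "Business continuity management",
    "Compliance",
]

# Evidence per area: which capability levels' criteria the assessor found
# satisfied. Constructed sample data for this example, not real findings.
SAMPLE_EVIDENCE: Dict[str, Dict[int, bool]] = {
    "Security policy": {1: True, 2: True, 3: True},
    "Organizational security": {1: True, 2: True},
    "Asset classification and control": {1: True},
    "Personnel security": {1: True, 2: True},
    "Physical and environmental security": {1: True, 2: True, 3: True, 4: True},
    "Communications and operations management": {1: True, 2: True},
    # Level-3 criteria met but level-2 planning absent: a skipped level.
    "Access control": {1: True, 2: False, 3: True},
    "Systems development and maintenance": {1: True},
    "Business continuity management": {},
    "Compliance": {1: True, 2: True},
}


def capability_level(level_met: Dict[int, bool]) -> int:
    """Return the area's capability level.

    Capability is cumulative: an area sits at the highest level for which the
    criteria of that level and of every lower level are satisfied. A gap at a
    lower level caps the rating, so evidence of level-3 practice without
    level-2 planning still rates as level 1.
    """
    level = 0
    for candidate in range(1, 6):
        if not level_met.get(candidate, False):
            break
        level = candidate
    return level


def assess(evidence: Dict[str, Dict[int, bool]]) -> Dict[str, int]:
    """Rate every ISO 17799 area; areas with no evidence rate as level 0."""
    return {area: capability_level(evidence.get(area, {})) for area in ISO17799_AREAS}


def gaps_to_target(ratings: Dict[str, int], target: int = 3) -> Dict[str, int]:
    """Levels still to climb, per area, for areas below the target level."""
    return {area: target - lvl for area, lvl in ratings.items() if lvl < target}


def summary(ratings: Dict[str, int]) -> Tuple[int, float]:
    """Overall maturity as (weakest area level, mean level across areas).

    The minimum is reported first because the weakest area bounds the whole
    program; the mean shows general progress but can hide a level-0 area.
    """
    return min(ratings.values()), round(mean(ratings.values()), 2)


if __name__ == "__main__":
    ratings = assess(SAMPLE_EVIDENCE)
    for area, lvl in ratings.items():
        print(f"{area:42s} level {lvl} ({CAPABILITY_LEVELS[lvl]})")
    print("gaps to target 3:", gaps_to_target(ratings))
    print("overall (min, mean):", summary(ratings))
```

The cumulative rule in `capability_level` is the part worth keeping: a self-assessment that simply counts satisfied criteria would credit "Access control" with level 3 in the sample data, while the staged reading rates it at level 1 because the planning and tracking of level 2 is missing. Reporting the minimum alongside the mean keeps a single neglected area, here business continuity, from being averaged away.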
