16 July 2012

SMotW #15: HR security maturity

Security Metric of the Week #15: Human Resources security maturity

In order to explain the PRAGMATIC score for this week's example security metric, we first need to introduce you to the concept of security maturity metrics.  Bear with us.

Section 8 of ISO/IEC 27002:2005 lays out a suite of HR-based information security controls that apply to the pre-, para- and post-employment phases.  For example, prior to offering anyone a role, especially in a powerful/trusted position, wise organizations conduct suitable background checks to weed-out unsuitable candidates.  For highly sensitive government and military work, the security clearance process can involve an extensive range of checks including credit worthiness, criminal history, identity, qualifications, professional experience and character references, in addition to a structured interview process and on-the-job supervision/oversight during a probationary period.  For low-grade positions such as office cleaners, pre-employment checks tend to be trivial and in many cases are left to third parties supplying contract staff ... but while this is common practice, it creates information security risks that probably deserve more attention.  Office cleaners typically work alone out-of-hours and have ready access to IT equipment, paperwork and other valuables:   do you really want to let someone of unknown vintage and negligible loyalty, paid a minimal wage, loose in your office?

So-called maturity metrics are an excellent way to measure such complex situations.  The idea is simply to lay out a spectrum of good practice security controls ranging from trivial, negligible and weak up to extensive, leading-edge and strong.  Figuring out where an organization stands in relation to the spectrum of controls allows us to determine a maturity level or score. 

Maturity metrics are similar to the Capability Maturity Models originally created [and trademarked] by Carnegie Mellon University as a means to assess and measure software development practices.

Given the number of aspects relevant to information security, over the course of about two decades we have developed a tabular style maturity metric with rows for each type or area of control and columns for key points on the scale.  Cells in the body of the table contain examples of the controls, providing sufficient information to guide a competent reviewer in determining the most appropriate level and hence the score.

While scoring process is inevitably subjective, stating the scoring criteria makes it objective enough that different reviewers, auditors, managers, assessors etc. can gather, consider and discuss the evidence, generally reaching agreement on specific maturity scores.  

We have provided a suite of security maturity metrics based on the recommendations in ISO/IEC 27001 and 27002 as an appendix to our book.  As an example, here is one of the seven rows in the table covering section 8's HR security controls:

No human resources security
Basic human resources security
Good human resources security
Excellent human resources security
Information security rôles and responsibilities are entirely undocumented
Some information security rôles and responsibilities are documented, though not very well or consistently
Most information security rôles and responsibilities, including all the important ones, are assigned to individuals through being incorporated into vacancy notices, job descriptions and/or codes of conduct
Information security rôles and responsibilities are comprehensively documented, formally assigned to suitable individuals (typically in legally-binding contracts of employment or terms and conditions of employment), and are  proactively maintained
(e.g. periodically reconfirmed with the individual’s signature to confirm their acceptance)

The four columns correspond to maturity scores of 0%, 33%, 67% and 100% respectively.  There is a further implied scoring point at 50%, marking the divide between practices that are generally considered unacceptable and those that are broadly acceptable.

OK, so now let's look at the PRAGMATIC rating for this kind of metric:


The metric scores remarkably well, especially given that, while HR practices are undoubtedly relevant to information security, they are rather difficult to measure.  In fact, to our knowledge, very few organizations have decent security metrics in this area.  Most seem content with classical HR metrics such as the number of employees that have completed some form of security training, despite the fact that such metrics do not adequately reflect security in practice.  Did anyone actually learn anything from the training?  Did they actually change their behaviors as a consequence?  Or did they just turn up under sufferance and passively sit there just to get the tick on their personnel records?  The classical metric says practically nothing about these aspects.  [Feel free to determine the PRAGMATIC score for the classic metric as a homework exercise.  We'd be amazed if it scores anything remotely approaching 86%!]

There are further security maturity metrics in the book, corresponding to the remaining sections of ISO/IEC 27001 and 27002.  We'll expand on them in future metrics of the week but for now you will have to bide your time until the book is published, although we will try to address any questions in the comments to this blog.

No comments:

Post a Comment

Have your say!