This capability maturity model can be used to measure the maturity of an organization’s security risk management process and to assist its progress from the initial/ad-hoc state toward the optimized state.
The capability maturity model describes a maturity curve over five capability levels:
INITIAL: a poorly aligned function with undocumented strategies, manual management processes, no integrated systems, and heavy reliance on spreadsheets and manual documents.
REPEATABLE: a loosely aligned function supported by informal policies, applied to processes performed by personnel of mixed skill levels.
DEFINED: a strategic management structure is in place, with well-defined processes supported by an organized and highly trained team.
MANAGED: the function and its personnel are aligned with the organization's strategic plan, and its processes are measured and controlled against that plan.
OPTIMIZED: the management process runs at an optimal level, with best practices in full use and continuous improvement built in.
In this sample, an OPTIMIZED organization's technology processes optimize and leverage information through real-time security threat analysis.
The capability maturity model (CMM) is a framework that describes an improvement path from an ad-hoc, immature process to a mature, disciplined process focused on continuous improvement. The CMM defines the state of a process in a common language based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model.