Friday, 13 November 2009 12:54
The paper "GoCoMM: A Governance and Compliance Maturity Model", authored by Gabriela Gheorghe, Fabio Massacci, Stephan Neuhaus and Alexander Pretschner, was presented at The 1st ACM Workshop on Information Security Governance, which took place on November 13, 2009 at the Hyatt Regency, Chicago (USA). In this paper, the authors propose a maturity model for governance and compliance. Their starting point is the observation that traditional maturity models seem to be oriented towards auditors who need to ascertain whether or not an organisation is already compliant. Consequently, they offer procedures for checking compliance, but little advice on how to become compliant, or how to move from one level of maturity to the next. Additionally, the authors note that violations of security policies will probably always occur in sufficiently large organisations, so it is arguably more important for an organisation to show that it is in control of its processes (i.e., to show that it has done all that it could reasonably be expected to do) than to expend a large amount of resources trying to reduce the probability of policy violations by that last 0.01 per cent. The authors therefore propose a maturity model and an architecture for achieving the highest level of maturity. This model starts from analyses of the business and control objectives; in practice, these are regulations and other objectives with an impact on business process control. Using risk analysis, these objectives are then decomposed into smaller objectives until they are implementable. One result of this process is a measurable indicator of compliance, and also of the correct functioning and coverage of controls, for every objective. This makes it possible to have meaningful metrics on every organisational level and also to talk meaningfully about degrees of compliance.