• Security Maturity Assessments

  • Security Maturity Assessments are important for understanding the maturity level of your information security program. Crossroads Information Security performs security maturity assessments utilizing industry-standard frameworks such as:

    We then measure maturity levels against industry-standard security and control frameworks such as:

    A common approach is to measure maturity for the five functions of the NIST Cybersecurity Framework:

    • Identify
    • Protect
    • Detect
    • Respond
    • Recover

    Each of those five functions is then assigned a maturity level ranging from 0 to 5 utilizing the CMMI Maturity Model.

    The resulting Security Maturity Assessment gives insight into where your security program may be underinvested or overinvested across the five functions of the NIST Cybersecurity Framework, and how you compare to your industry peers or competitors.

    Gap Analysis

    One of the goals of a maturity assessment is to determine how to improve your information security program. We create a roadmap for your security program by performing a gap analysis. A gap analysis determines where your security program is today, what you want it to look like in the future, and which security initiatives are needed to bridge the gap.

    This approach provides our clients with a security roadmap, a gap analysis, and a 3-year roadmap for their security program. This is commonly referred to as a strategic plan for security.

    You can read more about what this looks like in a 3-part case study I wrote for the SANS Institute:

  • Specific Maturity Assessments

    In addition to performing security maturity assessments for information security programs we also measure the maturity of specific areas of information security that our clients are most concerned with.

  • Incident Response Maturity Assessments

    Incident response security assessments, also known as incident response capability assessments, measure the maturity of your organization's incident response program. We measure the maturity of incident response programs against the NIST Cybersecurity Framework, the CMMI maturity model, the C2M2 maturity model, and the PICERL (Prepare, Identify, Contain, Eradicate, Recover, and Lessons Learned) model for incident response. Part of the maturity assessment approach is also performing tabletop exercises to determine how operationalized the incident response program is.

  • Vendor Management Security Assessment

    Supply chain risk is at an all-time high. We've seen massive supply chain compromises where organizations were infiltrated through third-party hardware, services, and software. Vendor management programs help determine the supply chain risk when dealing with third-party vendors. We evaluate the processes and procedures of organizations' vendor management programs and advise on how to mature the program to better reduce risk for the organization.

  • Security Metrics Maturity Assessments

    Security metrics help security leaders deliver on information security programs. The problem is that metrics take a long time to mature, and organizations often lose sight of which metrics they need and who the appropriate audience for those metrics is. We evaluate the maturity level of your security metrics program at the technical, operational, and executive levels.

    We then review the organization's delivery and visualization methods for these metrics to ensure they are capturing the right metrics for the appropriate audience in the most efficient way possible.