What To Do First Quadrant
The quadrant is a visual aid for assessing and prioritizing security risk mitigation activities. Below you will find a more exhaustive overview of what needs to be prioritized. Use that, together with information from your own organization, to build your own quadrant.
Gauging IT Security Maturity
What follows below is a more comprehensive overview of IT security deliverables.
The deliverables are grouped into 4 phases that form a hierarchy of maturity.
Your organization may have completed one of the phases, or portions of several. The phases could be organized slightly differently, but the broad lines will be similar.
There will certainly be other parameters unique to your organization that are not listed below. In any case: build your own overview.
- Evaluate your current position for each control
- Identify gaps
- Prioritize implementations based on:
  - Current quadrant coverage
  - Risk profile
  - Compliance requirements
Implementation Strategy
- Before anything else, make sure you have the Essential Foundation controls covered
- Build towards Strategic Mitigation
- Add Supporting Controls to build efficiency
- Implement Specialized Needs based on specific requirements or business expectations
Phase 1: Foundation Building
Timeline: 0-6 months | Total Cost: 4-6% of IT spend
Identity & Access Management (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Password Management System | Password complexity compliance >98%; Password rotation compliance >95% (or, following NIST SP 800-63B, rotation only on evidence of compromise); Privileged account inventory accuracy >99% | Credential theft; Password spraying; Privilege escalation |
MFA Implementation | MFA coverage for all privileged accounts (phishing-resistant methods where possible); MFA enrollment >99% for standard users; Failed MFA attempts tracked | Account takeover; Phishing success; Credential stuffing |
Access Lifecycle Management | Account provisioning/deprovisioning within 24h; Quarterly access reviews completed; Orphaned accounts <1% | Unauthorized access; Access creep; Terminated employee access |
Privileged Access Management | PAM coverage >99% for admin accounts; Session recording for privileged access; Just-in-time access implemented | Admin credential abuse; Unauthorized elevation; Lateral movement |
Network Security (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Next-Gen Firewall | All ingress/egress traffic monitored; Rule review quarterly; Threat prevention enabled | Unauthorized access; Malware infiltration; Data exfiltration |
Network Segmentation | Critical assets isolated; Micro-segmentation for sensitive systems; Zero-trust architecture roadmap | Lateral movement; Network reconnaissance; Breach containment failure |
Secure Remote Access | All remote access encrypted; Split tunneling disabled; Device posture checking | VPN compromise; Remote access abuse; Malware propagation |
DNS & Email Security (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
DMARC/DKIM/SPF | DMARC at enforcement (p=quarantine or p=reject with pct=100); DKIM key rotation process; SPF coverage >99% of owned domains (non-sending domains published with "v=spf1 -all") | Email spoofing; Domain impersonation; Phishing campaigns |
Anti-phishing Controls | Phishing simulation click rate <5%; External email marking; Attachment scanning | Phishing attacks; Business email compromise; Malware via email |
DNS Security | DNSSEC implemented (owned zones signed, validation on resolvers); DNS filtering active; Registrar lock on owned domains; DNS query logging and monitoring | DNS cache poisoning; Domain hijacking; C2 communication |
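The "DMARC at enforcement" and "SPF coverage" criteria above are easy to state and easy to get wrong: a record with p=none, a pct below 100, or an SPF record ending in +all all look "deployed" at a glance. The following is an added example, not code from the original page, that evaluates constructed sample TXT records against those criteria. The domain names and records are made up for the example; a real check would fetch the records from DNS (the DMARC record lives at _dmarc.<domain>).

```python
"""Check DMARC/SPF records against the 'DMARC at enforcement' and
'SPF coverage' success criteria.

Added example for this page (not code from the original). The TXT
records below are constructed samples; a real check would fetch them
from DNS (for DMARC the record lives at _dmarc.<domain>).
"""
from __future__ import annotations

# Constructed sample records for three fictional sending domains.
SAMPLE_RECORDS = {
    "example.com": {
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
        "spf": "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all",
    },
    "example.org": {
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
        "spf": "v=spf1 mx ~all",
    },
    "example.net": {
        "dmarc": "v=DMARC1; p=quarantine; pct=50; sp=none",
        "spf": "v=spf1 a mx include:a.example include:b.example ptr +all",
    },
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps them at 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lowercase tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def dmarc_at_enforcement(record: str) -> tuple[bool, str]:
    """'At enforcement' means p=quarantine or p=reject applied to 100% of
    mail (pct defaults to 100) with subdomains not downgraded via sp=none."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'missing'} is monitoring only"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return False, f"pct={pct} leaves part of the mail stream unenforced"
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none":
        return False, "sp=none leaves subdomains unenforced"
    return True, f"p={policy} sp={sub_policy} pct={pct}"


def spf_lookup_count(record: str) -> int:
    """Count top-level lookup-triggering terms. Included records are not
    followed here, so this is a lower bound on the real total."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]
        if name.lower() in SPF_LOOKUP_TERMS:
            count += 1
    return count


def spf_is_strict(record: str) -> tuple[bool, str]:
    """SPF 'covers' a domain when it ends in -all or ~all and stays under
    the 10-lookup limit; +all or ?all authorises any sender."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF record"
    if spf_lookup_count(record) > 10:
        return False, "more than 10 DNS lookups (permerror)"
    last = terms[-1].lower()
    if last in ("-all", "~all"):
        return True, f"terminates with {last}"
    if last in ("+all", "?all", "all"):
        return False, f"{last} permits any sender"
    return False, "no terminal 'all' mechanism"


def assess(records: dict[str, dict[str, str]]) -> dict:
    """Per-domain verdicts plus the coverage percentages the criteria ask for."""
    per_domain = {}
    for domain, rec in records.items():
        d_ok, d_why = dmarc_at_enforcement(rec.get("dmarc", ""))
        s_ok, s_why = spf_is_strict(rec.get("spf", ""))
        per_domain[domain] = {"dmarc_enforced": d_ok, "dmarc_reason": d_why,
                              "spf_strict": s_ok, "spf_reason": s_why}
    total = len(per_domain) or 1
    coverage = {
        "dmarc_enforced_pct": round(100 * sum(v["dmarc_enforced"] for v in per_domain.values()) / total, 1),
        "spf_strict_pct": round(100 * sum(v["spf_strict"] for v in per_domain.values()) / total, 1),
    }
    return {"domains": per_domain, "coverage": coverage}


if __name__ == "__main__":
    result = assess(SAMPLE_RECORDS)
    for domain, verdict in result["domains"].items():
        print(f"{domain}: DMARC {verdict['dmarc_reason']}; SPF {verdict['spf_reason']}")
    print("coverage:", result["coverage"])
```

The lookup count only inspects the top-level record; every include: adds the lookups of the included record to the same RFC 7208 budget of 10, so treat the number as a lower bound when records are nested.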
Backup & Recovery (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Air-gapped Backup | Weekly offline or immutable backups; Quarterly restore testing; Geographic separation; Encryption of backups | Ransomware infection; Malicious deletion; Site-wide disaster |
Recovery Procedures | RTO/RPO defined and tested; Critical system priority list; Emergency access procedures | Extended downtime; Data loss; Business continuity failure |
Chain of Custody | Physical access logs; Backup media tracking; Authorization procedures | Insider threats; Media theft; Unauthorized restoration |
Legacy Systems Management (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Unsupported OS Management | Complete inventory; Isolation from critical systems; Compensating controls documented | Unpatched vulnerabilities; Lateral movement; Compliance violations |
Legacy Hardware Control | Firmware inventory; Network isolation; Access restrictions | Firmware exploitation; Network compromise; Unauthorized access |
Legacy Applications Control | Software inventory; Network isolation; Access restrictions | Software exploitation; Network compromise; Unauthorized access |
Legacy Middleware Control | Software inventory; Network isolation; Access restrictions | Software exploitation; Network compromise; Unauthorized access |
Printer Security | Default credentials changed; Updated firmware; Secure protocols enabled (legacy services such as Telnet/FTP disabled) | Print server compromise; Network infiltration; Data leakage |
Enhanced Email Security (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Anti-phishing Controls | Phishing simulation click rate <5%; External email marking; Link protection enabled | Phishing success; Credential theft; Malware infection |
User Training | Quarterly training completion >95%; Phishing reporting rate >80%; Reduced click rates | Social engineering; Human error; Awareness gaps |
Attachment Control | Sandbox analysis; Blocked file types; Zero-day protection | Malware delivery; Ransomware infection; Data loss |
Cloud Infrastructure Security (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Cloud IAM | Role-based access; Service accounts managed; Key rotation; Privilege inventory; Just-in-time access | Account takeover; Privilege escalation; Key compromise; Identity sprawl |
Cloud Network | VPC segmentation; Peering controls; Load balancer security; Transit encryption | Network exposure; Cross-account access; Data interception; Unauthorized routing |
Cloud Storage | Bucket policies (public access blocked by default); Encryption settings; Access logging; Data classification; Lifecycle policies | Data leakage; Public exposure; Data loss; Compliance violations |
Operational Technology (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Building Management | Access control systems; CCTV monitoring; Environmental controls; Emergency systems; Maintenance access | Unauthorized entry; System sabotage; Environmental threats; Safety incidents |
HVAC Systems | Network isolation; Access logging; Temperature monitoring; Maintenance protocols | System manipulation; Environmental damage; Equipment failure; Unauthorized control |
Industrial Control | Air-gapped networks; Change management; Vendor access control; Backup controls | Production disruption; Safety incidents; System tampering; Unauthorized changes |
Manufacturing Control Systems (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
PLC Security | Firmware management; Program backup; Access control; Change monitoring; Network isolation | Production tampering; Safety incidents; Unauthorized changes; Program loss; System hijacking |
SCADA Systems | Network segmentation; Protocol security; Command validation; Monitoring systems; Backup controls | System takeover; Data manipulation; Unauthorized control; Production sabotage |
HMI Security | Access controls; Screen locking; Input validation; Session management; Change logging | Unauthorized operation; Screen hijacking; False commands; Operator spoofing |
Production Line Systems (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Robotics Security | Safety systems; Movement control; Program integrity; Emergency stops; Access zones | Safety breaches; Program tampering; Unauthorized control; Collision risks |
Vision Systems | Image integrity; Calibration control; Result validation; Access management | Quality issues; False readings; System manipulation; Data theft |
Sensor Networks | Data integrity; Calibration management; Reading validation; Alert systems | False readings; Safety issues; Quality problems; Process deviation |
Industrial Network Security (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
OT Network Segregation | Air gaps/Data diodes; VLAN separation; Protocol filtering; Traffic monitoring | IT/OT breach; Network attacks; Protocol abuse; Lateral movement |
Industrial Protocols | Protocol security; Command validation; Traffic monitoring; Encryption where possible | Protocol attacks; Command injection; Data manipulation; Communication breach |
Remote Access | Secure VPN; MFA implementation; Access logging; Vendor management | Unauthorized access; Remote attacks; Vendor breaches; Access abuse |
Process Control (P0)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Recipe Management | Version control; Access rights; Change tracking; Backup systems | Recipe tampering; Quality issues; Production errors; Knowledge loss |
Batch Control | Process validation; Parameter control; Data logging; Exception handling | Batch failure; Quality issues; Process deviation; Production loss |
Process Monitoring | Real-time monitoring; Alert systems; Data validation; Trend analysis | Process drift; Late detection; Quality issues; Efficiency loss |
Phase 2: Enhanced Security
Timeline: 6-12 months | Total Cost: 5-7% of IT spend
IDS/IPS Implementation (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Network IDS | Coverage of all critical segments; Custom rule sets for the environment; 24/7 monitoring | Network attacks; Protocol abuse; Known-exploit traffic |
Host IDS | Critical server coverage 100%; Endpoint correlation; Behavior baseline established | Host compromise; Rootkit installation; Process injection |
Alert Management | False positive rate <10%; Critical alert response <15min; Alert tuning process | Alert fatigue; Missed detections; Response delays |
IoT Security (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
IoT Network Segregation | Dedicated VLAN; Firewall rules; Traffic monitoring | Network compromise; Device hijacking; Data exfiltration |
IoT Asset Management | Complete inventory; Firmware versions tracked; Update procedures | Unknown devices; Outdated firmware; Unpatched vulnerabilities |
IoT Access Control | Default passwords changed; Access logging; Authentication requirements | Unauthorized access; Device tampering; Credential theft |
Application Security (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Custom Applications | SAST/DAST implemented; Security in SDLC; Dependencies tracked (SBOM); Secure coding standards; Regular pen testing | Code vulnerabilities; Supply chain attacks; Technical debt; Insecure deployments |
Web Applications | WAF implementation; Session management; Input validation; CSP headers; TLS configuration | Injection attacks; Session hijacking; XSS/CSRF; Data exposure |
Mobile Applications | Code signing; API security; Data encryption; Secure authentication; App store compliance | App cloning; Data leakage; Reverse engineering; Insecure data storage |
Middleware & Integration Security (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
API Security | API gateway implemented; Rate limiting; Authentication/Authorization; Input validation; API inventory | API abuse; Data exposure; Service disruption; Unauthorized access |
Message Queues | Queue encryption; Access controls; Message signing; Monitoring implemented | Message tampering; Information disclosure; Queue flooding; Replay attacks |
ETL Processes | Data classification; Process monitoring; Error handling; Audit logging | Data leakage; Process manipulation; Data corruption; Unauthorized transfers |
Cloud Services Management (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Serverless Security | Function permissions; Dependency scanning; Runtime protection; Execution limits | Function abuse; Code injection; Resource exhaustion; Dependency vulnerabilities |
Container Security | Image scanning; Runtime security; Registry controls; Pod security; Network policies | Malicious images; Container escape; Registry compromise; Cross-pod attacks |
Database-as-a-Service | Encryption settings; Backup config; Access controls; Performance monitoring | Data breach; Service disruption; Resource exhaustion; Unauthorized access |
Cloud Cost & Resource Security (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Resource Governance | Budget alerts; Resource tagging; Quota management; Cleanup automation | Cost overruns; Resource sprawl; Orphaned resources; Budget breaches |
Service Limits | Limit monitoring; Usage tracking; Scaling policies; Resource optimization | Service disruption; Performance issues; Capacity limits; Resource exhaustion |
Multi-Cloud Security | Policy consistency; Identity federation; Cross-cloud monitoring; Unified logging | Policy gaps; Identity silos; Visibility gaps; Compliance inconsistency |
Physical Security Systems (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Badge Systems | Credential management; Zone control; Integration security; Audit logging | Unauthorized access; Credential cloning; Zone breaches; Log tampering |
Security Cameras | Feed encryption; Storage management; Access controls; Retention policies | Feed interception; Storage breach; Unauthorized viewing; Evidence tampering |
Emergency Systems | Alert management; System testing; Integration security; Override controls | System failure; False alarms; Response delays; Control compromise |
Industry-Specific Systems (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Medical Devices | FDA compliance; Network isolation; Update management; Data protection | Patient safety; Data breach; Device tampering; Compliance violations |
POS Systems | PCI DSS compliance; Transaction security; Key management; Network isolation | Payment fraud; Data theft; System compromise; Financial loss |
Laboratory Equipment | Data integrity; Access controls; Calibration management; Result protection | Result tampering; Equipment abuse; Data falsification; Quality compromise |
Facilities Management (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Smart Lighting | Network isolation; Schedule control; Override security; Integration protection | Energy waste; System abuse; Schedule tampering; Control compromise |
Elevator Systems | Safety controls; Access management; Monitoring systems; Emergency override | Safety incidents; Unauthorized access; Service disruption; System tampering |
Water Management | Quality monitoring; Access controls; Alert systems; Treatment security | Water quality; System tampering; Safety incidents; Monitoring breach |
Manufacturing Support Systems (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
MES Systems | Production tracking; Data integrity; Access control; Integration security; Change management | Production data loss; Process manipulation; Quality issues; Tracking failures |
Quality Control Systems | Test data integrity; Calibration management; Result protection; Access controls | False quality data; Test manipulation; Standard violations; Compliance issues |
Material Handling | Inventory accuracy; Movement tracking; Access control; Safety systems | Inventory theft; Routing errors; Safety incidents; Process disruption |
Shop Floor Systems (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Workstation Security | Access control; USB protection; Software control; Update management | Malware infection; Data theft; Unauthorized use; System compromise |
Mobile Devices | Device management; App control; Data protection; Network access | Data leakage; Device compromise; Network breach; Unauthorized apps |
Digital Tools | Calibration control; Data integrity; Access management; Result validation | False measurements; Tool tampering; Quality issues; Data manipulation |
Production Environment (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Environmental Controls | Parameter monitoring; Alert systems; Access control; Backup systems | Production damage; Quality issues; Safety incidents; Environment breach |
Power Systems | UPS management; Power monitoring; Surge protection; Backup power | Production stops; Equipment damage; Data loss; Safety issues |
Compressed Air | System monitoring; Quality control; Pressure management; Safety systems | Production quality; System failure; Safety incidents; Energy waste |
Maintenance Systems (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Predictive Maintenance | Sensor security; Data integrity; Alert management; Access control | Missed maintenance; False alerts; Equipment damage; Production loss |
Tool Management | Inventory control; Calibration tracking; Access rights; Usage logging | Tool loss; Quality issues; Unauthorized use; Compliance breach |
Spare Parts | Inventory security; Access control; Usage tracking; Reorder protection | Parts theft; Stock-outs; Counterfeit parts; Cost inflation |
Third-Party Vendor Management (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Access Management | Vendor inventory; Access reviews; Just-in-time access; Activity monitoring | Unauthorized access; Privilege abuse; Account persistence; Vendor compromise |
Security Assessment | Initial security review; Annual reassessment; Compliance verification; Incident reporting | Vendor breaches; Non-compliance; Security gaps; Delayed notifications |
Contract Management | Security requirements; SLA monitoring; Incident response plans; Exit strategies | Contract breach; Service disruption; Legal exposure; Vendor lock-in |
Communication Systems (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
VoIP Systems | Call encryption; Access control; QoS management; Fraud prevention | Call interception; Toll fraud; Service abuse; Quality issues |
Radio Systems | Transmission security; Device management; Channel control; Emergency priority | Communication breach; Unauthorized use; Signal interference; Priority override |
Paging Systems | Message security; Device control; Coverage management; Integration security | Message interception; System abuse; Coverage gaps; Unauthorized access |
Development Environment Security (P1)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Code Repositories | Access control; Secret scanning; Branch protection; Backup procedures | Code theft; Secret exposure; Unauthorized changes; Repository loss |
CI/CD Pipeline | Pipeline security; Artifact signing; Deployment controls; Environment separation | Pipeline injection; Malicious builds; Unauthorized deploys; Environment compromise |
Test Data Management | Data masking; Access controls; Refresh procedures; Data cleanup | Data exposure; Privacy violations; Test data leaks; Compliance issues |
Phase 3: Advanced Capabilities
Timeline: 12-24 months | Total Cost: 6-8% of IT spend
SIEM Implementation (P2)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Log Collection | >90% log source coverage; Log retention compliance; Log integrity verification | Missing security events; Compliance violations; Forensics gaps |
Use Case Development | Critical scenarios covered; Business context integration; Regular effectiveness review | Detection gaps; False negatives; Context loss |
Correlation Rules | Multi-source correlation; Custom rule effectiveness >85%; Regular rule updates | Complex attacks missed; Alert overload; Detection delay |
XDR Deployment (P2)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Endpoint Integration | >95% endpoint coverage; Real-time response capability; Offline protection | Endpoint compromise; Malware spread; Data theft |
Network Integration | Full packet capture; Protocol analysis; Threat hunting capability | Network attacks; Lateral movement; Data exfiltration |
Response Automation | Playbook coverage >80%; Response time <5min; Automation success rate tracked | Slow response; Human error; Inconsistent actions |
Specialized Systems (P2)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Time and Attendance | Data accuracy; Integration security; Access controls; Audit logging | Time fraud; Payroll errors; Data manipulation; Compliance issues |
Parking Systems | Access control; Payment security; Camera integration; Emergency override | Unauthorized access; Payment fraud; Safety incidents; System abuse |
Cafeteria/Vending | Payment security; Network isolation; Inventory control; Access management | Payment fraud; System manipulation; Inventory theft; Data exposure |
Additional Specialized Systems (P2)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
Digital Signage | Content control; Network isolation; Update management; Display monitoring | Content hijacking; System abuse; Unauthorized messages; Display compromise |
Conference Systems | Access controls; Meeting security; Recording management; Integration security | Meeting hijacking; Data leakage; Recording exposure; Unauthorized access |
Visitor Management | Identity verification; Access provisioning; Log retention; Integration security | Unauthorized entry; Data privacy breach; Policy violations; System bypass |
Phase 4: Enterprise Maturity
Timeline: 24-36 months | Total Cost: 7-10% of IT spend
Security Operations (P3)
Implementation | Success Criteria | Risks Mitigated |
---|---|---|
24/7 SOC | Coverage verification; SLA compliance >99%; Incident handling metrics | Delayed detection; Poor response; Missing incidents |
Threat Hunting | Regular hunt campaigns; Threat intel integration; Hunt effectiveness metrics | APT presence; Undetected threats; Dormant malware |
Incident Response | IR plan tested quarterly; Team certification current; Response metrics met | Poor incident handling; Business impact; Reputation damage |
Maturity Assessment Scoring
Perhaps the quickest way to get an idea of your IT security maturity level is to count points.
Individual Control Risk Categories
Point Range | Risk Level | Action Required |
---|---|---|
0-2 points | Optimized | Maintain & Monitor |
3-4 points | Managed | Fine-tune & Improve |
5-6 points | Elevated | Immediate Attention |
7-9 points | Critical | Emergency Response |
Enterprise Risk Categories
Average Points | Risk Level | Status | Required Actions |
---|---|---|---|
0-2.0 | Optimized | Organization demonstrates mature security practices | • Maintain current controls • Monitor for changes • Focus on automation • Enhance efficiency |
2.1-4.0 | Managed | Organization has effective controls with improvement areas | • Address gaps systematically • Improve documentation • Enhance monitoring • Strengthen controls |
4.1-6.0 | Elevated | Significant gaps requiring immediate attention | • Immediate risk mitigation • Resource allocation • Executive reporting • Control enhancement |
6.1-9.0 | Critical | Major vulnerabilities requiring emergency remediation | • Emergency response • Crisis management • Executive escalation • Immediate remediation |
Calculation Method
Per Control Area
Control Area Risk Score = Implementation Status + Success Criteria + Control Effectiveness
Each of the three components is scored from 0 (best) to 3 (worst), so a control area scores between 0 (best) and 9 (worst) points. The scales used in the example below are: Implementation Status: Fully (0), Mostly (1), Partially (2), Not (3); Success Criteria: share of success criteria met, from 0 (at least 95% met) to 3 (largely unmet); Control Effectiveness: Comprehensive (0), Substantial (1), Moderate (2), Low (3).
Enterprise Score
Enterprise Risk Score = (Σ Control Area Risk Scores) / (Number of Control Areas)
- Calculate the risk score for each control area
- Sum the scores across all areas
- Divide by the number of control areas; the result, between 0 (best) and 9 (worst) and rounded to one decimal, is the Enterprise Risk Score
Practical Example
Assessed Control Areas
- Access Management
  - Implementation: Mostly (1)
  - Success: 88% met (1)
  - Effectiveness: Substantial (1)
  - Area Score: 3
- Network Security
  - Implementation: Fully (0)
  - Success: 96% met (0)
  - Effectiveness: Comprehensive (0)
  - Area Score: 0
- Cloud Security
  - Implementation: Partially (2)
  - Success: 75% met (2)
  - Effectiveness: Moderate (2)
  - Area Score: 6
- Endpoint Protection
  - Implementation: Mostly (1)
  - Success: 90% met (1)
  - Effectiveness: Substantial (1)
  - Area Score: 3
- Data Protection
  - Implementation: Not (3)
  - Success: 20% met (3)
  - Effectiveness: Low (3)
  - Area Score: 9 (the maximum an area can score)
Calculation
Enterprise Risk Score = (3 + 0 + 6 + 3 + 9) / 5 = 21 / 5 = 4.2
Interpretation
A score of 4.2 falls in the "Elevated" category (4.1-6.0): significant gaps requiring immediate attention. Note that Data Protection on its own scores 9 ("Critical", emergency response) and the average hides this, which is why individual control scores must be reported alongside the enterprise score.
- Immediate risk mitigation
- Resource allocation
- Executive reporting
- Control enhancement
Here’s a chart showing the risk distribution for the 5 selected assessment areas:
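The calculation method and the practical example above, implemented as an added example (not code from the original page). The 0-3 point scale per component and the percentage bands for "success criteria met" are assumptions inferred from the worked example; the individual and enterprise risk categories are the page's own. Adjust the scales to your organization's scoring rules.

```python
"""Maturity assessment scoring: per-control-area risk score, enterprise
average and risk level, following the calculation method above.

Added example for this page, not code from the original. The point
scales for each component (0 best to 3 worst) and the percentage bands
for 'success criteria met' are assumptions inferred from the worked
example; the risk categories are taken from the page's tables.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed component scales (each 0..3, so an area scores 0..9).
IMPLEMENTATION_POINTS = {"fully": 0, "mostly": 1, "partially": 2, "not": 3}
EFFECTIVENESS_POINTS = {"comprehensive": 0, "substantial": 1, "moderate": 2, "low": 3}

# Individual control risk categories: (upper bound, level, action required).
AREA_LEVELS = [(2, "Optimized", "Maintain & Monitor"),
               (4, "Managed", "Fine-tune & Improve"),
               (6, "Elevated", "Immediate Attention"),
               (9, "Critical", "Emergency Response")]

# Enterprise risk categories, applied to the average rounded to one decimal.
ENTERPRISE_LEVELS = [(2.0, "Optimized"), (4.0, "Managed"),
                     (6.0, "Elevated"), (9.0, "Critical")]


@dataclass(frozen=True)
class ControlArea:
    name: str
    implementation: str   # fully | mostly | partially | not
    success_pct: float    # share of success criteria met, 0..100
    effectiveness: str    # comprehensive | substantial | moderate | low


def success_points(pct_met: float) -> int:
    """Assumed bands: >=95% -> 0, >=85% -> 1, >=70% -> 2, below -> 3."""
    if not 0 <= pct_met <= 100:
        raise ValueError(f"success_pct out of range: {pct_met}")
    if pct_met >= 95:
        return 0
    if pct_met >= 85:
        return 1
    if pct_met >= 70:
        return 2
    return 3


def area_score(area: ControlArea) -> int:
    """Implementation Status + Success Criteria + Control Effectiveness (0..9)."""
    score = (IMPLEMENTATION_POINTS[area.implementation.lower()]
             + success_points(area.success_pct)
             + EFFECTIVENESS_POINTS[area.effectiveness.lower()])
    if not 0 <= score <= 9:  # cannot happen with the scales above; guards edited tables
        raise ValueError(f"area score out of range for {area.name}: {score}")
    return score


def area_level(score: int) -> tuple[str, str]:
    """Map an area score to (risk level, action required)."""
    for upper, level, action in AREA_LEVELS:
        if score <= upper:
            return level, action
    raise ValueError(f"area score out of range: {score}")


def enterprise_score(areas: list[ControlArea]) -> float:
    """Average of the area scores, rounded to one decimal to match the bands."""
    if not areas:
        raise ValueError("no control areas assessed")
    return round(sum(area_score(a) for a in areas) / len(areas), 1)


def enterprise_level(score: float) -> str:
    """Map a (rounded) enterprise score to its risk level."""
    for upper, level in ENTERPRISE_LEVELS:
        if score <= upper:
            return level
    raise ValueError(f"enterprise score out of range: {score}")


# The five control areas from the practical example above.
EXAMPLE_AREAS = [
    ControlArea("Access Management", "mostly", 88, "substantial"),
    ControlArea("Network Security", "fully", 96, "comprehensive"),
    ControlArea("Cloud Security", "partially", 75, "moderate"),
    ControlArea("Endpoint Protection", "mostly", 90, "substantial"),
    ControlArea("Data Protection", "not", 20, "low"),
]


def report(areas: list[ControlArea]) -> list[str]:
    """One line per area plus the enterprise line, so a critical area is never hidden."""
    lines = [f"{a.name}: {area_score(a)} ({area_level(area_score(a))[0]})" for a in areas]
    total = enterprise_score(areas)
    lines.append(f"Enterprise Risk Score: {total} ({enterprise_level(total)})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(EXAMPLE_AREAS)))
```

Because the enterprise figure is an average, a single area at 9 can sit behind an "Elevated" or even "Managed" headline number; the report therefore always lists the per-area scores next to the average, as the reporting requirements below ask.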
Assessment Guidelines
Scoring Best Practices
- Evidence-based scoring
- Independent verification
- Regular reassessment (quarterly)
- Documented justification
- Peer review of scores
Trend Analysis
- Track scores over time
- Monitor risk level changes
- Document improvements
- Note degradation
- Identify patterns
Reporting Requirements
- Individual control scores
- Enterprise risk score
- Change from previous assessment
- Remediation progress
- Resource requirements
Using the Maturity Assessment
- Evaluate your current position for each control
- Identify gaps in high-impact quadrants
- Prioritize implementations based on:
  - Current quadrant coverage
  - Resource availability
  - Risk profile
  - Compliance requirements
Implementation Strategy
- Start with Essential Foundation controls
- Build towards Strategic Projects
- Add Supporting Controls as resources allow
- Implement Specialized Needs based on specific requirements
Remember to customize success criteria and risk mappings based on your organization’s specific context and requirements.