overlaps depending upon the organization’s structure
and progress in building an assurance program.
Functionally, these indicate synergies or optimizations in Activity implementation if the Related Level is also a goal or already in place.

Conducting Assessments
By measuring an organization against the defined Security Practices, an overall picture of built-in security assurance activities is created. This type of assessment is useful for understanding the breadth of security activities currently in place at an organization. Further, it enables that organization to then utilize SAMM to create a future roadmap for iterative improvement.
The process of conducting an assessment is simply evaluating an organization to determine the Maturity Level at which it is performing. The extent to which an organization’s performance is checked will usually vary according to the drivers behind the assessment, but in general, there are two recommended styles:
✦Lightweight - The assessment worksheets for each Practice are evaluated and scores are assigned based on answers. This type of assessment is usually sufficient for an organization that is trying to map its existing assurance program into SAMM and just wants to get a quick picture of where it stands.
✦Detailed - After completion of the assessment worksheets, additional audit work is performed to check the organization to ensure the Activities prescribed by each Practice are in place. Additionally, since each Practice also specifies Success Metrics, that data should be collected to ensure that the organization is performing as expected.

[Figure: assessment flow - Start; complete worksheets; assessment type? lightweight: assign a score per Practice, done; detailed: audit each Practice, then assign a score, done]
Existing assurance programs might not always consist of activities that neatly fall on a boundary between Maturity Levels, e.g. an organization that assesses to a Level 1 for a given Practice might also have additional activities in place but not such that Level 2 is completed. For such cases, the organization’s score should be annotated with a “+” symbol to indicate there are additional assurances in place beyond those indicated by the Level obtained. For example, an organization that is performing all Level 1 Activities for Operational Enablement as well as one Level 2 or 3 Activity would be assigned a “1+” score. Likewise, an organization performing all Activities for a Security Practice, including some beyond the scope of SAMM, would be given a “3+” score.

[Figure: assessment score scale - 0, 0+, 1, 1+, 2, 2+, 3, 3+]

SAMM / Applying the Model - v1.0

Scoring an organization using the assessment worksheets is straightforward. After answering the questions, evaluate the answer column to determine the Level. It is indicated by affirmative answers on all questions above the markers to the right of the answer column.
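The scoring rule just described (a Level is reached only when every question at that Level and below is answered Yes; any Yes above the Level reached, or activities beyond SAMM's scope at Level 3, adds a “+”) as a small scorer. This is an added example, not part of the SAMM document; the worksheet layout it assumes (answers recorded per Maturity Level) and the sample answers are constructed.

```python
"""Score SAMM Security Practices from assessment-worksheet answers.

Added example, not from the SAMM document. Assumes each worksheet is a
mapping {maturity_level: [True/False per question]} for Levels 1..3.
"""
from typing import Dict, List

Worksheet = Dict[int, List[bool]]


def score_practice(answers: Worksheet, beyond_samm: bool = False) -> str:
    """Return a SAMM score such as '0', '1+', '2' or '3+'.

    beyond_samm: the organization performs extra activities outside SAMM's
    scope; only relevant once all three Levels are complete.
    """
    level = 0
    # Climb Levels while every question at that Level is affirmative.
    for lvl in (1, 2, 3):
        if answers.get(lvl) and all(answers[lvl]):
            level = lvl
        else:
            break
    # A "+" marks assurances in place beyond the Level obtained.
    if level == 3:
        extra = beyond_samm
    else:
        extra = any(any(answers.get(lvl, [])) for lvl in range(level + 1, 4))
    return f"{level}{'+' if extra else ''}"


def score_organization(worksheets: Dict[str, Worksheet]) -> Dict[str, str]:
    """Score every Practice in a set of worksheets."""
    return {name: score_practice(ans) for name, ans in worksheets.items()}


if __name__ == "__main__":
    # Constructed sample answers; question counts per Level are illustrative.
    sample = {
        "Operational Enablement": {1: [True, True], 2: [True, False], 3: [False, False]},
        "Strategy & Metrics": {1: [True, False], 2: [False, False], 3: [False, False]},
        "Code Review": {1: [True, True], 2: [True, True], 3: [True, True]},
    }
    for practice, score in score_organization(sample).items():
        print(f"{practice}: {score}")  # 1+, 0+, 3
```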
Governance

Assessment worksheet: Strategy & Metrics (Yes/No)
✦Is there a software se...