Assessing risk begins with baselining: establishing the current state so that the gap to the desired target state can be measured. Progress is then tracked by meeting milestones and objectives, i.e. as a maturing process. For example, a capability maturity model (CMM) applied to security has the following levels, ordered from least to most mature:
- Level 1: Initial – informal
- Level 2: Documented Strategy & Principles – formalizing
- Level 3: Adaptive Security Architecture – well defined
- Level 4: Baseline Security Standards – quantitatively controlled
- Level 5: Security Organization & Roadmap – optimized
Give examples of risk at each of these levels, and explain how each level mitigates the risks that remain at the previous level.