Business Model Process with 60+ New Business Hacks 2019
No organization wants to take unnecessary risk. No business leader wants to do anything intentionally that would negatively harm the organization or themselves. Every business leader is accountable for something specific that eventually contributes to desired business outcomes.
Business leaders set the framework and direction for the team to do the right things and believe they are doing the right things. If this is the case, we ask, why are business leaders concerned about security?
Why don’t business managers like the security solutions proposed by Information Technology (IT) teams? Why do organizations continue to be surprised by security incidents?
The answer seems to be obvious – misplaced accountability for securing business operations. Business thinks IT is accountable for security, but IT alone cannot set clear expectations, develop the clear capability, set the key performance indicators for the business outcome, and take appropriate risks.
In this post, we provide the details of Business Model Process and Types What It is 2018 to elaborate what it is and how it can be used by the business leaders for planning, prioritizing, communicating, and monitoring the state of capabilities required for secured business operations.
The secured business model provides a bridge between the business objectives and underlying business practices and technology solutions for secure business operations. This blog explains 60+ New Business Hacks for Business Model Process in 2019.
The model helps business leaders articulate their goals and objectives into a set of clear and directional statements about what must be prevented or protected, ensure alignment, establish the appropriate freedom within the framework, set expectations, and monitor progress and outcomes.
This model helps operational and line managers in scoping, driving cross-functional alignment, managing a portfolio, and measuring and communicating the value of their initiatives. The next post provides detailed insight into the secured operating model in support of the secured business model.
Secured Business Model
The heart of every effective business management is a business model, defining the purpose, value proposition, and core – differentiating capabilities. For secured business operations, the Secured Business Model provides an information security capability map from a business perspective.
It is used to determine the organization’s current risk posture, and the required capabilities for the required secured business posture.
In addition, the model provides the guidance for closing the gaps and acts as a vehicle for monitoring the execution. The capabilities are organized in five performance domains.
Each performance domain includes a set of capability building blocks. Each capability building block is characterized across five maturity or performance levels. Figure outlines the five Ps with their top-level capability building blocks.
One cannot clap with one hand. Business leaders must focus on all these five performance domains collectively to ensure that they have the right capabilities and are providing a clear direction to everyone in the organization for conducting business operations with the required security risk resilience.
Prevent performance domain represents what an organization is preventing or should be preventing from happening. Any occurrence of unauthorized access, leakage, failure, denial of service, or errors and fraud will have a detrimental impact on the organization’s ability to conduct and maintain business operations.
The table lists the key capabilities in the prevent domain. Based on the current and desired business engagement with customers, partners, and employees, business management can identify what must be prevented.
Prevent Capability Building Blocks
Unauthorized Today, most organizational assets are digitized. Limiting the right Access access to the right people at the right time is the most crucial to prevent cyber-attacks. Prevent unauthorized access and identify undesired access granted.
The extent of prevention depends upon the extent of business engagement and process/system exposure. Business must take ownership in establishing the appropriate access controls.
Prevent unintended and unplanned leakage of information and Leakage of intellectual property (IP) of the organization. Business must define the type of information and IP that must be prevented from any leakage, for example, information related to employees, customers, partners, products, services, and associated transactions.
Unplanned disruption in the functioning of a core organization Failures and information assets could pose risk to business continuity and security of business operations. Prevent unplanned and unnecessary failures in ongoing operations for mitigating associated business continuity risks.
Business must make sure all aspects of secured business operations are considered holistically for preventing unplanned failures. Errors and Prevent human errors and potential fraud by internal or external Fraud people or organizations. Technology cannot prevent all errors.
Business has the knowledge of processes and the context. Business must define what errors and fraud must be prevented.
The PROTECT performance domain represents what is or must be guarded against any lasting damage to integrity and trust within and outside the organization.
Protect Capability Building Blocks Credentials
Protect and preserve credentials and any information deemed and Sensitive sensitive by the organization from any harm.
Business must take ownership in defining the credentials and sensitive information and appropriate controls for guarding such information.
Protect information from any tempering during transmission of the information, or while being kept in any kind of storage. It is required for the information to be trusted by the recipient or consumer. Business must define appropriate rules to maintain the integrity of information produced or acquired.
Protect the privacy of information and transaction while communicating or sharing information between people, processes, and devices regardless of their location or means of communication.
Business only can define the privacy level required and must create the capability to define these levels and associate an appropriate level for every information asset.
Process Continuity Protect people, processes, interactions, and transactions from disruptions of any kind, for example, denial of service, could pose risk and lead to security breaches.
The continuity in business terms is about a smooth and uninterrupted flow of information. Business must identify what must be protected for business continuity and ensure the appropriate measures are in place.
POLICY performance domain addresses the polity or governance with appropriate organizational policies, decision rights, and processes for safe and secure business operations.
Rules and A control is an actionable pre-decided policy statement for offering Controls secured business operations for a business situation or for an external regulatory requirement. This control requires one or more rules to put it into action. A rule is a binding statement that is set for managing some business situation.
A rule can be leveraged by one or more controls. Establish guiding principles, governing rules, and controls for ensuring appropriate design and implementation of security-related procedures. It is important that business takes accountability to define these rules and controls for securing business operations.
A decision for planning and managing security risk may require Making support of business leaders across business functions. Business must define decisions rights, processes, and measures for ensuring appropriate behavior across the organization in a structured manner. Life Cycle Every asset has a useful life beyond which its value deteriorates.
To sustain secured business operations through business innovations or changes in the business environment, business management must review, replace, and retire past decisions, controls, rules, processes, and structures to keep them aligned with the changing business dynamics.
Business must take responsibility to define lifecycle management of rules and controls for managing, at all times, desired security risk levels.
Business leaders are periodically making strategic and tactical decisions, Management requiring either a change in the existing capabilities or, development of new capabilities.
Introduction of a new or enhanced capability can impact the security aspect of the business operations, or it may be required to ensure new business operations are optimal and secured.
To ensure value is created, security risks are mitigated, operations remain secured, and the business management must take the ownership and accountability seriously to see that the change happens as expected in the organization.
People are an integral part of every business process. In addition to functional skills for the job, people need to have appropriate security-related skills for secured business operations.
It is not sufficient for Human Resources to define and manage job roles. Business managers know their business processes and understand potential exposure. They must consider the security aspect of the process of defining roles and organizing skills.
The PEOPLE performance domain represents the people-centric management responsibilities and activities for ensuring ongoing secured business operations. Every business activity and outcome requires a combination of people, process, information, and technology.
As much as the human element could add intelligence, flexibility, and compassion to any business process, it also introduces a security risk.
The people domain defines intangible and tangible management actions for appropriate culture, workforce transitions, and awareness and readiness for managing the security risk.
People Capability Building Blocks Culture
Beliefs, behavior, attitude, and adoption of a security mindset and risk posture of people in the organization. Culture defines what people in the organization will do when they encounter a situation.
Unless machines are making all the decisions, it is important that leadership is promoting and driving the appropriate culture for secured business operations under all circumstances.
Most of the security incidents in an organization happen due to lack of awareness and readiness. In many cases, people represent the first or the last mile in business interactions.
People can only make decisions and take actions based on what they know. Individual responsibility starts with business leaders making sure that people are aware of the security implications and are prepared to take appropriate actions.
People Capability Building Blocks Transitions
It is given that people will change their roles and new people will take over the tasks. The transition should not only address the access controls but also the individual knowledge related to security in the context of the tasks being transitioned.
Business must define the type and extent of access controls and security knowledge needed for a job, and ensure that access and knowledge transfer is managed across transitions.
Management and Having capability for setting the direction, driving change Operations and accountability, ensuring integration across strategic and execution processes, managing development, and adoption of security practices across the organization.
Just like business management is anticipating, planning and driving innovative business capabilities, business should be evaluating and planning security capabilities, policies, and practices for sustaining secured business operations through the change in business.
The PROFILE performance domain defines what the organization must know to plan and maintain secure business operations. It includes knowledge of vulnerabilities, exceptions, risks, and dependencies in organizations across people, process, information, and technologies.
Without this knowledge, organizations may not be as proactive in anticipating and addressing potential incidents. In many ways, this domain supports all other performance domains.
[Note: You can free download the complete Office 365 and Office 2019 com setup Guide for here]
Profile Capability Building Blocks Vulnerabilities
A vulnerability is a weakness that can be exploited in reducing an organization’s risk resilience. A vulnerability can be anywhere across people, business process, and technologies. The organization must profile current and potential internal and external vulnerabilities.
Security risks have the potential to impact an organization brand along with the potential to impact the profitability and/or revenue growth. Managing such risks is critical for sustaining secured business operations. Business leaders must take responsibility for the profiling of security risks and mitigation plans from a business perspective.
Security exceptions need to be monitored and managed. Over time, an exception may become a vulnerability or a risk. Business must ensure they have the capability to identify exceptions and manage exceptions over time to achieve desired risk resilience.
Every business outcome requires cross-functional, in many cases cross-organizational, collaboration. The management needs to understand interdependencies to effectively manage the security risk in any business operation. The organization must profile internal and external dependencies across people, process, technologies, and information assets.
Secured Business Model Capability Maturity Levels as a Value Road Map Every organization, regardless of the industry, must ensure that the security risk resilience is in alignment with the business engagement model and organization’s goals.
we explained the business engagement model, how an organization can determine the engagement type and corresponding security risk resilience level. Each risk resilience level requires a set of organizational capabilities and practices.
So, the obvious question is what are those capabilities for a risk resilience level? In the previous section, we identified five performance domains (7 Ps) of the secured business model.
Each of these performance domains can be further described in the form of a capability maturity model, where a maturity level can be viewed as capability requirements to achieve a level of risk resilience.
The figure summarizes the capability maturity model for each of the 7 Ps in the secured business model. Each maturity level identifies what capabilities an organization must have across the 7 Ps. This model is not about how an organization will accomplish these capabilities. We will be discussing that in the next post.
The capability maturity model is a progressive and cumulative model, that is, capabilities at one level builds upon the capabilities at previous levels. It also means that an organization must have capabilities from previous levels to be considered for the next level of maturity.
For example, at a lower level of maturity, an organization may only consider preventing unauthorized access to a physical location or systems storing critical business information.
As the organization expands interaction with customers and partners, the organization must prevent unauthorized access to business transactions and documents, achieving the next level of maturity.
Depending upon the nature of collaboration and use of digital assets, organizations may need to enhance its capabilities in preventing unauthorized access to distributed content, further driving the level of maturity and risk resilience.
Because of the progressive nature of the capability maturity model, it can easily be used as a value or capability improvement roadmap. As described in Figure in the previous post, an organization that is already a connected business or seeking to be one, the target risk resilience level should be at least level 4 – Competing.
It means, business management should be prioritizing and planning capabilities, and monitoring progress toward level 4. The capability gap between the current and desired state defines the improvement roadmap.
It is expected that an organization may not be at a particular level across all 7 Ps. It is possible that an organization might have focused on a few select capabilities or overinvested in some capabilities to address specific situations or in response to the market news.
Just like it is hard to stay comfortable and stable while sitting on a stool with legs of varied sizes, organizations can’t ensure and sustain secured business operations if the organization does not make progress toward the required maturity level across all 7 Ps.
In a large organization with multiple business segments or organizational units, it is quite possible that various segments may be at different maturity levels. It is not important that all of them be at the same level of maturity.
But it is critical that each segment is at the right level for the required risk resilience in business activities performed by the people, processes, and systems in that segment.
Using the secured business model, each segment can evaluate its current state and identify the desired state, and use the gap for developing the improvement roadmap.
Secured Business Model Is a Bridge Between Business Engagement and Operating Model
The Secured Business Model is the critical layer between business engagement and the secured operating model. Business leaders and managers own the responsibility and accountability in defining the state of business engagement and required capabilities across 5 Ps in the secured business model.
Once the required capabilities in the secured business model are defined, the organization is ready to evaluate and plan capabilities in the secured operating model.
The next post provides details of the secured operating model. The operating rhythm without the predictable behavior in sensing and responding to the events that we didn’t anticipate is a fire drill.
Realizing Secured Business Operations
The objectives, the requirements, the plans – help us create a desire for change and define a direction, but they are not sufficient to ensure we get to our intended destination.
In this post, we focus on how organizations can achieve and sustain secured business operations. The secured operating model provides an actionable body of knowledge in understanding, identifying, and implementing necessary operational capabilities for realizing the desired outcomes defined in the secured business model.
Why the secured operating model when we have many operational frameworks such as NIST 800-171, NIST 800-53, ISO 27001/27002, and many others? There is no doubt these frameworks provide a depth of knowledge that no single person or organization can develop and organize.
These frameworks focus on security policies, procedures, and controls, providing a highly prescriptive content for auditors, implementers, and practitioners. It is left up to the organization to figure out the extent of relevancy and develop a roadmap for implementing policies, procedures, and controls.
Organizations tend to underplay or overengineer the implementation due to the lack of structured understanding, alignment, prioritization, and business case for policies, procedures, and controls in the context of organizational and business capabilities.
Just like when digging a hole, it is difficult to be wide and deep at the same time, most of these technical frameworks provide excellent depth in cybersecurity and risk management but tend to ignore other capabilities needed to drive overall organizational maturity and effectiveness even in their area of focus.
The secured operating model provides the bridge between what the organization wants to secure in the form of a secured business model and the specific best practices and implementation described in these frameworks. Figure articulates the dependencies and relationship between various layers of the body of knowledge in achieving and sustaining secured business operations.
The secured operating model includes a set of core capabilities along with their maturity levels. The model also includes underlying practices derived from various best practices and security frameworks.
The model allows organizations to focus on the capabilities. It is the capabilities that enable organizations to sense, respond, and operate in a predictable manner even in previously unknown situations.
Every time there is a security breach, it doesn’t do any good if the organization scrambles and comes up with an excuse of not seeing it before. With the secured operating model, the organizations can build and maintain the required capabilities to achieve and sustain secured business operations.
Components of Secured Operating Model
The secured operating model consists of twenty-one operational capabilities organized into the following six capability domains.
\ 1.\ Business Management
\ 2.\ Operations Management
\ 3.\ Risk Management
\ 4.\ Compliance Controls
\ 5.\ Master Data Management
\ 6.\ Infrastructure Management
An organization may have a few or all the twenty-one capabilities listed. Even if an organization has these capabilities, they may not be at the desired level of maturity needed for secured business operations. Overinvesting in some and underinvesting in others don’t make organizations safe and secure.
All capabilities need to be focused and sufficiently advanced to achieve and sustain the desired outcomes. The figure provides a top-level capability map at various levels of maturity.
This map can be used to understand where we are and where we need to be in operating practices, aligned with the required capabilities in the 7 Ps defined in the secured business model.
Although described as a capability maturity model, the capability map in Figure is, in fact, a roadmap for planning operational practices. At any time, an organization may be at different maturity levels across the six capability domains. Over time, an organization cannot be too far out of step with maturity in each domain.
For example, the organization can’t be very high in risk management and remain very basic in master data management. Sustaining secured business operations is not just about preventing something from happening; it is also about responding and recovering when something does happen.
Organizations need different capabilities for proactive prevention and predictive responses to the situations. Moreover, improvement in one capability may enable another capability or reduce the demand on another capability.
For example, improvement in master data management may help the organization with improved change management and governance while reducing the time and efforts required for implementing and monitoring compliance controls.
Therefore, it is critical for the organizations to evaluate, understand, and plan all twenty-one capabilities under these six capability domains for appropriate maturity in core operational practices. The following pages provide a summary of twenty-one capability building blocks across six capability domains.
Business management represents a set of capabilities for the organization to plan, manage, and measure the effectiveness of operational practices required for secured business operations. It is a business prerogative and issue to decide the extent the organization needs to be secured and ensure it is secured.
The organizations must have relevant business management capabilities and practices. Business management, in general, may include many practices. For planning and managing the portfolio of people, process, information, and technology for secured business operations, the following three operational capabilities are the most critical to developing and mature.
\ 1.\ Change Management
\ 2.\ Governance
\ 3.\ KPI Measurements
These capabilities are not new or unique for business management. Many times, these practices do not sufficiently consider or incorporate security-related requirements and practices or account for the impact of security. These practices are leveraged to develop the desired maturity required for achieving secured business operations.
Provide relevant awareness and training to all the workforce about the capabilities/services, keeping them informed and prepared in identifying and addressing new vulnerabilities that require human behavior in addition to systematic controls.
Establish a collaborative business and IT governance structure, associated processes, and committee to govern the development, maintenance, and transitioning incremental/new capabilities to conduct business operations in a secured manner.
Define, measure, and monitor key performance indicators and metrics for security effectiveness and desired outcomes. The next section includes key practices for improving change management, governance, and KPI measurement in the organization.
Managing day-to-day operations is one of the core business activities in any organization. In the context of secured business operations, ongoing operational practices need to include activities related to maintaining secured operations.
Therefore, the Operations Management capability domain includes and primarily focuses on the following:
\ 1.\ Process Management
\ 2.\ Access Control Management
\ 3.\ Audit and Monitoring
These operational capabilities are not new to the organization, which is good news. We just need to make sure these capabilities are enhanced so that business process design and execution are security aware and incorporates additional practices and measures for ensuring end-to-end secured business processes.
Operations Management Capability Building Blocks Process
A process is a set of interrelated activities that interact to achieve Management a result, for example, secured supply change management, secured channel partner communication and management, secure banking, and secure collaboration.
A governance committee is responsible for ensuring appropriate processes are created, automated, and managed to meet the required and relevant security objectives.
To ensure business operations are being conducted in a secured Management manner, it is necessary that all the managed resources have appropriate access all the time. This capability ensures that the appropriate access is granted and managed all the time.
Audit and This capability are required to find out at any time who is Monitoring accessing what managed resources, and if there are any malicious activates going on in the enterprise environment. Based on this knowledge, appropriate risks can be created in the risk register to manage such risks appropriately.
These operational capabilities are quite interdependent and support each other. For organizational efficiency and effectiveness, all these capabilities should be advanced with appropriate design and automation. The access control management is supported by process management and audit and monitoring.
There are known security risks to the business operations due to the known vulnerabilities and their threat level. The risk management must include the proper criteria for the assessment, prioritization, and treatment of risks. In the previous post, we discussed the security profile as one of the 7 Ps, covering vulnerabilities, dependencies, exceptions, and risks.
Any vulnerability or threat is a business risk, even if it is manifested in one of the IT systems or processes. In the secured operating model, risk management is about understanding, anticipating, and managing both business and IT risks.
Ultimately, business leaders are accountable and must decide the acceptable level of risk. Risk management capability includes the following:
\ 1.\ Threat Management
\ 2.\ Vulnerability Management
\ 3.\ Exception Management
The threats, vulnerabilities, and exceptions are different, closely related terms. They are associated with managing assets. The figure represents the relationship among managed asset, risk, threat, and vulnerability.
Managed Asset: Anything that generates value for the business is a managed asset. It could be people, physical items, and information. People are workforce users, including employees, customers, and partners. Physical items could be office properties, products, and services with tangible or intangible value.
Information could be business data, software code, and other intangible items. Businesses try to protect a managed asset.
Threat: Anything that can exploit a weakness to damage or destroy a managed asset and against which protection is required.
Vulnerability: A weakness that can be exploited by threats to gain unauthorized access to a managed asset.
Risk: A tangible or intangible damage potentially caused due to a threat in your environment that exploits a vulnerability.
T Compliance Controls
Due to an interdependent ecosystem, and mobile and digital business information, every organization small or big needs to address confidentiality, privacy, and integrity of information.
Many government and non-government entities have defined the range of controls for organizations to consider for conforming to compliance requirements or to address procedural or system risks.
We have looked at hundreds of controls across various frameworks. In the secured operating model, we addressed the subject of compliance as a set of organizational and operational capabilities, supported by many of the security controls defined in industry frameworks.
Compliance Controls as a capability provides the necessary business context, and a mechanism to prioritize and road map required controls for implementation and ongoing monitoring.
Master Data Management
Master data management is not a new topic. This is important for the secured operating model for two reasons.
\ 1.\ The information security data domains such as Identity, Asset, Role, Policy, Dependency, and Glossary are not often considered as “master” data domains, even though they have organization-wide implications.
\ 2.\ The data associated with these data domains are equally critical for business operations as other business data domains, such as Customer, Product, Supplier, and Partner. The management of security and business data is critical for executing business transactions predictably, safely, and securely.
Before discussing the master data management capabilities, we must understand the master data management principles. The principles are Data Definition, Data Integrity, Data Security, Data Services, and Data Architecture. These principles are important and required for managing data domains, identities, assets, roles, policies, dependency, and data glossary.
It includes defining a data domain, its ownership, identifying associated data elements, and defining each associated data element. On the business side, the definition covers the meaning, ownership, and purpose. On the technical side, it covers the data design and its implementation details.
It is important to take a business perspective, as data is owned by the business and business is accountable for defining it. The meaning of a data domain clarifies the business intent, ownership defines who in the business owns it, and its purpose clarifies its business usage. The associated data elements are identified in support of business intent and usage.
The meaning of each associated data element must ensure its alignment with the business intent of its data domain. Each associated data element must have a unique business purpose.
The purpose of each associated data element supports the business usage of its data domain. The illustrative examples are provided in the subsequent pages in the definition and the purpose of master data management capabilities.
The best way to understand this master data management principle is to first review and understand the dictionary meaning of Integrity. The origin of word integrity is from the Latin word integer, which means whole or complete. In mathematics, an integer is a whole number that has no fractions.
The key characteristics of a dictionary meaning of the word integrity include being honest and consistent with strong moral principles. Extending this definition into the dictionary definition of data integrity means the data is an exact copy of some original version, and it is absent from any unintended changes or errors in its static state or when it is transmitted or copied.
In business terms, data integrity can be interpreted as the information represented by the data is validated, does not leave any ambiguity, and is authentic.
Data security was covered under compliance controls from the regulatory requirements perspective. This master data management principle enables building foundations for achieving data security controls above and beyond compliance controls in business transactions. Business transactions rely upon master data, such as customer, product, identity, roles, and others.
A typical business operation spans multiple business transactions. For secured business operations, it is imperative that data in a business transaction is secured. This is where data security principles go beyond achieving compliance controls.
The data security principles include data uniqueness, data integrity, data access controls, data encryption, data decryption, and data storage.
The business context, such as Sales Order, Accounts Payable, Customer Relationship Management, Market Intelligence, and others define the usage and characteristics of data security principles. The business context also helps in defining the requirements and cost considerations for data encryption and decryption.
Master data is foundational for all business transactions data. For maintaining data integrity and data security, it is critical that access and maintenance of master data do not become bottlenecks.
Data services, strategically defined, alleviate this situation. Direct access to master data impacts performance for processing business transactions. That is why data services principles take the central place in master data management.
In the information age, data is like a bloodstream for running the business. The human body is healthy and alive when uncontaminated blood is flowing smoothly through all its veins and arteries in the entire body.
The human body has a two-circuit circulatory system. One is pulmonary (for the lungs) circulation and another one is systemic (for the rest of the body) circulation. The blood is oxygenated through the lungs and this oxygenated blood flows using the framework of veins and arteries through the rest of the body.
Using this analogy, entire business data is managed between master data and enterprise data. Master data management conceptually establishes data integrity and security that is extended and further maintained through enterprise data management.
Data architecture is the framework that is required for managing the master data and circulating securely the enterprise data for secured business operations. The framework for master data management consists of data design incorporating data definitions, data capabilities for maintaining data integrity, data security, and data services for enabling business operations data flows.
Master Data Management Capability Building Blocks Identity
Identities include a digital representation of the entire workforce Management and other managed resources associated with the business.
The workforce includes employees, contractors, and partner and customer resources who are involved in the business. The digital representation includes the storing and management of the associated identities and attributes. This capability ensures that digital representation of the identities is securely protected and poses no risks in leaking the associated details.
Manage physical and nonphysical assets owned by the Management organization.
For secured business operations, appropriate access is required Management for every consumer, and that is managed automatically by assigning appropriate roles to the consumer.
The consumer may be a workforce resource, a process, a system or a device. The role management capability is required to assign an appropriate role to a consumer at the start of the relationship and then update the role to account for transitions and changes in relationships.
To develop, deploy, and maintain lifecycle of policies, with the help Management of a governance committee, to conduct business operations in a secured manner.
Secure end-to-end business operations by ensuring all the cross- Management functional and organization dependencies are understood, well documented, and they all follow the same governance policies/ rules to achieve the goal of secured business operations.
Glossary and Define all relevant terms so that their purpose and Life Cycle meaning are consistently understood and used across the business organizations and the ecosystem. The above capabilities are further explored with enabling practices in the next section.
Securing business operations depends upon the infrastructure used for performing business activities. The security of infrastructure is the key focus area for every organization. As infrastructure is typically maintained by IT, this area does not generally get business management attention unless there is an incident impacting the business.
To secure the infrastructure, many practices are considered and deployed, such as single or multi-factor authentication, single sign-on, firewalls, secured local area, wide area, and wireless networks, and applications security.
The Open Systems Interconnection (OSI), Figure model is an effective way to understand, at the conceptual level, the Infrastructure elements and their security needs.
To better manage infrastructure security, we have organized infrastructure capabilities in three building blocks.
Network Management Managing all the LAN, WAN, and WLAN infrastructure in a secured manner to prevent penetration into the Information boundary walls of an organization.
Securing the data center from any malicious penetration or Management damage of all Infrastructure components maintained in the data center.
Managing all business supporting applications in a Management secured manner with appropriate access controls. There is a large published body of knowledge and vast cybersecurity industry focus on implementing security capabilities at the Infrastructure level. We assume that organizations have access to the information and have implemented many of the suggested practices.
Our intent is to add business context and help business managers to understand the need and extent of investment and management oversight required for secured business operations.
The capability maturity map and correlation with enabling practices provides management with the mechanism to assess and plan the right capabilities supporting the business objectives.
Practices for Secured Operating Model
In the previous section, we described the twenty-one operational capabilities organized into six capability domains. In this section, we explore specific and critical implementation practices supporting these capabilities.
Business Management: Change Management
Businesses are periodically making strategic and tactical decisions for innovating, improving profitability, improving top-line growth, improving bottom-line growth, improving brand value, expanding into new markets, meeting compliance requirements, and on and on. Any such decision requires either changing the existing capabilities or developing new capabilities.
A new project is spawned to develop a new or enhanced capability. In today’s cybercrime environment, every project must have a security track so that the capabilities and developed solutions are secured. Most organizations follow internationally recognized standard practices for project management.
Yes, over 18% of the projects fail. What does it mean? A failed project didn’t deliver on expectations, either a capability was not developed or delivered, or it was not successfully transitioned into operations.
In many cases, the security implications and requirements were not considered early enough in the development and transition processes. Change management is an operational practice to ensure all factors, including security, are considered and managed for successful delivery.
Without change management, it is not possible to determine requirements from an operational perspective for a new capability or enhancement to an existing capability.
Without change management, it is not possible to gauge the impact on existing operations or to understand the readiness and training requirements for business users. In addition, without change management, it is not possible to determine new vulnerabilities affecting the desired security posture.
Change management is a critical operational practice for business management. Writing about change management is not a focus of this post. Our Iceberg Is Melting: Changing and Succeeding Under Any Conditions, by John Kotter and Holger Rathgeber, is one of the recommended posts for learning about change management.
In the secured business model, we talked about change management policies under the policy domain of the model. Change management as an operational capability and practice is required for supporting change management policies and secured business operations.
Business Management: Governance
Organizations generally have established corporate governance and IT governance practices for overall business management. Until recently, security was not the focus area of corporate governance. IT governance is primarily focused on technology standards and selection.
The technology selection is typically based on industry ratings and reviews, and not based on the best fit for meeting the business requirements. This is generally the case with security solutions as security needs are not defined by business, and they are a risk-averse posture for the Chief Information Security Officer or IT management.
The result is a continuous increase in spending on IT security while the business continues to incur financial damages from security incidents. Global spending is expected to be $101B in 2018 and $170B by 2020. As per the world economic forum, businesses have security-related damages in the range of $400B–$500B with much more damage not being reported.
The accountability needs to be shared among business and IT management and the Chief Information Security Officer, mainly for defining the security requirements and supporting policies, rules, and controls.
The responsibility for appropriate solution deployment and tools selection may remain with the Chief Information Security Officer, but the overall strategy and governance must be directed by the business leadership. The end-to-end secured business operations require cross- functional decision making and collaboration.
An appropriate governance practice involving cross-functional business and IT executives, managers, and subject-matter experts is required for ensuring timely decision making and sponsoring initiatives for achieving and sustaining secured business operations.
The figure provides an example of a governance committee structure for establishing an operational practice of governing security matters.The above governance committee structure has three layers.
The steering committee provides the leadership for security and other business portfolios. They manage any escalations from the operating committee. This committee sponsors security initiatives. This committee is generally presided by the Chief Operating Officer or an equivalent role.
This operating committee is exclusively for security. This is formed with the help of middle-management leaders from all functional organizations. This team needs to be empowered to make security-related decisions based on the guidelines provided by the steering committee. This team should have the authority to fund various related initiatives in the form of projects.
For some reason, due to a complex situation and/or due to costs involved, if this team is not able to make a decision, such an issue needs to be escalated to the steering committee for the decision making and forgetting funding approvals.
This committee is presided over by a chairperson who is selected with the motion issued by this team and the votes taken by this committee. As this is an ongoing committee, a chairperson should be on rotation and preside over this committee for a predefined duration of a year or so.
Analysts and Managers
This team of analysts and managers are subject-matter experts from different functional organizations. It consists of some static members and some who join this team on a demand basis.
A lead manager presides over this team on a rotation basis and is selected the same way a chairperson is selected for the operating committee. Any issue (vulnerability, risk, dependency, or exception) that needs action due to lack of established rules and controls is assigned to this team.
Based on the issue at hand, managers assign analysts and designate a project manager who manages the analysis and decides the on-demand resource(s) required for the project.
The managers from this team help arrange on-demand resource(s). Based on the due diligent analysis, the project manager collects the facts to present the team findings and recommendations for enhancements and implementations of the existing rules and controls or for additional rules and controls.
Business Management: KPI Measurements
Key performance indicators are in common use to manage business growth. Targets are set, and through key performance indicators, growth is measured. The focus here is on secured business operations. The security of business operations directly contributes to business growth.
There is a direct relationship between achieving and maintaining a desired level of security and key performance indicators for achieving business growth. Some of the common KPIs for business growth measurements are reducing operational expenses, improving profitability, and improving sales.
The security of business operations is critical for achieving such KPIs for business growth. For illustrative purposes, the key element contributing to the operating expenses is the cost of goods sold.
This cost depends upon fixed and variable costs. The opportunity here is to control variable costs. The contributing factor is optimizing the operational processes and improving productivity. In the digital age, the critical element impacting productivity is not having the right access at the right time.
Having the right access at the right time is the key factor in maintaining secured business operations. This way the related key performance indicator for secured business operations is granting the right access at the right time.
The next illustration is for improving sales. Sales depend upon the sales force and the tools available to them for promoting sales, such as for a deal negotiation, for customer relationship management, for checking sales reports, and other such tools.
Again, having the right access to the right customers and the right reports at the right time are critical for improving the productivity of the sales force that is critical for growing sales.
Then, it is simple math: improved profitability is based on improved sales and reduced operating expenses. Again, granting the right access at the right time is a key performance indicator for secured business operations.
This is not the only key performance indicator for secured business operations. The right access available is critical, however, ensuring that this access cannot be hacked, the tool to which this access granted is protected, and that the information maintained must be prevented from any leakage.
The key performance indicators for protecting the sales user credentials from hacking, protecting the tool from hacking, and preventing leakage of business information are all important for securing business operations. The next critical element about KPI is its measurements.
The business management is successful only if KPIs can be measured. The right targets should be set for the key performance indicators, right measurements should be defined for the key performance indicators, and right reporting should be defined to measure the status and progress of these indicators.
The experience is that businesses are not focusing on defining such key performance indicators and in measuring the progress for achieving and sustaining secured business operations. That is why operational practice is required for KPI Measurements that contributes to the overall success of business management.
As for performing any business activity, a process is required and business process management is standard operational practice. There are many approaches used, such as Lean Sigma, Six Sigma, Business Process Optimization, and others.
To manage secured business operations, the same approaches can be used. Following the lean sigma, five phases – Define, Measure, Analyze, Improve, and Control (DMAIC), the process can be defined and controls can be established.
The security problem in a business operation could be for many reasons, such as access to managed asset(s) used for managing the business operations is not controlled, the information generated for business operations can be leaked, the integrity of information is at risk, the user credentials used to access the information are at risk to be compromised, the firewall in place is not suitable for the federated access for end-to-end business operation execution, and on and on.
Using DMAIC, each of these problems or a problem can be defined, the problem potential damage can be quantified, the problem can be analyzed in detail, the solution can be put in place to improve the current situation; and through controls, the solution can be maintained.
For controlling the solution, a process management approach is required. The main thing to emphasize here is that the problem cannot be fully identified just by the Information Security Office or IT, rather, the business stake is required to not only fully identify the problem, but to quantify it, analyze it, develop a solution to mitigate the problem, and to properly control it.
Operations Management: Access Control Management
Managing access control is a key achievement for securing business operations. The life-cycle approach is required. The first-time access, ongoing access, and retiring the access, all three phases of life-cycle management, are equally important for maintaining the end-to-end security of business operations.
Each business operation end to end performs a number of steps, where each step may require different managed assets, or more than one managed asset is used for executing end-to-end business operations.
Appropriate access needs to be granted to these managed assets for different users. Similarly, each managed asset may be accessing other managed assets for giving business-required capabilities.
Each managed asset may be accessed by multiple users and/or each managed asset may be accessed by more than one other managed assets to provide business- required capability. For illustrative purposes, consider a voice service.
It is a managed asset. It will require audio, an instrument to access audio, means to communicate using voice, audio provisioning from the service provider, billing to a business user department, and few more related managed assets to provide voice capability for a business operation. From a security perspective, it is important that voice is not hacked as it is used for business conversations.
All the managed assets described above need restricted access control and protection of voice communications. In brief, a simple capability, such as voice, requires a many-to-many relationship among managed assets as depicted in Figure.
This is a simple illustration to convey the point that access control management involved the following:
Workforce users (could be internal only or both, internal and external) managed assets, represented as digital ids
Business Application-based managed assets, represented as digital ids
Infrastructure-based managed assets, represented as digital ids
The relationship among users and non-user-based managed assets
Many-to-many-based access control among the managed assets
Business Processes steps for the business operation
IT Processes for the business operation
The complexity is added as businesses have many, several thousand to millions of workforce users internally and externally, and several thousand business applications and infrastructure-based managed assets.
In addition, currently, business transformations for growth and increasing profitability businesses are embracing services transformation, cloud- based business and infrastructure services.
The hope is that the above complexities provide the perspective to understand why access control management is critical for securing business operations.
Keep in mind the entire lifecycle of access management, involving first-time access, access during hire-to-retire of a workforce user and non-human managed assets, termination of access control, and the need to be strictly controlled to minimize vulnerabilities associated with securing business operations.
To securely manage access control, different operational practices are required from Figure under Business Management, Operations Management, Risk Management, Compliance Controls, Master Data Management, and Infrastructure Management.
The intent here is not to leave access control management as a complex thing to manage; rather, the intent is to justify the criticality of it for securing business operations and provide approaches discussed in other operational practices to manage the lifecycle of access control, systematically.
Operations Management: Audit and Monitoring
Audit and monitoring is not only a compliance requirement but also, it is a critical operational practice for maintaining controls established. As stated in post 1, for cybersecurity a significant proportion of the spending in billion dollars is allocated for fraud and data breach detection with emphasis on Security Analytics, Threat Intelligence, Mobile Security, and Cloud Security.
The main purpose of security analytics and threat intelligence is to develop audit and monitoring capabilities for finding potential fraud and data breaches before significant damage is done and to be able to take proactive actions based on the set thresholds.
It is like identifying unknown risks for risk management. The focus on mobile and cloud security is mainly due to the fact that growth for businesses is becoming more and more dependent on business solutions being developed, using cloud-based business services on mobile platforms. These solutions add more vulnerabilities to security if the access controls are not properly managed.
We talked about KPI Measurements as a business management operating practice. One of the key elements in KPI Measurements operating practice is the capability to measure for key performance indicators.
Audit and Monitoring provide the means to collect relevant data. The good and commonly used KPI is for managing and controlling unwanted access controls by each workforce user.
This is a compliance requirement as well. Companies have deployed a solution based on audit and monitoring to identify a user not accessing a particular tool or service, say for 90 days, and invokes user access after 90 days of the account remaining dormant.
This meets compliance requirements, though it adds vulnerability for leaving the access to an account for so long. This is one of the use cases where security analytics and threat intelligence can help determine on a near real-time basis the unwanted access by setting up the right controls and minimizing the associated vulnerabilities by creating near real-time to real-time audit and monitoring capabilities.
By having an operational practice, it can be a part of your operations DNA to become vigilant by enabling smart audit and monitoring capabilities.
Risk Management Threat Management
It has become clear that protection from threats is required. That means for securing business operations, threat management operational practice must add value.
This value can be added by creating visibility of known threats, creating visibility of the managed assets having threats, understanding of potential risks associated with the known threats, and in prioritizing the known threats.
To protect assets, certainly, you need to mitigate these threats. In addition to that, you should conduct a root-cause analysis for mitigating the probability of recurrence of similar threats.
This should be in the DNA of your business operational practices. Threat management should not be practiced just when there is a security breach; rather this should be an ongoing operational practice. The overall value of that is the equivalent of increasing the immune system of your body by doing regular exercises.
Risk Management Vulnerability Management
Vulnerability exposes the operational weakness that poses a security risk. It means there is a direct value of strengthening operations by managing vulnerabilities.
Healthy operations are like a healthy body. Like a healthy body that allows one to be more productive and creative, healthy operations allow organizations to be more profitable and innovative.
Establishing operational practice for managing vulnerabilities means having the capability of registering vulnerabilities, understanding associated threats, understanding the associated potential risks, and the capability to reduce or eliminate existing types of vulnerabilities. Having operational practice for vulnerability management means having ongoing associated capabilities to gain sustainable value.
Risk Management Exception Management
In the context of security, threats, and vulnerabilities, exceptions are business situations that do not fit under threats or vulnerabilities but pose risks with the potential of producing damages equivalent to the potential damages that can be produced due to threats and vulnerabilities.
Due to such potential risks, exception management is equally important, if not more, to vulnerability and threat management.
The value anticipated of exception management is generally more than the value anticipated of vulnerability and threat management. This is due to the fact that by design, exceptions are difficult to register and understand. The risks associated with an exception are extremely difficult to comprehend. Exceptions are not regular and generally misunderstood.
Thus, having an operational practice to acknowledge, register, understand and manage exceptions could be more valuable for securing business operations.
Compliance Controls Data Security
In the United States, there are industry-specific data security regulations, like HIPAA for the healthcare industry. This is not like in Europe, where Global Data Protection Regulations (GDPR) are enforced for the entire European Union to all twenty-eight European countries that are part of the EU and to all businesses, regardless of the industries they belong to. The GDPR are applicable outside the EU to any country having EU citizens.
The purpose of this post is not to go into the details of individual data security compliance regulations. The point to emphasize here is that to ensure business operations comply with data security regulations, businesses need accountability.
Businesses need to have operational practices and not leave it for IT to manage these regulations because these are data- related security requirements. Under the Master Data Management section, there will be more details covered that will assist in managing data security.
Compliance Controls Segregation of Duties
It is called the separation of duties as well. The straightforward way to understand this is by using an illustrative example – a buyer cannot make payment for the items purchased.
In the past, this was controlled merely by giving accounts payable authority to a different person. In today’s digital world, that is certainly a fundamental necessary requirement; however, it is not sufficient.
It needs to be ensured that the buyer does not have access to accounts payable automated utility managed the asset. If this access control is not managed securely, not only does this vulnerability possess a risk to business operations, but it is also noncompliant as per the segregation of the duties compliance requirement.
This compliance control is managed by business architecture by setting the right organizational structures and creating appropriate roles. However, the automated tools in use require appropriate segregation of duty utilities and access control management to successfully meet the compliance control requirements.
Based on our experience, businesses spend the bare minimum to meet compliance needs, but the vulnerabilities created due to not being able to achieve desired access controls pose threats to manage secured business operations. Again, who can manage these access controls?
What is required for ensuring appropriately automated utilities are produced so that these access controls can be managed? Business needs to lead this in collaboration with IT.
We discussed managed asset under the access control management and risk management sections of the secured operating model. These managed assets could be a workforce user (employee, consultant, contractor, supplier, customer, partner), IT infrastructure, process, business products, and service offerings.
In short, a managed asset could be a human or non- human. The total number of these assets could be in several thousand, to millions, depending upon your organization size.
As these are managed assets, these need to be tracked for securely conducting the business operations. Each asset is granted an identity in digital terms. Each asset has a life cycle as long as it is associated with the organization and contributes for generating value. Each identity is used in one form or another in the other business transaction.
It acts as master data for executing a business transaction. At the same time, this is loosely managed by most companies without realizing the implications in securing business operations.
To manage identities, master data management treatment is required so that there is a proper data definition for each managed asset type, data integrity and security is maintained for each asset, and appropriate data services are provided for accessing identity data for business transactions.
By now, it must have become clear that managed assets are critical to run the business. As discussed earlier, the identity management capability manages identity details of these assets for security purposes. As these are business assets, formal asset management is required.
Business has distinct functions to manage different classes of assets, for example, HR for employees, contractors and consultants, Customer Service for customers who have relationships with the organization, Manufacturing for product development, Purchasing for vendors, etc.
Each of these functions must follow an asset management methodology to manage the life cycle of these assets; the relationship among the assets; the value they generate; the timeline of the disposition of these assets; and, of course, the risk to quality and integrity.
To maximize return on assets, each managed asset has one or more roles to play in the organization. Based on the given role, an asset is granted access to other managed assets.
To keep it simple, let us keep our focus on workforce users- the roles assigned to manage value, competency, and capacity. To maintain a level of separation, ease of management, and avoid unnecessary complexity, access to various assets is granted to roles rather than directly to users.
Roles are master data assigned to each workforce user, maybe one or more than one, for managing access control of managed assets.
For access control management, roles are assigned to a workforce user identity based on policies defined by governance. To manage roles, same master data management principles, Data Definition, Data Integrity, Data Security, Data Services and Data Architecture are required.
Access control management depends upon policies. These policies are defined and maintained by the governance committee. The policies are defined in collaboration with cross-functional business and IT management who are part of this governance committee.
These policies are documented in plain English language for general understanding, yet actionable through access control management systems and procedures. Roles can refer the policy data to enforce access controls for securing business operations.
As the policy data is referenced, it needs the same treatment as master data with principles of data definition, data integrity, data security, data services, and data architecture. effective, and secure manner. It is critical to highlight security needs for inter/intra dependencies that can be linked to associated risks and/or vulnerabilities.
To interoperate and communicate, every organization needs a language, acronyms, and definitions of terms. Most organizations do have them but they are not used consistently across the organization.
They may have different meanings to different people. It is an issue when an organization wants to have end-to-end secured operations across various functions, systems, processes, and people.
Most organizations do not maintain the glossary of security terms. The key words in the previous statement are “organization” and “maintain.” The IT department may have a version of terms, but generally, they are not published or publicized organization-wide.
Other departments or groups do not attempt to contribute, as they consider security an IT responsibility. Where IT department creates a glossary of security terms, there may not be an ongoing effort to maintain it.
Why is it important to maintain the glossary? The simple answer is to increase awareness of security, particularly cybersecurity, among the organization’s workforce.
Without this awareness, it is difficult to keep people informed on security trends and to sustain secured business operations. To start with, use the lists of security terms maintained by the National Initiative for Cybersecurity Careers and Studies or by the National Institute of Standards and Technology.
Although the functional groups, such as marketing, engineering, and distribution, may have their own glossary of terms, the security terms are applicable to everyone inside the organization and any external entity with whom there are interdependencies. The glossary must be treated and managed as master data.
Every data has a shelf life, and therefore, every data requires life-cycle management. Security data domains, such as identity, asset, role, policy, dependency, and glossary, are no different. As the operating environment or other things change in the organization, an adjustment is needed in security data to reflect the change.
Timely and proper adjustments in the definition and attributes ensure ongoing data integrity, data security, data services, and data architecture for secured business operations.
For example, a change in the job of a user due to promotions, department change, or for any other reasons may trigger an adjustment in user identity, role, assets, and access controls.
If the user profile is not adjusted properly and timely, it could create an unwanted exposure, resulting in potential security threats.
When an asset is replaced for any reason, such as end-of-life or new capability requirements, its association with all identities need to remain intact with the replaced asset, so that business operations have minimal to no impact and relevant users can execute their relevant processes securely and with same or better efficiencies.
When a role is updated with new or different responsibilities, it may need a change in the things the role can access and perform.
In such a life-changing event of the role, there might be a need for identities associated with the original role to continue to perform their operations and do not get any extra access, thus keeping current operations secured.
The existing policies may not be sufficient in addressing change in the business conditions, business model or services, requiring a revision and updates to all other assets impacted by the policy. Managing dependencies, particularly interdependencies, can be complicated.
For example, let’s say your business partner gets access to submit their orders with no export holds, as long as they maintain the embargo with the same countries as your organization.
If the partner decides to lift the embargo from one of the countries without getting approval from your organization, submits the order that passes export hold conditions, and the products get shipped to that country, this may pose security threats along with compliance violations for your organization.
Ideally, the ability to submit the order to such a country must be adjusted with the life-changing event. Similarly, for the glossary term, if its meaning is expanded or reduced, or a new glossary term is added, it is imperative to timely publicize it so that people are aware and ready in dealing with new cyber threats.
To protect business operations, it is very important to keep the workforce informed. It is quite clear that life-cycle management is mandatory for sustaining secured business operations. Master data management is critical for defining and managing the life cycle of each of the security data domains.
The network has become an operating system for an organization. It is like veins and arteries in the body for blood to flow across the body. Information is like blood. As the oxygenated blood is important for the functioning of the body, secured information is important for the functioning of the organization.
The geographically dispersed organizations are connected using wide area, local area, wireless, a virtual private network, and Internet configurations to seamlessly share and access information, and conduct business operations.
To prevent leakage of information and protect business operations from hacking, secured network tunnels and firewalls are put in place by network management.
To allow only authorized workforce users to access the organization network, only users recognized by Human Resources (HR) are granted access to the organization network.
Nowadays, almost every Human Resources department has a step in the hire-to-retire process to grant timely network access at the time of hiring and revoke network access immediately at the time of termination. The timely network access is critical as access to all other managed assets is based on the network access user id.
Some organizations have a fairly comprehensive and efficient on-boarding process that may include provisioning of laptop/desktop with the network; and access to office services, such as email, calendar, phone, and job- related applications and systems.
This is possible only after Human Resources has successfully completed a new hire background check and has given the go-ahead to the Network Management team for establishing user credentials.
The user id from these credentials is used for granting access to other core IT and application systems. The technical management of networks is beyond the scope of this post.
Data Center Management
Most of the enterprise information in terms of data and documents, and enterprise services in the form of applications are hosted in the data center. The data center computational and storage resources may be physically located on the organization’s premise, at the location of an outsourced service provider, or in the cloud as Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS).
Therefore, we are focused on access security rather than physical security. Due to the availability of high-speed connectivity at low costs, organizations have consolidated data centers.
A few data centers and cloud have made it easier for organizations to secure infrastructure. Companies are using Cloud Access Security Brokerage (CASB) solutions, leveraging servers, storage, routers, and switches with built-in security solutions.
In spite of using security-aware equipment, the governance continues to be a critical element in ensuring definition and enforcement of security policies. The policies defined for securing the access to data center equipment should not be defined in a silo and must be extensible to hosted applications and users.
The extensibility helps in reducing points of vulnerabilities, starting with the network-level ids, in the chain of granting and managing access control for hardware, software, and users.
Even if the application, such as Excel or email, is running on a user’s device, the information whether in files or databases may be stored on the geographically dispersed data centers and situated in a strategic data center location that is provisioned to a business user.
Therefore, a securing data center is even more critical in this digital age. The security must not stop at the equipment level and must transcend at a user level for all the relevant managed assets.
Applications have been the foundation for enabling business process automation. Organizations prefer buying off-the-shelf applications than building them. Whether buying or building, the applications tend to serve individual business functions and are hosted on a dedicated infrastructure for the functional organization.
Therefore, in this configuration, the security requirements are mostly contained and managed within the application. With the digital transformation, organizations are adopting cloud-based services rather than deploying and maintaining applications in-house.
These services tend to interact with other services in the cloud. While there are significant financial and performance benefits of using cloud services, there is an increased level of cyber threats.
The service or application management must address the changing nature of the infrastructure, access, and integration. Just like line-of-business application services, cloud-based application management services provide an opportunity to simplify security policies and enforcement methodologies.
Using Secured Operating Model
Each of the twenty-one capabilities in the secured operating model is described as a capability maturity map with five maturity levels. The complete capability maps are available online at secured business ops. com website.
Organizations can use these maps to assess the current state of these capabilities. Based on the desired state of the secured business model, organizations can determine the required state of secure operating model capabilities.
Without the business context, it is not fair to say anything low in maturity is not good, and anything in high is excellent. It is possible that organizations might be overinvesting in some areas, underinvesting in others, or just about right based on the business engagement model and business needs defined by the secured business model.
In the next post, the details will be provided for how to achieve and sustain the desired maturity levels. These maturity levels enable you to maintain the secured operating platform that is necessary for achieving the business vision and strategic goals. The structured execution is required once it has determined the desired maturity levels using the template described above.